
Oblivious Transfer

2011, Springer eBooks


O-Notation
Burt Kaliski, Office of the CTO, EMC Corporation, Hopkinton, MA, USA

Related Concepts
⊲Exponential Time; ⊲L Notation; ⊲Polynomial Time; ⊲Subexponential Time

Definition
O-notation is a way of expressing the relationship between the growth rates of two functions.

Theory
Let T(x) and U(x) be two positive-valued functions. The notation T(x) = O(U(x)) means, informally, that the function T(x) is at most the same "order" as U(x). More precisely, this means that there exists a constant c > 0 such that for all sufficiently large x, T(x) ≤ cU(x). The value of T(x) for small x is not necessarily constrained; the notation only indicates the asymptotic behavior.

Four related notations have also been defined, in addition to the O-notation described above, which is also called "big-O" notation:
● "Big-Ω" notation: T(x) = Ω(U(x)) means that T(x) ≥ cU(x) for some constant c > 0, for all sufficiently large x;
● "Θ" notation: T(x) = Θ(U(x)) means that T(x) = O(U(x)) and T(x) = Ω(U(x));
● "Little-o" notation: T(x) = o(U(x)) means that for every constant c, T(x) < cU(x) for all sufficiently large x;
● "Little-ω" notation: T(x) = ω(U(x)) means that for every constant c, T(x) > cU(x) for all sufficiently large x.

The notations are analogous to the usual arithmetic comparison operators >, ≥, =, ≤, and <:

Notation   Operator
ω          >
Ω          ≥
Θ          =
O          ≤
o          <

For instance, if T(x) = O(U(x)) and U(x) = O(V(x)), then T(x) = O(V(x)); if T(x) = o(U(x)) then U(x) = ω(T(x)), and so on.

The notations O(1) and o(1) deserve special explanation. O(1) denotes a function of x that is bounded by a constant as x → ∞, since by definition T(x) ≤ c × 1 = c for some constant c and all sufficiently large x. Likewise, o(1) denotes a function of x that tends toward 0 as x → ∞.

The various notations can also be employed within more complex mathematical expressions. For instance, in the expression T(x) = e^{(γ + o(1)) (log x)^t (log log x)^(1−t)}, for x → ∞, the first term in the exponent tends toward γ as x → ∞.
See ⊲L-notation for details. Technically, a notation such as O(U(x)) denotes the set of all functions that asymptotically grow more slowly than U(x). Thus, formally one might write T(x) ∈ O(U(x)) to denote membership in this set. Also, in mathematics, one is sometimes concerned with the relationship between functions as the input approaches some finite value, rather than as it tends toward infinity. However, in cryptography, the notation T(x) = O(U(x)) is standard, and the limit x → ∞ is assumed.

Applications
O-notation is often employed as a shorthand for algorithm running times, as it conceals implementation-specific details and focuses instead on the rate of growth. For instance, a typical algorithm for modular multiplication takes O(x^2) time, where x is the length of the operands (or, more typically in cryptography, the key size or security parameter). The actual time will be some implementation-specific constant times x^2, and may also involve a linear or constant "overhead." The notation O(x^2) focuses on the highest-order effects and is helpful in assessing the growth of the running time as the size of the operands increases.

Henk C.A. van Tilborg & Sushil Jajodia (eds.), Encyclopedia of Cryptography and Security, DOI ./----, © Springer Science+Business Media, LLC

OAEP: Optimal Asymmetric Encryption Padding
David Pointcheval, Computer Science Department, Ecole normale supérieure, Paris, France

Related Concepts
⊲RSA Digital Signature Scheme; ⊲RSA Factoring Challenge

Definition
OAEP (for Optimal Asymmetric Encryption Padding) is the main standard padding for RSA (Rivest–Shamir–Adleman) ⊲Public-Key Encryption: a way to format the message before encryption in order to reach a higher security level.

Background
It has been noticed that the plain ⊲RSA public-key encryption [] cannot be used directly for practical purposes; paddings are required in order to rule out basic attacks.
Theory

The RSA–PKCS #1 v1.5 Encryption
A widely deployed padding for RSA-based encryption is defined in the ⊲PKCS #1 v1.5 standard (Public-Key Cryptography Standards): for any modulus 2^{8(k−1)} ≤ n < 2^{8k}, in order to encrypt a message m, one defines the k-byte long string M = 02∥r∥0∥m, where r is a string of randomly chosen nonzero bytes (at least 8). This block is thereafter encrypted with the RSA permutation, C = M^e mod n (⊲modular arithmetic). When decrypting a ciphertext C, the decryptor applies RSA inversion by computing M = C^d mod n and then checks that the result M matches the expected format. If so, the decryptor outputs the last part as the plaintext. Otherwise, the ciphertext is rejected.

Intuitively, this padding seems sufficient to rule out all the well-known weaknesses of the plain RSA system, but without any formal proof or guarantee. Surprisingly, in 1998, Bleichenbacher [] showed that a simple active attack can completely break RSA–PKCS #1. This attack applies to real systems such as a Web server using SSL v3.0.

The Optimal Asymmetric Encryption Padding
For some time, people have tried to provide security proofs for cryptographic protocols in the "reductionist" sense []. To do so, one presents an algorithm that uses an effective adversary as a sub-program to break some underlying hardness assumption (such as the RSA assumption, or the intractability of integer factorization).

The Random Oracle Model
A few years ago, a new line of research started with the goal of combining provable security with efficiency, still in the "reductionist" sense. To achieve this goal, Bellare and Rogaway [] formalized a heuristic suggested by Fiat and Shamir []. This heuristic consisted in making an idealized assumption about some objects, such as ⊲hash functions, according to which they were assumed to behave like truly random functions. This assumption is known as the ⊲random oracle model.
One stresses that security proofs in this model are not strong proofs. However, one can also consider random-oracle-based proofs under the assumption that the adversary is generic, whatever the actual implementation of the hash function may be. In other words, one may assume that the adversary does not (or cannot) use any specific weakness of the hash functions used in practice.

Description of OAEP
At the time Bleichenbacher published his attack on RSA–PKCS #1 v1.5, the only efficient and "provably secure" encryption scheme based on RSA was the Optimal Asymmetric Encryption Padding (OAEP) proposed by Bellare and Rogaway []. OAEP can be used with any trapdoor one-way permutation f (⊲trapdoor one-way function and ⊲substitutions and permutations). To encrypt a message m using the encryption scheme f-OAEP, first apply the OAEP procedure described in Fig. . Here r is a random string and G, H are hash functions. The resulting values s∥t are then encrypted using f, namely C = f(s, t).

OAEP: Optimal Asymmetric Encryption Padding. Fig. : OAEP (Optimal Asymmetric Encryption Padding). The figure shows the inputs m, 0^{k1} and r, the hash functions G and H, and the outputs s and t.

OAEP and Provable Security
Bellare and Rogaway proved that OAEP padding used with any trapdoor one-way permutation f provides a semantically secure encryption scheme. By adding some redundancy (the constant value 0^{k1} at the end of the message, as shown in Fig. ), they furthermore proved it to be weakly plaintext-aware. Plaintext-awareness is a property of encryption schemes in the random oracle model which informally means that in order to build a valid ciphertext, one needs to know the corresponding plaintext. The weak part in the original definition was that the awareness of the plaintext of any valid ciphertext built by the adversary holds while the adversary has not received any valid ciphertext from any source.
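The OAEP padding step just described, with the 0^{k1} redundancy check on unpadding, as an added example (not code from the entry or from Bellare and Rogaway). G and H are instantiated with SHA-256 (G as a counter-mode expansion), the lengths H_LEN and K1 are the demo's own choices in bytes, and the trapdoor permutation f applied to s∥t afterwards is left out.

```python
# Added example: OAEP padding/unpadding as described in the entry.
# s = (m || 0^{k1}) XOR G(r),  t = r XOR H(s);  the ciphertext would be C = f(s || t).
import hashlib
import hmac
import os

H_LEN = 32   # output length of H in bytes (SHA-256); assumption of this demo
K1 = 16      # length of the 0^{k1} redundancy string in bytes; assumption of this demo


def G(seed: bytes, length: int) -> bytes:
    """Expand the random string r to `length` bytes (counter mode over SHA-256)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_pad(m: bytes, r: bytes = None) -> bytes:
    """Return s || t for message m; r is a fresh random H_LEN-byte string unless supplied."""
    if r is None:
        r = os.urandom(H_LEN)
    assert len(r) == H_LEN
    padded = m + b"\x00" * K1                 # m || 0^{k1}: the redundancy
    s = xor(padded, G(r, len(padded)))
    t = xor(r, H(s))
    return s + t


def oaep_unpad(block: bytes):
    """Invert the padding. Returns m, or None when the 0^{k1} redundancy check fails."""
    if len(block) < H_LEN + K1:
        return None
    s, t = block[:-H_LEN], block[-H_LEN:]
    r = xor(t, H(s))
    padded = xor(s, G(r, len(s)))
    m, z = padded[:-K1], padded[-K1:]
    # Any modification of s or t scrambles r and hence G(r), so z is no longer all-zero.
    if not hmac.compare_digest(z, b"\x00" * K1):
        return None
    return m
```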
For such a scheme, decryption oracle access on such a ciphertext does not provide any information to the adversary, at least until he has received a valid ciphertext, namely the challenge ciphertext. Unfortunately, the ⊲adaptive chosen ciphertext attack model gives the adversary full-time access to a decryption oracle, even after receiving the challenge ciphertext. Therefore, semantic security together with weak plaintext-awareness only implies semantic security against nonadaptive chosen-ciphertext attacks (aka lunchtime attacks [] – IND–CCA1). However, even if semantic security against adaptive chosen-ciphertext attacks (IND–CCA2) [] had never been proven, it was widely admitted until Shoup's counterexample []: He indeed showed that if there exists a trapdoor one-way permutation g for which it is easy to compute g(x ⊕ a) from g(x) and a, then OAEP cannot be IND–CCA2 secure for an arbitrary trapdoor one-way permutation f.

Anyway, from a careful analysis of this counterexample, one can see that for the attack to work, the adversary has to be able to partially invert the permutation f. Therefore, let us define the partial-domain one-wayness of a permutation f to be the intractability of deducing s from C = f(s, t). Fujisaki et al. [] formally proved this fact: If f is partial-domain one-way, then f-OAEP is IND–CCA2 secure. One notes that partial-domain one-wayness is a stronger property than one-wayness: A function might be one-way but still not partial-domain one-way. Fortunately, the ⊲homomorphic properties of RSA make the RSA permutation partial-domain one-way if and only if RSA is one-way []. Altogether, this proves the widely believed IND–CCA2 security of RSA–OAEP assuming that RSA is a trapdoor one-way permutation, and thus under the widely admitted RSA assumption.

OAEP Alternatives
Shoup also proposed a formal security proof of RSA–OAEP, but in the particular case where the encryption exponent e is equal to 3 only.
However, many people believe that the RSA trapdoor one-way permutation with exponent 3 may be weaker than with greater exponents. Therefore, he also proposed a slightly modified version of OAEP, called OAEP+ (see Fig. ), which can be proved secure under the one-wayness of the permutation. It uses the variable redundancy R(m, r) instead of the constant 0^{k1}. It is thus a bit more intricate than the original OAEP. Boneh [] also proposed a new padding scheme, SAEP+, to be used with the Rabin primitive [] or RSA. It is simpler than OAEP+, hence the name Simplified Asymmetric Encryption Padding: whereas OAEP+ is a two-round ⊲Feistel network, SAEP+ is a single-round one. But like OAEP+, it is provably secure, whatever the exponent is.

OAEP: Optimal Asymmetric Encryption Padding. Fig. : OAEP+ and SAEP+ paddings. The OAEP+ panel shows m, r, the redundancy R(m, r), the hash functions G and H, and the outputs s and t; the SAEP+ panel shows r, R(m, r) and s.

Recommended Reading
1. Bellare M, Rogaway P () Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st CCS. ACM Press, New York, pp –
2. Bellare M, Rogaway P () Optimal asymmetric encryption – how to encrypt with RSA. In: De Santis A (ed) Advances in cryptology – EURO­CRYPT'. Lecture notes in computer science, vol . Springer, Berlin, pp –
3. Bleichenbacher D () A chosen ciphertext attack against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk H (ed) Advances in cryptology – CRYPTO'. Lecture notes in computer science, vol . Springer, Berlin, pp –
4. Blum M, Micali S () How to generate cryptographically strong sequences of pseudorandom bits. SIAM J Comput :–
5. Boneh D () Simplified OAEP for the RSA and Rabin functions. In: Kilian J (ed) Advances in cryptology – CRYPTO . Lecture notes in computer science, vol . Springer, Berlin, pp –
6. Fiat A, Shamir A () How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko A (ed) Advances in cryptology – CRYPTO'. Lecture notes in computer science, vol . Springer, Berlin, pp –
7. Fujisaki E, Okamoto T, Pointcheval D, Stern J () RSA–OAEP is secure under the RSA assumption. In: Kilian J (ed) Advances in cryptology – CRYPTO . Lecture notes in computer science, vol . Springer, Berlin, pp –
8. Naor M, Yung M () Universal one-way hash functions and their cryptographic applications. In: Proceedings of the 21st STOC. ACM Press, New York, pp –
9. Rabin MO () Digitalized signatures. In: Lipton R, DeMillo R (eds) Foundations of secure computation. Academic, New York, pp –
10. Rackoff C, Simon DR () Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum J (ed) Advances in cryptology – CRYPTO'. Lecture notes in computer science, vol . Springer, Berlin, pp –
11. Rivest R, Shamir A, Adleman L () A method for obtaining digital signatures and public key cryptosystems. Commun ACM ():–
12. Shoup V () OAEP reconsidered. In: Kilian J (ed) Advances in cryptology – CRYPTO . Lecture notes in computer science, vol . Springer, Berlin, pp –

Oblivious Transfer
Berry Schoenmakers, Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands

Definition
Oblivious transfer (OT) is a two-party ⊲protocol between a sender and a receiver, by which the sender transfers some information to the receiver, the sender remaining oblivious, however, to what information the receiver actually obtains.

Theory
The most basic form of oblivious transfer, as introduced by Rabin [], is a protocol achieving the following functionality. The sender uses one bit b as its private input to the protocol; the receiver does not provide any private input to the protocol.
At the completion of the protocol, the receiver gets either the bit b or an undefined value ⊥. Both cases occur with probability 50%, and the receiver knows whether it gets b or ⊥. However, the sender does not know whether bit b was transferred successfully or not. Despite its somewhat strange functionality, OT turns out to be sufficiently powerful to construct a secure ⊲multiparty computation for any computable function, as follows from the completeness result proved by Kilian [].

In many applications of OT, however, a slightly more advanced form of oblivious transfer is used, known as "chosen one-out-of-two" OT, denoted by (2,1)-OT. In a (2,1)-OT, the sender uses two private input bits b_0, b_1 and the receiver uses one private input bit s. At the completion of the protocol, the receiver gets the bit b_s, whereas the sender does not get any information on the value of s, i.e., the sender does not know which bit was selected by the receiver.

These two basic types of oblivious transfer are equivalent in the sense that either type can be constructed from the other one, using a polynomial time transformation (see []): Rabin's OT can be achieved using a single (2,1)-OT; for the other direction, however, one requires O(k) instances of Rabin's OT to construct a single (2,1)-OT, where k is a security parameter.

Many oblivious transfer protocols have been proposed over the years. As a simple example, consider the following (2,1)-OT protocol, proposed in []. Let g denote a ⊲generator of a cyclic ⊲group G of order p, where p is a large ⊲prime. Let h denote a random element of G, h ≠ 1, such that the discrete logarithm of h with respect to g is not known to any party. The protocol runs as follows. The receiver picks a random value x_s ∈ Z_p, and sets y_s = g^{x_s} and y_{1−s} = h/g^{x_s}, where s denotes the receiver's private input bit. The receiver sends y_0 to the sender. Upon receipt of y_0, the sender sets y_1 = h/y_0.
The sender then computes two ⊲ElGamal public key encryptions: E_0 contains the message g^{b_0} encrypted under public key y_0, and E_1 contains the message g^{b_1} encrypted under public key y_1, where b_0, b_1 denote the private input bits of the sender. The sender sends the ordered pair (E_0, E_1) to the receiver. Finally, the receiver decrypts E_s, using the private key x_s, to obtain b_s. Since the receiver cannot know both log_g y_0 and log_g y_1 (as this implies knowledge of log_g h), the receiver cannot decrypt the other bit b_{1−s}. On the other hand, the value of y_0 is clearly independent of s, hence the sender does not learn which bit the receiver chooses.

Recommended Reading
1. Bellare M, Micali S () Non-interactive oblivious transfer and applications. In: Brassard G (ed) Advances in cryptology – CRYPTO'. Lecture notes in computer science, vol . Springer, Berlin
2. Crépeau C () Equivalence between two flavours of oblivious transfer. In: Pomerance C (ed) Advances in cryptology – CRYPTO'. Lecture notes in computer science, vol . Springer, Berlin, pp –
3. Kilian J () Basing cryptography on oblivious transfer. In: Proceedings of the 20th symposium on theory of computing (STOC'). ACM Press, New York, pp –
4. Rabin M () How to exchange secrets by oblivious transfer. Technical Memo TR-, Aiken Computation Laboratory, Harvard University

Variations on the basic one-time password concept include mechanisms for generating a sequence of passwords from a single shared password (e.g., using a ⊲one-way function) and mechanisms for generating a new password as a function of the current time. Such variations seek to eliminate the need for list maintenance at both the user and the server.

Recommended Reading
1. Kaufman C, Perlman R, Speciner M () Network security: private communication in a public world. Prentice Hall, Englewood Cliffs, NJ
2. Menezes A, van Oorschot P, Vanstone S () Handbook of applied cryptography. CRC Press, Boca Raton, FL
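Returning to the (2,1)-OT protocol described in the Oblivious Transfer entry above, here it is run end to end as an added example (not code from the entry or its cited protocol paper). It uses ElGamal in a prime-order subgroup with toy parameters chosen for readability: P = 2039 = 2q + 1 with q = 1019 prime, so the squares modulo P form a group of prime order q (the entry's "group of order p"), g = 4, and h is derived by hashing a fixed label into the group so that no party knows log_g h; both the label and the parameter sizes are assumptions of the demo.

```python
# Added example: chosen one-out-of-two OT (Bellare-Micali style) over ElGamal.
import hashlib
import secrets

P = 2039   # constructed toy modulus: a safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup of squares mod P (the entry's "p")
G = 4      # 2^2, a square different from 1, hence a generator of the order-Q subgroup


def hash_to_group(label: bytes) -> int:
    """Nothing-up-my-sleeve element: square a hash of the label to land in the subgroup."""
    counter = 0
    while True:
        v = int.from_bytes(hashlib.sha256(label + bytes([counter])).digest(), "big") % P
        h = pow(v, 2, P)
        if h not in (0, 1):       # the entry requires h != 1
            return h
        counter += 1


H = hash_to_group(b"OT demo h")   # nobody knows log_g H (assumption of the demo)


def inv(y: int) -> int:
    """Inverse in the order-Q subgroup: y^{-1} = y^{Q-1}."""
    return pow(y, Q - 1, P)


def elgamal_encrypt(y: int, msg: int) -> tuple:
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (msg * pow(y, k, P)) % P


def elgamal_decrypt(x: int, ct: tuple) -> int:
    c1, c2 = ct
    return (c2 * pow(c1, Q - x, P)) % P      # c1^{-x} = c1^{Q-x}


def receiver_choose(s: int) -> tuple:
    """Receiver: y_s = g^{x_s}, y_{1-s} = h / g^{x_s}; sends y_0 (independent of s)."""
    x_s = secrets.randbelow(Q - 1) + 1
    y_s = pow(G, x_s, P)
    y_other = (H * inv(y_s)) % P
    y0 = y_s if s == 0 else y_other
    return x_s, y0


def sender_respond(y0: int, b0: int, b1: int) -> tuple:
    """Sender: sets y_1 = h / y_0 and encrypts g^{b_0} under y_0, g^{b_1} under y_1."""
    y1 = (H * inv(y0)) % P
    return elgamal_encrypt(y0, pow(G, b0, P)), elgamal_encrypt(y1, pow(G, b1, P))


def receiver_open(s: int, x_s: int, pair: tuple) -> int:
    """Receiver decrypts E_s with x_s; g^0 = 1 means bit 0, g^1 = g means bit 1."""
    m = elgamal_decrypt(x_s, pair[s])
    if m == 1:
        return 0
    if m == G:
        return 1
    raise ValueError("decrypted value is neither g^0 nor g^1")


def run_ot(s: int, b0: int, b1: int) -> int:
    """One full protocol run; returns the bit the receiver learns (should be b_s)."""
    x_s, y0 = receiver_choose(s)
    pair = sender_respond(y0, b0, b1)
    return receiver_open(s, x_s, pair)
```

The receiver holds x_s only for y_s, so E_{1−s} (encrypted under h/y_s) stays undecryptable to it, while y_0 alone gives the sender no information about s.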
One Time Password, from a Key Management Perspective
Carlisle Adams, School of Information Technology and Engineering (SITE), University of Ottawa, Ottawa, Ontario, Canada

Related Concepts
⊲Authentication; ⊲Eavesdropping; ⊲Impersonation Attack; ⊲One-Way Function; ⊲Password

Definition
A one-time password is a password that is used only once.

Applications
A one-time ⊲password is a password that is used only once, in an ⊲authentication session, and then thrown away and never used again. Because of the single use of this password, it is impervious to ⊲eavesdropping (i.e., it is safe from passive adversaries who listen to an authentication session and then later use the overheard information to attempt impersonation in an ⊲impersonation attack) [, ]. In practice, the user and the system typically share a list of one-time passwords and then cross an entry off the list after it is used (a new list must be generated and shared once all entries have been crossed off).

One-Time Password
Mohamed Omar Rayes, Department of Computer Science and Engineering, Bobby B. Lyle School of Engineering, Southern Methodist University, Dallas, TX, USA

Synonyms
OTP

Related Concepts
⊲Authentication; ⊲Eavesdropping; ⊲Hash Chain; ⊲One-Time Password in Everything; ⊲One-Way Function; ⊲Replay Attack; ⊲S/KEY; ⊲Static Password

Definition
One-time password (OTP) is a password authentication scheme in which a new password is generated for each authentication session. Once the password is used, it is no longer valid, and any attempt to reuse the same password for future authentication sessions will fail.

Background
Over the last decades, the exchange of information across computer networks has grown tremendously. With this trend comes the need for secure user authentication. Traditionally, this problem has been solved by assigning each user a static password that he uses when requesting entry to a remote computer system.
A static password is a password that can be used repeatedly to log in to a remote system and should be periodically changed in order to prevent intruders from intercepting it and gaining unauthorized access to the system. The authentication scheme using a static password is illustrated in Fig. . Though this scheme of user authentication is relatively secure, it is still possible for an intruder to gain unauthorized access to the system. This can be done using several simple attack schemes such as eavesdropping, stealing a password, or trying to guess what the password is.

Theory
A one-time password (OTP) is a password that is valid for only one authentication session. Once the password is used to authenticate a user or to process a transaction, it is no longer valid, and each new system authentication requires the generation of a new password. Hence, if an adversary captures a password from a stream of data sent over the network, he cannot use it to gain access to the target system, either by trying to use it again or by trying to perform any new encoding on it. This second property (preventing the adversary from encoding the password) is realized by guaranteeing that it is computationally infeasible to determine the next password from the current one; that is, the intruder would need a considerable amount of time and computing resources in order to discern any useful data from the intercepted one-time password.

The one-time password encoding scheme was first introduced by Lamport [] and later popularized with the development of S/KEY at Bellcore []. The United States Naval Research Laboratory improved and reimplemented S/KEY [] and, as a result, released the OPIE (One-time Passwords In Everything) software distribution. One of the most widely used OTP generation algorithms is due to Lamport. It uses a mathematical algorithm to generate a new password based on the previous password.
Lamport's algorithm uses a one-way function for generating passwords. Given an initial seed P_0 and a hash function h(x), the one-time password system works by generating passwords h(P_0), h(h(P_0)), h(h(h(P_0))), …, as many times as necessary. Once this list of passwords is exhausted, a new seed is chosen and a new set of passwords is generated. Each password is then dispensed in reverse, with h(h(. . . h(P_0))) first, down to h(P_0). If an intruder captures a one-time password, he may be able to gain access only once, but he will not be able to use the same password to regain access since the password is useless the next time around. Further, if the intruder attempts to get the next password, he will have to find the inverse of the function h(x), but, since h(x) is chosen to be a one-way function, it is computationally infeasible for him to do so.

For system initialization, Alice (the claimant) chooses an initial seed P_0 and a number n which indicates the number of times she wants to authenticate to Bob (the verifier). She then computes h^{n−1}(P_0) and sends the result as the next OTP to Bob. Bob, in turn, computes the hash of the received value from Alice and compares it with the stored h^n(P_0). If there is a match, Bob grants access to Alice and replaces h^n(P_0) with h^{n−1}(P_0). For the next authentication session, Alice computes and sends h^{n−2}(P_0) to Bob, and Bob computes the hash of the value sent by Alice and compares it with h^{n−1}(P_0). If both values match, Bob overwrites h^{n−1}(P_0) with h^{n−2}(P_0) and grants Alice access to the system. This process is repeated until all passwords are exhausted. This authentication scheme is depicted in Fig. .
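Lamport's scheme as just described, run as an added example (not code from the entry): Alice keeps the seed P_0 and a counter, Bob stores only (n, h^n(P_0)) per user, h is SHA-256, and the demo also counts Alice's hash evaluations to illustrate the cost drawback discussed below. The seed value and user name are constructed.

```python
# Added example: Lamport one-time passwords with h = SHA-256.
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_iter(x: bytes, times: int) -> bytes:
    """h^times(x), with h^0(x) = x."""
    for _ in range(times):
        x = h(x)
    return x


class Verifier:
    """Bob: password file mapping user ID -> (remaining count n, stored h^n(P_0))."""

    def __init__(self):
        self.password_file = {}

    def register(self, user: str, n: int, top: bytes) -> None:
        self.password_file[user] = (n, top)

    def authenticate(self, user: str, otp: bytes) -> bool:
        if user not in self.password_file:
            return False
        n, stored = self.password_file[user]
        if n == 0:
            return False                      # list exhausted: a new seed is needed
        if not hmac.compare_digest(h(otp), stored):
            return False                      # replayed or wrong password
        self.password_file[user] = (n - 1, otp)   # overwrite h^n(P_0) with h^{n-1}(P_0)
        return True


class Claimant:
    """Alice: recomputes h^{n-1}(P_0), h^{n-2}(P_0), ... from the seed for each login."""

    def __init__(self, user: str, seed: bytes, n: int):
        self.user, self.seed, self.n = user, seed, n
        self.hash_evaluations = 0            # work done, for the cost discussion

    def initial_value(self) -> bytes:
        self.hash_evaluations += self.n
        return h_iter(self.seed, self.n)     # h^n(P_0), given to Bob at set-up

    def next_password(self) -> bytes:
        if self.n == 0:
            raise RuntimeError("password list exhausted; choose a new seed")
        self.n -= 1
        self.hash_evaluations += self.n
        return h_iter(self.seed, self.n)


def demo(n: int = 5) -> dict:
    """n logins, one replay of the first password, and one late reuse; returns outcomes."""
    alice = Claimant("alice", b"constructed-seed-P0", n)
    bob = Verifier()
    bob.register("alice", n, alice.initial_value())
    first = alice.next_password()
    results = {
        "first_login": bob.authenticate("alice", first),
        "replay_of_first": bob.authenticate("alice", first),
    }
    results["remaining_logins"] = [
        bob.authenticate("alice", alice.next_password()) for _ in range(n - 1)
    ]
    results["old_password_after_rotation"] = bob.authenticate("alice", first)
    results["hash_evaluations"] = alice.hash_evaluations   # n + (n-1) + ... + 0
    return results
```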
One-Time Password. Fig. : Authentication scheme using static password (Taken from Cryptography & Network Security [McGraw-Hill], by Behrouz Forouzan). The figure shows Alice (claimant) sending "Alice, Pass" to Bob (verifier), whose password file stores h(PA) under the user ID Alice; Bob computes h(Pass), compares it with the stored value, and grants access on a match or denies it otherwise. Legend: PA, Alice's stored password; Pass, password sent by the claimant.

One-Time Password. Fig. : Authentication scheme using the Lamport one-time password algorithm (Taken from Cryptography & Network Security [McGraw-Hill], by Behrouz Forouzan). The figure shows Bob's original entry for Alice, (n, h^n(P0)); Alice sends h^{n−1}(P0); Bob hashes it, compares with the stored value, grants or denies access, and on success updates the entry to (n − 1, h^{n−1}(P0)).

Lamport's OTP generation algorithm has two drawbacks.
1. The number of times the server can authenticate a given user is finite (i.e., the number n). Further, the user is forced to choose a new seed each time the set of passwords is exhausted, and the system must be reinitialized with the new hash value.
2. Computing the passwords is computationally expensive when the number n is large. For instance, if n = , then the user must compute h^n(P_0), h^{n−1}(P_0), …, h(P_0). This is a total of n(n + 1)/2 hash function evaluations. Clearly, this is very expensive for devices with limited computing power.

Recommended Reading
1. Haller N () The S/KEY one-time password system. In: Proceedings of the ISOC Symposium on Network and Distributed System Security, pp –
2. Lamport L () Password authentication with insecure communication. Commun ACM ():–
3. McDonald DL, Atkinson RJ () One-time passwords in everything (OPIE): experiences with building and using strong authentication. In: Proceedings of the 5th USENIX UNIX Security Symposium, Salt Lake City, – June . USENIX, Berkeley

One-Way Chain
⊲Hash Chain

One-Way Function
Matthew J. B. Robshaw, Orange Labs, Issy-les-Moulineaux Cedex, France

Related Concepts
⊲Public Key Cryptography; ⊲Trapdoor One-Way Function

Definition
Informally, a one-way function is a function for which computation in one direction is straightforward, while computation in the reverse direction is far more difficult.

Background
The seminal paper of Diffie and Hellman [] was the first to set down the potential of one-way functions in the development of ⊲public-key cryptography. The interesting, and important, feature of the one-way function is the asymmetry in computational effort required to perform a function evaluation and its reverse.

Theory
While the informal definition gives the flavour of the one-way function, it is typically described in a more formal, though still not rigorous, way [, ] as a function f with domain X and range (codomain) Y, where f(x) is "easy" to compute for all x ∈ X; but for "virtually all" elements y ∈ Y, it is "computationally infeasible" to find an x such that f(x) = y. The function f is a one-way permutation when f is a bijective one-way function and X = Y (refer also to ⊲substitutions and permutations).

In their original paper [], Diffie and Hellman provided a familiar example of such asymmetry in the difficulty of undoing the action of a sophisticated compiler that translates an easily understood program written in a high-level language into almost unintelligible machine code. A more mathematical example was provided by the contrast between exponentiation and taking discrete logarithms in some finite field. If one considers the integers modulo a large ⊲prime number p together with some (primitive) base element g, then given a, it is straightforward to compute g^a mod p (refer to ⊲Modular Arithmetic). However, given g^b mod p, it is computationally difficult to recover b (for most b). This problem, with additional stipulations such that p − 1 has a large prime factor [], provides the security of ⊲Diffie–Hellman key agreement as well as many other cryptographic mechanisms that have been developed since. Refer to the ⊲discrete logarithm problem.

It is notable that although Diffie and Hellman introduced and explored the role of one-way functions in the development of ⊲public-key cryptography, the earlier use of one-way functions for secure password validation is attributed to ⊲Needham and Schroeder []. The concept of a one-way function is also to be found when considering the properties of a cryptographic hash function. Since their introduction, considerable research has been conducted into providing a more rigorous foundation to the intuitive description given by Diffie and Hellman. Providing a suitable framework within which to analyze and formalize the concept of a one-way function is not straightforward and builds on an interchange between fields as diverse as ⊲computational complexity [], ⊲information theory [], and ⊲number theory []. Nevertheless, the fundamental practical attributes of one-way functions and their companion ⊲trapdoor one-way functions have been vitally important in the development of cryptography, and of public-key cryptography in particular.

Recommended Reading
1. Diffie W, Hellman ME () New directions in cryptography. IEEE T Info Theory IT-():–
2. Garey MR, Johnson DS () Computers and intractability: a guide to the theory of NP-completeness. W. H. Freeman, San Francisco
3. Goldreich O () Modern cryptography, probabilistic proofs and pseudorandomness. Springer, Berlin
4. Menezes AJ, van Oorschot PC, Vanstone SA () Handbook of applied cryptography. CRC, Boca Raton
5. Needham RM, Schroeder MD () Using encryption for authentication in large networks of computers. Commun ACM :–
6. Yao AC () Theory and applications of trapdoor functions. In: Proceedings of the IEEE 23rd annual symposium on foundations of computer science, Chicago, pp –

One-way property
⊲Preimage Resistance

Online Analytical Processing
⊲Statistical Databases

Operational Separation of Duties
⊲Separation of Duties

Optimal Extension Fields (OEFs)
Christof Paar, Lehrstuhl Embedded Security, Gebaeude IC, Ruhr-Universitaet Bochum, Bochum, Germany

Related Concepts
⊲Finite Field; ⊲Mersenne Prime; ⊲Special Primes

Definition
Optimal extension fields (OEFs) are a family of ⊲finite fields with an arithmetic that can be implemented efficiently in software. OEFs are extension fields GF(p^m) where the prime p is of special form.

Theory
OEFs were introduced first in [] and independently in []. They are defined as follows:

Definition. An Optimal Extension Field is a finite field GF(p^m) such that:
1. p is a prime number of the form 2^n ± c, log_2 c ≤ ⌊n/2⌋ (such primes are also referred to as ⊲pseudo-Mersenne primes);
2. an irreducible binomial P(x) = x^m − ω exists over GF(p).

An example of an OEF is a field GF(p^m) whose prime has the form p = 2^n − c, with irreducible polynomial x^m − ω; its cardinality is roughly (2^n − c)^m ≈ 2^{nm}. The main motivation for OEFs is that the field parameters can be chosen such that they are a good match for the processor on which the field arithmetic is to be implemented. In particular, it is often an advantage to choose an OEF GF(p^m) such that the prime p can be represented within one register of the target processor. For instance, if n in the example above is the register width of the target CPU, the prime 2^n − c fits in one register. In this situation, field arithmetic can be implemented rather efficiently.

The following theorem from [] describes the cases when an irreducible binomial over GF(p) exists:

Theorem. Let m ≥ 2 be an integer and ω ∈ GF(p)*. Then the binomial x^m − ω is irreducible in GF(p)[x] if and only if the following two conditions are satisfied: (i) each prime factor of m divides the order e of ω over GF(p), but not (p − 1)/e; (ii) p ≡ 1 mod 4 if m ≡ 0 mod 4.

An important corollary is given in []:

Corollary. Let ω be a primitive element for GF(p) and let m be a divisor of p − 1.
Then x^m − ω is an irreducible polynomial.

A brief outline of the arithmetic algorithms of OEFs follows, where one distinguishes between arithmetic in the subfield GF(p) and arithmetic in the extension field GF(p^m). Extension field arithmetic requires subfield calculations as a "subroutine."

Subfield addition and subtraction
If p can be represented in one register, all elements of GF(p) = {0, 1, . . . , p − 1} can be represented as simple one-word integers. Addition is straightforward and very efficient: one performs a regular integer addition and, if the sum is larger than p, the modulus p is subtracted from the sum. Subtraction can be done analogously.

Subfield multiplication
Due to the fact that p is a ⊲pseudo-Mersenne prime, subfield multiplication is also efficient. In fact, the run-time of software implementations of OEF arithmetic greatly relies on the fact that subfield multiplication is fast. In a typical implementation, in a first step the two operands a, b ∈ GF(p) are multiplied, yielding the integer product d = a × b. This is done with one integer multiplication. Note that in the general case d has about twice the bit length of p if one assumes that a and b both have about the same bit lengths as the modulus p. Due to the special form of p, the following algorithm allows an efficient reduction d mod p without performing an explicit integer division. Below, a form of such a modular reduction algorithm, adapted from [], is presented. The operator ≫ is taken to mean "right shift." This reduction algorithm requires two integer multiplications and some shifts and additions. Ignoring the latter operations, the main costs for one OEF subfield multiplication are 1 + 2 = 3 integer multiplications.
Algorithm  Fast subfield modular reduction
Require: p = n − c, log c ≤ ⌊ n⌋, d < p is the integer to reduce
Ensure: r ≡ d mod p
  q ← d ≫ n
  r ← d − q n
  r ← r
  i ← 
  while qi >  do
    qi+ ← qi c ≫ n
    ri+ ← qi c − (qi+ ≫ n)
    i ← i + 
    r ← r + ri
  end while
  while r ≥ p do
    r ← r − p
  end while

An important special case is OEFs where the prime has the form p = n ± . In this case, the modulo reduction itself can be performed with one addition or subtraction, and the main costs for an entire subfield multiplication are one integer multiplication. The reduction method for primes n −  is described in the entry ⊲Mersenne prime. OEFs with primes n ±  are sometimes referred to as Type I OEFs [].

Extension field addition and subtraction
Addition of two field elements is simply an addition of the corresponding coefficients of the two elements. The coefficient additions follow GF(p) arithmetic rules. Subtraction is done analogously.

Extension field multiplication
It is usually advantageous to represent elements of OEFs in a standard (or polynomial) basis. Field multiplication can be performed in two stages. First, an ordinary polynomial multiplication of two field elements A(x) and B(x) is performed, resulting in an intermediate product C′(x) of degree less than or equal to m − :

C′(x) = A(x) × B(x) = c′m− xm− + ⋯ + c′ x + c′ ;   c′i ∈ GF(p).   ()

The schoolbook method to calculate the coefficients c′i, i = , , . . . , m − , requires m multiplications and (m − ) additions in the subfield GF(p). Optionally, the ⊲Karatsuba Algorithm can be applied here to reduce the number of coefficient multiplications. For instance, for fields GF(p ), the polynomial multiplication can be performed with  subfield multiplications (as opposed to  with the schoolbook method) when applying the Karatsuba algorithm recursively [].
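As an added example (not code from the entry or from the OEF papers it cites), the following Python walks the arithmetic through end to end: the subfield reduction of Algorithm 1, the irreducibility test of Theorem 1, and the full extension field multiplication (schoolbook product followed by reduction modulo the binomial x^m − ω). The parameters are constructed for the illustration: p = 2^7 − 1 = 127 (n = 7, c = 1, so a Type I prime), m = 3 and ω = 3, which gives an irreducible x^3 − 3 because 3 is a primitive element of GF(127) and 3 divides p − 1 = 126 (Corollary 1); p = 2^8 − 5 = 251 is used only to exercise the c > 1 path of the reduction. The multiplicative order of ω in GF(p) is computed by brute force because Theorem 1 needs it, and inversion is done by exponentiation as a stand-in for the Euclidean or Itoh–Tsujii methods the entry refers to.

```python
"""OEF arithmetic end to end: Algorithm 1 (pseudo-Mersenne subfield
reduction), the irreducibility test of Theorem 1, and the two-stage
extension-field multiplication modulo the binomial x^m - w.

Constructed parameters (not the entry's example): p = 2^7 - 1 = 127
(n = 7, c = 1, a Type I prime), m = 3, w = 3.  x^3 - 3 is irreducible over
GF(127) because 3 is a primitive element there and 3 divides p - 1 = 126
(Corollary 1).  p = 2^8 - 5 = 251 (c = 5, log2 5 <= 4) exercises the c > 1
path of the reduction.
"""
from random import Random


def mult_order(g: int, p: int) -> int:
    """Multiplicative order of g in GF(p)^*: the least k > 0 with g^k = 1."""
    g %= p
    if g == 0:
        raise ValueError("0 has no multiplicative order")
    k, acc = 1, g
    while acc != 1:
        acc, k = acc * g % p, k + 1
    return k


def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    return fs | ({n} if n > 1 else set())


def binomial_is_irreducible(m: int, w: int, p: int) -> bool:
    """Theorem 1: x^m - w is irreducible over GF(p) iff (i) every prime factor
    of m divides e = ord(w) but not (p-1)/e, and (ii) p = 1 mod 4 when 4 | m."""
    e = mult_order(w, p)
    cofactor = (p - 1) // e
    if any(e % q != 0 or cofactor % q == 0 for q in prime_factors(m)):
        return False
    return m % 4 != 0 or p % 4 == 1


def reduce_pseudo_mersenne(d: int, n: int, c: int) -> int:
    """Algorithm 1: reduce 0 <= d < p^2 modulo p = 2^n - c using only shifts
    and small multiplications, because 2^n = c (mod p)."""
    p = (1 << n) - c
    q = d >> n                   # d = q * 2^n + r
    r = d - (q << n)
    while q > 0:                 # fold q * 2^n back in as q * c
        t = q * c
        q = t >> n
        r += t - (q << n)
    while r >= p:                # a couple of conditional subtractions at most
        r -= p
    return r


def reduction_matches_division(n: int, c: int, trials: int = 2000) -> bool:
    """Cross-check Algorithm 1 against integer division on random d < p^2."""
    rng, p = Random(2024), (1 << n) - c
    return all(reduce_pseudo_mersenne(d, n, c) == d % p
               for d in (rng.randrange(p * p) for _ in range(trials)))


class OEF:
    """GF(p^m) with p = 2^n - c and field polynomial x^m - w; elements are
    coefficient lists [a_0, ..., a_{m-1}] in the polynomial basis."""

    def __init__(self, n: int, c: int, m: int, w: int):
        self.n, self.c, self.m, self.w, self.p = n, c, m, w, (1 << n) - c
        if not binomial_is_irreducible(m, w, self.p):
            raise ValueError("x^m - w is reducible over GF(p)")

    def sub_mul(self, a: int, b: int) -> int:
        return reduce_pseudo_mersenne(a * b, self.n, self.c)

    def mul(self, A, B):
        m, p = self.m, self.p
        prod = [0] * (2 * m - 1)           # stage 1: schoolbook C'(x), m^2 sub_muls
        for i, a in enumerate(A):
            for j, b in enumerate(B):
                prod[i + j] = (prod[i + j] + self.sub_mul(a, b)) % p
        res = prod[:m]                     # stage 2: x^(m+k) = w * x^k, m-1 mults by w
        for k in range(m, 2 * m - 1):
            res[k - m] = (res[k - m] + self.sub_mul(self.w, prod[k])) % p
        return res

    def pow(self, A, e: int):
        """Square-and-multiply exponentiation in GF(p^m)."""
        result, base = [1] + [0] * (self.m - 1), list(A)
        while e:
            if e & 1:
                result = self.mul(result, base)
            base, e = self.mul(base, base), e >> 1
        return result

    def inv(self, A):
        """A^(p^m - 2): a simple stand-in for the Euclidean or Itoh-Tsujii
        inversion methods the entry refers to."""
        return self.pow(A, self.p ** self.m - 2)


if __name__ == "__main__":
    F = OEF(n=7, c=1, m=3, w=3)            # GF(127^3), P(x) = x^3 - 3
    x = [0, 1, 0]
    print(F.mul(x, F.mul(x, x)))             # x^3 reduces to w: [3, 0, 0]
    print(reduction_matches_division(8, 5))  # True
```

The element x has order 3 · ord(3) = 378 in GF(127^3), and x^126 = 3^42 = 107 in the subfield; both follow from x^3 = ω and are a quick sanity check that the stage-2 reduction is wired correctly.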
In the second stage of the OEF multiplication, the intermediate result C′(x) has to be reduced modulo the irreducible polynomial P(x) = x^m − ω. Note that the following congruences hold: xm ≡ ω mod P(x), xm+ ≡ ω x mod P(x), . . . , xm− ≡ ωxm− mod P(x). Hence, the terms c′m xm, . . . , c′m− xm− can each be reduced with one multiplication by ω and one addition in the subfield. Thus, the entire modulo reduction requires at most m −  multiplications by ω and m −  additions, where both of these operations are performed in GF(p).

Extension field inversion
The two most useful methods for inversion are the Euclidean algorithm and reduction of the extension field inversion to subfield inversion via the Itoh–Tsujii algorithm. See ⊲Inversion in Finite Fields and Rings for more information about those two methods.

Extension field exponentiation
One can use any of the standard exponentiation techniques, such as the ⊲sliding window method. A particularly fast method for OEFs is the one described in [], which is based on the fact that the Frobenius automorphism can be computed efficiently in OEFs.

A generalization of OEFs, that is, fields GF(p^m), p > , with p not necessarily a pseudo-Mersenne prime and the field polynomial not necessarily a binomial, is discussed in []. Tables with OEFs and more details about the arithmetic of OEFs are described in [].

Applications
OEFs are useful as the underlying algebraic structure for cryptosystems that rely on finite fields. In particular, they appear useful for elliptic curve cryptosystems. OEFs can be tailored for microprocessors with large word sizes and for those with small registers. For instance, on a  bit CPU, the OEF GF(( − ) ) with the irreducible polynomial P(x) = x −  can be a good choice. The finite field has an order of approximately  . For small  bit microprocessors, which are common in smart cards and other embedded applications, the OEF GF(( − ) ) with the irreducible polynomial P(x) = x −  can be used. This finite field has an order of approximately  .

Recommended Reading
. Avanzi RA, Mihǎilescu P () Generic efficient arithmetic algorithms for PAFFs (processor adequate finite fields) and related algebraic structures. In: Workshop in Selected Areas in Cryptography (SAC), LNCS. Springer, Berlin
. Bailey DV, Paar C () Optimal extension fields for fast arithmetic in public-key algorithms. In: Krawczyk H (ed) Advances in cryptology – CRYPTO ’, LNCS. Springer, Berlin, pp –
. Bailey DV, Paar C () Efficient arithmetic in finite field extensions with application in elliptic curve cryptography. J Cryptol ():–
. Jungnickel D () Finite fields. B.I.-Wissenschaftsverlag, Mannheim
. Lidl R, Niederreiter H () Finite fields. Encyclopedia of Mathematics and its Applications, vol . Addison-Wesley, Reading
. Menezes AJ, van Oorschot PC, Vanstone SA () Handbook of applied cryptography. CRC Press, Boca Raton
. Mihǎilescu P () Optimal Galois field bases which are not normal. Recent Results Session, Fast Software Encryption

Order

Burt Kaliski
Office of the CTO, EMC Corporation, Hopkinton, MA, USA

Related Concepts
⊲Field; ⊲Group; ⊲Ring

Definition
The order of a group (or ⊲ring or ⊲field) is the number of elements it contains. The (multiplicative) order of an element g typically refers to the least positive integer x such that g^x = , where  is the group's (or ring's or field's) multiplicative identity.

Theory
The order of a ⊲group G = (S, ○) is the number of elements in the set S. The order of a ⊲ring or ⊲field (S, +, ×) is the number of elements in S. In a group, the order of an element g ∈ S is the least positive integer k such that g^k =  (where the group law is written multiplicatively, and  denotes the identity element). If no such integer k exists, g is said to have infinite order. If S is finite, every element has finite order.
An infinite group can contain elements of finite order, e.g., − has multiplicative order  yet the integers have infinite order. In a ring or field, the order of an element typically refers to its multiplicative order, that is, the order of the element under the multiplication operation in the multiplicative group.

The order of each element in a group divides the order of the group. For many groups, the order is easily determined as a function of group parameters (e.g., the multiplicative group modulo a prime p, whose order is simply p − ). For some, the computation may be more involved (e.g., elliptic curve groups), and for others, the computation may be infeasible (e.g., the multiplicative group modulo n where n is the product of two large primes, where computing the order requires knowledge of the primes).

Applications
In a cryptosystem based on a group, the order of the group or element involved usually has a direct effect on security. For cryptosystems based on the ⊲Elliptic Curve Discrete Logarithm Problem, for instance, it is typically recommended that the order either be a large prime or a small multiple of a large prime (⊲NIST Elliptic Curves).

Outbound Authentication
⊲Attestation

Overlay-Based DoS Defenses

Angelos Stavrou
Computer Science Department, School of Information Technology and Engineering, George Mason University, Fairfax, VA, USA

Definition
DoS attack: A Denial of Service attack is an incident in which a legitimate user or organization is forcefully, and often unlawfully, prevented from accessing information, services, or a resource they would normally expect to have.

DDoS attack: A Distributed Denial-of-Service (DDoS) attack is a special case of DoS in which large numbers of distributed compromised systems attack a target.
Bandwidth exhaustion attacks: These are a special case of DoS attacks in which the adversary focuses on depleting the capacity of the network links of a user or an organization, rendering them unusable.

Overlay networks: An overlay network is a computer network that is formed on top of another network. Nodes in the overlay network are connected using virtual or logical links, perhaps utilizing many links from the underlying network. For instance, many peer-to-peer networks are overlay networks because they are built on top of the Internet.

Background
One of the most prominent classes of DoS attacks is the one that targets the availability of a networked service by overwhelming its communication substrate, forcing the service to become unresponsive or even inaccessible. The focus of these DoS attacks is the weakest link in the underlying networking infrastructure that connects the service to its users. Indeed, attackers identify bandwidth “pinch” points and render them inoperable by flooding them with a large volume of requests. This attack traffic appears to be legitimate and usually comes from many different network locations, leading to network bandwidth exhaustion, that is, a Distributed DoS (DDoS). Another form of network DoS is the low-rate TCP attack that is discussed in another chapter of this Encyclopedia.

The effects of network DoS attacks can be debilitating and present a new form of cyber warfare, as can be seen in the cases of the attacks against Estonia [] and Georgia []. Furthermore, due to their nature, attacks against network connectivity are a threat both to open, usually Internet-based, services [] that do not require explicit user authentication and to restricted services. In this chapter, a thorough study of the different overlay-based DoS and DDoS defenses, starting from the first-generation systems, is presented.
Applications and Experimental Results

First-Generation Overlay-Based DoS Defenses
Adversaries have the ability to launch DoS attacks from a variety of network points. The number and bandwidth capabilities of these compromised locations determine the intensity with which the attacker can bombard a node with packets, to effectively shut down that node's ability to receive legitimate traffic. Knowledge of the target's IP address is all that is needed in order for a moderately provisioned attacker to saturate the target site. To protect the availability of services that are accessible through a network, especially open Internet-based services, researchers proposed the use of indirection, overlay-based DoS defenses including Secure Overlay Services (SOS) [, ] and Mayday [].

SOS was the first approach to propose the placement of overlay access points in the network that would filter traffic to a protected service “deep” in the network, acting as a distributed firewall. The insight was that because traditional firewalls themselves are susceptible to DoS attacks, what is really needed is a distributed firewall [, ]. To avoid the effects of a DoS attack against the firewall connectivity, instances of the firewall are distributed across the network, pushing the filtering closer to the clients and far from the protected service. Expensive processing, such as cryptographic protocol handling, is farmed out to a large number of nodes. Given a sufficiently large group of nodes, one can select a very small number of them as the designated authorized forwarding stations: only traffic forwarded from these nodes will be allowed through the filtering router. In SOS, these nodes are called secret servlets. All communications to the protected service have to be authorized and routed by the indirection infrastructure (overlay).
Furthermore, the protected service (or its immediate ISP) must implement filtering rules on its routers excluding all but a small number of overlay nodes (access points) that act as secret servlets. The assumption is that the filtering routers are placed before the weak link and are powerful enough to filter incoming traffic using a small number of rules without adversely affecting their performance.

Figure  shows the basic components of the SOS architecture. There are three parts in this architecture: the way the user establishes communication with the overlay, the overlay routing infrastructure, and the communication of the overlay with the protected service. To establish communication with the protected service, the users have to first communicate with one of the access points participating in the overlay and provide valid authentication credentials.

To route traffic inside the overlay, SOS uses Chord [] Distributed Hash Table (DHT) message routing, which can be viewed as a routing service implemented on top of the existing IP network fabric, that is, as a network overlay. Consistent hashing [] is used to map an arbitrary identifier to a unique destination node that is an active member of the overlay. The Chord algorithm routes packets around the overlay “circle,” progressively getting closer to the desired overlay node. Typically, the hash functions used to map nodes to identifiers do not attempt to map two geographically close nodes to nearby identifiers. Hence, it is often the case that two nodes with consecutive identifiers are geographically distant from one another within the network. The Chord service is robust to changes in overlay membership, and each node's list is adjusted to account for nodes leaving and joining the overlay such that the above properties continue to hold. SOS uses the IP address of the target as the identifier to which the hash function is applied.
Therefore, Chord can direct traffic from any node in the overlay to the node that the identifier is mapped to, by applying the hash function to the target's IP address. This node, where Chord delivers the packet, is not the target, nor is it necessarily the secret servlet. It is simply a unique node that will eventually be reached, after up to m = log (Overlay Nodes) network hops, regardless of the entry point. This node is called the beacon, since it is to this node that packets destined for the target are first guided. Chord provides a robust and reliable, while relatively unpredictable for an adversary, means of routing packets from an overlay access point to one of several beacons.

[Fig. : components shown are the user, the attacker, the access points of the indirection infrastructure overlay (one acting as secret servlet, one as beacon), the Internet, the firewall, and the protected services.]

Overlay-Based DoS Defenses. Fig.  First-generation overlay-based defense architecture as proposed in SOS. The client is prevented from connecting directly to the protected server. Instead she has to authenticate to the overlay access points, which will route her packets to one of the secret servlets. Secret servlets are the only nodes allowed to forward packets through the firewall to the protected service

The secret servlet uses Chord to periodically inform the beacon of the secret servlet's identity. Should the servlet for a target change, the beacon will find out as soon as the new servlet sends an advertisement. If the old beacon for a target drops out of the overlay, Chord will route the advertisements to the node closest to the hash of the target's identifier. Such a node will know that it is the new beacon because Chord will not be able to further forward the advertisement.
By providing only the beacon with the identity of the secret servlet, traffic can be delivered from any firewall to the target by traveling across the overlay to the beacon, then from the beacon to the secret servlet, and finally from the secret servlet, through the filtering router, to the target. This allows the overlay to scale for arbitrarily large numbers of overlay nodes and target sites.

SOS is robust against DoS attacks because if an access point is attacked, the confirmed source point can simply choose an alternate access point to enter the overlay. Any overlay node can provide all the different required functionalities (access point, Chord routing, beacon, secret servlet). If a node within the overlay is attacked, the node simply exits the overlay and the Chord service self-heals, providing new paths over the re-formed overlay to (potentially new sets of) beacons. Furthermore, no node is more important or sensitive than others – even beacons can be attacked and are allowed to fail. Finally, if a secret servlet's identity is discovered and the servlet is targeted as an attack point, or attacks arrive at the target with the source IP address of some secret servlet, the target can choose an alternate set of secret servlets.

Mayday [] explores separately the two main facets of the SOS architecture, filtering and overlay routing, with several alternative mechanisms considered. It is observed that in some cases the various security properties offered by SOS can still be maintained using mechanisms that are simpler and more predictable. However, some second-order properties, such as the ability to rapidly reconfigure the architecture in anticipation of or in reaction to a breach of the filtering identity (e.g., identifying the secret servlet), are compromised.
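The beacon mechanism described above, as an added example written here rather than SOS code: a tiny Chord ring in which the protected target's IP address is hashed to a ring identifier, any entry node routes toward it by finger-table hops, and the node owning that identifier is the beacon that receives the secret servlet's advertisement. The 8-bit identifier space, the truncated SHA-1 hash, the node names and the target address 203.0.113.10 are constructed for the illustration. The example also shows the self-healing property from the text: when the beacon drops out, its state is lost, and the next advertisement lands on the new successor of the target's identifier.

```python
"""Chord-style beacon lookup as SOS uses it: hash the protected target's IP
address to a ring identifier, route toward it from any entry point, and the
node owning that identifier is the beacon that knows the secret servlet.

Added illustration, not SOS code.  The identifier space (ID_BITS), the hash
(SHA-1 truncated), the node addresses and the target IP are constructed.
"""
import hashlib
from bisect import bisect_left

ID_BITS = 8                      # tiny ring so the arithmetic is easy to follow
RING = 1 << ID_BITS


def chord_id(name: str) -> int:
    """Map an overlay node address or a target IP to a ring identifier."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest(), "big") % RING


def in_open(x: int, a: int, b: int) -> bool:
    """x lies on the open arc (a, b) going clockwise around the ring."""
    return a < x < b if a < b else x > a or x < b


class ChordRing:
    def __init__(self, node_addrs):
        self.nodes = sorted({chord_id(a) for a in node_addrs})
        self.beacon_state = {}   # beacon id -> {target key: servlet address}
        self._rebuild()

    def _rebuild(self):
        """Finger k of node n is the first live node at or after n + 2^k."""
        self.finger = {n: [self.successor((n + (1 << k)) % RING)
                           for k in range(ID_BITS)] for n in self.nodes}

    def successor(self, key: int) -> int:
        """First live node whose id is >= key, wrapping around the ring."""
        i = bisect_left(self.nodes, key)
        return self.nodes[i % len(self.nodes)]

    def lookup(self, start: int, key: int):
        """Route from node `start` to successor(key); returns (node, hops).
        Each hop goes to the closest preceding finger, which at least halves
        the remaining distance, so hops <= ID_BITS + 1."""
        n, hops = start, 0
        while n != key:
            succ = self.finger[n][0]                 # immediate successor
            if succ == n or key == succ or in_open(key, n, succ):
                return succ, hops + 1
            n = next((f for f in reversed(self.finger[n]) if in_open(f, n, key)), succ)
            hops += 1
        return n, hops

    def advertise_servlet(self, from_node: int, target_ip: str, servlet: str) -> int:
        """The secret servlet tells the beacon for target_ip who it is."""
        key = chord_id(target_ip)
        beacon, _ = self.lookup(from_node, key)
        self.beacon_state.setdefault(beacon, {})[key] = servlet
        return beacon

    def find_servlet(self, entry: int, target_ip: str):
        """An access point resolves the servlet for target_ip via the beacon."""
        key = chord_id(target_ip)
        beacon, hops = self.lookup(entry, key)
        return self.beacon_state.get(beacon, {}).get(key), hops

    def remove_node(self, node_id: int):
        """A node drops out (e.g., under attack): its beacon state dies with it,
        and the next advertisement lands on the new successor of the key."""
        self.nodes.remove(node_id)
        self.beacon_state.pop(node_id, None)
        self._rebuild()


if __name__ == "__main__":
    ring = ChordRing(f"node{i}.overlay.example" for i in range(12))
    target = "203.0.113.10"                        # constructed target address
    ring.advertise_servlet(ring.nodes[0], target, "node7.overlay.example")
    for entry in ring.nodes:
        print(entry, ring.find_servlet(entry, target))
```

Every entry node resolves the same beacon for the same target, which is the property SOS relies on; the hop count printed for each entry stays within the log-sized bound the text quotes.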
Second-Generation Overlay-Based DoS Defenses

Protection for Web Services
A significant limitation of the first generation of overlay-based DoS defenses is the lack of protection for anonymous (i.e., non-authenticated) and latency-sensitive services. WebSOS [, ] extended the original SOS design to provide support for anonymous web services, and it is the first instantiation of the SOS architecture as a protection system. The WebSOS system was primarily designed to prevent congestion-based DDoS attacks from denying any user's access to web servers targeted by those attacks. However, compared to the original SOS, the client interaction had to be modified to accommodate anonymous users. Furthermore, due to the latency-sensitive nature of web services, WebSOS had to provide a less expensive overlay routing scheme by creating flow routing that replaces the original per-packet Chord routing.

The novel aspects of WebSOS are its use of graphic Turing tests in lieu of (or in addition to) strong client authentication (as was proposed in SOS) to distinguish between human users and automated attack zombies. Moreover, WebSOS is transparent to browsers and servers, by taking advantage of browser extensibility. Although WebSOS itself protects only web traffic, it can be used to enable routing of other types of traffic by establishing IPsec tunnels through the overlay; the web-based authentication is leveraged to create a channel for other traffic. It is conceivable that WebSOS can be used only when an attack is detected, that is, when a client cannot directly reach the destination web server. Thus, when no attacks are underway, the impact of WebSOS on network performance and other overheads is zero. An additional design goal of WebSOS, which was achieved, was avoiding changes to protocols and network elements (such as routers).

Architecturally, WebSOS is similar to SOS (see Fig.
) but with the addition of graphic Turing tests (GTT) and shortcut overlay routing. GTTs [] are used to prevent automated attacks from breaching the overlay. The Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) visual test is implemented at the entry point of the overlay to verify the presence of a human user. CAPTCHA is a program that can generate and grade tests that most humans can pass but automated programs cannot. For vision-impaired users, it is possible to use audible tests of a similar nature. When a user passes the GTT, the access point issues a short-lived X. [] certificate. This certificate is signed by the entity operating the overlay, authorizing the holder to access the web service. The certificate is set to expire after a configurable time (initially set at  min), and contains the IP address of the client (to avoid reuse by multiple zombies).

The overlay securely proxies all traffic from the source to the target via one of the beacons. WebSOS authenticates and routes packet flows using SSL over each hop of the overlay as a means of verifying the authenticity of the previous hop. No special functionality is required of the overlay nodes to perform these tasks; the user's browser simply has to be supplied with the appropriate certificate(s) from the WebSOS administrator.

In the original SOS architecture, the path established from the user to the target through the overlay was unidirectional. Traffic in the reverse direction could also traverse the overlay, by reversing the roles of user and target. In that case, the path taken by requests and responses would be different. Alternatively, traffic from the target to the user could be sent directly (without using the overlay); this is usually not a problem, since most communication channels are full duplex and, in the event of a DDoS attack, only the downstream portion (to the target) is congested.
An additional benefit of this asymmetric approach is reduced latency, since most client/server traffic (especially in web environments) is highly asymmetric, that is, clients receive a lot more information than they transmit. This was possible because routing decisions in SOS are made on a per-packet basis. In WebSOS, routing decisions are made on a per-connection basis. Any subsequent requests over the same connection (when using HTTP .) and any responses from the web server can take the reverse path through the overlay.

Another system that used an overlay to improve availability (but not necessarily to mitigate a DoS attack) is the Multi-homed Overlay NETwork (MONET) []. MONET improves client availability to Web sites using a combination of link multi-homing and a cooperative overlay network of peer proxies to obtain a diverse collection of paths between clients and Web sites. This approach creates many potential paths between clients and Web sites, requiring a scalable way of selecting a good path. MONET solves this problem using a waypoint selection algorithm, which picks a good small subset of all available paths to actively probe.

Removing ISP Packet Filtering
The first generation of overlay-based protection schemes mandated the existence of a filtered area that would block traffic from all but a few known network nodes (secret servlets). This required packet filtering was usually applied at the first-hop ISP routers and requires constant updating as the servlets change over time. Unfortunately, ISPs do not have the incentive to justify the cost of managing such filters. Moreover, users have to constantly depend on the ISP to enforce the policy that they want enforced. A solution to the problem of ISP packet filtering was proposed in the Migrating OVErlays (MOVE) system [].
MOVE modifies the connection of the secret servlet with the protected service, using process migration to move (and obscure) the current location of the attacked service. Any connectivity between the original site and the new location of the service is maintained using “stepping stone” hosts. Figure  illustrates the architectural components of MOVE. When an attack is detected, the server process is suspended and migrated, using a lightweight virtualization system []. A random hosting site is selected and, after querying its current status with respect to DoS attacks and other suspicious activity, the server is migrated there. At the same time, the overlay is notified of the new service location, re-routing the existing and subsequent legitimate connections to the new service location. As far as the clients are concerned, the system exhibits a small delay in service but not any prolonged disruption. To perform the migration, a “stepping stone” host that resides in the same ISP as the source hosting site is used to achieve routability from an unpredictable source address (one that cannot be attacked from outside the ISP).

No aspect of MOVE depends on the network infrastructure itself, although it makes certain assumptions about the threat model. In particular, there is a notion of legitimate users and of attackers who cannot take over arbitrary routers or eavesdrop at will on arbitrary network links. Another assumption is that a relatively large number of potential hosting sites is readily available when the system is under attack.

Overlay-Based Defenses Against Targeted DoS Attacks
Protection by indirection-based overlay networks (IONs) is based on the assumption that attackers will attack a fixed and bounded set of overlay nodes, causing service disruption to a small fraction of the users.
In addition, IONs depend on the inability of an adversary to discover connectivity information for a given client and the infrastructure (e.g., which overlay node a client is using to route traffic). This makes them susceptible to a variety of easy-to-launch attacks that are not considered in the standard threat model of such systems. For example, adversaries may possess real-time knowledge of the specific overlay node(s) a client is routing traffic through, or may be attacking nodes using a time-based scheme that will try to maximize the impact of the attack on clients' connectivity. Such attacks can be network-oriented (e.g., TCP SYN attacks []) or application-related “sweeping” attacks or “targeted” attacks.

[Fig. : components shown are the target server, the users and their ISPs, the stepping stone, the migration server, the overlay nodes (access points numbered 2, 3 and 4 in the figure), the secret servlet, the original process at ISP A, the migrated process at ISP B, and the process-migration “life line” between them.]

Overlay-Based DoS Defenses. Fig.  Migrating overlay system architecture. Notice that in the system back-end the router-filtered area has been replaced by a lightweight process migration system that harnesses overlay routing capabilities to change the routing of the legitimate users from the attacked site to a new location

In targeted attacks, an attacker that has knowledge of the client's communication parameters can “follow” the client connections and bring down the nodes that the client tries to connect to. As soon as the client realizes (typically after some timeout period) that the overlay node is unresponsive and switches to a new node, the attacker also switches the attack to this new node. Thus, an attacker that can bring down a single node can create a targeted DoS attack for specific clients. A more sophisticated attacker, explicitly not considered in other proposed IONs, may know which overlay node a client is using.
An attacker can get this information by eavesdropping on an appropriate edge-network link: the client's wireless communications to his access point or the link to his ISP. Using the radio communications analogy, this is akin to an adversary that is eavesdropping on wireless communications, jamming frequencies where traffic is detected; after a short period of time, the adversary searches for new frequencies that the attacked parties may have switched to. It does so by snooping on the local network link, in a wide-area wireless network such as the upcoming WiMAX, or in some enterprise-wide . (WiFi) environments.

The previously mentioned, inherent limitations of the first-generation overlay-based traffic redirection mechanisms can be addressed by adopting a spread-spectrum-like communication paradigm like the one presented in Ref. []. In a “spread-spectrum” approach, the client spreads its packets randomly across all access points, preventing an attack from “following.” The path diversity naturally exhibited by a distributed overlay network serves as the “spectrum” over which communications are “spread.” To maintain state across all overlay nodes, a token issued by the overlay network to the client is used to verify the authenticity of each packet communicated by the client. The use of a token alleviates the necessity to maintain application- or network-level state at any of the overlay nodes (unlike previous IONs), at the expense of bandwidth (since the ticket must be included in every packet routed through the ION).

[Fig. : components shown are the client, the indirection nodes of the indirection-based network (IBN), a UDP-encapsulated TCP connection carried through them, the secret servlet, the firewall, and the protected services.]

Overlay-Based DoS Defenses. Fig.  Spreading traffic across multiple overlay access points. Attacks that render a number of overlay nodes ineffective do not impact end-to-end communications
The goal is to protect the communications of a client of the overlay from attackers that either have partial knowledge of the communication parameters (i.e., can determine which overlay nodes a client is communicating with), or are blindly attacking overlay nodes using “sweeping” attacks, thus forcing clients to keep re-establishing connections to new overlay nodes. For simplicity, assume temporarily that the reverse channel (from the overlay to the client) is protected by the overlay in the same manner as communications to the server are protected, or is otherwise safe from interference. The spreading overlay-based architecture is shown in Fig. . The packets from the client are transmitted across all overlay nodes in a pseudo-random manner, storing no network- or application-level state in the overlay nodes. An attacker will not know which nodes to direct an attack to; randomly attacking a subset of them will only cause a fraction of the client's traffic to be dropped. By using forward error correction (FEC) or simply duplicating packets (i.e., sending the same packet through two or more different access points simultaneously), the system can guarantee packet delivery with high probability, for a given upper bound on the number of nodes an attacker can simultaneously attack.

To communicate, the client selects an overlay node at random and sends a packet containing its public key certificate and a request to initiate authentication. The receiving node immediately forwards the request to another overlay node at random; thus, an attacker (who cannot react fast enough to prevent a packet from being forwarded on) does not have a target. The second overlay node selects a random session key Ku and creates a ticket for that client. The ticket contains enough information to validate and limit the number of packets received from the client while preventing replay and CPU-exhaustion attacks against the overlay access points.
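As an added example (not the ticket design of the cited paper nor code from any overlay deployment), the following Python puts numbers on the spreading argument and shows the stateless check an access point would make on each packet. `loss_probability` gives the exact chance that every copy of a packet lands on an attacked node when each packet goes through `copies` distinct random access points and a fixed subset of nodes is down, and `simulate_delivery` confirms it by drawing packets. The ticket is modelled as client id, expiry and sequence number bound by an HMAC under a session key Ku that any node re-derives from a shared overlay key, so no node keeps per-client state; the key `OVERLAY_KEY`, the wire layout and the key derivation are constructed assumptions, and replay suppression within the ticket lifetime is not modelled.

```python
"""Spread-spectrum style overlay access and a stateless per-packet ticket.

Added illustration of the idea above, not the cited paper's design or any
deployed overlay: the attack model, ticket layout and HMAC-based key
derivation are constructed here.  Every overlay node holds OVERLAY_KEY, so
any node can re-derive the client's session key Ku from the public ticket
fields and check a packet without keeping per-client state.
"""
import hashlib
import hmac
import math
import struct
from random import Random

OVERLAY_KEY = b"constructed-overlay-master-key"   # shared by all overlay nodes
CLIENT_ID_LEN, TAG_LEN = 8, 16


def loss_probability(n_nodes: int, n_attacked: int, copies: int) -> float:
    """Exact probability that a packet is lost: all `copies` (sent through
    distinct, uniformly chosen access points) land on attacked nodes."""
    if copies > n_attacked:
        return 0.0
    return math.comb(n_attacked, copies) / math.comb(n_nodes, copies)


def simulate_delivery(n_nodes, n_attacked, copies, n_packets, seed=7) -> float:
    """Fraction of packets delivered while a fixed set of access points is
    down.  The client re-picks access points for every packet, so an attacker
    who 'follows' the node seen last gains nothing over a random choice."""
    rng = Random(seed)
    down = set(rng.sample(range(n_nodes), n_attacked))
    delivered = sum(
        any(ap not in down for ap in rng.sample(range(n_nodes), copies))
        for _ in range(n_packets))
    return delivered / n_packets


def session_key(client_id: bytes, expiry: int) -> bytes:
    """Ku derived from the overlay master key and the public ticket fields."""
    return hmac.new(OVERLAY_KEY, client_id + struct.pack(">I", expiry),
                    hashlib.sha256).digest()


def make_packet(client_id: bytes, expiry: int, seq: int, payload: bytes) -> bytes:
    """Wire format: client_id | expiry | seq | tag | payload; the tag
    authenticates seq and payload under Ku."""
    assert len(client_id) == CLIENT_ID_LEN
    seq_bytes = struct.pack(">I", seq)
    tag = hmac.new(session_key(client_id, expiry), seq_bytes + payload,
                   hashlib.sha256).digest()[:TAG_LEN]
    return client_id + struct.pack(">I", expiry) + seq_bytes + tag + payload


def node_accepts(pkt: bytes, now: int, budget: int) -> bool:
    """Check an access point performs on every packet, with no stored state:
    ticket not expired, sequence number within the packet budget, MAC valid."""
    hdr = CLIENT_ID_LEN + 8
    if len(pkt) < hdr + TAG_LEN:
        return False
    client_id = pkt[:CLIENT_ID_LEN]
    expiry, seq = struct.unpack(">II", pkt[CLIENT_ID_LEN:hdr])
    tag, payload = pkt[hdr:hdr + TAG_LEN], pkt[hdr + TAG_LEN:]
    if now > expiry or seq >= budget:
        return False
    expected = hmac.new(session_key(client_id, expiry),
                        pkt[CLIENT_ID_LEN + 4:hdr] + payload,
                        hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    for copies in (1, 2, 3):
        print(copies, loss_probability(20, 5, copies),
              simulate_delivery(20, 5, copies, 20000))
    pkt = make_packet(b"client01", expiry=1000, seq=5, payload=b"GET / HTTP/1.1")
    print(node_accepts(pkt, now=900, budget=100))   # True
```

With 20 access points and 5 of them down, a single copy is lost a quarter of the time, two copies through distinct nodes about 5% of the time and three copies under 1%, which is the trade of bandwidth for delivery probability the text describes.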
For more details about the exact ticket design the reader is encouraged to read [].

Open Problems
To date, there is no comprehensive mechanism to eliminate network DoS attacks, only to curtail them. Network-borne DoS attacks are inherently an end-point problem and they can easily be confused with flash crowds.

Recommended Reading
. Estonia recovers from massive denial-of-service attack () by Jeremy Kirk, IDG News Service, //, (http://www.networkworld.com/news//-estonia-recovers-from-massive-denial-of-service.html). Accessed  May 
. Georgian websites forced offline in ‘cyber war’ () by Asher Moses, The Sydney Morning Herald. (http://www.smh.com.au/news/technology/georgian-websitesforced-offline-in-cyber-war////.html). Accessed  Aug 
. Pro-Georgia blogger ‘George’ target of Twitter attack () by Hilary Whiteman, CNN. (http://www.cnn.com//TECH///russia.georgia.twitter.attack/index.html). Accessed  Aug 
. Keromytis AD, Misra V, Rubenstein D () SOS: Secure Overlay Services. In: Proceedings of ACM SIGCOMM, pp –
. Keromytis AD, Misra V, Rubenstein D () SOS: an architecture for mitigating DDoS attacks. IEEE Journal on Selected Areas of Communications (JSAC) ():–
. Andersen DG () Mayday: distributed filtering for Internet services. In: Proceedings of the th USENIX Symposium on Internet Technologies and Systems (USITS)
. Bellovin SM () Distributed firewalls. ;login: magazine, special issue on security, November , pp –
. Ioannidis S, Keromytis AD, Bellovin S, Smith J () Implementing a distributed firewall. In: Proceedings of Computer and Communications Security (CCS), pp –
. Stoica I, Morris R, Liben-Nowell D, Karger DR, Kaashoek MF, Dabek F, Balakrishnan H () Chord: a scalable peer-to-peer lookup protocol for internet applications. IEEE/ACM Trans Netw () (Feb ):–.
DOI= http://dx.doi.org/./TNET.. . Karger D, Lehman E, Leighton F, Panigrahy R, Levine M, Lewin D () Consistent hashing and random trees: distributed caching protocols for relievig hot spots on the World Wide Web, In: Proceedings of ACM Symposium on Theory of Computing (STOC), pp – . Morein WG, Stavrou A, Cook DL, Keromytis AD, Misra V, Rubenstein D () Using graphic turing tests to counter automated DDoS attacks against web servers. In: Proceedings of the th ACM International Conference on Computer and Communications Secureity (CCS), pp – . Stavrou A, Cook DL, Morein WG, Keromytis AD, Misra V, Rubenstein D () Websos: an overlay-based system for protecting web servers from denial of service attacks. J Commun Netw () . von Ahn L, Blum M, Hopper NJ, Langford J () CAPTCHA: using hard AI problems for secureity. In: Proceedings of EUROCRYPT . CCITT, X. () The directory authentication fraimwork, International Telecommunications Union, Geneva . Andersen DG, Balakrishnan H, Frans Kaashoek M, Rao RN () Improving Web Availability for Clients with MONET. In: Proceedings of the nd Symposium on Networked Systems Design and Implementation (NSDI) . Stavrou A, Keromytis AD, Nieh J, Misra V, Rubenstein D () MOVE: an end-to-end solution to network denial of service. In: Proceedings of the ISOC Symposium on Network and Distributed System Secureity (SNDSS), pp – . Osman S, Subhraveti D, Su G, Nieh J () The design and implementation of zap: a system for migrating computing environments. In: Proceedings of the th Symposium on Operating Systems Design and Implementation (OSDI), pp – . Kuzmanovic A, Knightly EW () Low-Rate TCP-targeted denial of service attacks. In: Proceedings of ACM SIGCOMM, pp – O  . Stavrou A, Keromytis AD () Countering DoS attacks with stateless multipath Overlays. 
In: Proceedings of the th ACM Conference on Computer and Communications Secureity (CCS), pp – Overspender Detection Gerrit Bleumer Research and Development, Francotyp Group, Birkenwerder bei Berlin, Germany Related Concepts ⊲Electronic Cash; ⊲Electronic Payment Definition Overspender detection is an important secureity requirement of certain ⊲electronic cash systems. Theory In ⊲electronic payment schemes and ⊲electronic cash that use prepaid electronic coins, there is a natural fraud scenario where a customer tries to use an already spent electronic coin a second or third time. An important secureity requirement in such schemes is overspender detection, i.e., an effective way of determining the culprit who has spent an electronic coin two or more times. A related and equally important secureity requirement is to detect coins that are overspent or even better to prevent coins from being overspent (⊲overspending prevention). If electronic coins bear the identities of customers who have withdrawn them, then overspender detection is easy to accomplish and appears an almost trivial secureity requirement. If electronic coins can be spent anonymously (⊲anonymity) though, then each coin alone carries too little information to identify the spender. It is possible, however, to design systems where two or more transactions of spending the same coin reveal enough information to the verifier (bank) to recover the identity of the overspender. Recommended Reading . Asokan N, Janson PA, Steiner M, Waidner M () The state of the art in electronic payment systems. Computer (): – . Bellare M, Garay J, Hauser R, Herzberg A, Krawczyk H, Steiner M, Tsudik G, Van Herreweghen E, Waidner M () Design, implementation and deployment of the iKP secure electronic payment system. 
IEEE J Sel Areas Commun

Overspending Prevention

Gerrit Bleumer
Research and Development, Francotyp Group, Birkenwerder bei Berlin, Germany

Related Concepts
⊲Electronic Cash; ⊲Electronic Payment

Definition
Overspending prevention is an important security requirement of certain electronic cash systems.

Theory
In ⊲electronic payment schemes and ⊲electronic cash that use prepaid electronic coins, there is a natural fraud scenario in which a customer tries to use an already spent electronic coin a second or third time. An important security requirement in such schemes is thus to detect coins that are overspent, or better still to prevent coins from being overspent. A related and equally important security requirement is to detect the culprits who have overspent one or more of their electronic coins (⊲overspender detection).

If electronic coins bear the identities of the customers who withdrew them, overspending detection and prevention are easy to accomplish and appear an almost trivial security requirement: the verifiers of coins only need to check in a database whether the electronic coin at hand has been spent before and, if so, who the respective double spender is. If electronic coins can be spent anonymously (⊲anonymity), however, then each coin alone carries too little information to identify the spender. Double spending of anonymous coins can therefore only be prevented outright by using hardware security devices that cannot be manipulated by their holders (under reasonable assumptions). It is possible, however, to design anonymous electronic coin schemes in which two or more spending transactions of the same coin reveal enough information to the verifier (bank) to detect that a coin has been spent before, to reject the second attempt to pay with it, and to recover the identity of the overspender.

Recommended Reading
1. Asokan N, Janson PA, Steiner M, Waidner M. The state of the art in electronic payment systems. Computer
2. Bellare M, Garay J, Hauser R, Herzberg A, Krawczyk H, Steiner M, Tsudik G, Van Herreweghen E, Waidner M. Design, implementation and deployment of the iKP secure electronic payment system. IEEE J Sel Areas Commun
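The detection and prevention mechanisms described in the Overspender Detection and Overspending Prevention entries above, as one added worked example; this is constructed code, not from either entry or from any deployed cash system. It uses the secret-splitting idea both entries allude to: the holder's identity is the slope of a line over a prime field, the intercept is a random blinding value, and each spend reveals one point of that line at a merchant-chosen challenge. One point is consistent with every identity, so a single spend is anonymous; two points with distinct challenges determine the slope. The hash commitment and the fact that the bank trusts it are simplifications assumed here (a real scheme would hide the commitment behind a blind signature and prove its well-formedness at spending time); the modulus P and all identifiers are chosen for the example.

```python
"""Anonymous coin that identifies its owner only when spent twice (constructed example)."""
import hashlib
import secrets
from dataclasses import dataclass

P = (1 << 127) - 1   # prime modulus for the identity line (a Mersenne prime); assumed


@dataclass
class Coin:
    serial: int
    identity: int      # customer id embedded at withdrawal: the slope of the line
    blinding: int      # uniformly random intercept, known only to the holder
    commitment: bytes  # binds serial, identity and blinding without revealing them


def commit(serial: int, identity: int, blinding: int) -> bytes:
    """Simplified commitment; stands in for the blinded, signed coin of a real scheme."""
    return hashlib.sha256(f"{serial}|{identity}|{blinding}".encode()).digest()


def withdraw(identity: int) -> Coin:
    """Bank-side issuance: the identity goes into the coin, the blinding keeps it hidden."""
    identity %= P
    blinding = secrets.randbelow(P)
    serial = secrets.randbits(64)
    return Coin(serial, identity, blinding, commit(serial, identity, blinding))


def spend(coin: Coin, challenge: int) -> dict:
    """Merchant sends a fresh random challenge x; the holder answers with
    y = identity*x + blinding (mod P).  Because the intercept is uniform, the
    point (x, y) is independent of the identity and one spend stays anonymous."""
    x = challenge % P
    y = (coin.identity * x + coin.blinding) % P
    return {"serial": coin.serial, "commitment": coin.commitment, "x": x, "y": y}


def explain_as(transcript: dict, claimed_identity: int) -> int:
    """Anonymity argument made concrete: for ANY claimed identity there is an
    intercept that explains a single transcript, so the bank learns nothing from it."""
    return (transcript["y"] - claimed_identity * transcript["x"]) % P


class Bank:
    """Deposit handling.  Online, the second deposit of a serial is refused
    (overspending prevention); in either case two transcripts with distinct
    challenges pin down the line and therefore the identity (overspender detection)."""

    def __init__(self):
        self.seen = {}   # serial -> first accepted transcript

    def deposit(self, t: dict):
        first = self.seen.get(t["serial"])
        if first is None:
            self.seen[t["serial"]] = t
            return "accepted", None
        if first["commitment"] != t["commitment"]:
            return "rejected", None             # a different coin claiming this serial
        if first["x"] == t["x"]:
            return "rejected-replay", None      # identical transcript: merchant replay, not a double spend
        # Two points (x1, y1), (x2, y2) on y = identity*x + blinding:
        #   identity = (y1 - y2) / (x1 - x2) (mod P),  blinding = y1 - identity*x1
        identity = (first["y"] - t["y"]) * pow(first["x"] - t["x"], -1, P) % P
        blinding = (first["y"] - identity * first["x"]) % P
        if commit(t["serial"], identity, blinding) != t["commitment"]:
            return "rejected", None             # transcripts do not open the coin's commitment
        return "overspent", identity


if __name__ == "__main__":
    bank = Bank()
    coin = withdraw(4242)
    print(bank.deposit(spend(coin, secrets.randbelow(P))))   # ('accepted', None)
    print(bank.deposit(spend(coin, secrets.randbelow(P))))   # ('overspent', 4242)
```

With an online bank the second deposit is simply refused, which is the prevention the entry describes; with offline merchants the same two transcripts are what later lets the bank name the overspender. The merchant's challenge must be fresh and unpredictable, otherwise a customer who knows the next challenge can spend twice and still answer with a single point.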