MABS Multicast Authentication Based on Batch Signature (2)

8/4/2019 MABS Multicast Authentication Based on Batch Signature (2)

1/12

MABS: Multicast AuthenticationBased on Batch Signature

Yun Zhou, Xiaoyan Zhu, and Yuguang Fang, Fellow, IEEE

AbstractConventional block-based multicast authentication schemes overlook the heterogeneity of receivers by letting the sender

choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the

signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them

vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service (DoS)

resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast

authentication protocol, namely MABS, including two schemes. The basic scheme (MABS-B) eliminates the correlation among packets

and thus provides the perfect resilience to packet loss, and it is also efficient in terms of latency, computation, and communication

overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets

simultaneously. We also present an enhanced scheme MABS-E, which combines the basic scheme with a packet filtering mechanism

to alleviate the DoS impact while preserving the perfect resilience to packet loss.

Index TermsMultimedia, multicast, authentication, signature.

1 INTRODUCTION

MULTICAST [1] is an efficient method to deliver multi-media content from a sender to a group of receiversand is gaining popular applications such as realtime stockquotes, interactive games, video conference, live video broadcast, or video on demand. Authentication is one ofthe critical topics in securing multicast [2], [3], [4], [5], [6],[7] in an environment attractive to malicious attacks.Basically, multicast authentication may provide the follow-ing security services:

1. Data integrity: Each receiver should be able toassure that received packets have not been modifiedduring transmissions.

2. Data origin authentication: Each receiver should beable to assure that each received packet comes fromthe real sender as it claims.

3. Nonrepudiation:Thesenderofapacketshouldnotbeable to deny sending the packet to receivers in casethere is a dispute between the sender and receivers.

All the three services can be supported by an asymmetrickey technique called signature. In an ideal case, the sendergenerates a signature for each packet with its private key,which is called signing, and each receiver checks the validity

of the signature with the senders public key, which iscalled verifying. If the verification succeeds, the receiverknows the packet is authentic.

Designing a multicast authentication protocol is not aneasy task. Generally, there are following issues in real worldchallenging the design. First, efficiency needs to beconsidered, especially for receivers. Compared with themulticast sender, which could be a powerful server,receivers can have different capabilities and resources. The

receiver heterogeneity requires that the multicast authenti-cation protocol be able to execute on not only powerfuldesktop computers but also resource-constrained mobilehandsets. In particular, latency, computation, and commu-nication overhead are major issues to be considered. Second,packet loss is inevitable. In the Internet, congestion atrouters is a major reason causing packet loss. An overloadedrouter drops buffered packets according to its preset controlpolicy. Though TCP provides a certain retransmissioncapability, multicast content is mainly transmitted overUDP, which does not provide any loss recovery support. Inmobile environments, the situation is even worse. Theinstability of wireless channel can cause packet loss very

frequently. Moreover, the smaller data rate of wirelesschannel increases the congestion possibility. This is notdesirable for applications like realtime online streaming orstock quotes delivering. End users of online streaming willstart to complain if they experience constant serviceinterruptions due to packet loss, and missing critical stockquotes can cause severe capital loss of service subscribers.Therefore, for applications where the quality of service iscritical to end users, a multicast authentication protocolshould provide a certain level of resilience to packet loss.Specifically, the impact of packet loss on the authenticity ofthe already-received packets should be as small as possible.

Efficiency and packet loss resilience can hardly be

supported simultaneously by conventional multicast

982 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

. Y. Zhou is with Microsoft Corporation, 1 Microsoft Way, Redmond, WA98052-8300. E-mail: [email protected].

. X. Zhu is with the National Key Laboratory of Integrated ServicesNetworks, Xidian University, PO Box 106, 2 South Taibai Road, Xian,Shaanxi 10071, China. E-mail: [email protected].

. Y. Fang is with the Department of Electrical and Computer Engineering,University of Florida, 435 New Engineering Building, PO Box 116130,Gainesville, FL 32611, and with the National Key Laboratory of IntegratedServices Networks, Xidian University, Xian 710071, China.E-mail: [email protected].

Manuscript received 28 Jan. 2008; revised 30 Jan. 2009; accepted 17 Oct.2009; published online 23 Feb. 2010.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TMC-2008-01-0026.

Digital Object Identifier no. 10.1109/TMC.2010.37.1536-1233/10/$26.00 2010 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.


2/12

schemes. As is well known that existing digital signaturealgorithms are computationally expensive, the ideal ap-proach of signing and verifying each packet independentlyraises a serious challenge to resource-constrained devices.In order to reduce computation overhead, conventionalschemes use efficient signature algorithms [8], [9] oramortize one signature over a block of packets [10], [11],

[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],[24], [25], [26] at the expense of increased communicationoverhead [8], [9], [10], [11] or vulnerability to packet loss[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],[24], [25], [26].

Another problem with schemes in [8], [9], [10], [11], [12],[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],[25], [26] is that they are vulnerable to packet injection bymalicious attackers. An attacker may compromise a multi-cast system by intentionally injecting forged packets toconsume receivers resource, leading to Denial of Service(DoS). Compared with the efficiency requirement and packetloss problems, the DoS attack is not common, but it is still

important in hostile environments. In the literature, someschemes [27], [28], [29], [30], [31], [32] attempt to provide theDoS resilience. However, they still have the packet lossproblem because they are based on the same approach asprevious schemes [10], [11], [22], [23], [24], [25], [26].

Recently, we demonstrated that batch signature schemescan be used to improve the performance of broadcastauthentication [5], [6]. In this paper, we present ourcomprehensive study on this approach and propose a novelmulticast authentication protocol called MABS (in short for Multicast Authentication based on Batch Signature). MABSincludes two schemes. The basic scheme (called MABS-Bhereafter) utilizes an efficient asymmetric cryptographicprimitive called batch signature [33], [34], [35], [36], [37], [38],[39], [40], [41], [42], [43], [44], which supports theauthentication of any number of packets simultaneouslywith one signature verification, to address the efficiencyand packet loss problems in general environments. Theenhanced scheme (called MABS-E hereafter) combinesMABS-B with packet filtering to alleviate the DoS impactin hostile environments. MABS provides data integrity,origin authentication, and nonrepudiation as previousasymmetric key based protocols. In addition, we make thefollowing contributions:

1. Our MABS can achieve perfect resilience to packetloss in lossy channels in the sense that no matter

how many packets are lost the already-receivedpackets can still be authenticated by receivers.2. MABS-B is efficient in terms of less latency,

computation, and communication overhead. ThoughMABS-E is less efficient than MABS-B since itincludes the DoS defense, its overhead is still at thesame level as previous schemes.

3. We propose two new batch signature schemes basedon BLS [36] and DSA [38] and show they are moreefficient than the batch RSA [33] signature scheme.

The rest of the paper is organized as follows: We brieflyreview related work in Section 2. Then, we present a basicscheme for lossy channels in Section 3, which also includes

three batch signature schemes based on RSA [33], BLS [36],

and DSA, respectively [38]. An enhanced scheme isdiscussed in Section 4. After performance evaluation inSection 5, the paper is concluded in Section 6.

2 RELATED WORK

Schemes in [8], [9] follow the ideal approach of signing and

verifying each packet individually, but reduce the compu-tation overhead at the sender by using one-time signatures[8] or k-time signatures [9]. They are suitable for RSA [33],which is expensive on signing while cheap on verifying. Foreach packet, however, each receiver needs to perform onemore verification on its one-time or k-time signature plusone ordinary signature verification. Moreover, the length ofone-time signature is too long (on the order of 1,000 bytes).

Tree chaining was proposed in [10], [11] by constructinga tree for a block of packets. The root of the tree is signed bythe sender. Each packet carries the signed root and multiplehashes. When each receiver receives one packet in the block,it uses the authentication information in the packet to

authenticate it. The buffered authentication information isfurther used to authenticate other packets in the same block.Without the buffered authentication information, eachpacket is independently verifiable at a cost of per-packetsignature verification.

Graph chaining was studied in [12], [13], [14], [15], [16],[17], [18], [19], [20], [21]. A multicast stream is divided intoblocks and each block is associated with a signature. In each block, the hash of each packet is embedded into severalother packets in a deterministic or probabilistic way. Thehashes form a graph, in which each path links a packet tothe block signature. Each receiver verifies the blocksignature and authenticates all the packets through thepaths in the graph.

Erasure codes were used in [22], [23], [24], [25], [26]. Asignature is generated for the concatenation of the hashes ofall the packets in one block and then is erasure-coded intomany pieces. Erasure codes make each receiver be capableof recovering the block signature when receiving at least acertain number of pieces.

All these schemes [10], [11], [12], [13], [14], [15], [16], [17],[18], [19], [20], [21], [22], [23], [24], [25], [26] are indeedcomputationally efficient since each receiver needs to verifyonly one signature for a block of packets. However, they allincrease packet overhead for hashes or erasure codes andthe block design introduces latency when buffering manypackets. Another major problem is that most schemes [12],

[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],[25], [26] are vulnerable to packet loss even though they aredesigned to tolerate a certain level of packet loss. If toomany packets are lost, other packets may not be authenti-cated. In particular, if a block signature is lost, the entireblock cannot be authenticated.

Moreover, previous schemes [8], [9], [10], [11], [12], [13],[14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25],[26] target at lossy channels, which are realistic in our dailylife since the Internet and wireless networks suffer frompacket loss. In a hostile environment, however, an activeattacker can inject forged packets to consume receiversresource, leading to DoS. In particular, schemes in [8], [9],

[10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21]

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983



3/12

are vulnerable to forged signature attacks because theyrequire each receiver to verify each signature whereby toauthenticate data packets, and schemes in [22], [23], [24],[25], [26] suffer from packet injection because each receiverhas to distinguish a certain number of valid packets from apool of a large number of packets including injected ones,which is very time-consuming.

In order to deal with DoS, schemes in [27], [28], [29], [30],[31], [32] were proposed. PARM [27] is similar to the treechaining scheme [10], [11] in the sense that multiple one-way hash chains are used as shared keys between thesender and receivers. Schemes in [28], [29] combine erasurecodes with one-way hash chains to detect forged packets.Unfortunately, these schemes [27], [28], [29] are stillvulnerable to DoS because they require that one-way hashchains are signed and transmitted to each receiver andtherefore an attacker can inject forged signatures for one-way hash chains.

PRABS [30] uses distillation codes to deal with DoS. Inparticular, valid packets and forged packets are partitioned

into disjoint sets and erasure decoding is performed overeach set. BAS [31] simply retransmits each signaturemultiple times to tolerate packet loss and uses selectiveverification to tolerate injected forged signatures. LTT [32]uses error correction codes to replace erasure codes inschemes [22], [23], [24], [25], [26]. The reason is that errorcorrection codes tolerate error packets. These three schemes[30], [31], [32] are resilient to DoS, but they still have thepacket loss problem.

Some other schemes [45], [46], [47], [48], [49], [50], [51],[52], [53] use shared symmetric keys between the sender andreceivers to authenticate multicast streams. Though they aremore efficient than those using signatures, they cannotprovide nonrepudiation as the signature approach, and theyrequire either time synchronization or trustful infrastruc-tures. In this paper, we focus on the signature approach.

Though confidentiality is another important issue forsecuring multicast, it can be achieved through group keymanagement [54]. In this paper, we focus on multicastauthentication.

3 BASIC SCHEME

Our target is to authenticate multicast streams from a senderto multiple receivers. Generally, the sender is a powerfulmulticast server managed by a central authority and can betrustful. The sender signs each packet with a signature and

transmits it to multiple receivers through a multicast routingprotocol.Each receiver is a less powerful devicewithresourceconstraints and may be managed by a nontrustworthyperson. Each receiver needs to assure that the receivedpackets are really from the sender (authenticity) and thesender cannot deny the signing operation (nonrepudiation)by verifying the corresponding signatures.

Ideally, authenticating a multicast stream can beachieved by signing and verifying each packet. However,the per-packet signature design has been criticized for itshigh computation cost, and therefore, most previousschemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],

[32] incorporate a block-based design as shown in Section 2.

They do reduce the computation cost, but also introducenew problems. The block design builds up correlationamong packets and makes them vulnerable to packet loss,which is inherent in the Internet and wireless networks.Received packets may not be authenticated because somecorrelated packets are lost.

Also, the heterogeneity of receivers means that the buffer

resource at each receiver is different and can vary over thetimedependingontheoverallloadatthereceiver.Intheblockdesign, therequired block size, whichis chosenby thesender,may not be satisfied by each receiver.

Third, the correlation among packets can incur addi-tional latency. Consider the high layer application needsnew data from the low layer authentication module in orderto render a smooth video stream to the client user. It isdesirable that the lower layer authentication moduledelivers authenticated packets to the high layer applicationat the time when the high layer application needs new data.In the per-packet signature design it is not a problem, sinceeach packet can be independently verifiable at any time. In

the block design, however, it is possible that the packets buffered at the low layer authentication module are notverifiable because the correlated packets, especially the block signatures, have not been received. Therefore, thehigh layer application has to either wait, which leads toadditional latency, or return with a no-available-packetsexception, which could be interpreted as that the bufferedpackets are lost. This latency, which is incurred at thehigh layer when the high layer application waits for thebuffered packets to become verifiable, is different from the buffering latency, which is required for the low layerauthentication protocol to buffer received packets.

In view of the problems regarding the sender-favored block-based approach, we conceive a receiver-orientedapproach by taking into account the heterogeneity of thereceivers. As receiving devices have different computationand communication capabilities, some could be powerfuldesktop computers, while the others could be cheaphandsets with limited buffers and low-end CPUs. Mixedwith various channel loss rates, this heterogeneity poses ademand on the capability of adjusting the buffer size andauthenticating buffered packets any time when the highlayer application requires at each receiver.

In order to fulfill the requirement, the basic schemeMABS-B uses an efficient cryptographic primitive calledbatch signature [33], [34], [35], [36], [37], [38], [39], [40], [41],[42], [43], [44], which supports simultaneously verifying the

signatures of any number of packets. In particular, when areceiver collects n packets:

pi fmi; ig; i 1; . . . ; n;

where mi is the data payload, i is the correspondingsignature, and n can be any positive integer, it can inputthem into an algorithm

BatchVerifyp1; p2; . . . ; pn 2 fT rue; Falseg:

If the output is True, the receiver knows the n packets areauthentic, and otherwise not.

To support authenticity and efficiency, the BatchVerifyalgorithm should satisfy the following properties:




4/12

1.Given a batch of packets that have been signed bythe sender, BatchVerify outputs True.

2. Given a batch of packets including some unauthenticpackets, the probability that BatchVerify outputsTrue is very low.

3. The computation complexity of BatchVerify iscomparable to that of verifying one signature andis increased only gradually when the batch size nis increased.

The computation complexity of BatchVerify comeswith the fact that there are some additional cost onprocessing multiple packets. As we will show later, thoseadditional computations are mostly modular additions andmultiplications, which are much faster than modular

exponentiations required in final signature verifications.Theoretically, a concern comes when the cost grows higherthan the final signature verification if the batch size is toolarge. However, it is not the case in reality. The merit of batch signature is that the batch size is chosen by eachreceiver, which can optimize its own batch size, so that thebatch size will not be unmanageably large. Most important,we will show later that in the implementation of batchsignature a technique called signature preaggregation can beused so that the additional processing of multiple packets isshifted from the time of final batch verification to the timeof each packet reception and thus the cost of final batchsignature verification is exactly the same as that of original

signature verification.In order to show the merit of signature preaggregation,we implemented batch signature by using our Batch-BLS(will be discussed later) as an example. We measured thenormalized time cost of batch signature verification withthe batch size growing from 1 to 1,000, and recorded theresults for two scenarios, with and without signaturepreaggregation. The result is shown in Fig. 1. We can seethat the time cost of general batch verification (withoutsignature aggregation) is still less than that of two singlesignature verifications when batch size grows up to about270, which validates the third property of batch signature.The other curve in Fig. 1 shows that if the signature

preaggregation is used, then the final batch verification has

the same cost of single signature verification, no matter howlarge the batch size is.

MABS-B uses per-packet signature instead of per-blocksignature and thus eliminates the correlation amongpackets. The packet independency makes MABS-B perfectresilient to packet loss. The Internet and wireless channelstend to be lossy due to congestion or channel instability,

where packets can be lost according to different lossmodels, such as random loss or burst loss. In MABS-B,however, no matter how many packets are lost, the already-received packets can still be authenticated by each receiver.This is a significant advantage over previous schemes [10],[11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22],[23], [24], [25], [26], [27], [28], [29], [30], [31], [32]. Mean-while, efficiency can also be achieved because a batch ofpackets can be authenticated simultaneously through onebatch signature verification operation. The packet indepen-dency also brings other benefits in terms of smaller latencyand communication overhead compared with previousschemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],

[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],[32]. In particular, each receiver can verify the authenticityof all the received packets in its buffer whenever the highlayer applications require, and there is no additional hashor code overhead in each packet.

Next, we present three implementations. In addition tothe one based on RSA [33], we propose two new batchsignature schemes based on BLS [36] and DSA [38], whichare more efficient than batch RSA. We must point out andwill show later that MABS is independent from thesesignature algorithms. This independency brings the free-dom to optimize MABS for a particular physical system orplatform as much as possible.

3.1 Batch RSA Signature3.1.1 RSA

RSA [33] is a very popular cryptographic algorithm inmany security protocols. In order to use RSA, a senderchooses two large random primes P and Q to get N P Q,and then calculates two exponents e; d2 ZZN such thated 1 mod N, where N P 1Q 1. The senderpublishes e; N as its public key and keeps din secret as itsprivate key. A signature of a message m can be generated as hmd mod N, where h is a collision-resistant hashfunction. The sender sends fm; g to a receiver that canverify the authenticity of the message m by checkinge hm mod N.

3.1.2 Batch RSA

To accelerate the authentication of multiple signatures,the batch verification of RSA [34], [35] can be used. Givenn packets fmi; ig; i 1; . . . ; n, where mi is the datapayload, i is the corresponding signature and n is anypositive integer, the receiver can first calculate hi hmiand then perform the following verification:

Yni1

i

!emod N

Yni1

hi mod N: 1

If all n packets are truly from the sender, the equation holds

because


Fig. 1. Normalized time cost of Batch-BLS signature verification.



5/12

Yni1

i

!emod N

Yni1

ei mod N

Yni1

hedi mod N

Yn

i1

hi mod N:

2

Before the batch verification, the receiver must ensure allthe messages are distinct. Otherwise batch RSA is vulnerableto the forgery attack [35]. This is easy to implement becausesequence numbers are widely used in many networkprotocols and can ensure all the messages are distinct. Ithas been proved in [35] that when all the messages aredistinct, batch RSA is resistant to signature forgery as long asthe underlying RSA algorithm is secure.

In some circumstances, an attacker may not forgesignatures but manipulate authentic packets to produce

invalid signatures. For example, given two packets fmi; ig

and fmj; jg for i 6 j, the attacker can modify them intofmi; ig and fmj; j=g. The modified packets can still passthe batch verification, but the signature of each packet is not

correct (that is why batch RSA verification is called screeningin [35]). However, the attacker can do this only when it gets

fmi; ig and fmj; jg, which means the message mi and mjhave been correctly signed by the sender. Therefore, thisattack is of no harm to the receiver [35].

3.1.3 Requirements to the Sender

In most RSA implementations, the public key e is usuallysmall (e 3 for instance) while the private key d is large.Therefore, the RSA signature verification is efficient whilethe signature generation is expensive. This poses achallenge to the computation capability of the senderbecause the sender needs to sign each packet. Choosing asmall private key dcan improve the computation efficiency but compromise the security. If the sender does not haveenough resource, a pair of fe; dg with comparable sizes canachieve a certain level of trade-off between computationefficiency and security at the sender part. If the sender is apowerful server, then signing each packet can be affordablein this scenario. Next, we propose two efficient batchsignature schemes based on BLS [36] and DSA [38], whichcan reduce the computation complexity at the sender.

3.2 Batch BLS Signature

Here, we propose a batch signature scheme based on theBLS signature in [36].

3.2.1 BLS

The BLS signature scheme uses a cryptographic primitivecalled pairing, which can be defined as a map over twocyclic groups G1 and G2, e : G1 G1 ! G2, satisfying thefollowing properties:

1. Bilinear: For all u; v 2 G1 and a; b 2 ZZ, we haveeua; vb eu; vab.

2. Nondegenerate: For the generator g1 of G1, i.e.,gp1 1 2 G1, where p is the order of G1, we haveeg1; g1 6 1 2 G2.

The BLS signature scheme consists of three phases:

1. In the key generation phase, a sender chooses arandom integer x 2 ZZp and computes y g1

x 2 G1.The private key is x and the public key is y.

2. Given a message m 2 f0; 1g in the signing phase, thesender first computes h hm 2 G1, where h is a

hash function, then computes hx

2 G1. Thesignature of m is .3. In the verification phase, the receiver first computes

h hm 2G1 and then check whether eh;y e;g1.

If the verification succeeds, then the message m is authenticbecause

eh; y eh; g1x ehx; g1 e; g1: 3

One merit of the BLS signature is that it can generatea very short signature. It has been shown in [36] that ann-bit BLS signature can provide a security level equiva-lent to solving a Discrete Log Problem (DLP) [39] over afinite field of size approximately 26n. Therefore, a 171-bit

BLS signature provides the same level of security as a1,024-bit DLP-based signature scheme such as DSA [38].This is a very nice choice in the scenario wherecommunication overhead is an important issue.

3.2.2 Batch BLS

Based on BLS, we propose our batch BLS scheme here.Given n packets fmi; ig; i 1; . . . ; n, the receiver can verifythe batch of BLS signatures by first computing hi hmi;i 1; . . . ; n and then checking whether e

Qni1 hi; y

eQn

i1 i; g1. This is because if all the messages areauthentic, then

eYni1

hi; y !

Yni1

ehi; g1x

Yni1

e

hix; g1

eYni1

i; g1

!:

4

We can prove that our batch BLS is secure to signatureforgery as long as BLS is secure to signature forgery.

Theorem 1. Suppose an attacker A can break the batch BLS byforging signatures. Then, another attacker B can break BLSunder the chosen message attack by colluding with A.

Proof. Suppose B is given n 1 messages and their validsignatures fmi; ig; i 1; . . . ; n 1, B can forge a signa-ture n for any chosen message mn, such that fmn; ngsatisfies the BLS signature scheme, by colluding with Ain the following steps:

1. B sends n messages mi; i 1; . . . ; n and n 1signatures i; i 1; . . . ; n 1 to A.

2. Because A can break the batch BLS scheme, Agenerates n false signatures i

0; i 1; . . . ; n thatpass the batch BLS verification, then returns to Bavalue V

Qni1 i

0.3. B computes n V =Q

n1i1 i as the signature for

mn, because




6/12

eYni1

hi; y

! eV ; g1

) eYni1

hi; y

! e

Yni1

i; g1

!

) e Yn1

i1

hi; y !ehn; y e Yn1

i1

i; g1 !en; g1) ehn; y en; g1 :

5

tu

Since BLS is forgery-secure under the chosen messageattack [36], our batch BLS scheme is also secure to forgeryunder the chosen message attack.

Also like batch RSA, an attacker may not forge signatures but manipulate authentic packets to produce invalidsignatures. For instance, two packets fmi; ig and fmj; jgfor i 6 j can be replaced with fmi; ig and fmj; j=g andstill pass the batch verification. However, it does not affectthe correctness and the authenticity of mi and mj because

they have been correctly signed by the sender.


In our batch BLS, the sender needs to sign each packet.Because BLS can provide a security level equivalent toconventional RSA and DSA with much shorter signature[36], the signing operation is more efficient than the RSAsignature generation. Moreover, BLS can be implementedover elliptic curves [55], [56], which have been shown in theliterature to be more efficient than finite integer fields onwhich RSA is implemented. Therefore, we can expect thatour batch BLS is more affordable by the sender than batchRSA and also achieve computation efficiency at the receiver.

3.3 Batch DSA SignatureDSA [38] is another popular digital signature algorithm.Unlike RSA, which is based on the hardness of factoringtwo large primes, DSA is deemed secure based on thedifficulty of solving DLP [39]. A batch DSA signaturescheme was proposed in [40], but later was found insecure[41]. Harn improved the security of [40] in [42], [43].Unfortunately, Boyd and Pavlovski pointed out in [44] thatHarns work is still vulnerable to malicious attacks. Here,we propose a batch DSA scheme based on Harns work andcounteract the attack described in [44].

3.3.1 Harn DSA

In Harn DSA [43], some system parameters are defined as:

1. p, a prime longer than 512 bits.2. q, a 160-bit prime divisor of p 1.3. g, a generator ofZZp with order q, i.e., g

q 1 mod p.4. x, the private key of the signer, 0 < x < q.5. y, the public key of the signer, y gx mod p.6. h, a hash function generating an output in ZZq.

Given a message m, the signer generates a signature by:

1. randomly selecting an integer k with 0 < k < q,2. computing h hm,3. computing r gk mod p mod q, and4. computing s rk hx mod q.

The signature for m is r; s.

The receiver can verify the signature by first computing

h hm and then checking whether

gsr1

yhr1

mod p mod q r:

This is because if the packet is authentic, then

gsr1

yhr1

mod p mod q

gshxr1

mod p mod q

gk mod p mod q

r:

6

3.3.2 Harn Batch DSA

Given n packets fmi; ri; sig; i 1; . . . ; n, the receiver canverify the batch of signatures by first computing hi hmi

and then checking whether

g

Pn

i1siri 1y

Pn

i1hiri 1

mod p

mod q

Yn

i1

ri mod q : 7

This is because, if the batch of packets is authentic, then

gPn

i1siri 1y

Pni1

hiri 1

mod p

mod q

gPn

i1sihixri1

mod p

mod q

gPn

i1ki mod p

mod q

Yni1

ri mod q:

8

3.3.3 The Boyd-Pavlovski Attack

Boyd and Pavlovski [44] pointed out an attack against the

Harn batch DSA scheme [43], where an attacker can forgesignatures for any chosen message set that has not been

signed by the sender. The process is:

1. Choose B and C, calculate A gByC mod p mod q.2. For any message set mi, i 1; . . . ; n, randomly

choose ri, i 1; . . . ; n 2.3. Compute rn1 and rn to ensure that

Yni1

ri mod q A mod q 9

Xn

i1

hiri1 mod q C mod q: 10

4. Randomly choose si, i 1; . . . ; n 1 and compute snto ensure that

Xni1

siri1 mod q B mod q: 11

The probability that fmi; ri; sig, i 1; . . . ; n are forged

messages satisfying the batch verification is 12

[44].

3.3.4 Our Batch DSA

In order to counteract the Boyd-Pavlovski attack, our batch

DSA makes an improvement to the Harn DSA algorithm.




7/12

We replace the hash operation hm in the signaturegeneration and verification process with hr; m. All theother steps are the same as those in Harns scheme.

Though it is simple, our method can significantlyincrease the security of batch DSA. In the Boyd-Pavlovskiattack, the attacker can compute ri values according to (9)and (10) because parameters A, C, hi values are known. By

introducing ri into the hash operation, the hash values hi in(10) are unknown to the attacker. Therefore, the attackercannot compute ri values and the forgery attack discussedin [44] is defeated.

Likethe cases in batch RSA and our batch BLS, the attackermay manipulate authentic packets fmi; ri; sig to produceinvalid signatures fmi; ri

0; si0g, which can still pass the

batch verification. The attacker can keep ri unchanged,randomly choose si

0, i 1; . . . ; n 1 and solve sn0 satisfying

Xni1

si0ri

1 mod qXni1

siri1 mod q: 12

However, this attack does not affect the correctness and

authenticity of messages because they have been reallysigned by the sender [44]. Therefore, the receiver can stillaccept them because the batch verification succeeds.


In batch RSA and our batch BLS, the sender needs tocompute one modular exponentiation to sign each packet.In our batch DSA, the sender needs to compute onemodular exponentiation to get r and two modular multi-plications to get s. However, r is independent on themessage m. Therefore, the sender can generate manyr values offline. When the sender starts a multicast session,it can use reserved r values to compute s values. In thisway, only two modular multiplications are necessary to

sign a packet. Therefore, our batch DSA is much moreefficient than batch RSA and our batch BLS at the sender,while also achieving computation efficiency at the receiver.

3.4 Preaggregation of Message Hashes andSignatures

If we take a closer look at batch-RSA and batch-BLS, we cannotice that they use exactly the orignal RSA and BLSalgorithms, respectively. The only difference is that thebatch algorithms take the aggregations of message hashesand signatures f

Qni1 hi;

Qni1 ig as the parameters to the

original signature algorithms. This aggregation is indepen-dent of the final signature verification. Therefore, each

receiver can compute and update fQn

i1 hi;Qn

i1 ig afterreceiving every packet. When the time of batch verificationcomes, each receiver needs just one signature verification.

For batch-DSA, the aggregations of message hashes andsignatures f

Pni1 siri

1;Pn

i1 hiri1;Qn

i1 rig are inside thesignature verification. Therefore, the cost of the aggregationsis incurred with the final signature verification. However, ifwe modify the original DSA so that it takes fsr1; hr1; rginstead of fh;s;rg as parameters, then batch-DSA can takethe advantage of preaggregating message hashes andsignatures, just like batch-RSA and batch-BLS.

Obviously, the computation cost at each receiver can bemore manageable no matter how large each batch is if

signature preaggregation is enforced, as shown in Fig. 1.

4 ENHANCED SCHEME

The basic scheme MABS-B targets at the packet lossproblem, which is inherent in the Internet and wireless

networks. It has perfect resilience to packet loss, no matterwhether it is random loss or burst loss. In some circum-stances, however, an attacker can inject forged packets intoa batch of packets to disrupt the batch signature verifica-tion, leading to DoS. A naive approach to defeat the DoSattack is to divide the batch into multiple smaller batchesand perform a batch verification over each smaller batch,and this divide-and-conquer approach can be recursivelycarried out for each smaller batch, which means moresignature verifications at each receiver. In the worst case,the attacker can inject forged packets at very high frequencyand expect that each receiver stops the batch operation andrecovers the basic per-packet signature verification, whichmay not be viable at resource-constrained receiver devices.

In this section, we present an enhanced scheme calledMABS-E, which combines the basic scheme MABS-B and apacket filtering mechanism to tolerate packet injection. Inparticular, the sender attaches each packet with a mark,which is unique to the packet and cannot be spoofed. Ateach receiver, the multicast stream is classified into disjointsets based on marks. Each set of packets comes from eitherthe real sender or the attacker. The mark design ensures thata packet from the real sender never falls into any set ofpackets from the attacker, and vice versa. Next, each receiveronly needs to perform BatchVerify over each set. If theresult is True, the set of packets is authentic. If not, the set ofpackets is from the attacker, and the receiver simply dropsthem and does not need to divide the set into smaller subsets

for further batch verification. Therefore, a strong resilienceto DoS due to injected packets can be provided.In MABS-E, Merkle tree [57] is used to generate marks.

An example is illustrated in Fig. 2. The sender constructs a binary tree for eight packets. Each leaf is a hash of onepacket. Each internal node is the hash value on theconcatenation of its left and right children. For each packet,a mark is constructed as the set of the siblings of the nodesalong the path from the packet to the root. For example, themark of the packet P3 is fH4; H1;2; H5;8g and the root can berecovered as H1;8 HH1;2; HP3; H4; H5;8.

Constructing a Merkle tree is very efficient because onlyhash operations are performed. Meanwhile, the one-wayproperty of hash operation ensures that given the root of a

Merkle tree it is infeasible to find a packet, which is not in


Fig. 2. An example of Merkle tree. Each leaf is a hash of one packet.Each internal node is the hash value on both its left and right children.



8/12

the set associated with the Merkle tree and from whichthere is a path to the root. This guarantees that forgedpackets cannot fall into the set of authentic packets.

When the sender has a set of packets for multicast, itgenerates a Merkle tree for the set and attaches a mark toeach packet. The root can be recovered based on eachpacket and its mark. Each receiver can find whether twopackets belong to the same set by checking whether theylead to the same root value. Therefore, the recovered rootshelp classify received packets into disjoint sets. Eachreceiver does not need to wait for a set to include all thepackets under the Merkle tree, and it can batch-verify theset anytime. Once the set is authentic, the correspondingroot can be used to authenticate the rest of packets under

the same Merkle tree without batch-verifying them, whichsaves computation overhead at each receiver.

An attacker may inject small sets of forged packets oreven inject single packet that does not belong to any set. Inthis case, each receiver has many small sets and each ofthem has only a few packets. Doing the BatchVerifyalgorithm on each small set compromises efficiency. Sincethe sets from the sender can have a large number of packets,each receiver can choose a threshold (say t) and start batchverification over one set only when the set has no less thant packets. If a set has less than t packets and the root valuerecovered from the set has not been authenticated, thereceiver simply drop the set of packets without processingthem and thus save computation resource. For each

receiver, the threshold t can vary according to the receiverscomputation resource. In this way, the impact of DoS due topacket injection can be reduced by a factor of t.

5 PERFORMANCE EVALUATION

In this section, we evaluate MABS performance in terms ofresilience to packet loss, efficiency, and DoS resilience. Aswe discussed before, MABS does not assume any particularunderlying signature algorithm. This is also true for all theliterature multicast authentication schemes referenced inthis paper. Therefore, all the discussions and evaluations ofMABS and the literature works in Section 5.1 and Section 5.2

are under the assumption that they are using the same

underlying signature algorithm. The discussion of signaturealgorithms is in Section 5.3.

5.1 Resilience to Packet Loss

We use simulations to evaluate the resilience to packetloss. The metric here is the verification rate, i.e., the ratioof the number of authenticated packets to the number ofreceived packets.

We compare MABS with some well-known loss tolerantschemes EMSS [14], augmented chain (AugChain) [18],PiggyBack [16], tree chain (Tree) [11], and SAIDA [23].These schemes are representatives of graph chaining, treechaining, and erasure coding schemes and are widely usedin performance evaluation in the literature.

For EMSS [14], we choose the chain configuration of5 11 17 24 36 39, which has the best performanceamong all the configurations of length 6 as is shown in [14].For AugChain [18], we choose C3;7 chain configuration. ForPiggyBack [16], we choose two class priorities. For Treechain [11], we choose binary tree. For SAIDA [23], we choosethe erasure code 256; 128. For all these schemes, we choosethe block size of 256 packets and simulate over 100 blocks.We consider the random loss and the burst loss with amaximum loss length of 10 packets. The verification ratesunder different loss rates are given in Fig. 3 and Fig. 4.

We can see that the verification rates of EMSS [14],augmented chain (AugChain) [18] and PiggyBack [16] are

decreased quickly when the loss rate is increased. The reasonis that graph chaining results in the correlation amongpackets and this correlation is vulnerable to packet loss.SAIDA [23] illustrates a resilience to packet loss up to acertain threshold, because of the threshold performance oferasure codes.Our MABS andTree schemes [11] have perfectresilience to packet loss in the sense that all the receivedpackets can be authenticated. This is because all the packetsin MABS and Tree schemes are independent from each other.As we will show later, however, Tree [11] achieves thisindependency by incurring large overhead and latency at thesender and each receiver and is vulnerable to DoS, while ourMABS-B has less overhead and latency and MABS-E is

resilient to DoS at the same level of overhead as Tree [11].


Fig. 3. Verification rate under the random loss model.Fig. 4. Verification rate under the burst loss model with the maximumburst length 10.



9/12

One thing needs to be pointed out is that we do notdifferentiate between MABS-B and MABS-E in Fig. 3 and

Fig. 4. MABS-B is perfect resilient to packet loss because ofits inherent design. While it is not designed for lossychannels, MABS-E can also achieve the perfect resilience topacket loss in lossy channels. In the lossy channel model,where no DoS attack is assumed to present, we can set thethreshold t 1 (refer to Section 4) for MABS-E, and thuseach receiver can start batch-verification as long as there is atleast one packet received for each set of packets constructedunder the same Merkle tree. Once the received packets areauthenticated, the extracted root of the Merkle tree can beused to authenticate the rest of packets in the same set

within several hash operations. If we set t > 1, which is notthe best choice for the lossy channel, MABS-E can tolerate upto n t lost packets for each set ofn packets, which shows athreshold-based loss resilience, similar to SAIDA [23].

5.2 Efficiency

We consider latency, computation, and communication

overhead for efficiency evaluation under lossy channelsand DoS channels. The notations used here are defined inTable 1. All the evaluations are carried out over n packets.The results are depicted in Table 2 and Table 3.

5.2.1 Comparisons over Lossy Channels

Table 2 shows the comparisons between MABS-B and well-known loss-tolerant schemes tree chain (Tree) [11], EMSS[14], PiggyBack [16], augmented chain (AugChain) [18], andSAIDA [23]. We also include MABS-E and three DoSresilient schemes PRABS [30], BAS [31], and LTT [32] in thetable just for comparisons even though they are notdesigned for lossy channels.

Previous block-based schemes introduce latency either at

the sender [11], [16] or at each receiver [14], [31] or both [18],[23], [30], [32]. The latency is inherent in the block designdue to chaining or coding. At the sender side, thecorrelation among a block of packets has to be established before the sender starts sending the packets. At eachreceiver, the latency is incurred when the high layerapplication waits for the buffered packets to be authenti-cated after the correlation is recovered. This receiver sidelatency is variable depending on whether the correlationamong the underline buffered packets has been recoveredor not when the high layer application needs new data, andits maximum value is the block size. MABS-B eliminates thecorrelation among packets. Each packet is independentlysent out at the sender. At each receiver, the high layer

application does not need to wait because the low layerauthentication module can deliver authenticated packets atany time when the high layer application needs new data.This makes MABS-B pretty suitable for realtime multimediaapplications. MABS-E introduces latency at the sender because it includes a tree construction to counteract DoS,but it still preserves the merit of instantaneous authentica-tion at each receiver as MABS-B.

Both the block-based schemes and MABS require onesignature verification operation on a block or a batch ofn packets at each receiver. In addition, the schemes using


TABLE 1Notations

TABLE 2

Comparisons over Lossy Channels



10/12

chaining also require many hashes, and the ones usingcoding require multiple hashes and one or two decodingoperations. MABS-B is more efficient since there is no morehashing or decoding operations. MABS-E requires nlog2nhashes, which is comparable to previous schemes using

hashing and coding.In MABS, a trade-off for perfect resilience to packet lossis that the sender needs to sign each packet, which incursmore computation overhead than conventional block-basedschemes. Therefore, efficient signature generation is desir-able at the sender. Compared with RSA [33], which isefficient in verifying but is expensive in signing, BLS [36]and DSA [38] are pretty good candidates as we will showlater. Moreover, in multimedia multicast, the sender isusually a powerful server and thus the per-packet signaturegeneration can be affordable, and the advance of computingtechnology makes it easier in the long run.

For n packets, Tree [11] require an overhead ofn signatureand Onlog2n hashes, schemes in [14], [16], [18], [23], [30],

[31], [32] require one or more signatures and up toOn2 hashes. MABS-B and MABS-E require n signaturesand MABS-E requires additional Onlog2n hashes. If longsignatures are used (like 1,024-bit RSA), MABS-B and MABS-E have more communication overhead than those in [14],[16], [18], [23], [30], [31], [32], which is the same case as Tree[11]. However, BLS [36] generatesshortsignatures of 171bits,which is comparable to most well-known hash algorithmsMD5 [58] (128 bits) and SHA-1 [59] (160 bits). Therefore,MABS can have the same level of communication efficiencyas conventional schemes when BLS is used.

5.2.2 Comparisons over DoS Channels

DoS is a method for an attacker to deplete the resource of a

receiver.Processinginjectedpacketsfromthe attacker alwaysconsumes a certain amount of resource. Here, we assume anattacker factor , which means that for n valid packetsn invalid packets are injected. The computation overheadsat each receiver for different schemes are depicted in Table 3.

For schemes in [11], [14], [16], [18], which authenticatesignatures first and then authenticate packet through hashchains, the attacker can inject n forged signature packets because signature verification is an expensive operation.For SAIDA [23], which requires erasure decoding, theattacker simply injects n forged packets because eachreceiver has to choose a certain number of valid packetsfrom all the 1 n packet to do decoding, which can have

a significant number of tries.

Schemes in [30], [31], [32] are designed for DoS defense.They canalleviatethe impact of packetinjection by a constantfactor to reduce the computation cost at each receiver.

MABS-B is vulnerable to packet injection as schemes in[11], [14], [16], [18], [23] since they are designed only for

lossy channels. MABS-E has the same level of DoS resilienceas those in [30], [31], [32].

5.3 Comparisons of Signature Schemes

We compare the computation overhead of three batchsignature schemes in Table 4. RSA [33] and BLS [36] requireone modular exponentiation at the sender and DSA [38]requires two modular multiplications when r value iscomputed offline. Usually one c-bit modular exponentiationis equivalent to 1:5c modular multiplications over the samefield [35], [44]. Moreover, a c-bit modular exponentiation inDLP is equivalent to a c

6-bit modular exponentiation in BLS

for the same security level. Therefore, we can estimate thatthe computation overhead of one 1,024-bit RSA signing

operation is roughly equivalent to that of 768 DSA signingoperations (1,536 modular multiplications) and that of6 BLS signing operations (each one is corresponding to255 modular multiplications).

According to the report [60] on the computational over-head of signature schemes on PIII 1 GHz CPU, the signingandverification time for1,024-bit RSAwith a 1,007-bitprivatekey are 7.9 ms and 0.4 ms, for 157-bit BLS are 2.75 ms and81 ms, and for 1,024-bit DSA with a 160-bit private key(without precomputing r value) are 4.09 ms and 4.87 ms. Wecan observe that for BLS and DSA the signing is efficient butthe verification is expensive, and vice versa for RSA.Therefore, we can save more computation resource at thesender by using our batch BLS and batch DSA than batch

RSA.ItisalsomeaningfultouseourbatchBLSandbatchDSAat the receiver to save computation resources.

We also compare thelength of two popular hash algorithmMD5 [58] and SHA-1 [59] and the signature length of three


TABLE 4Computational Overhead of Different Batch Schemes

E-modular exponentiation. M-modular multiplication. P-pairing.

TABLE 3Comparisons over DoS Channels



11/12

signature algorithms in Table 5. Given thesame security levelas 1,024-bit RSA, BLS generates a 171-bit signature and DSAgenerates a 320-bit signature. It is clear that by using BLS orDSA, MABS can achieve more bandwidth efficiency thanusing RSA, and could be even more efficient than conven-tional schemes using a large number of hashes.

6 CONCLUSIONS

To reduce the signature verification overheads in the secure

multimedia multicasting, block-based authenticationschemes have been proposed. Unfortunately, most previousschemes have many problems such as vulnerability topacket loss and lack of resilience to denial of service (DoS)attack. To overcome these problems, we develop a novelauthentication scheme MABS. We have demonstrated thatMABS is perfectly resilient to packet loss due to theelimination of the correlation among packets and caneffectively deal with DoS attack. Moreover, we also showthat the use of batch signature can achieve the efficiency lessthan or comparable with the conventional schemes. Finally,we further develop two new batch signature schemes basedon BLS and DSA, which are more efficient than the batchRSA signature scheme.

ACKNOWLEDGMENTS

This work was partially supported by the US NationalScience Foundation under grants CNS-0916391, CNS-0716450, and CNS-0626881. The works of Fang and Zhuwere also partially supported by the 111 Project underGrant B08038. The work of Zhu was also partiallysupported by the National Natural Science Foundation ofChina under grant 60772136 and supported by the Funda-mental Research Funds for the Central Universities.

REFERENCES

[1] S.E. Deering, Multicast Routing in Internetworks and ExtendedLANs, Proc. ACM SIGCOMM Symp. Comm. Architectures andProtocols, pp. 55-64, Aug. 1988.

[2] T. Ballardie and J. Crowcroft, Multicast-Specific Security Threatsand Counter-Measures, Proc. Second Ann. Network and DistributedSystem Security Symp. (NDSS 95), pp. 2-16, Feb. 1995.

[3] P. Judge and M. Ammar, Security Issues and Solutions inMulicast Content Distribution: A Survey, IEEE Network Magazine,vol. 17, no. 1, pp. 30-36, Jan./Feb. 2003.

[4] Y. Challal, H. Bettahar, and A. Bouabdallah, A Taxonomy ofMulticast Data Origin Authentication: Issues and Solutions, IEEEComm. Surveys & Tutorials, vol. 6, no. 3, pp. 34-57, Oct. 2004.

[5] Y. Zhou and Y. Fang, BABRA: Batch-Based Broadcast Authenti-cation in Wireless Sensor Networks, Proc. IEEE GLOBECOM,Nov. 2006.

[6] Y. Zhou and Y. Fang, Multimedia Broadcast AuthenticationBased on Batch Signature, IEEE Comm. Magazine, vol. 45, no. 8,

pp. 72-77, Aug. 2007.

[7] K. Ren, K. Zeng, W. Lou, and P.J. Moran, On BroadcastAuthentication in Wireless Sensor Networks, Proc. First Ann. IntlConf. Wireless Algorithms, Systems, and Applications (WASA 06),Aug. 2006.

[8] S. Even, O. Goldreich, and S. Micali, On-Line/Offline DigitalSignatures, J. Cryptology, vol. 9, pp. 35-67, 1996.

[9] P. Rohatgi, A Compact and Fast Hybrid Signature Scheme forMulticast Packet, Proc. Sixth ACM Conf. Computer and Comm.Security (CCS 99), Nov. 1999.

[10] C.K. Wong and S.S. Lam, Digital Signatures for Flows andMulticasts, Proc. Sixth Intl Conf. Network Protocols (ICNP 98),pp. 198-209, Oct. 1998.

[11] C.K. Wong and S.S. Lam, Digital Signatures for Flows andMulticasts, IEEE/ACM Trans. Networking, vol. 7, no. 4, pp. 502-513, Aug. 1999.

[12] R. Gennaro and P. Rohatgi, How to Sign Digital Streams,Information and Computation, vol. 165, no. 1, pp. 100-116, Feb. 2001.

[13] R. Gennaro and P. Rohatgi, How to Sign Digital Streams, Proc.17th Ann. Cryptology Conf. Advances in Cryptology (CRYPTO 97),Aug. 1997.

[14] A. Perrig, R. Canetti, J.D. Tygar, and D. Song, EfficientAuthentication and Signing of Multicast Streams over LossyChannels, Proc. IEEE Symp. Security and Privacy (SP 00), pp. 56-75, May 2000.

[15] Y. Challal, H. Bettahar, and A. Bouabdallah, A2Cast: AnAdaptive Source Authentication Protocol for Multicast Streams,

Proc. Ninth Intl Symp. Computers and Comm. (ISCC 04), vol. 1,pp. 363-368, June 2004.

[16] S. Miner and J. Staddon, Graph-Based Authentication of DigitalStreams, Proc. IEEE Symp. Security and Privacy (SP 01), pp. 232-246, May 2001.

[17] Z. Zhang, Q. Sun, W-C Wong, J. Apostolopoulos, and S. Wee, AContent-Aware Stream Authentication Scheme Optimized forDistortion and Overhead, Proc. IEEE Intl Conf. Multimedia andExpo (ICME 06), pp. 541-544, July 2006.

[18] P. Golle and N. Modadugu, Authenticating Streamed Data in thePresence of Random Packet Loss, Proc. Eighth Ann. Network andDistributed System Security Symp. (NDSS 01), Feb. 2001.

[19] Z. Zhang, Q. Sun, and W-C Wong, A Proposal of Butterfly-Graphy Based Stream Authentication over Lossy Networks, Proc.IEEE Intl Conf. Multimedia and Expo (ICME 05), July 2005.

[20] S. Ueda, N. Kawaguchi, H. Shigeno, and K. Okada, StreamAuthentication Scheme for the Use over the IP Telephony, Proc.

18th Intl Conf. Advanced Information Networking and Application(AINA 04), vol. 2, pp. 164-169, Mar. 2004.

[21] D. Song, D. Zuckerman, and J.D. Tygar, Expander Graphs forDigital Stream Authentication and Robust Overlay Networks,Proc. 2002 IEEE Symp. Security and Privacy (S&P 02), May 2002.

[22] J.M. Park, E.K.P. Chong, and H.J. Siegel, Efficient MulticastPacket Authentication Using Signature Amortization, Proc. IEEESymp. Security and Privacy (SP 02), pp. 227-240, May 2002.

[23] J.M. Park, E.K.P. Chong, and H.J. Siegel, Efficient MulticastStream Authentication Using Erasure Codes, ACM Trans.Information and System Security, vol. 6, no. 2, pp. 258-285, May 2003.

[24] A. Pannetrat and R. Molva, Authenticating Real Time PacketStreams and Multicasts, Proc. Seventh IEEE Intl Symp. Computersand Comm. (ISCC 02), pp. 490-495, July 2002.

[25] A. Pannetrat and R. Molva, Efficient Multicast Packet Authenti-cation, Proc. 10th Ann. Network and Distributed System SecuritySymp. (NDSS 03), Feb. 2003.

[26] Y. Wu and T. Li, Video Stream Authentication in LossyNetworks, Proc. IEEE Wireless Comm. and Networking Conf.(WCNC 06), vol. 4, pp. 2150-2155, Apr. 2006.

[27] Y. Lin, S. Shieh, and W. Lin, Lightweight, Pollution-AttackResistant Multicast Authentication Scheme, Proc. ACM Symp.Information, Computer, and Comm. Security (ASIACCS 06), Mar.2006.

[28] J. Jeong, Y. Park, and Y. Cho, Efficient DoS Resistant MulticastAuthentication Schemes, Proc. Intl Conf. Computational Scienceand Its Applications (ICCSA 05), May 2005.

[29] S. Choi, Denial-of-Service Resistant Multicast AuthenticationProtocol with Prediction Hashing and One-Way Key Chain, Proc.Seventh IEEE Intl Symp. Multimedia (ISM 05), Dec. 2005.

[30] C. Karlof, N. Sastry, Y. Li, A. Perrig, and J.D. Tygar, DistillationCodes and Applications to DoS Resistant Multicast Authentica-tion, Proc. 11th Ann. Network and Distributed System Security Symp.

(NDSS 04), Feb. 2004.


TABLE 5Communication Overhead of Signature Schemes



12/12

[31] C.A. Gunter, S. Khanna, K. Tan, and S. Venkatesh, DoSProtection for Reliably Authenticated Broadcast, Proc. 11th Ann.Network and Distributed System Security Symp. (NDSS 04), Feb.2004.

[32] A. Lysyanskaya, R. Tamassia, and N. Triandopoulos, MulticastAuthentication in Fully Adversarial Networks, Proc. IEEE Symp.Security and Privacy (SP 04), May 2004.

[33] R.L. Rivest, A. Shamir, and L. Adleman, A Method for ObtainingDigital Signatures and Public-Key Cryptosystems, Comm. ACM,

vol. 21, no. 2, pp. 120-126, Feb. 1978.[34] L. Harn, Batch Verifying Multiple RSA Digital Signatures, IEE

Electronic Letters, vol. 34, no. 12, pp. 1219-1220, June 1998.[35] M. Bellare, J.A. Garay, and T. Rabin, Fast Batch Verification for

Modular Exponentiation and Digital Signatures, Proc. Advances inCryptology (EUROCRYPT 98), pp. 236-250, May 1998.

[36] D. Boneh, B. Lynn, and H. Shacham, Short Signatures from theWeil Pairing, Proc. Seventh Intl Conf. Theory and Application ofCryptology and Information Security Advances in Cryptology(ASIACRYPT 01), pp. 514-532, Dec. 2001.

[37] S. Cui, P. Duan, and C.W. Chan, An Efficient Identity-BasedSignature Scheme with Batch Verifications, Proc. First Intl Conf.Scalable Information Systems, 2006.

[38] FIPS PUB 186, Digital Signature Standard (DSS), May 1994.[39] T. ElGamal, A Public Key Cryptosystem and a Signature Scheme

Based on Discrete Logarithms, IEEE Trans. Information Theory,vol. IT-31, no. 4, pp. 469-472, July 1985.

[40] D. Naccache, D. MRaihi, S. Vaudenay, and D. Raphaeli, CanD.S.A. be Improved? Complexity Trade Offs with the DigitalSignature Standard, Proc. Workshop Theory and Application ofCryptographic Techniques Advances in Cryptology (EUROCRYPT 94),pp. 77-85, May 1995.

[41] C.H. Lim and P.J. Lee, Security of Interactive DSA BatchVerification, IEE Electronic Letters, vol. 30, no. 19, pp. 1592-1593,Sept. 1994.

[42] L. Harn, DSA-Type Secure Interactive Batch Verification Proto-cols, IEE Electronic Letters, vol. 31, no. 4, pp. 257-258, Feb. 1995.

[43] L. Harn, Batch Verifying Multiple DSA-Type Digital Signatures,IEE Electronic Letters, vol. 34, no. 9, pp. 870-871, Apr. 1998.

[44] C. Boyd and C. Pavlovski, Attacking and Repairing BatchVerification Schemes, Proc. Sixth Intl Conf. Theory and Applicationof Cryptology and Information Security Advances in Cryptology(ASIANCRYPT 00), pp. 58-71, Dec. 2000.

[45] Y. Desmedt, Y. Frankel, and M. Yung, Multi-Receiver/Multi-Sender Network Security: Efficient Authenticated Multicast/Feedback, Proc. IEEE INFOCOM, vol. 3, pp. 2045-2054, May 1992.

[46] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B.Pinkas, Multicast Security: A Taxonomy and Some EfficientConstructions, Proc. IEEE INFOCOM, vol. 2, pp. 708-716, Mar.1999.

[47] L. Lamport, Password Authentication with Insecure Commu-nication, Comm. ACM, vol. 24, no. 11, pp. 770-772, Nov. 1981.

[48] N.M. Haller, The S/Key One-Time Password System, Proc.ISOC Symp. Network and Distributed Security, Feb. 1994.

[49] F. Bergadano, D. Cavagnino, and B. Crispo, Individual Single-Source Authentication on The Mbone, Proc. IEEE Intl Conf.

Multimedia and Expo (ICME 00), vol. 1, pp. 541-544, July 2000.[50] A. Perrig, R. Canetti, D. Song, and J. Tygar, Efficient and Secure

Source Authentication for Multicast, Proc. Network and DistributedSystem Security Symp. (NDSS 01), 2001.

[51] A. Perrig, The BiBa One-Time Signature and Broadcast Authen-tication Protocol, Proc. Eighth ACM Conf. Computer and Comm.Security (CCS 01), pp. 28-37, Nov. 2001.

[52] Q. Li and W. Trappe, Reducing Delay and Enhancing DoSResistance in Multicast Authentication through MultigradeSecurity, IEEE Trans. Info. Forensics and Security, vol. 1, no. 2,pp. 190-204, June 2006.

[53] S. Xu and R. Sandhu, Authenticated Multicast Immune to Denial-of-Service Attack, Proc. ACM Symp. Applied Computing (SAC 02),2002.

[54] S. Rafaeli and D. Hutchison, A Survey of Key Management forSecure Group Communication, ACM Computing Surveys, vol. 35,no. 3, pp. 309-329, Sept. 2003.

[55] N. Koblitz, Elliptic Curve Cryptosystems, Math. Computation,vol. 48, pp. 203-209, 1987.

[56] V. Miller, Uses of Elliptic Curves in Cryptography, Proc. Intl

C t l C f (CRYPTO 85) 417 426 1986

[57] R. Merkle, Protocols for Public Key Cryptosystems, Proc. IEEESymp. Security and Privacy, Apr. 1980.

[58] R. Rivest, The MD5 Message-Digest Algorithm, RFC 1319, Apr.1992.

[59] D. Eastlake and P. Jones, US Secure Hash Algorithm 1 (SHA1),RFC 3174, Sept. 2001.

[60] P. Barreto, H. Kim, B. Lynn, and M. Scott, Efficient Algorithmsfor Pairing-Based Cryptosystems, Proc. Intl Cryptology Conf.(CRYPTO 02), 2002.

Yun Zhou received the BE degree in electronicinformation engineering and the ME degree incommunication and information system from theDepartment of Electronic Engineering and In-formation Science, University of Science andTechnology, Hefei, China, in 2000 and 2003,respectively, and the PhD degree from theDepartment of Electrical and Computer Engi-neering, University of Florida, Gainesville, in2007. He is currently with Microsoft Corporation.

His research interests include security, cryptography, wireless commu-nications and networking, signal processing, and operating systems.

Xiaoyan Zhu received the BE, ME, and PhDdegrees from the School of TelecommunicationsEngineering at Xidian University, Xian, China, in

2000, 2004, and 2009, respectively. She is nowa visiting research scholar in the Department ofElectrical and Computer Engineering at theUniversity Florida, Gainesville, on leave fromthe School of Telecommunications Engineering,Xidian University, Xian, China, where she is alecturer. Her research interests include wireless

networks, network security, and network coding.

Yuguang Fang received the PhD degree insystems engineering from Case Western Re-serve University in 1994 and the PhD degree inelectrical engineering from Boston University in1997. He was an assistant professor in theDepartment of Electrical andComputer Engineer-ingat theNew Jersey Institute of Technology from1998 to 2000. He then joined the Department ofElectrical and Computer Engineering at Univer-sity of Florida in 2000 as an assistant professor,

got an early promotion to an associate professor with tenure in 2003, andto a full professor in 2005. He holds a University of Florida ResearchFoundation (UFRF) Professorship from 2006 to 2009, a Changjiangscholarchair professorship withXidianUniversity,Xian,China,from 2008to 2011, and a guest chair professorship with Tsinghua University, China,from 2009 to 2012. He has published more than 250 papers in refereedprofessional journals and conferences. He received the US NationalScience Foundation Faculty Early Career Award in 2001 and the USOffice of Naval Research Young Investigator Award in 2002, and is therecipient of the BestPaper Award fromthe IEEEInternational Conferenceon Network Protocols (ICNP) in 2006 and the IEEE TCGN Best PaperAward from the IEEE High-Speed Networks Symposium, IEEE GLOBE-COM, in 2002. He is also active in professional activities. He is currentlyserving as the editor-in-chief for IEEE Wireless Communications andserves/served on several editorial boards of technical journals includingthe IEEE Transactions on Communications, the IEEE Transactions onWireless Communications, IEEE Wireless Communications Magazine,and ACM Wireless Networks. Hewasan editorfor the IEEE Transactionson Mobile Computingand currently serves on its steering committee. Hehas been actively participating in professional conference organizationssuch as serving as the steering committee cochair for QShine (2004-2008), the technical program vice-chair for IEEE INFOCOM 2005, atechnical program symposium cochair for IEEE GLOBECOM 2004, anareatechnicalprogramcommittee chair forIEEE INFOCOM(2009-2010),and a member of the technical program committee for IEEE INFOCOM(1998, 2000, 2003-2008) andACM MobiHoc(2008-2009). He is a fellow ofthe IEEE and the IEEE Computer Society and a member of the ACM.


Documents

MABS Multicast Authentication Based on Batch Signature (2)