## Are you sure?

This action might not be possible to undo. Are you sure you want to continue?

**Based on Batch Signature
**

Yun Zhou, Xiaoyan Zhu, and Yuguang Fang, Fellow, IEEE

Abstract—Conventional block-based multicast authentication schemes overlook the heterogeneity of receivers by letting the sender

choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the

signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them

vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service (DoS)

resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast

authentication protocol, namely MABS, including two schemes. The basic scheme (MABS-B) eliminates the correlation among packets

and thus provides the perfect resilience to packet loss, and it is also efficient in terms of latency, computation, and communication

overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets

simultaneously. We also present an enhanced scheme MABS-E, which combines the basic scheme with a packet filtering mechanism

to alleviate the DoS impact while preserving the perfect resilience to packet loss.

Index Terms—Multimedia, multicast, authentication, signature.

Ç

1 INTRODUCTION

M

ULTICAST [1] is an efficient method to deliver multi-

media content from a sender to a group of receivers

and is gaining popular applications such as realtime stock

quotes, interactive games, video conference, live video

broadcast, or video on demand. Authentication is one of

the critical topics in securing multicast [2], [3], [4], [5], [6],

[7] in an environment attractive to malicious attacks.

Basically, multicast authentication may provide the follow-

ing security services:

1. Data integrity: Each receiver should be able to

assure that received packets have not been modified

during transmissions.

2. Data origin authentication: Each receiver should be

able to assure that each received packet comes from

the real sender as it claims.

3. Nonrepudiation: The sender of a packet shouldnot be

able to deny sending the packet to receivers in case

there is a dispute between the sender and receivers.

All the three services can be supported by an asymmetric

key technique called signature. In an ideal case, the sender

generates a signature for each packet with its private key,

which is called signing, and each receiver checks the validity

of the signature with the sender’s public key, which is

called verifying. If the verification succeeds, the receiver

knows the packet is authentic.

Designing a multicast authentication protocol is not an

easy task. Generally, there are following issues in real world

challenging the design. First, efficiency needs to be

considered, especially for receivers. Compared with the

multicast sender, which could be a powerful server,

receivers can have different capabilities and resources. The

receiver heterogeneity requires that the multicast authenti-

cation protocol be able to execute on not only powerful

desktop computers but also resource-constrained mobile

handsets. In particular, latency, computation, and commu-

nication overhead are major issues to be considered. Second,

packet loss is inevitable. In the Internet, congestion at

routers is a major reason causing packet loss. An overloaded

router drops buffered packets according to its preset control

policy. Though TCP provides a certain retransmission

capability, multicast content is mainly transmitted over

UDP, which does not provide any loss recovery support. In

mobile environments, the situation is even worse. The

instability of wireless channel can cause packet loss very

frequently. Moreover, the smaller data rate of wireless

channel increases the congestion possibility. This is not

desirable for applications like realtime online streaming or

stock quotes delivering. End users of online streaming will

start to complain if they experience constant service

interruptions due to packet loss, and missing critical stock

quotes can cause severe capital loss of service subscribers.

Therefore, for applications where the quality of service is

critical to end users, a multicast authentication protocol

should provide a certain level of resilience to packet loss.

Specifically, the impact of packet loss on the authenticity of

the already-received packets should be as small as possible.

Efficiency and packet loss resilience can hardly be

supported simultaneously by conventional multicast

982 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

. Y. Zhou is with Microsoft Corporation, 1 Microsoft Way, Redmond, WA

98052-8300. E-mail: yun.zhou@microsoft.com.

. X. Zhu is with the National Key Laboratory of Integrated Services

Networks, Xidian University, PO Box 106, 2 South Taibai Road, Xi’an,

Shaanxi 10071, China. E-mail: xyzhu@mail.xidian.edu.cn.

. Y. Fang is with the Department of Electrical and Computer Engineering,

University of Florida, 435 New Engineering Building, PO Box 116130,

Gainesville, FL 32611, and with the National Key Laboratory of Integrated

Services Networks, Xidian University, Xi’an 710071, China.

E-mail: fang@ece.ufl.edu.

Manuscript received 28 Jan. 2008; revised 30 Jan. 2009; accepted 17 Oct.

2009; published online 23 Feb. 2010.

For information on obtaining reprints of this article, please send e-mail to:

tmc@computer.org, and reference IEEECS Log Number TMC-2008-01-0026.

Digital Object Identifier no. 10.1109/TMC.2010.37.

1536-1233/10/$26.00 ß 2010 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

schemes. As is well known that existing digital signature

algorithms are computationally expensive, the ideal ap-

proach of signing and verifying each packet independently

raises a serious challenge to resource-constrained devices.

In order to reduce computation overhead, conventional

schemes use efficient signature algorithms [8], [9] or

amortize one signature over a block of packets [10], [11],

[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],

[24], [25], [26] at the expense of increased communication

overhead [8], [9], [10], [11] or vulnerability to packet loss

[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],

[24], [25], [26].

Another problem with schemes in [8], [9], [10], [11], [12],

[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],

[25], [26] is that they are vulnerable to packet injection by

malicious attackers. An attacker may compromise a multi-

cast system by intentionally injecting forged packets to

consume receivers’ resource, leading to Denial of Service

(DoS). Compared with the efficiency requirement and packet

loss problems, the DoS attack is not common, but it is still

important in hostile environments. In the literature, some

schemes [27], [28], [29], [30], [31], [32] attempt to provide the

DoS resilience. However, they still have the packet loss

problem because they are based on the same approach as

previous schemes [10], [11], [22], [23], [24], [25], [26].

Recently, we demonstrated that batch signature schemes

can be used to improve the performance of broadcast

authentication [5], [6]. In this paper, we present our

comprehensive study on this approach and propose a novel

multicast authentication protocol called MABS (in short for

Multicast Authentication based on Batch Signature). MABS

includes two schemes. The basic scheme (called MABS-B

hereafter) utilizes an efficient asymmetric cryptographic

primitive called batch signature [33], [34], [35], [36], [37], [38],

[39], [40], [41], [42], [43], [44], which supports the

authentication of any number of packets simultaneously

with one signature verification, to address the efficiency

and packet loss problems in general environments. The

enhanced scheme (called MABS-E hereafter) combines

MABS-B with packet filtering to alleviate the DoS impact

in hostile environments. MABS provides data integrity,

origin authentication, and nonrepudiation as previous

asymmetric key based protocols. In addition, we make the

following contributions:

1. Our MABS can achieve perfect resilience to packet

loss in lossy channels in the sense that no matter

how many packets are lost the already-received

packets can still be authenticated by receivers.

2. MABS-B is efficient in terms of less latency,

computation, and communication overhead. Though

MABS-E is less efficient than MABS-B since it

includes the DoS defense, its overhead is still at the

same level as previous schemes.

3. We propose two new batch signature schemes based

on BLS [36] and DSA [38] and show they are more

efficient than the batch RSA [33] signature scheme.

The rest of the paper is organized as follows: We briefly

review related work in Section 2. Then, we present a basic

scheme for lossy channels in Section 3, which also includes

three batch signature schemes based on RSA [33], BLS [36],

and DSA, respectively [38]. An enhanced scheme is

discussed in Section 4. After performance evaluation in

Section 5, the paper is concluded in Section 6.

2 RELATED WORK

Schemes in [8], [9] follow the ideal approach of signing and

verifying each packet individually, but reduce the compu-

tation overhead at the sender by using one-time signatures

[8] or /-time signatures [9]. They are suitable for RSA [33],

which is expensive on signing while cheap on verifying. For

each packet, however, each receiver needs to perform one

more verification on its one-time or /-time signature plus

one ordinary signature verification. Moreover, the length of

one-time signature is too long (on the order of 1,000 bytes).

Tree chaining was proposed in [10], [11] by constructing

a tree for a block of packets. The root of the tree is signed by

the sender. Each packet carries the signed root and multiple

hashes. When each receiver receives one packet in the block,

it uses the authentication information in the packet to

authenticate it. The buffered authentication information is

further used to authenticate other packets in the same block.

Without the buffered authentication information, each

packet is independently verifiable at a cost of per-packet

signature verification.

Graph chaining was studied in [12], [13], [14], [15], [16],

[17], [18], [19], [20], [21]. A multicast stream is divided into

blocks and each block is associated with a signature. In each

block, the hash of each packet is embedded into several

other packets in a deterministic or probabilistic way. The

hashes form a graph, in which each path links a packet to

the block signature. Each receiver verifies the block

signature and authenticates all the packets through the

paths in the graph.

Erasure codes were used in [22], [23], [24], [25], [26]. A

signature is generated for the concatenation of the hashes of

all the packets in one block and then is erasure-coded into

many pieces. Erasure codes make each receiver be capable

of recovering the block signature when receiving at least a

certain number of pieces.

All these schemes [10], [11], [12], [13], [14], [15], [16], [17],

[18], [19], [20], [21], [22], [23], [24], [25], [26] are indeed

computationally efficient since each receiver needs to verify

only one signature for a block of packets. However, they all

increase packet overhead for hashes or erasure codes and

the block design introduces latency when buffering many

packets. Another major problem is that most schemes [12],

[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],

[25], [26] are vulnerable to packet loss even though they are

designed to tolerate a certain level of packet loss. If too

many packets are lost, other packets may not be authenti-

cated. In particular, if a block signature is lost, the entire

block cannot be authenticated.

Moreover, previous schemes [8], [9], [10], [11], [12], [13],

[14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25],

[26] target at lossy channels, which are realistic in our daily

life since the Internet and wireless networks suffer from

packet loss. In a hostile environment, however, an active

attacker can inject forged packets to consume receivers’

resource, leading to DoS. In particular, schemes in [8], [9],

[10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21]

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

are vulnerable to forged signature attacks because they

require each receiver to verify each signature whereby to

authenticate data packets, and schemes in [22], [23], [24],

[25], [26] suffer from packet injection because each receiver

has to distinguish a certain number of valid packets from a

pool of a large number of packets including injected ones,

which is very time-consuming.

In order to deal with DoS, schemes in [27], [28], [29], [30],

[31], [32] were proposed. PARM [27] is similar to the tree

chaining scheme [10], [11] in the sense that multiple one-

way hash chains are used as shared keys between the

sender and receivers. Schemes in [28], [29] combine erasure

codes with one-way hash chains to detect forged packets.

Unfortunately, these schemes [27], [28], [29] are still

vulnerable to DoS because they require that one-way hash

chains are signed and transmitted to each receiver and

therefore an attacker can inject forged signatures for one-

way hash chains.

PRABS [30] uses distillation codes to deal with DoS. In

particular, valid packets and forged packets are partitioned

into disjoint sets and erasure decoding is performed over

each set. BAS [31] simply retransmits each signature

multiple times to tolerate packet loss and uses selective

verification to tolerate injected forged signatures. LTT [32]

uses error correction codes to replace erasure codes in

schemes [22], [23], [24], [25], [26]. The reason is that error

correction codes tolerate error packets. These three schemes

[30], [31], [32] are resilient to DoS, but they still have the

packet loss problem.

Some other schemes [45], [46], [47], [48], [49], [50], [51],

[52], [53] use shared symmetric keys between the sender and

receivers to authenticate multicast streams. Though they are

more efficient than those using signatures, they cannot

provide nonrepudiation as the signature approach, and they

require either time synchronization or trustful infrastruc-

tures. In this paper, we focus on the signature approach.

Though confidentiality is another important issue for

securing multicast, it can be achieved through group key

management [54]. In this paper, we focus on multicast

authentication.

3 BASIC SCHEME

Our target is to authenticate multicast streams from a sender

to multiple receivers. Generally, the sender is a powerful

multicast server managed by a central authority and can be

trustful. The sender signs each packet with a signature and

transmits it to multiple receivers through a multicast routing

protocol. Eachreceiver is aless powerful device withresource

constraints and may be managed by a nontrustworthy

person. Each receiver needs to assure that the received

packets are really from the sender (authenticity) and the

sender cannot deny the signing operation (nonrepudiation)

by verifying the corresponding signatures.

Ideally, authenticating a multicast stream can be

achieved by signing and verifying each packet. However,

the per-packet signature design has been criticized for its

high computation cost, and therefore, most previous

schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],

[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],

[32] incorporate a block-based design as shown in Section 2.

They do reduce the computation cost, but also introduce

new problems. The block design builds up correlation

among packets and makes them vulnerable to packet loss,

which is inherent in the Internet and wireless networks.

Received packets may not be authenticated because some

correlated packets are lost.

Also, the heterogeneity of receivers means that the buffer

resource at each receiver is different and can vary over the

timedependingontheoverall loadat thereceiver. Intheblock

design, the requiredblocksize, whichis chosenbythe sender,

may not be satisfied by each receiver.

Third, the correlation among packets can incur addi-

tional latency. Consider the high layer application needs

new data from the low layer authentication module in order

to render a smooth video stream to the client user. It is

desirable that the lower layer authentication module

delivers authenticated packets to the high layer application

at the time when the high layer application needs new data.

In the per-packet signature design it is not a problem, since

each packet can be independently verifiable at any time. In

the block design, however, it is possible that the packets

buffered at the low layer authentication module are not

verifiable because the correlated packets, especially the

block signatures, have not been received. Therefore, the

high layer application has to either wait, which leads to

additional latency, or return with a no-available-packets

exception, which could be interpreted as that the buffered

packets are “lost.” This latency, which is incurred at the

high layer when the high layer application waits for the

buffered packets to become verifiable, is different from the

buffering latency, which is required for the low layer

authentication protocol to buffer received packets.

In view of the problems regarding the sender-favored

block-based approach, we conceive a receiver-oriented

approach by taking into account the heterogeneity of the

receivers. As receiving devices have different computation

and communication capabilities, some could be powerful

desktop computers, while the others could be cheap

handsets with limited buffers and low-end CPUs. Mixed

with various channel loss rates, this heterogeneity poses a

demand on the capability of adjusting the buffer size and

authenticating buffered packets any time when the high

layer application requires at each receiver.

In order to fulfill the requirement, the basic scheme

MABS-B uses an efficient cryptographic primitive called

batch signature [33], [34], [35], [36], [37], [38], [39], [40], [41],

[42], [43], [44], which supports simultaneously verifying the

signatures of any number of packets. In particular, when a

receiver collects i packets:

j

i

¼ fi

i

. o

i

g. i ¼ 1. . . . . i.

where i

i

is the data payload, o

i

is the corresponding

signature, and i can be any positive integer, it can input

them into an algorithm

BatchVerifyðj

1

. j

2

. . . . . j

i

Þ 2 fTinc. 1o|:cg.

If the output is Tinc, the receiver knows the i packets are

authentic, and otherwise not.

To support authenticity and efficiency, the BatchVerifyðÞ

algorithm should satisfy the following properties:

984 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

1. Given a batch of packets that have been signed by

the sender, BatchVerifyðÞ outputs Tinc.

2. Given a batch of packets including some unauthentic

packets, the probability that BatchVerifyðÞ outputs

Tinc is very low.

3. The computation complexity of BatchVerifyðÞ is

comparable to that of verifying one signature and

is increased only gradually when the batch size i

is increased.

The computation complexity of BatchVerifyðÞ comes

with the fact that there are some additional cost on

processing multiple packets. As we will show later, those

additional computations are mostly modular additions and

multiplications, which are much faster than modular

exponentiations required in final signature verifications.

Theoretically, a concern comes when the cost grows higher

than the final signature verification if the batch size is too

large. However, it is not the case in reality. The merit of

batch signature is that the batch size is chosen by each

receiver, which can optimize its own batch size, so that the

batch size will not be unmanageably large. Most important,

we will show later that in the implementation of batch

signature a technique called signature preaggregation can be

used so that the additional processing of multiple packets is

shifted from the time of final batch verification to the time

of each packet reception and thus the cost of final batch

signature verification is exactly the same as that of original

signature verification.

In order to show the merit of signature preaggregation,

we implemented batch signature by using our Batch-BLS

(will be discussed later) as an example. We measured the

normalized time cost of batch signature verification with

the batch size growing from 1 to 1,000, and recorded the

results for two scenarios, with and without signature

preaggregation. The result is shown in Fig. 1. We can see

that the time cost of general batch verification (without

signature aggregation) is still less than that of two single

signature verifications when batch size grows up to about

270, which validates the third property of batch signature.

The other curve in Fig. 1 shows that if the signature

preaggregation is used, then the final batch verification has

the same cost of single signature verification, no matter how

large the batch size is.

MABS-B uses per-packet signature instead of per-block

signature and thus eliminates the correlation among

packets. The packet independency makes MABS-B perfect

resilient to packet loss. The Internet and wireless channels

tend to be lossy due to congestion or channel instability,

where packets can be lost according to different loss

models, such as random loss or burst loss. In MABS-B,

however, no matter how many packets are lost, the already-

received packets can still be authenticated by each receiver.

This is a significant advantage over previous schemes [10],

[11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22],

[23], [24], [25], [26], [27], [28], [29], [30], [31], [32]. Mean-

while, efficiency can also be achieved because a batch of

packets can be authenticated simultaneously through one

batch signature verification operation. The packet indepen-

dency also brings other benefits in terms of smaller latency

and communication overhead compared with previous

schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],

[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],

[32]. In particular, each receiver can verify the authenticity

of all the received packets in its buffer whenever the high

layer applications require, and there is no additional hash

or code overhead in each packet.

Next, we present three implementations. In addition to

the one based on RSA [33], we propose two new batch

signature schemes based on BLS [36] and DSA [38], which

are more efficient than batch RSA. We must point out and

will show later that MABS is independent from these

signature algorithms. This independency brings the free-

dom to optimize MABS for a particular physical system or

platform as much as possible.

3.1 Batch RSA Signature

3.1.1 RSA

RSA [33] is a very popular cryptographic algorithm in

many security protocols. In order to use RSA, a sender

chooses two large random primes 1 and Q to get ` ¼ 1Q,

and then calculates two exponents c. d 2 ZZ

Ã

`

such that

cd ¼ 1 iod cð`Þ, where cð`Þ ¼ ð1 À1ÞðQÀ1Þ. The sender

publishes ðc. `Þ as its public key and keeps d in secret as its

private key. A signature of a message i can be generated as

o ¼ ð/ðiÞÞ

d

iod `, where /ðÞ is a collision-resistant hash

function. The sender sends fi. og to a receiver that can

verify the authenticity of the message i by checking

o

c

¼ /ðiÞ iod `.

3.1.2 Batch RSA

To accelerate the authentication of multiple signatures,

the batch verification of RSA [34], [35] can be used. Given

i packets fi

i

. o

i

g. i ¼ 1. . . . . i, where i

i

is the data

payload, o

i

is the corresponding signature and i is any

positive integer, the receiver can first calculate /

i

¼ /ði

i

Þ

and then perform the following verification:

Y

i

i¼1

o

i

!

c

iod ` ¼

Y

i

i¼1

/

i

iod `. ð1Þ

If all i packets are truly from the sender, the equation holds

because

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 985

Fig. 1. Normalized time cost of Batch-BLS signature verification.

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

Y

i

i¼1

o

i

!

c

iod ` ¼

Y

i

i¼1

o

c

i

iod `

¼

Y

i

i¼1

/

cd

i

iod `

¼

Y

i

i¼1

/

i

iod `.

ð2Þ

Before the batch verification, the receiver must ensure all

the messages are distinct. Otherwise batch RSAis vulnerable

to the forgery attack [35]. This is easy to implement because

sequence numbers are widely used in many network

protocols and can ensure all the messages are distinct. It

has been proved in [35] that when all the messages are

distinct, batch RSAis resistant to signature forgery as long as

the underlying RSA algorithm is secure.

In some circumstances, an attacker may not forge

signatures but manipulate authentic packets to produce

invalid signatures. For example, given two packets fi

i

. o

i

g

and fi

,

. o

,

g for i 6¼ ,, the attacker can modify them into

fi

i

. o

i

`g and fi

,

. o

,

´`g. The modified packets can still pass

the batch verification, but the signature of each packet is not

correct (that is why batch RSA verification is called screening

in [35]). However, the attacker can do this only when it gets

fi

i

. o

i

g and fi

,

. o

,

g, which means the message i

i

and i

,

have been correctly signed by the sender. Therefore, this

attack is of no harm to the receiver [35].

3.1.3 Requirements to the Sender

In most RSA implementations, the public key c is usually

small (c ¼ 3 for instance) while the private key d is large.

Therefore, the RSA signature verification is efficient while

the signature generation is expensive. This poses a

challenge to the computation capability of the sender

because the sender needs to sign each packet. Choosing a

small private key d can improve the computation efficiency

but compromise the security. If the sender does not have

enough resource, a pair of fc. dg with comparable sizes can

achieve a certain level of trade-off between computation

efficiency and security at the sender part. If the sender is a

powerful server, then signing each packet can be affordable

in this scenario. Next, we propose two efficient batch

signature schemes based on BLS [36] and DSA [38], which

can reduce the computation complexity at the sender.

3.2 Batch BLS Signature

Here, we propose a batch signature scheme based on the

BLS signature in [36].

3.2.1 BLS

The BLS signature scheme uses a cryptographic primitive

called pairing, which can be defined as a map over two

cyclic groups G

1

and G

2

, c : G

1

ÂG

1

! G

2

, satisfying the

following properties:

1. Bilinear: For all n. . 2 G

1

and o. / 2 ZZ, we have

cðn

o

. .

/

Þ ¼ cðn. .Þ

o/

.

2. Nondegenerate: For the generator o

1

of G

1

, i.e.,

o

j

1

¼ 1 2 G

1

, where j is the order of G

1

, we have

cðo

1

. o

1

Þ 6¼ 1 2 G

2

.

The BLS signature scheme consists of three phases:

1. In the key generation phase, a sender chooses a

random integer r 2 ZZ

j

and computes n ¼ o

1

r

2 G

1

.

The private key is r and the public key is n.

2. Given a message i 2 f0. 1g

Ã

in the signing phase, the

sender first computes / ¼ /ðiÞ 2 G

1

, where /ðÞ is a

hash function, then computes o ¼ /

r

2 G

1

. The

signature of i is o.

3. In the verification phase, the receiver first computes

/¼/ðiÞ2G

1

and then check whether cð/.nÞ¼cðo.o

1

Þ.

If the verification succeeds, then the message i is authentic

because

cð/. nÞ ¼ cð/. o

1

r

Þ ¼ cð/

r

. o

1

Þ ¼ cðo. o

1

Þ. ð3Þ

One merit of the BLS signature is that it can generate

a very short signature. It has been shown in [36] that an

i-bit BLS signature can provide a security level equiva-

lent to solving a Discrete Log Problem (DLP) [39] over a

finite field of size approximately 2

6i

. Therefore, a 171-bit

BLS signature provides the same level of security as a

1,024-bit DLP-based signature scheme such as DSA [38].

This is a very nice choice in the scenario where

communication overhead is an important issue.

3.2.2 Batch BLS

Based on BLS, we propose our batch BLS scheme here.

Given i packets fi

i

. o

i

g. i ¼ 1. . . . . i, the receiver can verify

the batch of BLS signatures by first computing /

i

¼ /ði

i

Þ.

i ¼ 1. . . . . i and then checking whether cð

Q

i

i¼1

/

i

. nÞ ¼

cð

Q

i

i¼1

o

i

. o

1

Þ. This is because if all the messages are

authentic, then

c

Y

i

i¼1

/

i

. n

!

¼

Y

i

i¼1

cð/

i

. o

1

r

Þ

¼

Y

i

i¼1

c

À

/

i

r

. o

1

Á

¼ c

Y

i

i¼1

o

i

. o

1

!

.

ð4Þ

We can prove that our batch BLS is secure to signature

forgery as long as BLS is secure to signature forgery.

Theorem 1. Suppose an attacker A can break the batch BLS by

forging signatures. Then, another attacker B can break BLS

under the chosen message attack by colluding with A.

Proof. Suppose B is given i À1 messages and their valid

signatures fi

i

. o

i

g. i ¼ 1. . . . . i À1, B can forge a signa-

ture o

i

for any chosen message i

i

, such that fi

i

. o

i

g

satisfies the BLS signature scheme, by colluding with A

in the following steps:

1. B sends i messages i

i

. i ¼ 1. . . . . i and i À1

signatures o

i

. i ¼ 1. . . . . i À1 to A.

2. Because A can break the batch BLS scheme, A

generates i false signatures o

i

0

. i ¼ 1. . . . . i that

pass the batch BLS verification, then returns to B a

value \ ¼

Q

i

i¼1

o

i

0

.

3. B computes o

i

¼ \ ´

Q

iÀ1

i¼1

o

i

as the signature for

i

i

, because

986 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

c

Y

i

i¼1

/

i

. n

!

¼ cð\ . o

1

Þ

) c

Y

i

i¼1

/

i

. n

!

¼ c

Y

i

i¼1

o

i

. o

1

!

) c

Y

iÀ1

i¼1

/

i

. n

!

cð/

i

. nÞ ¼ c

Y

iÀ1

i¼1

o

i

. o

1

!

cðo

i

. o

1

Þ

) cð/

i

. nÞ ¼ cðo

i

. o

1

Þ .

ð5Þ

tu

Since BLS is forgery-secure under the chosen message

attack [36], our batch BLS scheme is also secure to forgery

under the chosen message attack.

Also like batch RSA, an attacker may not forge signatures

but manipulate authentic packets to produce invalid

signatures. For instance, two packets fi

i

. o

i

g and fi

,

. o

,

g

for i 6¼ , can be replaced with fi

i

. o

i

`g and fi

,

. o

,

´`g and

still pass the batch verification. However, it does not affect

the correctness and the authenticity of i

i

and i

,

because

they have been correctly signed by the sender.

3.2.3 Requirements to the Sender

In our batch BLS, the sender needs to sign each packet.

Because BLS can provide a security level equivalent to

conventional RSA and DSA with much shorter signature

[36], the signing operation is more efficient than the RSA

signature generation. Moreover, BLS can be implemented

over elliptic curves [55], [56], which have been shown in the

literature to be more efficient than finite integer fields on

which RSA is implemented. Therefore, we can expect that

our batch BLS is more affordable by the sender than batch

RSA and also achieve computation efficiency at the receiver.

3.3 Batch DSA Signature

DSA [38] is another popular digital signature algorithm.

Unlike RSA, which is based on the hardness of factoring

two large primes, DSA is deemed secure based on the

difficulty of solving DLP [39]. A batch DSA signature

scheme was proposed in [40], but later was found insecure

[41]. Harn improved the security of [40] in [42], [43].

Unfortunately, Boyd and Pavlovski pointed out in [44] that

Harn’s work is still vulnerable to malicious attacks. Here,

we propose a batch DSA scheme based on Harn’s work and

counteract the attack described in [44].

3.3.1 Harn DSA

In Harn DSA [43], some system parameters are defined as:

1. j, a prime longer than 512 bits.

2. c, a 160-bit prime divisor of j À1.

3. o, a generator of ZZ

Ã

j

with order c, i.e., o

c

¼ 1 iod j.

4. r, the private key of the signer, 0 < r < c.

5. n, the public key of the signer, n ¼ o

r

iod j.

6. /ðÞ, a hash function generating an output in ZZ

Ã

c

.

Given a message i, the signer generates a signature by:

1. randomly selecting an integer / with 0 < / < c,

2. computing / ¼ /ðiÞ,

3. computing i ¼ ðo

/

iod jÞ iod c, and

4. computing : ¼ i/ À/r iod c.

The signature for i is ði. :Þ.

The receiver can verify the signature by first computing

/ ¼ /ðiÞ and then checking whether

ððo

:i

À1

n

/i

À1

Þ iod jÞ iod c ¼ i.

This is because if the packet is authentic, then

ððo

:i

À1

n

/i

À1

Þ iod jÞ iod c

¼ ððo

ð:þ/rÞi

À1

Þ iod jÞ iod c

¼ ðo

/

iod jÞ iod c

¼ i.

ð6Þ

3.3.2 Harn Batch DSA

Given i packets fi

i

. ði

i

. :

i

Þg. i ¼ 1. . . . . i, the receiver can

verify the batch of signatures by first computing /

i

¼ /ði

i

Þ

and then checking whether

o

P

i

i¼1

:

i

i

i

À1

n

P

i

i¼1

/

i

i

i

À1

iod j

iod c ¼

Y

i

i¼1

i

i

iod c . ð7Þ

This is because, if the batch of packets is authentic, then

o

P

i

i¼1

:

i

i

i

À1

n

P

i

i¼1

/

i

i

i

À1

iod j

iod c

¼ o

P

i

i¼1

ð:iþ/i rÞii

À1

iod j

iod c

¼ o

P

i

i¼1

/i

iod j

iod c

¼

Y

i

i¼1

i

i

iod c.

ð8Þ

3.3.3 The Boyd-Pavlovski Attack

Boyd and Pavlovski [44] pointed out an attack against the

Harn batch DSA scheme [43], where an attacker can forge

signatures for any chosen message set that has not been

signed by the sender. The process is:

1. Choose 1 and C, calculate ¹ ¼ ðo

1

n

C

iod jÞ iod c.

2. For any message set i

i

, i ¼ 1. . . . . i, randomly

choose i

i

, i ¼ 1. . . . . i À2.

3. Compute i

iÀ1

and i

i

to ensure that

Y

i

i¼1

i

i

iod c ¼ ¹ iod c ð9Þ

X

i

i¼1

/

i

i

i

À1

iod c ¼ C iod c. ð10Þ

4. Randomly choose :

i

, i ¼ 1. . . . . i À1 and compute :

i

to ensure that

X

i

i¼1

:

i

i

i

À1

iod c ¼ 1 iod c. ð11Þ

The probability that fi

i

. i

i

. :

i

g, i ¼ 1. . . . . i are forged

messages satisfying the batch verification is

1

2

[44].

3.3.4 Our Batch DSA

In order to counteract the Boyd-Pavlovski attack, our batch

DSA makes an improvement to the Harn DSA algorithm.

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 987

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

We replace the hash operation /ðiÞ in the signature

generation and verification process with /ði. iÞ. All the

other steps are the same as those in Harn’s scheme.

Though it is simple, our method can significantly

increase the security of batch DSA. In the Boyd-Pavlovski

attack, the attacker can compute i

i

values according to (9)

and (10) because parameters ¹, C, /

i

values are known. By

introducing i

i

into the hash operation, the hash values /

i

in

(10) are unknown to the attacker. Therefore, the attacker

cannot compute i

i

values and the forgery attack discussed

in [44] is defeated.

Like the cases inbatchRSAandour batchBLS, the attacker

may manipulate authentic packets fi

i

. ði

i

. :

i

Þg to produce

invalid signatures fi

i

. ði

i

0

. :

i

0

Þg, which can still pass the

batch verification. The attacker can keep i

i

unchanged,

randomly choose :

i

0

, i ¼ 1. . . . . i À1 and solve :

i

0

satisfying

X

i

i¼1

:

i

0

i

i

À1

iod c ¼

X

i

i¼1

:

i

i

i

À1

iod c. ð12Þ

However, this attack does not affect the correctness and

authenticity of messages because they have been really

signed by the sender [44]. Therefore, the receiver can still

accept them because the batch verification succeeds.

3.3.5 Requirements to the Sender

In batch RSA and our batch BLS, the sender needs to

compute one modular exponentiation to sign each packet.

In our batch DSA, the sender needs to compute one

modular exponentiation to get i and two modular multi-

plications to get :. However, i is independent on the

message i. Therefore, the sender can generate many

i values offline. When the sender starts a multicast session,

it can use reserved i values to compute : values. In this

way, only two modular multiplications are necessary to

sign a packet. Therefore, our batch DSA is much more

efficient than batch RSA and our batch BLS at the sender,

while also achieving computation efficiency at the receiver.

3.4 Preaggregation of Message Hashes and

Signatures

If we take a closer look at batch-RSA and batch-BLS, we can

notice that they use exactly the orignal RSA and BLS

algorithms, respectively. The only difference is that the

batch algorithms take the aggregations of message hashes

and signatures f

Q

i

i¼1

/

i

.

Q

i

i¼1

o

i

g as the parameters to the

original signature algorithms. This aggregation is indepen-

dent of the final signature verification. Therefore, each

receiver can compute and update f

Q

i

i¼1

/

i

.

Q

i

i¼1

o

i

g after

receiving every packet. When the time of batch verification

comes, each receiver needs just one signature verification.

For batch-DSA, the aggregations of message hashes and

signatures f

P

i

i¼1

:

i

i

i

À1

.

P

i

i¼1

/

i

i

i

À1

.

Q

i

i¼1

i

i

g are inside the

signature verification. Therefore, the cost of the aggregations

is incurred with the final signature verification. However, if

we modify the original DSA so that it takes f:i

À1

. /i

À1

. ig

instead of f/. :. ig as parameters, then batch-DSA can take

the advantage of preaggregating message hashes and

signatures, just like batch-RSA and batch-BLS.

Obviously, the computation cost at each receiver can be

more manageable no matter how large each batch is if

signature preaggregation is enforced, as shown in Fig. 1.

4 ENHANCED SCHEME

The basic scheme MABS-B targets at the packet loss

problem, which is inherent in the Internet and wireless

networks. It has perfect resilience to packet loss, no matter

whether it is random loss or burst loss. In some circum-

stances, however, an attacker can inject forged packets into

a batch of packets to disrupt the batch signature verifica-

tion, leading to DoS. A naive approach to defeat the DoS

attack is to divide the batch into multiple smaller batches

and perform a batch verification over each smaller batch,

and this divide-and-conquer approach can be recursively

carried out for each smaller batch, which means more

signature verifications at each receiver. In the worst case,

the attacker can inject forged packets at very high frequency

and expect that each receiver stops the batch operation and

recovers the basic per-packet signature verification, which

may not be viable at resource-constrained receiver devices.

In this section, we present an enhanced scheme called

MABS-E, which combines the basic scheme MABS-B and a

packet filtering mechanism to tolerate packet injection. In

particular, the sender attaches each packet with a mark,

which is unique to the packet and cannot be spoofed. At

each receiver, the multicast stream is classified into disjoint

sets based on marks. Each set of packets comes from either

the real sender or the attacker. The mark design ensures that

a packet from the real sender never falls into any set of

packets fromthe attacker, and vice versa. Next, each receiver

only needs to perform BatchVerifyðÞ over each set. If the

result is Tinc, the set of packets is authentic. If not, the set of

packets is from the attacker, and the receiver simply drops

themand does not need to divide the set into smaller subsets

for further batch verification. Therefore, a strong resilience

to DoS due to injected packets can be provided.

In MABS-E, Merkle tree [57] is used to generate marks.

An example is illustrated in Fig. 2. The sender constructs a

binary tree for eight packets. Each leaf is a hash of one

packet. Each internal node is the hash value on the

concatenation of its left and right children. For each packet,

a mark is constructed as the set of the siblings of the nodes

along the path from the packet to the root. For example, the

mark of the packet 1

3

is fH

4

. H

1.2

. H

5.8

g and the root can be

recovered as H

1.8

¼ HððH

1.2

. ðHð1

3

Þ. H

4

ÞÞ. H

5.8

Þ.

Constructing a Merkle tree is very efficient because only

hash operations are performed. Meanwhile, the one-way

property of hash operation ensures that given the root of a

Merkle tree it is infeasible to find a packet, which is not in

988 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

Fig. 2. An example of Merkle tree. Each leaf is a hash of one packet.

Each internal node is the hash value on both its left and right children.

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

the set associated with the Merkle tree and from which

there is a path to the root. This guarantees that forged

packets cannot fall into the set of authentic packets.

When the sender has a set of packets for multicast, it

generates a Merkle tree for the set and attaches a mark to

each packet. The root can be recovered based on each

packet and its mark. Each receiver can find whether two

packets belong to the same set by checking whether they

lead to the same root value. Therefore, the recovered roots

help classify received packets into disjoint sets. Each

receiver does not need to wait for a set to include all the

packets under the Merkle tree, and it can batch-verify the

set anytime. Once the set is authentic, the corresponding

root can be used to authenticate the rest of packets under

the same Merkle tree without batch-verifying them, which

saves computation overhead at each receiver.

An attacker may inject small sets of forged packets or

even inject single packet that does not belong to any set. In

this case, each receiver has many small sets and each of

them has only a few packets. Doing the BatchVerify

algorithm on each small set compromises efficiency. Since

the sets from the sender can have a large number of packets,

each receiver can choose a threshold (say t) and start batch

verification over one set only when the set has no less than

t packets. If a set has less than t packets and the root value

recovered from the set has not been authenticated, the

receiver simply drop the set of packets without processing

them and thus save computation resource. For each

receiver, the threshold t can vary according to the receiver’s

computation resource. In this way, the impact of DoS due to

packet injection can be reduced by a factor of t.

5 PERFORMANCE EVALUATION

In this section, we evaluate MABS performance in terms of

resilience to packet loss, efficiency, and DoS resilience. As

we discussed before, MABS does not assume any particular

underlying signature algorithm. This is also true for all the

literature multicast authentication schemes referenced in

this paper. Therefore, all the discussions and evaluations of

MABS and the literature works in Section 5.1 and Section 5.2

are under the assumption that they are using the same

underlying signature algorithm. The discussion of signature

algorithms is in Section 5.3.

5.1 Resilience to Packet Loss

We use simulations to evaluate the resilience to packet

loss. The metric here is the verification rate, i.e., the ratio

of the number of authenticated packets to the number of

received packets.

We compare MABS with some well-known loss tolerant

schemes EMSS [14], augmented chain (AugChain) [18],

PiggyBack [16], tree chain (Tree) [11], and SAIDA [23].

These schemes are representatives of graph chaining, tree

chaining, and erasure coding schemes and are widely used

in performance evaluation in the literature.

For EMSS [14], we choose the chain configuration of

5 À11 À17 À24 À36 À39, which has the best performance

among all the configurations of length 6 as is shown in [14].

For AugChain [18], we choose C

3.7

chain configuration. For

PiggyBack [16], we choose two class priorities. For Tree

chain [11], we choose binary tree. For SAIDA [23], we choose

the erasure code ð256. 128Þ. For all these schemes, we choose

the block size of 256 packets and simulate over 100 blocks.

We consider the random loss and the burst loss with a

maximum loss length of 10 packets. The verification rates

under different loss rates are given in Fig. 3 and Fig. 4.

We can see that the verification rates of EMSS [14],

augmented chain (AugChain) [18] and PiggyBack [16] are

decreased quickly when the loss rate is increased. The reason

is that graph chaining results in the correlation among

packets and this correlation is vulnerable to packet loss.

SAIDA [23] illustrates a resilience to packet loss up to a

certain threshold, because of the threshold performance of

erasure codes. Our MABS andTree schemes [11] have perfect

resilience to packet loss in the sense that all the received

packets can be authenticated. This is because all the packets

in MABS andTree schemes are independent fromeach other.

As we will show later, however, Tree [11] achieves this

independency by incurring large overhead and latency at the

sender and each receiver and is vulnerable to DoS, while our

MABS-B has less overhead and latency and MABS-E is

resilient to DoS at the same level of overhead as Tree [11].

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 989

Fig. 3. Verification rate under the random loss model.

Fig. 4. Verification rate under the burst loss model with the maximum

burst length 10.

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

One thing needs to be pointed out is that we do not

differentiate between MABS-B and MABS-E in Fig. 3 and

Fig. 4. MABS-B is perfect resilient to packet loss because of

its inherent design. While it is not designed for lossy

channels, MABS-E can also achieve the perfect resilience to

packet loss in lossy channels. In the lossy channel model,

where no DoS attack is assumed to present, we can set the

threshold t ¼ 1 (refer to Section 4) for MABS-E, and thus

each receiver can start batch-verification as long as there is at

least one packet received for each set of packets constructed

under the same Merkle tree. Once the received packets are

authenticated, the extracted root of the Merkle tree can be

used to authenticate the rest of packets in the same set

within several hash operations. If we set t 1, which is not

the best choice for the lossy channel, MABS-E can tolerate up

to i Àt lost packets for each set of i packets, which shows a

threshold-based loss resilience, similar to SAIDA [23].

5.2 Efficiency

We consider latency, computation, and communication

overhead for efficiency evaluation under lossy channels

and DoS channels. The notations used here are defined in

Table 1. All the evaluations are carried out over i packets.

The results are depicted in Table 2 and Table 3.

5.2.1 Comparisons over Lossy Channels

Table 2 shows the comparisons between MABS-B and well-

known loss-tolerant schemes tree chain (Tree) [11], EMSS

[14], PiggyBack [16], augmented chain (AugChain) [18], and

SAIDA [23]. We also include MABS-E and three DoS

resilient schemes PRABS [30], BAS [31], and LTT [32] in the

table just for comparisons even though they are not

designed for lossy channels.

Previous block-based schemes introduce latency either at

the sender [11], [16] or at each receiver [14], [31] or both [18],

[23], [30], [32]. The latency is inherent in the block design

due to chaining or coding. At the sender side, the

correlation among a block of packets has to be established

before the sender starts sending the packets. At each

receiver, the latency is incurred when the high layer

application waits for the buffered packets to be authenti-

cated after the correlation is recovered. This receiver side

latency is variable depending on whether the correlation

among the underline buffered packets has been recovered

or not when the high layer application needs new data, and

its maximum value is the block size. MABS-B eliminates the

correlation among packets. Each packet is independently

sent out at the sender. At each receiver, the high layer

application does not need to wait because the low layer

authentication module can deliver authenticated packets at

any time when the high layer application needs new data.

This makes MABS-B pretty suitable for realtime multimedia

applications. MABS-E introduces latency at the sender

because it includes a tree construction to counteract DoS,

but it still preserves the merit of instantaneous authentica-

tion at each receiver as MABS-B.

Both the block-based schemes and MABS require one

signature verification operation on a block or a batch of

i packets at each receiver. In addition, the schemes using

990 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

TABLE 1

Notations

TABLE 2

Comparisons over Lossy Channels

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

chaining also require many hashes, and the ones using

coding require multiple hashes and one or two decoding

operations. MABS-B is more efficient since there is no more

hashing or decoding operations. MABS-E requires ilog

2

i

hashes, which is comparable to previous schemes using

hashing and coding.

In MABS, a trade-off for perfect resilience to packet loss

is that the sender needs to sign each packet, which incurs

more computation overhead than conventional block-based

schemes. Therefore, efficient signature generation is desir-

able at the sender. Compared with RSA [33], which is

efficient in verifying but is expensive in signing, BLS [36]

and DSA [38] are pretty good candidates as we will show

later. Moreover, in multimedia multicast, the sender is

usually a powerful server and thus the per-packet signature

generation can be affordable, and the advance of computing

technology makes it easier in the long run.

For i packets, Tree [11] require an overhead of i signature

and Oðilog

2

iÞ hashes, schemes in [14], [16], [18], [23], [30],

[31], [32] require one or more signatures and up to

Oði

2

Þ hashes. MABS-B and MABS-E require i signatures

and MABS-E requires additional Oðilog

2

iÞ hashes. If long

signatures are used (like 1,024-bit RSA), MABS-B andMABS-

E have more communication overhead than those in [14],

[16], [18], [23], [30], [31], [32], which is the same case as Tree

[11]. However, BLS [36] generates short signatures of 171 bits,

which is comparable to most well-known hash algorithms

MD5 [58] (128 bits) and SHA-1 [59] (160 bits). Therefore,

MABS can have the same level of communication efficiency

as conventional schemes when BLS is used.

5.2.2 Comparisons over DoS Channels

DoS is a method for an attacker to deplete the resource of a

receiver. Processinginjectedpackets fromthe attacker always

consumes a certain amount of resource. Here, we assume an

attacker factor u, which means that for i valid packets

ui invalid packets are injected. The computation overheads

at each receiver for different schemes are depicted in Table 3.

For schemes in [11], [14], [16], [18], which authenticate

signatures first and then authenticate packet through hash

chains, the attacker can inject ui forged signature packets

because signature verification is an expensive operation.

For SAIDA [23], which requires erasure decoding, the

attacker simply injects ui forged packets because each

receiver has to choose a certain number of valid packets

from all the ð1 þuÞi packet to do decoding, which can have

a significant number of tries.

Schemes in [30], [31], [32] are designed for DoS defense.

They canalleviate the impact of packet injection by a constant

factor to reduce the computation cost at each receiver.

MABS-B is vulnerable to packet injection as schemes in

[11], [14], [16], [18], [23] since they are designed only for

lossy channels. MABS-E has the same level of DoS resilience

as those in [30], [31], [32].

5.3 Comparisons of Signature Schemes

We compare the computation overhead of three batch

signature schemes in Table 4. RSA [33] and BLS [36] require

one modular exponentiation at the sender and DSA [38]

requires two modular multiplications when i value is

computed offline. Usually one c-bit modular exponentiation

is equivalent to 1.5c modular multiplications over the same

field [35], [44]. Moreover, a c-bit modular exponentiation in

DLP is equivalent to a

c

6

-bit modular exponentiation in BLS

for the same security level. Therefore, we can estimate that

the computation overhead of one 1,024-bit RSA signing

operation is roughly equivalent to that of 768 DSA signing

operations (1,536 modular multiplications) and that of

6 BLS signing operations (each one is corresponding to

255 modular multiplications).

According to the report [60] on the computational over-

head of signature schemes on PIII 1 GHz CPU, the signing

andverificationtime for 1,024-bit RSAwitha 1,007-bit private

key are 7.9 ms and 0.4 ms, for 157-bit BLS are 2.75 ms and

81 ms, and for 1,024-bit DSA with a 160-bit private key

(without precomputing i value) are 4.09 ms and 4.87 ms. We

can observe that for BLS and DSA the signing is efficient but

the verification is expensive, and vice versa for RSA.

Therefore, we can save more computation resource at the

sender by using our batch BLS and batch DSA than batch

RSA. It is alsomeaningful touse our batchBLSandbatchDSA

at the receiver to save computation resources.

We alsocompare the lengthof twopopular hashalgorithm

MD5 [58] and SHA-1 [59] and the signature length of three

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 991

TABLE 4

Computational Overhead of Different Batch Schemes

1-modular exponentiation. `-modular multiplication. 1-pairing.

TABLE 3

Comparisons over DoS Channels

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

signature algorithms inTable 5. Giventhe same security level

as 1,024-bit RSA, BLS generates a 171-bit signature and 1o¹

generates a 320-bit signature. It is clear that by using BLS or

DSA, MABS can achieve more bandwidth efficiency than

using RSA, and could be even more efficient than conven-

tional schemes using a large number of hashes.

6 CONCLUSIONS

To reduce the signature verification overheads in the secure

multimedia multicasting, block-based authentication

schemes have been proposed. Unfortunately, most previous

schemes have many problems such as vulnerability to

packet loss and lack of resilience to denial of service (DoS)

attack. To overcome these problems, we develop a novel

authentication scheme MABS. We have demonstrated that

MABS is perfectly resilient to packet loss due to the

elimination of the correlation among packets and can

effectively deal with DoS attack. Moreover, we also show

that the use of batch signature can achieve the efficiency less

than or comparable with the conventional schemes. Finally,

we further develop two new batch signature schemes based

on BLS and DSA, which are more efficient than the batch

RSA signature scheme.

ACKNOWLEDGMENTS

This work was partially supported by the US National

Science Foundation under grants CNS-0916391, CNS-

0716450, and CNS-0626881. The works of Fang and Zhu

were also partially supported by the 111 Project under

Grant B08038. The work of Zhu was also partially

supported by the National Natural Science Foundation of

China under grant 60772136 and supported by the Funda-

mental Research Funds for the Central Universities.

REFERENCES

[1] S.E. Deering, “Multicast Routing in Internetworks and Extended

LANs,” Proc. ACM SIGCOMM Symp. Comm. Architectures and

Protocols, pp. 55-64, Aug. 1988.

[2] T. Ballardie and J. Crowcroft, “Multicast-Specific Security Threats

and Counter-Measures,” Proc. Second Ann. Network and Distributed

System Security Symp. (NDSS ’95), pp. 2-16, Feb. 1995.

[3] P. Judge and M. Ammar, “Security Issues and Solutions in

Mulicast Content Distribution: A Survey,” IEEE Network Magazine,

vol. 17, no. 1, pp. 30-36, Jan./Feb. 2003.

[4] Y. Challal, H. Bettahar, and A. Bouabdallah, “A Taxonomy of

Multicast Data Origin Authentication: Issues and Solutions,” IEEE

Comm. Surveys & Tutorials, vol. 6, no. 3, pp. 34-57, Oct. 2004.

[5] Y. Zhou and Y. Fang, “BABRA: Batch-Based Broadcast Authenti-

cation in Wireless Sensor Networks,” Proc. IEEE GLOBECOM,

Nov. 2006.

[6] Y. Zhou and Y. Fang, “Multimedia Broadcast Authentication

Based on Batch Signature,” IEEE Comm. Magazine, vol. 45, no. 8,

pp. 72-77, Aug. 2007.

[7] K. Ren, K. Zeng, W. Lou, and P.J. Moran, “On Broadcast

Authentication in Wireless Sensor Networks,” Proc. First Ann. Int’l

Conf. Wireless Algorithms, Systems, and Applications (WASA ’06),

Aug. 2006.

[8] S. Even, O. Goldreich, and S. Micali, “On-Line/Offline Digital

Signatures,” J. Cryptology, vol. 9, pp. 35-67, 1996.

[9] P. Rohatgi, “A Compact and Fast Hybrid Signature Scheme for

Multicast Packet,” Proc. Sixth ACM Conf. Computer and Comm.

Security (CCS ’99), Nov. 1999.

[10] C.K. Wong and S.S. Lam, “Digital Signatures for Flows and

Multicasts,” Proc. Sixth Int’l Conf. Network Protocols (ICNP ’98),

pp. 198-209, Oct. 1998.

[11] C.K. Wong and S.S. Lam, “Digital Signatures for Flows and

Multicasts,” IEEE/ACM Trans. Networking, vol. 7, no. 4, pp. 502-

513, Aug. 1999.

[12] R. Gennaro and P. Rohatgi, “How to Sign Digital Streams,”

Information and Computation, vol. 165, no. 1, pp. 100-116, Feb. 2001.

[13] R. Gennaro and P. Rohatgi, “How to Sign Digital Streams,” Proc.

17th Ann. Cryptology Conf. Advances in Cryptology (CRYPTO ’97),

Aug. 1997.

[14] A. Perrig, R. Canetti, J.D. Tygar, and D. Song, “Efficient

Authentication and Signing of Multicast Streams over Lossy

Channels,” Proc. IEEE Symp. Security and Privacy (SP ’00), pp. 56-

75, May 2000.

[15] Y. Challal, H. Bettahar, and A. Bouabdallah, “A

2

Cast: An

Adaptive Source Authentication Protocol for Multicast Streams,”

Proc. Ninth Int’l Symp. Computers and Comm. (ISCC ’04), vol. 1,

pp. 363-368, June 2004.

[16] S. Miner and J. Staddon, “Graph-Based Authentication of Digital

Streams,” Proc. IEEE Symp. Security and Privacy (SP ’01), pp. 232-

246, May 2001.

[17] Z. Zhang, Q. Sun, W-C Wong, J. Apostolopoulos, and S. Wee, “A

Content-Aware Stream Authentication Scheme Optimized for

Distortion and Overhead,” Proc. IEEE Int’l Conf. Multimedia and

Expo (ICME ’06), pp. 541-544, July 2006.

[18] P. Golle and N. Modadugu, “Authenticating Streamed Data in the

Presence of Random Packet Loss,” Proc. Eighth Ann. Network and

Distributed System Security Symp. (NDSS ’01), Feb. 2001.

[19] Z. Zhang, Q. Sun, and W-C Wong, “A Proposal of Butterfly-

Graphy Based Stream Authentication over Lossy Networks,” Proc.

IEEE Int’l Conf. Multimedia and Expo (ICME ’05), July 2005.

[20] S. Ueda, N. Kawaguchi, H. Shigeno, and K. Okada, “Stream

Authentication Scheme for the Use over the IP Telephony,” Proc.

18th Int’l Conf. Advanced Information Networking and Application

(AINA ’04), vol. 2, pp. 164-169, Mar. 2004.

[21] D. Song, D. Zuckerman, and J.D. Tygar, “Expander Graphs for

Digital Stream Authentication and Robust Overlay Networks,”

Proc. 2002 IEEE Symp. Security and Privacy (S&P ’02), May 2002.

[22] J.M. Park, E.K.P. Chong, and H.J. Siegel, “Efficient Multicast

Packet Authentication Using Signature Amortization,” Proc. IEEE

Symp. Security and Privacy (SP ’02), pp. 227-240, May 2002.

[23] J.M. Park, E.K.P. Chong, and H.J. Siegel, “Efficient Multicast

Stream Authentication Using Erasure Codes,” ACM Trans.

Information and System Security, vol. 6, no. 2, pp. 258-285, May 2003.

[24] A. Pannetrat and R. Molva, “Authenticating Real Time Packet

Streams and Multicasts,” Proc. Seventh IEEE Int’l Symp. Computers

and Comm. (ISCC ’02), pp. 490-495, July 2002.

[25] A. Pannetrat and R. Molva, “Efficient Multicast Packet Authenti-

cation,” Proc. 10th Ann. Network and Distributed System Security

Symp. (NDSS ’03), Feb. 2003.

[26] Y. Wu and T. Li, “Video Stream Authentication in Lossy

Networks,” Proc. IEEE Wireless Comm. and Networking Conf.

(WCNC ’06), vol. 4, pp. 2150-2155, Apr. 2006.

[27] Y. Lin, S. Shieh, and W. Lin, “Lightweight, Pollution-Attack

Resistant Multicast Authentication Scheme,” Proc. ACM Symp.

Information, Computer, and Comm. Security (ASIACCS ’06), Mar.

2006.

[28] J. Jeong, Y. Park, and Y. Cho, “Efficient DoS Resistant Multicast

Authentication Schemes,” Proc. Int’l Conf. Computational Science

and Its Applications (ICCSA ’05), May 2005.

[29] S. Choi, “Denial-of-Service Resistant Multicast Authentication

Protocol with Prediction Hashing and One-Way Key Chain,” Proc.

Seventh IEEE Int’l Symp. Multimedia (ISM ’05), Dec. 2005.

[30] C. Karlof, N. Sastry, Y. Li, A. Perrig, and J.D. Tygar, “Distillation

Codes and Applications to DoS Resistant Multicast Authentica-

tion,” Proc. 11th Ann. Network and Distributed System Security Symp.

(NDSS ’04), Feb. 2004.

992 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

TABLE 5

Communication Overhead of Signature Schemes

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

[31] C.A. Gunter, S. Khanna, K. Tan, and S. Venkatesh, “DoS

Protection for Reliably Authenticated Broadcast,” Proc. 11th Ann.

Network and Distributed System Security Symp. (NDSS ’04), Feb.

2004.

[32] A. Lysyanskaya, R. Tamassia, and N. Triandopoulos, “Multicast

Authentication in Fully Adversarial Networks,” Proc. IEEE Symp.

Security and Privacy (SP ’04), May 2004.

[33] R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining

Digital Signatures and Public-Key Cryptosystems,” Comm. ACM,

vol. 21, no. 2, pp. 120-126, Feb. 1978.

[34] L. Harn, “Batch Verifying Multiple RSA Digital Signatures,” IEE

Electronic Letters, vol. 34, no. 12, pp. 1219-1220, June 1998.

[35] M. Bellare, J.A. Garay, and T. Rabin, “Fast Batch Verification for

Modular Exponentiation and Digital Signatures,” Proc. Advances in

Cryptology (EUROCRYPT ’98), pp. 236-250, May 1998.

[36] D. Boneh, B. Lynn, and H. Shacham, “Short Signatures from the

Weil Pairing,” Proc. Seventh Int’l Conf. Theory and Application of

Cryptology and Information Security Advances in Cryptology

(ASIACRYPT ’01), pp. 514-532, Dec. 2001.

[37] S. Cui, P. Duan, and C.W. Chan, “An Efficient Identity-Based

Signature Scheme with Batch Verifications,” Proc. First Int’l Conf.

Scalable Information Systems, 2006.

[38] FIPS PUB 186, Digital Signature Standard (DSS), May 1994.

[39] T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme

Based on Discrete Logarithms,” IEEE Trans. Information Theory,

vol. IT-31, no. 4, pp. 469-472, July 1985.

[40] D. Naccache, D. M’Raihi, S. Vaudenay, and D. Raphaeli, “Can

D.S.A. be Improved? Complexity Trade Offs with the Digital

Signature Standard,” Proc. Workshop Theory and Application of

Cryptographic Techniques Advances in Cryptology (EUROCRYPT ’94),

pp. 77-85, May 1995.

[41] C.H. Lim and P.J. Lee, “Security of Interactive DSA Batch

Verification,” IEE Electronic Letters, vol. 30, no. 19, pp. 1592-1593,

Sept. 1994.

[42] L. Harn, “DSA-Type Secure Interactive Batch Verification Proto-

cols,” IEE Electronic Letters, vol. 31, no. 4, pp. 257-258, Feb. 1995.

[43] L. Harn, “Batch Verifying Multiple DSA-Type Digital Signatures,”

IEE Electronic Letters, vol. 34, no. 9, pp. 870-871, Apr. 1998.

[44] C. Boyd and C. Pavlovski, “Attacking and Repairing Batch

Verification Schemes,” Proc. Sixth Int’l Conf. Theory and Application

of Cryptology and Information Security Advances in Cryptology

(ASIANCRYPT ’00), pp. 58-71, Dec. 2000.

[45] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-Receiver/Multi-

Sender Network Security: Efficient Authenticated Multicast/

Feedback,” Proc. IEEE INFOCOM, vol. 3, pp. 2045-2054, May 1992.

[46] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B.

Pinkas, “Multicast Security: A Taxonomy and Some Efficient

Constructions,” Proc. IEEE INFOCOM, vol. 2, pp. 708-716, Mar.

1999.

[47] L. Lamport, “Password Authentication with Insecure Commu-

nication,” Comm. ACM, vol. 24, no. 11, pp. 770-772, Nov. 1981.

[48] N.M. Haller, “The S/Key One-Time Password System,” Proc.

ISOC Symp. Network and Distributed Security, Feb. 1994.

[49] F. Bergadano, D. Cavagnino, and B. Crispo, “Individual Single-

Source Authentication on The Mbone,” Proc. IEEE Int’l Conf.

Multimedia and Expo (ICME ’00), vol. 1, pp. 541-544, July 2000.

[50] A. Perrig, R. Canetti, D. Song, and J. Tygar, “Efficient and Secure

Source Authentication for Multicast,” Proc. Network and Distributed

System Security Symp. (NDSS ’01), 2001.

[51] A. Perrig, “The BiBa One-Time Signature and Broadcast Authen-

tication Protocol,” Proc. Eighth ACM Conf. Computer and Comm.

Security (CCS ’01), pp. 28-37, Nov. 2001.

[52] Q. Li and W. Trappe, “Reducing Delay and Enhancing DoS

Resistance in Multicast Authentication through Multigrade

Security,” IEEE Trans. Info. Forensics and Security, vol. 1, no. 2,

pp. 190-204, June 2006.

[53] S. Xu and R. Sandhu, “Authenticated Multicast Immune to Denial-

of-Service Attack,” Proc. ACM Symp. Applied Computing (SAC ’02),

2002.

[54] S. Rafaeli and D. Hutchison, “A Survey of Key Management for

Secure Group Communication,” ACM Computing Surveys, vol. 35,

no. 3, pp. 309-329, Sept. 2003.

[55] N. Koblitz, “Elliptic Curve Cryptosystems,” Math. Computation,

vol. 48, pp. 203-209, 1987.

[56] V. Miller, “Uses of Elliptic Curves in Cryptography,” Proc. Int’l

Cryptology Conf. (CRYPTO ’85), pp. 417-426, 1986.

[57] R. Merkle, “Protocols for Public Key Cryptosystems,” Proc. IEEE

Symp. Security and Privacy, Apr. 1980.

[58] R. Rivest, “The MD5 Message-Digest Algorithm,” RFC 1319, Apr.

1992.

[59] D. Eastlake and P. Jones, “US Secure Hash Algorithm 1 (SHA1),”

RFC 3174, Sept. 2001.

[60] P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient Algorithms

for Pairing-Based Cryptosystems,” Proc. Int’l Cryptology Conf.

(CRYPTO ’02), 2002.

Yun Zhou received the BE degree in electronic

information engineering and the ME degree in

communication and information system from the

Department of Electronic Engineering and In-

formation Science, University of Science and

Technology, Hefei, China, in 2000 and 2003,

respectively, and the PhD degree from the

Department of Electrical and Computer Engi-

neering, University of Florida, Gainesville, in

2007. He is currently with Microsoft Corporation.

His research interests include security, cryptography, wireless commu-

nications and networking, signal processing, and operating systems.

Xiaoyan Zhu received the BE, ME, and PhD

degrees from the School of Telecommunications

Engineering at Xidian University, Xi’an, China, in

2000, 2004, and 2009, respectively. She is now

a visiting research scholar in the Department of

Electrical and Computer Engineering at the

University Florida, Gainesville, on leave from

the School of Telecommunications Engineering,

Xidian University, Xi’an, China, where she is a

lecturer. Her research interests include wireless

networks, network security, and network coding.

Yuguang Fang received the PhD degree in

systems engineering from Case Western Re-

serve University in 1994 and the PhD degree in

electrical engineering from Boston University in

1997. He was an assistant professor in the

Department of Electrical andComputer Engineer-

ingat theNewJersey Instituteof Technology from

1998 to 2000. He then joined the Department of

Electrical and Computer Engineering at Univer-

sity of Florida in 2000 as an assistant professor,

got an early promotion to an associate professor with tenure in 2003, and

to a full professor in 2005. He holds a University of Florida Research

Foundation (UFRF) Professorship from 2006 to 2009, a Changjiang

scholar chair professorshipwith XidianUniversity, Xi’an, China, from2008

to 2011, and a guest chair professorship with Tsinghua University, China,

from 2009 to 2012. He has published more than 250 papers in refereed

professional journals and conferences. He received the US National

Science Foundation Faculty Early Career Award in 2001 and the US

Office of Naval Research Young Investigator Award in 2002, and is the

recipient of the Best Paper Award fromthe IEEEInternational Conference

on Network Protocols (ICNP) in 2006 and the IEEE TCGN Best Paper

Award from the IEEE High-Speed Networks Symposium, IEEE GLOBE-

COM, in 2002. He is also active in professional activities. He is currently

serving as the editor-in-chief for IEEE Wireless Communications and

serves/served on several editorial boards of technical journals including

the IEEE Transactions on Communications, the IEEE Transactions on

Wireless Communications, IEEE Wireless Communications Magazine,

and ACMWireless Networks. He was an editor for the IEEE Transactions

on Mobile Computing and currently serves on its steering committee. He

has been actively participating in professional conference organizations

such as serving as the steering committee cochair for QShine (2004-

2008), the technical program vice-chair for IEEE INFOCOM 2005, a

technical program symposium cochair for IEEE GLOBECOM 2004, an

areatechnical programcommittee chair for IEEEINFOCOM(2009-2010),

and a member of the technical program committee for IEEE INFOCOM

(1998, 2000, 2003-2008) andACMMobiHoc (2008-2009). Heis afellowof

the IEEE and the IEEE Computer Society and a member of the ACM.

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 993

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

[44]. [24]. [20]. [26] are vulnerable to packet loss even though they are designed to tolerate a certain level of packet loss. [16]. [40]. [34]. [14]. and DSA. The hashes form a graph. [12]. the DoS attack is not common. [17]. [16]. however. [17]. [31]. Without the buffered authentication information. leading to Denial of Service (DoS). In particular. which are realistic in our daily life since the Internet and wireless networks suffer from packet loss. [11]. The basic scheme (called MABS-B hereafter) utilizes an efficient asymmetric cryptographic primitive called batch signature [33]. which also includes three batch signature schemes based on RSA [33]. [20]. [21]. [12]. [18]. [21]. The buffered authentication information is further used to authenticate other packets in the same block. Each packet carries the signed root and multiple hashes. [22]. however. [20]. MABS includes two schemes. [9]. In this paper. [19]. When each receiver receives one packet in the block. An enhanced scheme is discussed in Section 4. [13]. However. [20]. [21]. if a block signature is lost. 1. [24]. [26] target at lossy channels. Tree chaining was proposed in [10]. [9]. [10]. The enhanced scheme (called MABS-E hereafter) combines MABS-B with packet filtering to alleviate the DoS impact in hostile environments. Graph chaining was studied in [12]. [15]. [9] or amortize one signature over a block of packets [10]. [21]. [17]. each packet is independently verifiable at a cost of per-packet signature verification. [22]. [21]. [13]. If too many packets are lost. [26]. [9]. [16]. MABS-B is efficient in terms of less latency. [13]. [14]. [25]. [25]. In each block. [25]. [18]. [24]. In particular. [29]. [19]. [23]. [15]. Another major problem is that most schemes [12]. [11]. [11]. we demonstrated that batch signature schemes can be used to improve the performance of broadcast authentication [5]. . [12]. [25]. [38]. [22]. [16]. [12]. [11]. they all increase packet overhead for hashes or erasure codes and the block design introduces latency when buffering many packets. [14]. [21]. In addition. [15]. [13]. [16]. origin authentication. [23]. the ideal approach of signing and verifying each packet independently raises a serious challenge to resource-constrained devices. [9] follow the ideal approach of signing and verifying each packet individually. [22]. Then.2010 at 01:51:59 UTC from IEEE Xplore. they still have the packet loss problem because they are based on the same approach as previous schemes [10]. conventional schemes use efficient signature algorithms [8]. [19]. [15]. [6]. [18]. [39]. which is expensive on signing while cheap on verifying. BLS [36]. [25]. [19]. Compared with the efficiency requirement and packet loss problems. [17]. [25]. [9]. In order to reduce computation overhead. [23]. We propose two new batch signature schemes based on BLS [36] and DSA [38] and show they are more efficient than the batch RSA [33] signature scheme. 2 RELATED WORK Schemes in [8]. [23]. [17]. [43]. After performance evaluation in Section 5. As is well known that existing digital signature algorithms are computationally expensive. The root of the tree is signed by the sender. some schemes [27]. [17]. [22]. to address the efficiency and packet loss problems in general environments. the length of one-time signature is too long (on the order of 1. A multicast stream is divided into blocks and each block is associated with a signature. [18]. but it is still important in hostile environments. [10]. Moreover. [23]. [22]. computation. [32] attempt to provide the DoS resilience. [26]. [42]. [21] Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [14]. [26]. [16]. [13]. [14]. [11] by constructing a tree for a block of packets. [20]. [26] are indeed computationally efficient since each receiver needs to verify only one signature for a block of packets. its overhead is still at the same level as previous schemes.ZHOU ET AL. [37]. [15]. [19]. [10]. [30]. [10]. Moreover. [15]. Erasure codes make each receiver be capable of recovering the block signature when receiving at least a certain number of pieces. [25]. [24]. 2. A signature is generated for the concatenation of the hashes of all the packets in one block and then is erasure-coded into many pieces. In the literature. the entire block cannot be authenticated. [23]. each receiver needs to perform one more verification on its one-time or k-time signature plus one ordinary signature verification. [11]. [14]. other packets may not be authenticated. [15]. An attacker may compromise a multicast system by intentionally injecting forged packets to consume receivers’ resource. [13]. [41]. 3. [26] at the expense of increased communication overhead [8]. [11]. an active attacker can inject forged packets to consume receivers’ resource. the hash of each packet is embedded into several other packets in a deterministic or probabilistic way. [14]. the paper is concluded in Section 6. previous schemes [8]. [16]. Though MABS-E is less efficient than MABS-B since it includes the DoS defense. Restrictions apply. They are suitable for RSA [33]. For each packet. [18]. Downloaded on May 31. [24]. respectively [38]. schemes in [8]. we present a basic scheme for lossy channels in Section 3. and nonrepudiation as previous asymmetric key based protocols. [12]. [35]. [23]. [25]. which supports the authentication of any number of packets simultaneously with one signature verification. in which each path links a packet to the block signature. [24]. [26] is that they are vulnerable to packet injection by malicious attackers. In a hostile environment. The rest of the paper is organized as follows: We briefly review related work in Section 2. [18]. [24].000 bytes). [36]. [14]. [20]. Erasure codes were used in [22]. [18]. [20]. [13]. [11] or vulnerability to packet loss [12]. [28]. [22]. we make the following contributions: Our MABS can achieve perfect resilience to packet loss in lossy channels in the sense that no matter how many packets are lost the already-received packets can still be authenticated by receivers. MABS provides data integrity. we present our comprehensive study on this approach and propose a novel multicast authentication protocol called MABS (in short for Multicast Authentication based on Batch Signature). [15]. [18]. However. [19]. [20]. All these schemes [10]. but reduce the computation overhead at the sender by using one-time signatures [8] or k-time signatures [9]. [16]. [19]. [19]. [21]. [13]. and communication overhead.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983 schemes. [23]. leading to DoS. [24]. it uses the authentication information in the packet to authenticate it. Each receiver verifies the block signature and authenticates all the packets through the paths in the graph. Recently. [17]. Another problem with schemes in [8]. [17].

In the block design. Generally. . [50]. Therefore. i g. [14]. Each receiver is a less powerful device with resource constraints and may be managed by a nontrustworthy person. [23]. . which is chosen by the sender. [26]. In particular. i ¼ 1. [40]. which is incurred at the high layer when the high layer application waits for the buffered packets to become verifiable. Restrictions apply. [32] incorporate a block-based design as shown in Section 2. [29] are still vulnerable to DoS because they require that one-way hash chains are signed and transmitted to each receiver and therefore an attacker can inject forged signatures for oneway hash chains. In the block design. [41]. which supports simultaneously verifying the signatures of any number of packets. schemes in [27]. [31]. [53] use shared symmetric keys between the sender and receivers to authenticate multicast streams. [25]. the heterogeneity of receivers means that the buffer resource at each receiver is different and can vary over the time depending on the overall load at the receiver. which could be interpreted as that the buffered packets are “lost. However. [51]. [29]. it is possible that the packets buffered at the low layer authentication module are not verifiable because the correlated packets. In particular. . Downloaded on May 31. [30]. [25]. but also introduce new problems. [22]. Though they are more efficient than those using signatures. . . the per-packet signature design has been criticized for its high computation cost. [21]. while the others could be cheap handsets with limited buffers and low-end CPUs. and n can be any positive integer. [46]. [28]. [18]. p2 . and therefore. [24]. . Some other schemes [45]. In this paper. . The reason is that error correction codes tolerate error packets. Though confidentiality is another important issue for securing multicast. i is the corresponding signature. where mi is the data payload. this heterogeneity poses a demand on the capability of adjusting the buffer size and authenticating buffered packets any time when the high layer application requires at each receiver. JULY 2010 are vulnerable to forged signature attacks because they require each receiver to verify each signature whereby to authenticate data packets. [17]. These three schemes [30]. we conceive a receiver-oriented approach by taking into account the heterogeneity of the receivers. In view of the problems regarding the sender-favored block-based approach. and schemes in [22]. [28]. In this paper. As receiving devices have different computation and communication capabilities. . [31]. In the per-packet signature design it is not a problem.2010 at 01:51:59 UTC from IEEE Xplore. authenticating a multicast stream can be achieved by signing and verifying each packet. [36]. F alseg: If the output is T rue. [27]. [23]. [29]. but they still have the packet loss problem. [39]. . [25]. [13]. the sender is a powerful multicast server managed by a central authority and can be trustful. Consider the high layer application needs new data from the low layer authentication module in order to render a smooth video stream to the client user. PRABS [30] uses distillation codes to deal with DoS. the correlation among packets can incur additional latency. Mixed with various channel loss rates. which is required for the low layer authentication protocol to buffer received packets. we focus on the signature approach. which is inherent in the Internet and wireless networks. since each packet can be independently verifiable at any time. [23]. they cannot provide nonrepudiation as the signature approach. [32] were proposed. [38]. The sender signs each packet with a signature and transmits it to multiple receivers through a multicast routing protocol. Ideally. [48].984 IEEE TRANSACTIONS ON MOBILE COMPUTING. Also. the high layer application has to either wait. [20]. VOL. They do reduce the computation cost. which leads to additional latency. pn Þ 2 fT rue. have not been received. Schemes in [28]. however. the basic scheme MABS-B uses an efficient cryptographic primitive called batch signature [33].” This latency. [30]. [11]. it can be achieved through group key management [54]. valid packets and forged packets are partitioned into disjoint sets and erasure decoding is performed over each set. the BatchVerifyðÞ algorithm should satisfy the following properties: Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [32] are resilient to DoS. [37]. or return with a no-available-packets exception. is different from the buffering latency. the receiver knows the n packets are authentic. [52]. [49]. 7. PARM [27] is similar to the tree chaining scheme [10]. [29] combine erasure codes with one-way hash chains to detect forged packets. Third. [11] in the sense that multiple oneway hash chains are used as shared keys between the sender and receivers. [24]. [26]. [28]. To support authenticity and efficiency. n. may not be satisfied by each receiver. Unfortunately. Each receiver needs to assure that the received packets are really from the sender (authenticity) and the sender cannot deny the signing operation (nonrepudiation) by verifying the corresponding signatures. The block design builds up correlation among packets and makes them vulnerable to packet loss. [35]. [44]. 9. [12]. LTT [32] uses error correction codes to replace erasure codes in schemes [22]. NO. Received packets may not be authenticated because some correlated packets are lost. [43]. [24]. [26] suffer from packet injection because each receiver has to distinguish a certain number of valid packets from a pool of a large number of packets including injected ones. BAS [31] simply retransmits each signature multiple times to tolerate packet loss and uses selective verification to tolerate injected forged signatures. [16]. [19]. some could be powerful desktop computers. which is very time-consuming. It is desirable that the lower layer authentication module delivers authenticated packets to the high layer application at the time when the high layer application needs new data. it can input them into an algorithm BatchVerifyðp1 . especially the block signatures. we focus on multicast authentication. In order to deal with DoS. [34]. [47]. 3 BASIC SCHEME Our target is to authenticate multicast streams from a sender to multiple receivers. In order to fulfill the requirement. [42]. [31]. when a receiver collects n packets: pi ¼ fmi . most previous schemes [10]. and they require either time synchronization or trustful infrastructures. and otherwise not. these schemes [27]. [15]. the required block size.

However. [14]. [15]. [30]. [25]. [17]. MABS-B uses per-packet signature instead of per-block signature and thus eliminates the correlation among packets. The computation complexity of BatchVerifyðÞ is comparable to that of verifying one signature and is increased only gradually when the batch size n is increased. [19]. [23]. [26]. Given n packets fmi . and then calculates two exponents e. n. [12]. In order to show the merit of signature preaggregation. where ðNÞ ¼ ðP À 1ÞðQ À 1Þ. [20]. Theoretically. with and without signature preaggregation. then the final batch verification has 1. . We can see that the time cost of general batch verification (without signature aggregation) is still less than that of two single signature verifications when batch size grows up to about 270. [27]. In particular. [21]. we present three implementations. we will show later that in the implementation of batch signature a technique called signature preaggregation can be used so that the additional processing of multiple packets is shifted from the time of final batch verification to the time of each packet reception and thus the cost of final batch signature verification is exactly the same as that of original signature verification. We measured the normalized time cost of batch signature verification with the batch size growing from 1 to 1. the batch verification of RSA [34]. those additional computations are mostly modular additions and multiplications. The computation complexity of BatchVerifyðÞ comes with the fact that there are some additional cost on processing multiple packets. Meanwhile. [32]. 1. [16].000.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 985 Fig. [31]. [21]. it is not the case in reality. [27]. This is a significant advantage over previous schemes [10]. [23]. the equation holds because Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [30]. We must point out and will show later that MABS is independent from these signature algorithms. . Most important. we propose two new batch signature schemes based on BLS [36] and DSA [38]. [15]. [28]. the alreadyreceived packets can still be authenticated by each receiver. [18]. and there is no additional hash or code overhead in each packet. i g. . however.1. The packet independency also brings other benefits in terms of smaller latency and communication overhead compared with previous schemes [10]. [14]. 3. . In order to use RSA. BatchVerifyðÞ outputs T rue. NÞ as its public key and keeps d in secret as its private key. The sender sends fm.1 RSA RSA [33] is a very popular cryptographic algorithm in many security protocols.1. [12]. . [22]. The sender publishes ðe. [29]. we implemented batch signature by using our Batch-BLS (will be discussed later) as an example. This independency brings the freedom to optimize MABS for a particular physical system or platform as much as possible.2 Batch RSA To accelerate the authentication of multiple signatures. 3. where packets can be lost according to different loss models. so that the batch size will not be unmanageably large. such as random loss or burst loss. In addition to the one based on RSA [33]. which are more efficient than batch RSA. d 2 Z Ã such that ZN ed ¼ 1 mod ðNÞ. where mi is the data payload. the probability that BatchVerifyðÞ outputs T rue is very low. Given a batch of packets including some unauthentic packets. [28]. i is the corresponding signature and n is any positive integer. The Internet and wireless channels tend to be lossy due to congestion or channel instability. [31]. [26]. The other curve in Fig. [25]. Given a batch of packets that have been signed by the sender. efficiency can also be achieved because a batch of packets can be authenticated simultaneously through one batch signature verification operation. 3. Downloaded on May 31. i ¼ 1. [24]. and recorded the results for two scenarios. the receiver can first calculate hi ¼ hðmi Þ and then perform the following verification: !e n n Y Y i mod N ¼ hi mod N: ð1Þ i¼1 i¼1 If all n packets are truly from the sender. [29].2010 at 01:51:59 UTC from IEEE Xplore. no matter how many packets are lost. [32]. which are much faster than modular exponentiations required in final signature verifications. As we will show later. which validates the third property of batch signature. [19]. [13]. [18].1 Batch RSA Signature 3. In MABS-B. a sender chooses two large random primes P and Q to get N ¼ P Q. 1 shows that if the signature preaggregation is used. Normalized time cost of Batch-BLS signature verification. g to a receiver that can verify the authenticity of the message m by checking e ¼ hðmÞ mod N. Next. The result is shown in Fig.ZHOU ET AL. 2. The packet independency makes MABS-B perfect resilient to packet loss. the same cost of single signature verification. no matter how large the batch size is. [20]. [11]. A signature of a message m can be generated as ¼ ðhðmÞÞd mod N. each receiver can verify the authenticity of all the received packets in its buffer whenever the high layer applications require. The merit of batch signature is that the batch size is chosen by each receiver. [17]. [13]. [24]. which can optimize its own batch size. [16]. [22]. 1. Restrictions apply. [35] can be used. a concern comes when the cost grows higher than the final signature verification if the batch size is too large. [11]. where hðÞ is a collision-resistant hash function.

NO. batch RSA is resistant to signature forgery as long as the underlying RSA algorithm is secure. a pair of fe. 2. . which can be defined as a map over two cyclic groups G1 and G2 .2 Batch BLS Based on BLS. i. then the message m is authentic because 1. . Bilinear: For all u. given two packets fmi . 1gÃ in the signing phase. i g. h i ¼ 1. yÞ ¼ i¼1 Q eð n i . where p is the order of G1 . the attacker can do this only when it gets fmi . vb Þ ¼ eðu. 3. Next. this attack is of no harm to the receiver [35]. n À 1. . Proof. A generates n false signatures i 0 . n À 1 to A. . It has been shown in [36] that an n-bit BLS signature can provide a security level equivalent to solving a Discrete Log Problem (DLP) [39] over a finite field of size approximately 26n . . Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. . i ¼ 1. Nondegenerate: For the generator g1 of G1 . The modified packets can still pass the batch verification. i ¼ 1. dg with comparable sizes can achieve a certain level of trade-off between computation efficiency and security at the sender part.yÞ ¼ eð. the RSA signature verification is efficient while the signature generation is expensive. . n g satisfies the BLS signature scheme. i ¼ 1.1. . which can reduce the computation complexity at the sender. However. i g and fmj . where hðÞ is a hash function. Z. n and n À 1 signatures i . the receiver can verify the batch of BLS signatures by first computingQ i ¼ hðmi Þ. then returns to B a Q value V ¼ n i 0 .2. the receiver must ensure all the messages are distinct. The signature of m is . the sender first computes h ¼ hðmÞ 2 G1 . This is because if all the messages are i¼1 authentic. g1 ¼ i¼1 n Y i¼1 ð4Þ ! i . g1 Þ. the receiver first computes h ¼ hðmÞ 2 G1 and then check whether eðh. then computes ¼ hx 2 G1 . 3. 9. . i ¼ 1.g1Þ. g1 x Þ ¼ eðhx . the attacker can modify them into fmi . j g. . . g1 Þ 6¼ 1 2 G2 . the public key e is usually small (e ¼ 3 for instance) while the private key d is large. a 171-bit BLS signature provides the same level of security as a 1. then signing each packet can be affordable in this scenario. g1 : ¼e We can prove that our batch BLS is secure to signature forgery as long as BLS is secure to signature forgery. such that fmn . . . . which means the message mi and mj have been correctly signed by the sender. . j g for i 6¼ j. Then.e. g1 x Þ e i¼1 i¼1 n Y À Á e hi x . VOL. n that pass the batch BLS verification. Theorem 1. . 3. e : G1 Â G1 ! G2 . we propose our batch BLS scheme here. For example.986 n Y i¼1 IEEE TRANSACTIONS ON MOBILE COMPUTING. we have 1 eðg1 . i g. B can forge a signature n for any chosen message mn . B sends n messages mi . Suppose B is given n À 1 messages and their valid signatures fmi .3 Requirements to the Sender In most RSA implementations. Downloaded on May 31. a sender chooses a Z random integer x 2 Z p and computes y ¼ g1 x 2 G1 . If the verification succeeds. JULY 2010 !e i mod N ¼ ¼ ¼ n Y i¼1 n Y i¼1 n Y i¼1 e mod N i hed i mod N ð2Þ The BLS signature scheme consists of three phases: In the key generation phase. . satisfying the following properties: 1. Q i¼1 B computes n ¼ V = nÀ1 i as the signature for i¼1 mn . v 2 G1 and a. . Therefore. eðh.. Choosing a small private key d can improve the computation efficiency but compromise the security. Because A can break the batch BLS scheme. we propose a batch signature scheme based on the BLS signature in [36]. This is a very nice choice in the scenario where communication overhead is an important issue. The private key is x and the public key is y. If the sender does not have enough resource. but the signature of each packet is not correct (that is why batch RSA verification is called screening in [35]). i g and fmj .1 BLS The BLS signature scheme uses a cryptographic primitive called pairing.2 Batch BLS Signature Here. . In some circumstances. 2. Given n packets fmi . Therefore. . . Suppose an attacker A can break the batch BLS by forging signatures. an attacker may not forge signatures but manipulate authentic packets to produce invalid signatures. Therefore. .2. Given a message m 2 f0. One merit of the BLS signature is that it can generate a very short signature. 2. we propose two efficient batch signature schemes based on BLS [36] and DSA [38]. n. by colluding with A in the following steps: 1. In the verification phase. It has been proved in [35] that when all the messages are distinct. another attacker B can break BLS under the chosen message attack by colluding with A. then ! n n Y Y hi . If the sender is a powerful server. . because 3. b 2 Z we have eðua . g1 Þ: ð3Þ hi mod N: Before the batch verification.024-bit DLP-based signature scheme such as DSA [38]. . gp ¼ 1 2 G1 . 3. n and then checking whether eð n hi . Restrictions apply. 7. g1 Þ ¼ eð.2010 at 01:51:59 UTC from IEEE Xplore. This is easy to implement because sequence numbers are widely used in many network protocols and can ensure all the messages are distinct. j =g. y ¼ eðhi . i g and fmj . This poses a challenge to the computation capability of the sender because the sender needs to sign each packet. i ¼ 1. yÞ ¼ eðh. . vÞab . 3. Otherwise batch RSA is vulnerable to the forgery attack [35].

2 3. Zq Given a message m. For any message set mi . . the private key of the signer. n À 2. y. 6. 0 < x < q. q. g1 eðn . y ¼ gx mod p.2 Harn Batch DSA Given n packets fmi . i ¼ 1. yÞ ¼ eðn . n. a generator of Z Ã with order q. gq ¼ 1 mod p. Moreover.3 Requirements to the Sender In our batch BLS. sÞ. [43]. computing h ¼ hðmÞ. two packets fmi . BLS can be implemented over elliptic curves [55]. a 160-bit prime divisor of p À 1. . For instance.3 The Boyd-Pavlovski Attack Boyd and Pavlovski [44] pointed out an attack against the Harn batch DSA scheme [43]. . y nÀ1 Y i¼1 hi . j g for i 6¼ j can be replaced with fmi . DSA is deemed secure based on the difficulty of solving DLP [39]. and 4. Also like batch RSA. which have been shown in the literature to be more efficient than finite integer fields on which RSA is implemented. Therefore.3. the sender needs to sign each packet. g1 Þ : ð6Þ Since BLS is forgery-secure under the chosen message attack [36]. The signature for m is ðr. 5. 2. 2. 3. si g. it does not affect the correctness and the authenticity of mi and mj because they have been correctly signed by the sender. .: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE n Y i¼1 987 ! hi . 3. if the batch of packets is authentic. . ðri . i ¼ 1. computing r ¼ ðgk mod pÞ mod q. . some system parameters are defined as: 1. n. p. .e. the signing operation is more efficient than the RSA signature generation. i g and fmj . . . Unfortunately.3.2010 at 01:51:59 UTC from IEEE Xplore. . then Pn Pn À1 À1 mod p mod q g i¼1 si ri y i¼1 hi ri Pn À1 ¼ g i¼1 ðsi þhi xÞri mod p mod q Pn ð8Þ ¼ g i¼1 ki mod p mod q ¼ n Y i¼1 ri mod q: 3. the signer generates a signature by: 1. . the receiver can verify the batch of signatures by first computing hi ¼ hðmi Þ and then checking whether n Pn Pn Y À1 À1 ri mod q : ð7Þ g i¼1 si ri y i¼1 hi ri mod p mod q ¼ i¼1 3. The process is: 1. . 2. Harn improved the security of [40] in [42]. . Choose B and C. i ¼ 1. a hash function generating an output in Z Ã . Restrictions apply. j =g and still pass the batch verification. randomly choose ri . i ¼ 1. the public key of the signer.4 Our Batch DSA In order to counteract the Boyd-Pavlovski attack. This is because.1 Harn DSA In Harn DSA [43]. Compute rnÀ1 and rn to ensure that n Y i¼1 n X i¼1 ri mod q ¼ A mod q ð9Þ ð10Þ hi ri À1 mod q ¼ C mod q: 4. our batch DSA makes an improvement to the Harn DSA algorithm. 3. 3. g. but later was found insecure [41]. Randomly choose si . Boyd and Pavlovski pointed out in [44] that Harn’s work is still vulnerable to malicious attacks. .. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. n À 1 and compute sn to ensure that n X i¼1 si ri À1 mod q ¼ B mod q: ð11Þ The probability that fmi . i.3. where an attacker can forge signatures for any chosen message set that has not been signed by the sender.3 Batch DSA Signature DSA [38] is another popular digital signature algorithm. . [56]. Downloaded on May 31. y n Y i¼1 e ¼ eðV . computing s ¼ rk À hx mod q. x. . 3. . g1 Þ ! ¼e ! n Y i¼1 nÀ1 Y i¼1 ! i . our batch BLS scheme is also secure to forgery under the chosen message attack. Here. Unlike RSA.3. an attacker may not forge signatures but manipulate authentic packets to produce invalid signatures. . i g and fmj . . which is based on the hardness of factoring two large primes. 3.2. . n are forged messages satisfying the batch verification is 1 [44]. then ððgsr yhr Þ mod pÞ mod q ¼ ððgðsþhxÞr Þ mod pÞ mod q u t ¼ ðgk mod pÞ mod q ¼ r: À1 À1 À1 À1 À1 )e )e hi . g1 Þ ð5Þ The receiver can verify the signature by first computing h ¼ hðmÞ and then checking whether ððgsr yhr Þ mod pÞ mod q ¼ r: This is because if the packet is authentic. g1 ! i . . Zp 4. calculate A ¼ ðgB yC mod pÞ mod q. we propose a batch DSA scheme based on Harn’s work and counteract the attack described in [44].ZHOU ET AL. y eðhn . i ¼ 1. a prime longer than 512 bits. yÞ ¼ e ) eðhn . randomly selecting an integer k with 0 < k < q. si Þg. Because BLS can provide a security level equivalent to conventional RSA and DSA with much shorter signature [36]. hðÞ. we can expect that our batch BLS is more affordable by the sender than batch RSA and also achieve computation efficiency at the receiver. A batch DSA signature scheme was proposed in [40]. ri . However.

3. An example is illustrated in Fig. Each leaf is a hash of one packet. VOL.2010 at 01:51:59 UTC from IEEE Xplore. At each receiver. leading to DoS. Though it is simple. By introducing ri into the hash operation. which means more signature verifications at each receiver. the cost of the aggregations is incurred with the final signature verification.2 . 9. ðri 0 . our method can significantly increase the security of batch DSA. if we modify the original DSA so that it takes fsrÀ1 . H1. ðHðP3 Þ. the mark of the packet P3 is fH4 . 2. Meanwhile. 2. randomly choose si 0 . we can notice that they use exactly the orignal RSA and BLS algorithms. Next. n i g after i¼1 i¼1 receiving every packet. Each set of packets comes from either the real sender or the attacker. an attacker can inject forged packets into a batch of packets to disrupt the batch signature verification. A naive approach to defeat the DoS attack is to divide the batch into multiple smaller batches and perform a batch verification over each smaller batch. . the attacker may manipulate authentic packets fmi . the aggregations Q message hashes and of P P signatures f n si ri À1 . NO. r is independent on the message m. we present an enhanced scheme called MABS-E. each receiver only needs to perform BatchVerifyðÞ over each set.3. In this section. n À 1 and solve sn 0 satisfying n X i¼1 Fig. For each packet. In particular. a mark is constructed as the set of the siblings of the nodes along the path from the packet to the root.8 ¼ HððH1. Therefore. si 0 ri À1 mod q ¼ n X i¼1 si ri À1 mod q: ð12Þ 4 ENHANCED SCHEME However. each Q Q receiver can compute and update f n hi . In some circumstances. only two modular multiplications are necessary to sign a packet. Merkle tree [57] is used to generate marks. Each internal node is the hash value on both its left and right children. When the sender starts a multicast session. If the result is T rue. For batch-DSA. H5. When the time of batch verification comes. however. . the hash values hi in (10) are unknown to the attacker. the attacker can compute ri values according to (9) and (10) because parameters A.8 Þ. and the receiver simply drops them and does not need to divide the set into smaller subsets for further batch verification.988 IEEE TRANSACTIONS ON MOBILE COMPUTING. H5. Preaggregation of Message Hashes and Signatures If we take a closer look at batch-RSA and batch-BLS. . no matter whether it is random loss or burst loss. and vice versa. Restrictions apply. . while also achieving computation efficiency at the receiver. which is unique to the packet and cannot be spoofed.8 g and the root can be recovered as H1. Like the cases in batch RSA and our batch BLS. In our batch DSA. just like batch-RSA and batch-BLS. as shown in Fig.4 The basic scheme MABS-B targets at the packet loss problem. the attacker can inject forged packets at very high frequency and expect that each receiver stops the batch operation and recovers the basic per-packet signature verification. hrÀ1 . The mark design ensures that a packet from the real sender never falls into any set of packets from the attacker. n i g as the parameters to the i¼1 i¼1 original signature algorithms. In the Boyd-Pavlovski attack. For example. ðri . Therefore. Therefore. Constructing a Merkle tree is very efficient because only hash operations are performed. si Þg to produce invalid signatures fmi . which is not in Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Therefore. rg as parameters. It has perfect resilience to packet loss. 1. The only difference is that the batch algorithms Q take the aggregations of message hashes Q and signatures f n hi . which can still pass the batch verification. the set of packets is authentic. the sender needs to compute one modular exponentiation to get r and two modular multiplications to get s.5 Requirements to the Sender In batch RSA and our batch BLS. the multicast stream is classified into disjoint sets based on marks. our batch DSA is much more efficient than batch RSA and our batch BLS at the sender. The sender constructs a binary tree for eight packets. mÞ. the set of packets is from the attacker. s. Therefore. the computation cost at each receiver can be more manageable no matter how large each batch is if signature preaggregation is enforced. which may not be viable at resource-constrained receiver devices. each receiver needs just one signature verification. i ¼ 1. n hi ri À1 . the one-way property of hash operation ensures that given the root of a Merkle tree it is infeasible to find a packet. 7. and this divide-and-conquer approach can be recursively carried out for each smaller batch. Therefore. This aggregation is independent of the final signature verification. a strong resilience to DoS due to injected packets can be provided. H4 ÞÞ. si 0 Þg. If not. Therefore. the sender needs to compute one modular exponentiation to sign each packet. the sender can generate many r values offline. In the worst case. hi values are known. The attacker can keep ri unchanged. Each leaf is a hash of one packet. then batch-DSA can take the advantage of preaggregating message hashes and signatures. which combines the basic scheme MABS-B and a packet filtering mechanism to tolerate packet injection.2 . Obviously. An example of Merkle tree. Downloaded on May 31. which is inherent in the Internet and wireless networks. In MABS-E. the sender attaches each packet with a mark. . However. it can use reserved r values to compute s values. All the other steps are the same as those in Harn’s scheme. C. rg instead of fh. n ri g are inside the i¼1 i¼1 i¼1 signature verification. this attack does not affect the correctness and authenticity of messages because they have been really signed by the sender [44]. In this way. Each internal node is the hash value on the concatenation of its left and right children. JULY 2010 We replace the hash operation hðmÞ in the signature generation and verification process with hðr. However. respectively. 3. the attacker cannot compute ri values and the forgery attack discussed in [44] is defeated. the receiver can still accept them because the batch verification succeeds.

i. This is also true for all the literature multicast authentication schemes referenced in this paper. This guarantees that forged packets cannot fall into the set of authentic packets. We consider the random loss and the burst loss with a maximum loss length of 10 packets. Our MABS and Tree schemes [11] have perfect resilience to packet loss in the sense that all the received packets can be authenticated. 4. 5 PERFORMANCE EVALUATION In this section.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 989 Fig. we choose the erasure code ð256. the impact of DoS due to packet injection can be reduced by a factor of t.ZHOU ET AL. Once the set is authentic. underlying signature algorithm. MABS does not assume any particular underlying signature algorithm. Verification rate under the random loss model.7 chain configuration. . and SAIDA [23]. The metric here is the verification rate. For AugChain [18]. SAIDA [23] illustrates a resilience to packet loss up to a certain threshold. each receiver can choose a threshold (say t) and start batch verification over one set only when the set has no less than t packets. we choose two class priorities. and DoS resilience.3. For SAIDA [23]. In this way. We compare MABS with some well-known loss tolerant schemes EMSS [14]. tree chaining. while our MABS-B has less overhead and latency and MABS-E is resilient to DoS at the same level of overhead as Tree [11]. 128Þ. Restrictions apply. When the sender has a set of packets for multicast.1 Resilience to Packet Loss We use simulations to evaluate the resilience to packet loss. If a set has less than t packets and the root value recovered from the set has not been authenticated.2 are under the assumption that they are using the same 5. Doing the BatchVerify algorithm on each small set compromises efficiency. PiggyBack [16]. An attacker may inject small sets of forged packets or even inject single packet that does not belong to any set. Each receiver does not need to wait for a set to include all the packets under the Merkle tree. we choose the chain configuration of 5 À 11 À 17 À 24 À 36 À 39. As we will show later. which has the best performance among all the configurations of length 6 as is shown in [14]. and erasure coding schemes and are widely used in performance evaluation in the literature. As we discussed before. In this case. 3. Therefore. The reason is that graph chaining results in the correlation among packets and this correlation is vulnerable to packet loss. the threshold t can vary according to the receiver’s computation resource. Tree [11] achieves this independency by incurring large overhead and latency at the sender and each receiver and is vulnerable to DoS. all the discussions and evaluations of MABS and the literature works in Section 5. We can see that the verification rates of EMSS [14]. the receiver simply drop the set of packets without processing them and thus save computation resource. the corresponding root can be used to authenticate the rest of packets under the same Merkle tree without batch-verifying them.e.1 and Section 5. Verification rate under the burst loss model with the maximum burst length 10. The root can be recovered based on each packet and its mark. Each receiver can find whether two packets belong to the same set by checking whether they lead to the same root value. it generates a Merkle tree for the set and attaches a mark to each packet. The verification rates under different loss rates are given in Fig.. The discussion of signature algorithms is in Section 5. the recovered roots help classify received packets into disjoint sets. For EMSS [14]. because of the threshold performance of erasure codes. For PiggyBack [16]. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. we choose C3. which saves computation overhead at each receiver. Since the sets from the sender can have a large number of packets.2010 at 01:51:59 UTC from IEEE Xplore. each receiver has many small sets and each of them has only a few packets. however. 3 and Fig. For Tree chain [11]. For all these schemes. and it can batch-verify the set anytime. This is because all the packets in MABS and Tree schemes are independent from each other. we choose the block size of 256 packets and simulate over 100 blocks. 4. Downloaded on May 31. we choose binary tree. augmented chain (AugChain) [18]. Fig. For each receiver. we evaluate MABS performance in terms of resilience to packet loss. efficiency. augmented chain (AugChain) [18] and PiggyBack [16] are decreased quickly when the loss rate is increased. Therefore. tree chain (Tree) [11]. the set associated with the Merkle tree and from which there is a path to the root. These schemes are representatives of graph chaining. the ratio of the number of authenticated packets to the number of received packets.

NO. While it is not designed for lossy channels. MABS-B is perfect resilient to packet loss because of its inherent design. but it still preserves the merit of instantaneous authentication at each receiver as MABS-B. similar to SAIDA [23]. 4. 7. At each receiver. and communication overhead for efficiency evaluation under lossy channels and DoS channels. the high layer application does not need to wait because the low layer authentication module can deliver authenticated packets at any time when the high layer application needs new data.2. MABS-E can also achieve the perfect resilience to packet loss in lossy channels. The notations used here are defined in Table 1. [16] or at each receiver [14]. [23]. EMSS [14]. JULY 2010 TABLE 1 Notations within several hash operations. . This makes MABS-B pretty suitable for realtime multimedia applications.1 Comparisons over Lossy Channels Table 2 shows the comparisons between MABS-B and wellknown loss-tolerant schemes tree chain (Tree) [11]. 5. This receiver side latency is variable depending on whether the correlation among the underline buffered packets has been recovered or not when the high layer application needs new data.2010 at 01:51:59 UTC from IEEE Xplore. BAS [31]. the schemes using One thing needs to be pointed out is that we do not differentiate between MABS-B and MABS-E in Fig. Restrictions apply. and LTT [32] in the table just for comparisons even though they are not designed for lossy channels. The latency is inherent in the block design due to chaining or coding. Previous block-based schemes introduce latency either at the sender [11]. Downloaded on May 31. and its maximum value is the block size. 9. [31] or both [18]. the extracted root of the Merkle tree can be used to authenticate the rest of packets in the same set TABLE 2 Comparisons over Lossy Channels Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. which shows a threshold-based loss resilience. [30]. augmented chain (AugChain) [18]. PiggyBack [16]. MABS-E introduces latency at the sender because it includes a tree construction to counteract DoS. which is not the best choice for the lossy channel. Once the received packets are authenticated. All the evaluations are carried out over n packets. 5. 3 and Fig. and SAIDA [23]. If we set t > 1. In addition. We also include MABS-E and three DoS resilient schemes PRABS [30]. we can set the threshold t ¼ 1 (refer to Section 4) for MABS-E. the correlation among a block of packets has to be established before the sender starts sending the packets. VOL. Both the block-based schemes and MABS require one signature verification operation on a block or a batch of n packets at each receiver.2 Efficiency We consider latency. Each packet is independently sent out at the sender. [32]. In the lossy channel model. computation. At each receiver. MABS-E can tolerate up to n À t lost packets for each set of n packets. the latency is incurred when the high layer application waits for the buffered packets to be authenticated after the correlation is recovered. The results are depicted in Table 2 and Table 3. and thus each receiver can start batch-verification as long as there is at least one packet received for each set of packets constructed under the same Merkle tree. At the sender side.990 IEEE TRANSACTIONS ON MOBILE COMPUTING. MABS-B eliminates the correlation among packets. where no DoS attack is assumed to present.

[16]. [23] since they are designed only for lossy channels. [14]. They can alleviate the impact of packet injection by a constant factor to reduce the computation cost at each receiver. In MABS. BLS [36] generates short signatures of 171 bits. Processing injected packets from the attacker always consumes a certain amount of resource. Therefore. we assume an attacker factor . [31]. MABS-B and MABSE have more communication overhead than those in [14]. which is the same case as Tree [11]. MABS can have the same level of communication efficiency as conventional schemes when BLS is used. Compared with RSA [33]. Schemes in [30]. [30]. which is comparable to previous schemes using hashing and coding. efficient signature generation is desirable at the sender. [32] require one or more signatures and up to Oðn2 Þ hashes. which is comparable to most well-known hash algorithms MD5 [58] (128 bits) and SHA-1 [59] (160 bits). [32]. [31].024-bit RSA). [23]. However. 5. [32] are designed for DoS defense. [23]. [16]. MABS-E has the same level of DoS resilience as those in [30]. MABS-B and MABS-E require n signatures and MABS-E requires additional Oðnlog2 nÞ hashes.2. For n packets. MABS-B is more efficient since there is no more hashing or decoding operations. and the ones using coding require multiple hashes and one or two decoding operations.2 Comparisons over DoS Channels DoS is a method for an attacker to deplete the resource of a receiver. [16]. Moreover. Tree [11] require an overhead of n signature and Oðnlog2 nÞ hashes. schemes in [14]. and the advance of computing technology makes it easier in the long run. [32]. Therefore. in multimedia multicast. a trade-off for perfect resilience to packet loss is that the sender needs to sign each packet. [30]. MABS-B is vulnerable to packet injection as schemes in [11]. which incurs more computation overhead than conventional block-based schemes. [18]. [31].: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 991 TABLE 3 Comparisons over DoS Channels chaining also require many hashes. [18].ZHOU ET AL. the sender is usually a powerful server and thus the per-packet signature generation can be affordable. [18]. If long signatures are used (like 1. [31]. MABS-E requires nlog2 n hashes. which is efficient in verifying but is expensive in signing. Here. BLS [36] and DSA [38] are pretty good candidates as we will show later.

. which means that for n valid packets .

the attacker can inject .n invalid packets are injected. [18]. For schemes in [11]. The computation overheads at each receiver for different schemes are depicted in Table 3. [14]. [16]. which authenticate signatures first and then authenticate packet through hash chains.

n forged signature packets because signature verification is an expensive operation. the attacker simply injects . For SAIDA [23]. which requires erasure decoding.

n forged packets because each receiver has to choose a certain number of valid packets from all the ð1 þ .

M-modular multiplication. Restrictions apply. Moreover. for 157-bit BLS are 2. Downloaded on May 31. 5. and for 1. which can have a significant number of tries. a c-bit modular exponentiation in c DLP is equivalent to a 6 -bit modular exponentiation in BLS for the same security level.87 ms.3 Comparisons of Signature Schemes We compare the computation overhead of three batch signature schemes in Table 4.Þn packet to do decoding. We also compare the length of two popular hash algorithm MD5 [58] and SHA-1 [59] and the signature length of three TABLE 4 Computational Overhead of Different Batch Schemes E-modular exponentiation. According to the report [60] on the computational overhead of signature schemes on PIII 1 GHz CPU.007-bit private key are 7. [44].4 ms. the signing and verification time for 1. and vice versa for RSA. We can observe that for BLS and DSA the signing is efficient but the verification is expensive.024-bit RSA signing operation is roughly equivalent to that of 768 DSA signing operations (1.09 ms and 4.024-bit RSA with a 1. Therefore. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. P -pairing.024-bit DSA with a 160-bit private key (without precomputing r value) are 4. Therefore. Usually one c-bit modular exponentiation is equivalent to 1:5c modular multiplications over the same field [35]. It is also meaningful to use our batch BLS and batch DSA at the receiver to save computation resources. we can save more computation resource at the sender by using our batch BLS and batch DSA than batch RSA.9 ms and 0.75 ms and 81 ms. RSA [33] and BLS [36] require one modular exponentiation at the sender and DSA [38] requires two modular multiplications when r value is computed offline. . we can estimate that the computation overhead of one 1.2010 at 01:51:59 UTC from IEEE Xplore.536 modular multiplications) and that of 6 BLS signing operations (each one is corresponding to 255 modular multiplications).

Lin. “Multicast-Specific Security Threats and Counter-Measures. It is clear that by using BLS or DSA. T. pp. and W-C Wong. and Applications (WASA ’06). Modadugu. 2003. “How to Sign Digital Streams. Computer. 232246. Aug. First Ann.” Proc.” Proc. Multimedia (ISM ’05).” Proc. 2006. “A Content-Aware Stream Authentication Scheme Optimized for Distortion and Overhead. block-based authentication schemes have been proposed. 1998. 4. pp. no. Lam. Second Ann. N. R. Multimedia and Expo (ICME ’06). Multimedia and Expo (ICME ’05). Y.J. ACM Symp. Song. Pollution-Attack Resistant Multicast Authentication Scheme. “Multimedia Broadcast Authentication Based on Batch Signature. 55-64.” Proc.992 IEEE TRANSACTIONS ON MOBILE COMPUTING. 2004. R. C.” IEEE Network Magazine. Network Protocols (ICNP ’98).J. Wee. 2001. Y. Canetti. Nov. Sixth Int’l Conf. H. July 2005.E. Ren. Comm. Bettahar. pp. Mar. 1995. “Multicast Routing in Internetworks and Extended LANs. “On-Line/Offline Digital Signatures. and Networking Conf. May 2001. no. Moreover. Molva. C. 72-77. and A. “On Broadcast Authentication in Wireless Sensor Networks. Security and Privacy (SP ’02). Magazine. D. Y. “BABRA: Batch-Based Broadcast Authentication in Wireless Sensor Networks. Aug. 1997. N. 2004. Staddon. Choi. Zeng. Tygar. (NDSS ’03). 227-240. Feb. (ISCC ’02). and W. Tygar. 17th Ann. Karlof. Wireless Algorithms. Shieh. Park. Perrig. . Zhang. 1988. 541-544. IEEE Symp. pp. vol. VOL.” Proc. “Stream Authentication Scheme for the Use over the IP Telephony. 2150-2155. June 2004. Computers and Comm. Wong and S. “Security Issues and Solutions in Mulicast Content Distribution: A Survey. 1999. Chong. (WCNC ’06). “A Proposal of ButterflyGraphy Based Stream Authentication over Lossy Networks. 2. Challal. 2006. Sastry.” IEEE Comm. Advances in Cryptology (CRYPTO ’97). “Digital Signatures for Flows and Multicasts. Networking. Li. [28] [29] [30] K. Crowcroft. pp. A. 2. “Efficient DoS Resistant Multicast Authentication Schemes. 2001. Security (ASIACCS ’06). Micali.” ACM Trans. Advanced Information Networking and Application (AINA ’04). 1. Given the same security level as 1. 2002 IEEE Symp. Chong. Cho. 7. 17. Cryptology. “Video Stream Authentication in Lossy Networks. May 2003. and Comm. A. Seventh IEEE Int’l Symp.” Proc. Molva. pp. pp.K.2010 at 01:51:59 UTC from IEEE Xplore. 363-368. “A2 Cast: An Adaptive Source Authentication Protocol for Multicast Streams. Siegel. Rohatgi. MABS can achieve more bandwidth efficiency than using RSA. Lam. [16] [17] [18] [19] [20] ACKNOWLEDGMENTS This work was partially supported by the US National Science Foundation under grants CNS-0916391. “A Taxonomy of Multicast Data Origin Authentication: Issues and Solutions. and S. no. 7. 18th Int’l Conf. Int’l Conf. Y. Zuckerman. and K. Q. Okada. Systems. Zhang. Song. Network and Distributed System Security Symp. 45. vol. “Efficient Authentication and Signing of Multicast Streams over Lossy Channels. ACM SIGCOMM Symp.S. 1. E. IEEE Int’l Conf. J. (NDSS ’04). 6. O. 6. pp. Park. Y. July 2002. pp. P. Seventh IEEE Int’l Symp. Feb. IEEE Int’l Conf.” Proc. Z. Surveys & Tutorials. 100-116. Network and Distributed System Security Symp. (ISCC ’04). Network and Distributed System Security Symp. Kawaguchi. NO. W-C Wong. Z. Oct. Security and Privacy (S&P ’02). (NDSS ’01). The works of Fang and Zhu were also partially supported by the 111 Project under Grant B08038. 2004. 198-209. pp. no.J. 2006.” Proc.” IEEE Comm.” Proc. 4. Int’l Conf.” Proc.D. Q. 2005. “A Compact and Fast Hybrid Signature Scheme for Multicast Packet. Fang. 9. Security and Privacy (SP ’00). Shigeno. W. vol. Bouabdallah. we further develop two new batch signature schemes based on BLS and DSA.P. vol. “Distillation Codes and Applications to DoS Resistant Multicast Authentication. and Y. July 2006.K. H. J. and D. Wu and T. and A. “Efficient Multicast Packet Authentication Using Signature Amortization. C. Feb. 502513.D.M. Lin. vol. Downloaded on May 31. 35-67. Gennaro and P. Apr. Fang. Unfortunately. “How to Sign Digital Streams. Ballardie and J. pp. Ammar. H. no. pp. Cryptology Conf. Park. we develop a novel authentication scheme MABS. P. Rohatgi. and J. Tygar. A. vol. vol. 9. Zhou and Y. Jeong. Network and Distributed System Security Symp. Perrig. Siegel.” Proc. no. we also show that the use of batch signature can achieve the efficiency less than or comparable with the conventional schemes. Eighth Ann. and could be even more efficient than conventional schemes using a large number of hashes. and H. 258-285. 8.P. Gennaro and P.” Information and Computation. J. We have demonstrated that MABS is perfectly resilient to packet loss due to the elimination of the correlation among packets and can effectively deal with DoS attack. Mar. J. Sun. Y. Feb. Information and System Security. and H. “Digital Signatures for Flows and Multicasts. S. Aug. and J. pp. Y. Li. Ueda. 30-36. IEEE Symp. pp. S. A. Rohatgi. Dec.” Proc. CNS0716450. Ninth Int’l Symp.024-bit RSA. Aug. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY./Feb. and CNS-0626881. “Authenticating Streamed Data in the Presence of Random Packet Loss. 2-16. Deering. May 2000. BLS generates a 171-bit signature and DSA generates a 320-bit signature. pp. Pannetrat and R. S. R. Bouabdallah. Feb. “Authenticating Real Time Packet Streams and Multicasts. Computer and Comm. “Denial-of-Service Resistant Multicast Authentication Protocol with Prediction Hashing and One-Way Key Chain. 2007. May 2005.” Proc.” Proc. Apostolopoulos. 490-495. E.M. S.” Proc. Bettahar. (NDSS ’95). Miner and J. vol.” IEEE/ACM Trans. vol. “Efficient Multicast Stream Authentication Using Erasure Codes. [21] [22] [23] [24] [25] [26] [27] REFERENCES [1] [2] [3] [4] [5] [6] S.S. pp. JULY 2010 TABLE 5 Communication Overhead of Signature Schemes [7] [8] [9] [10] [11] signature algorithms in Table 5. Oct. 3. P. Security (CCS ’99). D. Zhou and Y. 10th Ann. Wong and S. Sun.” J. May 2002. vol. Judge and M. Golle and N. “Efficient Multicast Packet Authentication. May 2002. 1996. To overcome these problems. pp. Architectures and Protocols.” Proc. “Lightweight. 2006. most previous schemes have many problems such as vulnerability to packet loss and lack of resilience to denial of service (DoS) attack.” Proc. Information. and P. 34-57. pp. Sixth ACM Conf. Pannetrat and R. Finally. K. Goldreich.” Proc. 1. 165. Jan.” Proc. IEEE Wireless Comm. S. Restrictions apply. 1999. IEEE GLOBECOM. “Expander Graphs for Digital Stream Authentication and Robust Overlay Networks.K. 164-169.” Proc. The work of Zhu was also partially supported by the National Natural Science Foundation of China under grant 60772136 and supported by the Fundamental Research Funds for the Central Universities. and S. Aug.” Proc. Computational Science and Its Applications (ICCSA ’05). Even.” Proc. Y.” Proc. Security and Privacy (SP ’01). Challal. which are more efficient than the batch RSA signature scheme. 11th Ann. J.D. Nov. Computers and Comm. 2003. “Graph-Based Authentication of Digital Streams. Moran. 5675.K. Lou. IEEE Symp. [12] [13] [14] 6 CONCLUSIONS [15] To reduce the signature verification overheads in the secure multimedia multicasting.

and PhD degrees from the School of Telecommunications Engineering at Xidian University. Cavagnino. pp. 2003-2008) and ACM MobiHoc (2008-2009). pp. Information Theory.” Proc. 34.A. Xidian University. Rafaeli and D.” Proc. in 2002. [51] A. (CRYPTO ’02). M’Raihi. where she is a lecturer. 541-544. and S. 35. pp. Perrig. pp. [36] D. Xi’an. IEEE Symp. Shacham. 2045-2054. Rivest. vol. Sandhu. Lynn. 257-258. Network and Distributed System Security Symp. S.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 993 [31] C. Tamassia. no. Koblitz. 1998. He was an editor for the IEEE Transactions on Mobile Computing and currently serves on its steering committee. 1994. Pavlovski. be Improved? Complexity Trade Offs with the Digital Signature Standard. Lysyanskaya. 417-426. Chan. Network and Distributed Security. and M.” Proc. vol. 2001. IEEE Symp. from 2009 to 2012. vol. Yun Zhou received the BE degree in electronic information engineering and the ME degree in communication and information system from the Department of Electronic Engineering and Information Science.W. got an early promotion to an associate professor with tenure in 2003. J.” Comm. [59] D. 28-37. 12. pp. Tygar. Merkle. J. pp. Adleman. His research interests include security.” IEEE Trans. May 2004. Desmedt. 19. and N. Dec. in 2000 and 2003. A. R. Lim and P. July 1985. Y. Garay. in 2000. “Efficient Algorithms for Pairing-Based Cryptosystems. Trappe. He is currently serving as the editor-in-chief for IEEE Wireless Communications and serves/served on several editorial boards of technical journals including the IEEE Transactions on Communications. 1986. 203-209. She is now a visiting research scholar in the Department of Electrical and Computer Engineering at the University Florida. 21. He then joined the Department of Electrical and Computer Engineering at University of Florida in 2000 as an assistant professor.” IEE Electronic Letters. June 1998.” Proc. Sept. Nov. no. 2. “Attacking and Repairing Batch Verification Schemes. Micciancio. pp. China. ISOC Symp. 2004.” Proc. “Batch Verifying Multiple DSA-Type Digital Signatures. Computer and Comm.A. Xi’an. “Efficient and Secure Source Authentication for Multicast. “Multicast Security: A Taxonomy and Some Efficient Constructions. [56] V.” Proc. vol. 514-532. “An Efficient Identity-Based Signature Scheme with Batch Verifications. 469-472. [43] L.” IEE Electronic Letters. D. ElGamal. [39] T. Boneh. 2004. in 2007. 2003. D. D. 1219-1220. May 1995. Sixth Int’l Conf.2010 at 01:51:59 UTC from IEEE Xplore.” ACM Computing Surveys. (CRYPTO ’85). on leave from the School of Telecommunications Engineering. pp. Feb. [38] FIPS PUB 186. [57] R. Computation. Xu and R. Triandopoulos. Multimedia and Expo (ICME ’00). 1980. vol. [48] N. “Password Authentication with Insecure Communication. pp. 48. Lee. [37] S. Rivest. Boyd and C. IEEE INFOCOM. no. and B. China. Apr. no.” Proc. China. Naccache. and to a full professor in 2005. He has been actively participating in professional conference organizations such as serving as the steering committee cochair for QShine (20042008).S. Gainesville. 236-250. May 1998. vol. Lynn. IEEE GLOBECOM. S. “DSA-Type Secure Interactive Batch Verification Protocols. Apr. Shamir. “Batch Verifying Multiple RSA Digital Signatures.” Proc. Venkatesh. [40] D. Her research interests include wireless networks. 1994. China.M. Hutchison. Yuguang Fang received the PhD degree in systems engineering from Case Western Reserve University in 1994 and the PhD degree in electrical engineering from Boston University in 1997. vol. IEEE Int’l Conf. 2002. 2001. Info.J. Scott. and a guest chair professorship with Tsinghua University. and B. Downloaded on May 31. ACM. and the PhD degree from the Department of Electrical and Computer Engineering.” Proc. “The BiBa One-Time Signature and Broadcast Authentication Protocol. 9. Frankel. [47] L. 1987. “Protocols for Public Key Cryptosystems. Harn. “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. 708-716. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. 309-329. 3. Scalable Information Systems. Harn. and is the recipient of the Best Paper Award from the IEEE International Conference on Network Protocols (ICNP) in 2006 and the IEEE TCGN Best Paper Award from the IEEE High-Speed Networks Symposium. Song. 4. ACM Symp. Sept. Applied Computing (SAC ’02). [34] L. Int’l Cryptology Conf. and H. pp. and L. Security and Privacy (SP ’04). 2000. Int’l Cryptology Conf. “Multi-Receiver/MultiSender Network Security: Efficient Authenticated Multicast/ Feedback. and D. a Changjiang scholar chair professorship with Xidian University. (NDSS ’01). Advances in Cryptology (EUROCRYPT ’98). 2006. Itkis.” IEEE Trans. “A Survey of Key Management for Secure Group Communication. D. Perrig. “DoS Protection for Reliably Authenticated Broadcast. 4. He is a fellow of the IEEE and the IEEE Computer Society and a member of the ACM.” Proc. [42] L. “Reducing Delay and Enhancing DoS Resistance in Multicast Authentication through Multigrade Security. First Int’l Conf. [60] P. vol. pp. IEEE Wireless Communications Magazine. 11.L. He holds a University of Florida Research Foundation (UFRF) Professorship from 2006 to 2009. Seventh Int’l Conf. Dec. University of Science and Technology. M. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIACRYPT ’01). Gunter. [32] A. 2000. and operating systems. He has published more than 250 papers in refereed professional journals and conferences.ZHOU ET AL. 2001. [44] C. pp. 1981. R. May 1992. and T. Duan. Xi’an. 2002. He is also active in professional activities. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIANCRYPT ’00). 770-772. China. Eighth ACM Conf.” IEE Electronic Letters. Security (CCS ’01). B. Miller.” Proc. Rabin. pp.” Math. pp.” Comm. vol. Garay. Canetti. and a member of the technical program committee for IEEE INFOCOM (1998. 1978. “Can D. IEEE INFOCOM. July 2000. Digital Signature Standard (DSS). University of Florida. Naor. Yung. Raphaeli. Restrictions apply. Network and Distributed System Security Symp. vol. 190-204. 3. no. Khanna. Gainesville. [41] C. pp. Harn. 1992. no. Workshop Theory and Application of Cryptographic Techniques Advances in Cryptology (EUROCRYPT ’94). ME. “Elliptic Curve Cryptosystems. “Uses of Elliptic Curves in Cryptography. 24. no. [55] N. He is currently with Microsoft Corporation. Security and Privacy.” Proc. and 2009. vol. P. 120-126. the IEEE Transactions on Wireless Communications. pp. vol. G. from 2008 to 2011. 1. 30. 2. [35] M. and network coding. Apr. 11th Ann. Bellare. wireless communications and networking.” Proc. pp. an area technical program committee chair for IEEE INFOCOM (2009-2010). 34. Kim. 1. 31. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. [33] R. Jones. vol. network security. “Security of Interactive DSA Batch Verification. a technical program symposium cochair for IEEE GLOBECOM 2004. (NDSS ’04).A. Pinkas. Vaudenay. IT-31. “Fast Batch Verification for Modular Exponentiation and Digital Signatures. B. Feb. Bergadano. 1592-1593. “Individual SingleSource Authentication on The Mbone. no. 870-871.H. respectively. He was an assistant professor in the Department of Electrical and Computer Engineering at the New Jersey Institute of Technology from 1998 to 2000. [50] A. 2. H. cryptography. ACM. “The S/Key One-Time Password System. K. 2001. Tan. 1999. . [49] F. “US Secure Hash Algorithm 1 (SHA1). [58] R. the technical program vice-chair for IEEE INFOCOM 2005. pp.” Proc. and ACM Wireless Networks. He received the US National Science Foundation Faculty Early Career Award in 2001 and the US Office of Naval Research Young Investigator Award in 2002. Hefei.” Proc. [54] S. [52] Q.” Proc. and J. no. Li and W.” RFC 3174. June 2006. May 1994. Eastlake and P.” IEE Electronic Letters. Canetti. 77-85. and C. Barreto. and M. Feb. [46] R. “Authenticated Multicast Immune to Denialof-Service Attack. “Multicast Authentication in Fully Adversarial Networks. “Short Signatures from the Weil Pairing. pp. Feb. Xiaoyan Zhu received the BE. Nov. 58-71. Crispo. Cui. Sept. Lamport. signal processing. Forensics and Security. Mar. Haller.” RFC 1319. [53] S.” Proc. “The MD5 Message-Digest Algorithm. respectively. [45] Y. 1995.

- MABS
- Main Pjct Mabs
- As If
- FinalReportPS2
- epgp
- Merkle Hash Tree based Techniques for Data Integrity of Outsourced Data
- Electronic Cash
- NETSEC-1
- Assignment 2
- MABS Multicast Authentication Based on Batch Signature (2)
- 00-2 quiz-1-ans-1
- it1
- Unit -4 –Internet payment systems
- 2MABS Multicast Authentication Based on Batch Signature
- sec2000
- Hakin9_EN_05_2014 (1)
- Template Action Plan Paraguay
- smartcard_ca
- Improvising Forward Stream Integrity for Secure Logging in the Cloud
- WRK6sol.pdf 3031
- Phpunit Book
- Analysis and Improvement of Pairing-Free Certificate-Less Two-Party Authenticated Key Agreement Protocol for Grid Computing
- Network
- Critical Review of Cryptographic Techniq
- 100418
- Diffie-Hellman Key Agreement Method
- Q&A
- OpenSSL Protocol
- Br15 English
- Cyber Law rgpv

- UT Dallas Syllabus for cs6377.001.09s taught by Murat Kantarcioglu (mxk055100)
- As 4539.1.2.1-2001 Information Technology - Public Key Authentication Framework (PKAF) General - X.509 Certif
- As ISO 17090.1-2003 Health Informatics - Public Key Infrastructure Framework and Overview
- Network Security & Cryptography MCQ'S
- Blockchain Technology and Applications from a Financial Perspective
- Computationally Efficient ID-Based Blind Signature Scheme in E-Voting
- As 4539.1.1-2002 Information Technology - Public Key Authentication Framework (PKAF) Related Standards Genera
- Network Signatures v. Tyson Foods
- Network Signatures v. ConocoPhillips Company
- A Robust Cryptographic System using Neighborhood-Generated Keys
- A Survey and Analysis Performance of Generating Key in Cryptography
- Review on variants of Security aware AODV
- lavabit-aclu-amicus-13-1024.pdf
- The Security and Efficiency in Attribute-Based Data Sharing
- An Efficient Approach for Securing Broker-Less Publish-Subscribe System Using Identity-Based Encryption Scheme
- The Myth of Superiority of American Encryption Products, Cato Briefing Paper
- WP2016 3-1 4 Blockchain Security
- Analysis of VoIP Forensics with Digital Evidence Procedure
- Federal Reserve on Fintech
- Network Signatures v. Comcast
- As NZS ISO IEC 11770.3-2008 Information Technology - Security Techniques - Key Management Mechanisms Using As
- Network Signatures v. Purdue Pharma
- A Survey of Source Authentication Schemes for Multicast transfer in Adhoc Network
- DIFFIE-HELLMAN KEY EXCHANGE TECHNIQUE AND VIDEO STEGANOGRAPHY BASED ON LSB
- A Symmetric Key Generation for File Encryption and Protection using/by USB Storage Device
- As 4539.1.2.3-2001 Information Technology - Public Key Authentication Framework (PKAF) Related Standards Gene
- As 2805.6.1.4-2009 Electronic Funds Transfer - Requirements for Interfaces Key Management - Asymmetric Crypto
- lavabit-eff-amicus-13-1024.pdf
- HYBRID APPROACH FOR SECURE DATA COMMUNICATION FOR DECENTALIZED DISRUPTION-TOLERANT MILITARY NETWORKS
- As ISO 17090.3-2003 Health Informatics - Public Key Infrastructure Policy Management of Certification Authori

Sign up to vote on this title

UsefulNot usefulClose Dialog## Are you sure?

This action might not be possible to undo. Are you sure you want to continue?

Close Dialog## This title now requires a credit

Use one of your book credits to continue reading from where you left off, or restart the preview.

Loading