MABS: Multicast Authentication

Based on Batch Signature
Yun Zhou, Xiaoyan Zhu, and Yuguang Fang, Fellow, IEEE
Abstract—Conventional block-based multicast authentication schemes overlook the heterogeneity of receivers by letting the sender
choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the
signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them
vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service (DoS)
resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast
authentication protocol, namely MABS, including two schemes. The basic scheme (MABS-B) eliminates the correlation among packets
and thus provides the perfect resilience to packet loss, and it is also efficient in terms of latency, computation, and communication
overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets
simultaneously. We also present an enhanced scheme MABS-E, which combines the basic scheme with a packet filtering mechanism
to alleviate the DoS impact while preserving the perfect resilience to packet loss.
Index Terms—Multimedia, multicast, authentication, signature.
Ç
1 INTRODUCTION
M
ULTICAST [1] is an efficient method to deliver multi-
media content from a sender to a group of receivers
and is gaining popular applications such as realtime stock
quotes, interactive games, video conference, live video
broadcast, or video on demand. Authentication is one of
the critical topics in securing multicast [2], [3], [4], [5], [6],
[7] in an environment attractive to malicious attacks.
Basically, multicast authentication may provide the follow-
ing security services:
1. Data integrity: Each receiver should be able to
assure that received packets have not been modified
during transmissions.
2. Data origin authentication: Each receiver should be
able to assure that each received packet comes from
the real sender as it claims.
3. Nonrepudiation: The sender of a packet shouldnot be
able to deny sending the packet to receivers in case
there is a dispute between the sender and receivers.
All the three services can be supported by an asymmetric
key technique called signature. In an ideal case, the sender
generates a signature for each packet with its private key,
which is called signing, and each receiver checks the validity
of the signature with the sender’s public key, which is
called verifying. If the verification succeeds, the receiver
knows the packet is authentic.
Designing a multicast authentication protocol is not an
easy task. Generally, there are following issues in real world
challenging the design. First, efficiency needs to be
considered, especially for receivers. Compared with the
multicast sender, which could be a powerful server,
receivers can have different capabilities and resources. The
receiver heterogeneity requires that the multicast authenti-
cation protocol be able to execute on not only powerful
desktop computers but also resource-constrained mobile
handsets. In particular, latency, computation, and commu-
nication overhead are major issues to be considered. Second,
packet loss is inevitable. In the Internet, congestion at
routers is a major reason causing packet loss. An overloaded
router drops buffered packets according to its preset control
policy. Though TCP provides a certain retransmission
capability, multicast content is mainly transmitted over
UDP, which does not provide any loss recovery support. In
mobile environments, the situation is even worse. The
instability of wireless channel can cause packet loss very
frequently. Moreover, the smaller data rate of wireless
channel increases the congestion possibility. This is not
desirable for applications like realtime online streaming or
stock quotes delivering. End users of online streaming will
start to complain if they experience constant service
interruptions due to packet loss, and missing critical stock
quotes can cause severe capital loss of service subscribers.
Therefore, for applications where the quality of service is
critical to end users, a multicast authentication protocol
should provide a certain level of resilience to packet loss.
Specifically, the impact of packet loss on the authenticity of
the already-received packets should be as small as possible.
Efficiency and packet loss resilience can hardly be
supported simultaneously by conventional multicast
982 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
. Y. Zhou is with Microsoft Corporation, 1 Microsoft Way, Redmond, WA
98052-8300. E-mail: yun.zhou@microsoft.com.
. X. Zhu is with the National Key Laboratory of Integrated Services
Networks, Xidian University, PO Box 106, 2 South Taibai Road, Xi’an,
Shaanxi 10071, China. E-mail: xyzhu@mail.xidian.edu.cn.
. Y. Fang is with the Department of Electrical and Computer Engineering,
University of Florida, 435 New Engineering Building, PO Box 116130,
Gainesville, FL 32611, and with the National Key Laboratory of Integrated
Services Networks, Xidian University, Xi’an 710071, China.
E-mail: fang@ece.ufl.edu.
Manuscript received 28 Jan. 2008; revised 30 Jan. 2009; accepted 17 Oct.
2009; published online 23 Feb. 2010.
For information on obtaining reprints of this article, please send e-mail to:
tmc@computer.org, and reference IEEECS Log Number TMC-2008-01-0026.
Digital Object Identifier no. 10.1109/TMC.2010.37.
1536-1233/10/$26.00 ß 2010 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
schemes. As is well known that existing digital signature
algorithms are computationally expensive, the ideal ap-
proach of signing and verifying each packet independently
raises a serious challenge to resource-constrained devices.
In order to reduce computation overhead, conventional
schemes use efficient signature algorithms [8], [9] or
amortize one signature over a block of packets [10], [11],
[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],
[24], [25], [26] at the expense of increased communication
overhead [8], [9], [10], [11] or vulnerability to packet loss
[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],
[24], [25], [26].
Another problem with schemes in [8], [9], [10], [11], [12],
[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],
[25], [26] is that they are vulnerable to packet injection by
malicious attackers. An attacker may compromise a multi-
cast system by intentionally injecting forged packets to
consume receivers’ resource, leading to Denial of Service
(DoS). Compared with the efficiency requirement and packet
loss problems, the DoS attack is not common, but it is still
important in hostile environments. In the literature, some
schemes [27], [28], [29], [30], [31], [32] attempt to provide the
DoS resilience. However, they still have the packet loss
problem because they are based on the same approach as
previous schemes [10], [11], [22], [23], [24], [25], [26].
Recently, we demonstrated that batch signature schemes
can be used to improve the performance of broadcast
authentication [5], [6]. In this paper, we present our
comprehensive study on this approach and propose a novel
multicast authentication protocol called MABS (in short for
Multicast Authentication based on Batch Signature). MABS
includes two schemes. The basic scheme (called MABS-B
hereafter) utilizes an efficient asymmetric cryptographic
primitive called batch signature [33], [34], [35], [36], [37], [38],
[39], [40], [41], [42], [43], [44], which supports the
authentication of any number of packets simultaneously
with one signature verification, to address the efficiency
and packet loss problems in general environments. The
enhanced scheme (called MABS-E hereafter) combines
MABS-B with packet filtering to alleviate the DoS impact
in hostile environments. MABS provides data integrity,
origin authentication, and nonrepudiation as previous
asymmetric key based protocols. In addition, we make the
following contributions:
1. Our MABS can achieve perfect resilience to packet
loss in lossy channels in the sense that no matter
how many packets are lost the already-received
packets can still be authenticated by receivers.
2. MABS-B is efficient in terms of less latency,
computation, and communication overhead. Though
MABS-E is less efficient than MABS-B since it
includes the DoS defense, its overhead is still at the
same level as previous schemes.
3. We propose two new batch signature schemes based
on BLS [36] and DSA [38] and show they are more
efficient than the batch RSA [33] signature scheme.
The rest of the paper is organized as follows: We briefly
review related work in Section 2. Then, we present a basic
scheme for lossy channels in Section 3, which also includes
three batch signature schemes based on RSA [33], BLS [36],
and DSA, respectively [38]. An enhanced scheme is
discussed in Section 4. After performance evaluation in
Section 5, the paper is concluded in Section 6.
2 RELATED WORK
Schemes in [8], [9] follow the ideal approach of signing and
verifying each packet individually, but reduce the compu-
tation overhead at the sender by using one-time signatures
[8] or /-time signatures [9]. They are suitable for RSA [33],
which is expensive on signing while cheap on verifying. For
each packet, however, each receiver needs to perform one
more verification on its one-time or /-time signature plus
one ordinary signature verification. Moreover, the length of
one-time signature is too long (on the order of 1,000 bytes).
Tree chaining was proposed in [10], [11] by constructing
a tree for a block of packets. The root of the tree is signed by
the sender. Each packet carries the signed root and multiple
hashes. When each receiver receives one packet in the block,
it uses the authentication information in the packet to
authenticate it. The buffered authentication information is
further used to authenticate other packets in the same block.
Without the buffered authentication information, each
packet is independently verifiable at a cost of per-packet
signature verification.
Graph chaining was studied in [12], [13], [14], [15], [16],
[17], [18], [19], [20], [21]. A multicast stream is divided into
blocks and each block is associated with a signature. In each
block, the hash of each packet is embedded into several
other packets in a deterministic or probabilistic way. The
hashes form a graph, in which each path links a packet to
the block signature. Each receiver verifies the block
signature and authenticates all the packets through the
paths in the graph.
Erasure codes were used in [22], [23], [24], [25], [26]. A
signature is generated for the concatenation of the hashes of
all the packets in one block and then is erasure-coded into
many pieces. Erasure codes make each receiver be capable
of recovering the block signature when receiving at least a
certain number of pieces.
All these schemes [10], [11], [12], [13], [14], [15], [16], [17],
[18], [19], [20], [21], [22], [23], [24], [25], [26] are indeed
computationally efficient since each receiver needs to verify
only one signature for a block of packets. However, they all
increase packet overhead for hashes or erasure codes and
the block design introduces latency when buffering many
packets. Another major problem is that most schemes [12],
[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],
[25], [26] are vulnerable to packet loss even though they are
designed to tolerate a certain level of packet loss. If too
many packets are lost, other packets may not be authenti-
cated. In particular, if a block signature is lost, the entire
block cannot be authenticated.
Moreover, previous schemes [8], [9], [10], [11], [12], [13],
[14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25],
[26] target at lossy channels, which are realistic in our daily
life since the Internet and wireless networks suffer from
packet loss. In a hostile environment, however, an active
attacker can inject forged packets to consume receivers’
resource, leading to DoS. In particular, schemes in [8], [9],
[10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21]
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
are vulnerable to forged signature attacks because they
require each receiver to verify each signature whereby to
authenticate data packets, and schemes in [22], [23], [24],
[25], [26] suffer from packet injection because each receiver
has to distinguish a certain number of valid packets from a
pool of a large number of packets including injected ones,
which is very time-consuming.
In order to deal with DoS, schemes in [27], [28], [29], [30],
[31], [32] were proposed. PARM [27] is similar to the tree
chaining scheme [10], [11] in the sense that multiple one-
way hash chains are used as shared keys between the
sender and receivers. Schemes in [28], [29] combine erasure
codes with one-way hash chains to detect forged packets.
Unfortunately, these schemes [27], [28], [29] are still
vulnerable to DoS because they require that one-way hash
chains are signed and transmitted to each receiver and
therefore an attacker can inject forged signatures for one-
way hash chains.
PRABS [30] uses distillation codes to deal with DoS. In
particular, valid packets and forged packets are partitioned
into disjoint sets and erasure decoding is performed over
each set. BAS [31] simply retransmits each signature
multiple times to tolerate packet loss and uses selective
verification to tolerate injected forged signatures. LTT [32]
uses error correction codes to replace erasure codes in
schemes [22], [23], [24], [25], [26]. The reason is that error
correction codes tolerate error packets. These three schemes
[30], [31], [32] are resilient to DoS, but they still have the
packet loss problem.
Some other schemes [45], [46], [47], [48], [49], [50], [51],
[52], [53] use shared symmetric keys between the sender and
receivers to authenticate multicast streams. Though they are
more efficient than those using signatures, they cannot
provide nonrepudiation as the signature approach, and they
require either time synchronization or trustful infrastruc-
tures. In this paper, we focus on the signature approach.
Though confidentiality is another important issue for
securing multicast, it can be achieved through group key
management [54]. In this paper, we focus on multicast
authentication.
3 BASIC SCHEME
Our target is to authenticate multicast streams from a sender
to multiple receivers. Generally, the sender is a powerful
multicast server managed by a central authority and can be
trustful. The sender signs each packet with a signature and
transmits it to multiple receivers through a multicast routing
protocol. Eachreceiver is aless powerful device withresource
constraints and may be managed by a nontrustworthy
person. Each receiver needs to assure that the received
packets are really from the sender (authenticity) and the
sender cannot deny the signing operation (nonrepudiation)
by verifying the corresponding signatures.
Ideally, authenticating a multicast stream can be
achieved by signing and verifying each packet. However,
the per-packet signature design has been criticized for its
high computation cost, and therefore, most previous
schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],
[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],
[32] incorporate a block-based design as shown in Section 2.
They do reduce the computation cost, but also introduce
new problems. The block design builds up correlation
among packets and makes them vulnerable to packet loss,
which is inherent in the Internet and wireless networks.
Received packets may not be authenticated because some
correlated packets are lost.
Also, the heterogeneity of receivers means that the buffer
resource at each receiver is different and can vary over the
timedependingontheoverall loadat thereceiver. Intheblock
design, the requiredblocksize, whichis chosenbythe sender,
may not be satisfied by each receiver.
Third, the correlation among packets can incur addi-
tional latency. Consider the high layer application needs
new data from the low layer authentication module in order
to render a smooth video stream to the client user. It is
desirable that the lower layer authentication module
delivers authenticated packets to the high layer application
at the time when the high layer application needs new data.
In the per-packet signature design it is not a problem, since
each packet can be independently verifiable at any time. In
the block design, however, it is possible that the packets
buffered at the low layer authentication module are not
verifiable because the correlated packets, especially the
block signatures, have not been received. Therefore, the
high layer application has to either wait, which leads to
additional latency, or return with a no-available-packets
exception, which could be interpreted as that the buffered
packets are “lost.” This latency, which is incurred at the
high layer when the high layer application waits for the
buffered packets to become verifiable, is different from the
buffering latency, which is required for the low layer
authentication protocol to buffer received packets.
In view of the problems regarding the sender-favored
block-based approach, we conceive a receiver-oriented
approach by taking into account the heterogeneity of the
receivers. As receiving devices have different computation
and communication capabilities, some could be powerful
desktop computers, while the others could be cheap
handsets with limited buffers and low-end CPUs. Mixed
with various channel loss rates, this heterogeneity poses a
demand on the capability of adjusting the buffer size and
authenticating buffered packets any time when the high
layer application requires at each receiver.
In order to fulfill the requirement, the basic scheme
MABS-B uses an efficient cryptographic primitive called
batch signature [33], [34], [35], [36], [37], [38], [39], [40], [41],
[42], [43], [44], which supports simultaneously verifying the
signatures of any number of packets. In particular, when a
receiver collects i packets:
j
i
¼ fi
i
. o
i
g. i ¼ 1. . . . . i.
where i
i
is the data payload, o
i
is the corresponding
signature, and i can be any positive integer, it can input
them into an algorithm
BatchVerifyðj
1
. j
2
. . . . . j
i
Þ 2 fTinc. 1o|:cg.
If the output is Tinc, the receiver knows the i packets are
authentic, and otherwise not.
To support authenticity and efficiency, the BatchVerifyðÞ
algorithm should satisfy the following properties:
984 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
1. Given a batch of packets that have been signed by
the sender, BatchVerifyðÞ outputs Tinc.
2. Given a batch of packets including some unauthentic
packets, the probability that BatchVerifyðÞ outputs
Tinc is very low.
3. The computation complexity of BatchVerifyðÞ is
comparable to that of verifying one signature and
is increased only gradually when the batch size i
is increased.
The computation complexity of BatchVerifyðÞ comes
with the fact that there are some additional cost on
processing multiple packets. As we will show later, those
additional computations are mostly modular additions and
multiplications, which are much faster than modular
exponentiations required in final signature verifications.
Theoretically, a concern comes when the cost grows higher
than the final signature verification if the batch size is too
large. However, it is not the case in reality. The merit of
batch signature is that the batch size is chosen by each
receiver, which can optimize its own batch size, so that the
batch size will not be unmanageably large. Most important,
we will show later that in the implementation of batch
signature a technique called signature preaggregation can be
used so that the additional processing of multiple packets is
shifted from the time of final batch verification to the time
of each packet reception and thus the cost of final batch
signature verification is exactly the same as that of original
signature verification.
In order to show the merit of signature preaggregation,
we implemented batch signature by using our Batch-BLS
(will be discussed later) as an example. We measured the
normalized time cost of batch signature verification with
the batch size growing from 1 to 1,000, and recorded the
results for two scenarios, with and without signature
preaggregation. The result is shown in Fig. 1. We can see
that the time cost of general batch verification (without
signature aggregation) is still less than that of two single
signature verifications when batch size grows up to about
270, which validates the third property of batch signature.
The other curve in Fig. 1 shows that if the signature
preaggregation is used, then the final batch verification has
the same cost of single signature verification, no matter how
large the batch size is.
MABS-B uses per-packet signature instead of per-block
signature and thus eliminates the correlation among
packets. The packet independency makes MABS-B perfect
resilient to packet loss. The Internet and wireless channels
tend to be lossy due to congestion or channel instability,
where packets can be lost according to different loss
models, such as random loss or burst loss. In MABS-B,
however, no matter how many packets are lost, the already-
received packets can still be authenticated by each receiver.
This is a significant advantage over previous schemes [10],
[11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22],
[23], [24], [25], [26], [27], [28], [29], [30], [31], [32]. Mean-
while, efficiency can also be achieved because a batch of
packets can be authenticated simultaneously through one
batch signature verification operation. The packet indepen-
dency also brings other benefits in terms of smaller latency
and communication overhead compared with previous
schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],
[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],
[32]. In particular, each receiver can verify the authenticity
of all the received packets in its buffer whenever the high
layer applications require, and there is no additional hash
or code overhead in each packet.
Next, we present three implementations. In addition to
the one based on RSA [33], we propose two new batch
signature schemes based on BLS [36] and DSA [38], which
are more efficient than batch RSA. We must point out and
will show later that MABS is independent from these
signature algorithms. This independency brings the free-
dom to optimize MABS for a particular physical system or
platform as much as possible.
3.1 Batch RSA Signature
3.1.1 RSA
RSA [33] is a very popular cryptographic algorithm in
many security protocols. In order to use RSA, a sender
chooses two large random primes 1 and Q to get ` ¼ 1Q,
and then calculates two exponents c. d 2 ZZ
Ã
`
such that
cd ¼ 1 iod cð`Þ, where cð`Þ ¼ ð1 À1ÞðQÀ1Þ. The sender
publishes ðc. `Þ as its public key and keeps d in secret as its
private key. A signature of a message i can be generated as
o ¼ ð/ðiÞÞ
d
iod `, where /ðÞ is a collision-resistant hash
function. The sender sends fi. og to a receiver that can
verify the authenticity of the message i by checking
o
c
¼ /ðiÞ iod `.
3.1.2 Batch RSA
To accelerate the authentication of multiple signatures,
the batch verification of RSA [34], [35] can be used. Given
i packets fi
i
. o
i
g. i ¼ 1. . . . . i, where i
i
is the data
payload, o
i
is the corresponding signature and i is any
positive integer, the receiver can first calculate /
i
¼ /ði
i
Þ
and then perform the following verification:
Y
i
i¼1
o
i
!
c
iod ` ¼
Y
i
i¼1
/
i
iod `. ð1Þ
If all i packets are truly from the sender, the equation holds
because
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 985
Fig. 1. Normalized time cost of Batch-BLS signature verification.
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
Y
i
i¼1
o
i
!
c
iod ` ¼
Y
i
i¼1
o
c
i
iod `
¼
Y
i
i¼1
/
cd
i
iod `
¼
Y
i
i¼1
/
i
iod `.
ð2Þ
Before the batch verification, the receiver must ensure all
the messages are distinct. Otherwise batch RSAis vulnerable
to the forgery attack [35]. This is easy to implement because
sequence numbers are widely used in many network
protocols and can ensure all the messages are distinct. It
has been proved in [35] that when all the messages are
distinct, batch RSAis resistant to signature forgery as long as
the underlying RSA algorithm is secure.
In some circumstances, an attacker may not forge
signatures but manipulate authentic packets to produce
invalid signatures. For example, given two packets fi
i
. o
i
g
and fi
,
. o
,
g for i 6¼ ,, the attacker can modify them into
fi
i
. o
i
`g and fi
,
. o
,
´`g. The modified packets can still pass
the batch verification, but the signature of each packet is not
correct (that is why batch RSA verification is called screening
in [35]). However, the attacker can do this only when it gets
fi
i
. o
i
g and fi
,
. o
,
g, which means the message i
i
and i
,
have been correctly signed by the sender. Therefore, this
attack is of no harm to the receiver [35].
3.1.3 Requirements to the Sender
In most RSA implementations, the public key c is usually
small (c ¼ 3 for instance) while the private key d is large.
Therefore, the RSA signature verification is efficient while
the signature generation is expensive. This poses a
challenge to the computation capability of the sender
because the sender needs to sign each packet. Choosing a
small private key d can improve the computation efficiency
but compromise the security. If the sender does not have
enough resource, a pair of fc. dg with comparable sizes can
achieve a certain level of trade-off between computation
efficiency and security at the sender part. If the sender is a
powerful server, then signing each packet can be affordable
in this scenario. Next, we propose two efficient batch
signature schemes based on BLS [36] and DSA [38], which
can reduce the computation complexity at the sender.
3.2 Batch BLS Signature
Here, we propose a batch signature scheme based on the
BLS signature in [36].
3.2.1 BLS
The BLS signature scheme uses a cryptographic primitive
called pairing, which can be defined as a map over two
cyclic groups G
1
and G
2
, c : G
1
ÂG
1
! G
2
, satisfying the
following properties:
1. Bilinear: For all n. . 2 G
1
and o. / 2 ZZ, we have
cðn
o
. .
/
Þ ¼ cðn. .Þ
o/
.
2. Nondegenerate: For the generator o
1
of G
1
, i.e.,
o
j
1
¼ 1 2 G
1
, where j is the order of G
1
, we have
cðo
1
. o
1
Þ 6¼ 1 2 G
2
.
The BLS signature scheme consists of three phases:
1. In the key generation phase, a sender chooses a
random integer r 2 ZZ
j
and computes n ¼ o
1
r
2 G
1
.
The private key is r and the public key is n.
2. Given a message i 2 f0. 1g
Ã
in the signing phase, the
sender first computes / ¼ /ðiÞ 2 G
1
, where /ðÞ is a
hash function, then computes o ¼ /
r
2 G
1
. The
signature of i is o.
3. In the verification phase, the receiver first computes
/¼/ðiÞ2G
1
and then check whether cð/.nÞ¼cðo.o
1
Þ.
If the verification succeeds, then the message i is authentic
because
cð/. nÞ ¼ cð/. o
1
r
Þ ¼ cð/
r
. o
1
Þ ¼ cðo. o
1
Þ. ð3Þ
One merit of the BLS signature is that it can generate
a very short signature. It has been shown in [36] that an
i-bit BLS signature can provide a security level equiva-
lent to solving a Discrete Log Problem (DLP) [39] over a
finite field of size approximately 2
6i
. Therefore, a 171-bit
BLS signature provides the same level of security as a
1,024-bit DLP-based signature scheme such as DSA [38].
This is a very nice choice in the scenario where
communication overhead is an important issue.
3.2.2 Batch BLS
Based on BLS, we propose our batch BLS scheme here.
Given i packets fi
i
. o
i
g. i ¼ 1. . . . . i, the receiver can verify
the batch of BLS signatures by first computing /
i
¼ /ði
i
Þ.
i ¼ 1. . . . . i and then checking whether cð
Q
i
i¼1
/
i
. nÞ ¼

Q
i
i¼1
o
i
. o
1
Þ. This is because if all the messages are
authentic, then
c
Y
i
i¼1
/
i
. n
!
¼
Y
i
i¼1
cð/
i
. o
1
r
Þ
¼
Y
i
i¼1
c
À
/
i
r
. o
1
Á
¼ c
Y
i
i¼1
o
i
. o
1
!
.
ð4Þ
We can prove that our batch BLS is secure to signature
forgery as long as BLS is secure to signature forgery.
Theorem 1. Suppose an attacker A can break the batch BLS by
forging signatures. Then, another attacker B can break BLS
under the chosen message attack by colluding with A.
Proof. Suppose B is given i À1 messages and their valid
signatures fi
i
. o
i
g. i ¼ 1. . . . . i À1, B can forge a signa-
ture o
i
for any chosen message i
i
, such that fi
i
. o
i
g
satisfies the BLS signature scheme, by colluding with A
in the following steps:
1. B sends i messages i
i
. i ¼ 1. . . . . i and i À1
signatures o
i
. i ¼ 1. . . . . i À1 to A.
2. Because A can break the batch BLS scheme, A
generates i false signatures o
i
0
. i ¼ 1. . . . . i that
pass the batch BLS verification, then returns to B a
value \ ¼
Q
i
i¼1
o
i
0
.
3. B computes o
i
¼ \ ´
Q
iÀ1
i¼1
o
i
as the signature for
i
i
, because
986 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
c
Y
i
i¼1
/
i
. n
!
¼ cð\ . o
1
Þ
) c
Y
i
i¼1
/
i
. n
!
¼ c
Y
i
i¼1
o
i
. o
1
!
) c
Y
iÀ1
i¼1
/
i
. n
!
cð/
i
. nÞ ¼ c
Y
iÀ1
i¼1
o
i
. o
1
!
cðo
i
. o
1
Þ
) cð/
i
. nÞ ¼ cðo
i
. o
1
Þ .
ð5Þ
tu
Since BLS is forgery-secure under the chosen message
attack [36], our batch BLS scheme is also secure to forgery
under the chosen message attack.
Also like batch RSA, an attacker may not forge signatures
but manipulate authentic packets to produce invalid
signatures. For instance, two packets fi
i
. o
i
g and fi
,
. o
,
g
for i 6¼ , can be replaced with fi
i
. o
i
`g and fi
,
. o
,
´`g and
still pass the batch verification. However, it does not affect
the correctness and the authenticity of i
i
and i
,
because
they have been correctly signed by the sender.
3.2.3 Requirements to the Sender
In our batch BLS, the sender needs to sign each packet.
Because BLS can provide a security level equivalent to
conventional RSA and DSA with much shorter signature
[36], the signing operation is more efficient than the RSA
signature generation. Moreover, BLS can be implemented
over elliptic curves [55], [56], which have been shown in the
literature to be more efficient than finite integer fields on
which RSA is implemented. Therefore, we can expect that
our batch BLS is more affordable by the sender than batch
RSA and also achieve computation efficiency at the receiver.
3.3 Batch DSA Signature
DSA [38] is another popular digital signature algorithm.
Unlike RSA, which is based on the hardness of factoring
two large primes, DSA is deemed secure based on the
difficulty of solving DLP [39]. A batch DSA signature
scheme was proposed in [40], but later was found insecure
[41]. Harn improved the security of [40] in [42], [43].
Unfortunately, Boyd and Pavlovski pointed out in [44] that
Harn’s work is still vulnerable to malicious attacks. Here,
we propose a batch DSA scheme based on Harn’s work and
counteract the attack described in [44].
3.3.1 Harn DSA
In Harn DSA [43], some system parameters are defined as:
1. j, a prime longer than 512 bits.
2. c, a 160-bit prime divisor of j À1.
3. o, a generator of ZZ
Ã
j
with order c, i.e., o
c
¼ 1 iod j.
4. r, the private key of the signer, 0 < r < c.
5. n, the public key of the signer, n ¼ o
r
iod j.
6. /ðÞ, a hash function generating an output in ZZ
Ã
c
.
Given a message i, the signer generates a signature by:
1. randomly selecting an integer / with 0 < / < c,
2. computing / ¼ /ðiÞ,
3. computing i ¼ ðo
/
iod jÞ iod c, and
4. computing : ¼ i/ À/r iod c.
The signature for i is ði. :Þ.
The receiver can verify the signature by first computing
/ ¼ /ðiÞ and then checking whether
ððo
:i
À1
n
/i
À1
Þ iod jÞ iod c ¼ i.
This is because if the packet is authentic, then
ððo
:i
À1
n
/i
À1
Þ iod jÞ iod c
¼ ððo
ð:þ/rÞi
À1
Þ iod jÞ iod c
¼ ðo
/
iod jÞ iod c
¼ i.
ð6Þ
3.3.2 Harn Batch DSA
Given i packets fi
i
. ði
i
. :
i
Þg. i ¼ 1. . . . . i, the receiver can
verify the batch of signatures by first computing /
i
¼ /ði
i
Þ
and then checking whether
o
P
i
i¼1
:
i
i
i
À1
n
P
i
i¼1
/
i
i
i
À1

iod j

iod c ¼
Y
i
i¼1
i
i
iod c . ð7Þ
This is because, if the batch of packets is authentic, then
o
P
i
i¼1
:
i
i
i
À1
n
P
i
i¼1
/
i
i
i
À1

iod j

iod c
¼ o
P
i
i¼1
ð:iþ/i rÞii
À1

iod j

iod c
¼ o
P
i
i¼1
/i
iod j

iod c
¼
Y
i
i¼1
i
i
iod c.
ð8Þ
3.3.3 The Boyd-Pavlovski Attack
Boyd and Pavlovski [44] pointed out an attack against the
Harn batch DSA scheme [43], where an attacker can forge
signatures for any chosen message set that has not been
signed by the sender. The process is:
1. Choose 1 and C, calculate ¹ ¼ ðo
1
n
C
iod jÞ iod c.
2. For any message set i
i
, i ¼ 1. . . . . i, randomly
choose i
i
, i ¼ 1. . . . . i À2.
3. Compute i
iÀ1
and i
i
to ensure that
Y
i
i¼1
i
i
iod c ¼ ¹ iod c ð9Þ
X
i
i¼1
/
i
i
i
À1
iod c ¼ C iod c. ð10Þ
4. Randomly choose :
i
, i ¼ 1. . . . . i À1 and compute :
i
to ensure that
X
i
i¼1
:
i
i
i
À1
iod c ¼ 1 iod c. ð11Þ
The probability that fi
i
. i
i
. :
i
g, i ¼ 1. . . . . i are forged
messages satisfying the batch verification is
1
2
[44].
3.3.4 Our Batch DSA
In order to counteract the Boyd-Pavlovski attack, our batch
DSA makes an improvement to the Harn DSA algorithm.
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 987
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
We replace the hash operation /ðiÞ in the signature
generation and verification process with /ði. iÞ. All the
other steps are the same as those in Harn’s scheme.
Though it is simple, our method can significantly
increase the security of batch DSA. In the Boyd-Pavlovski
attack, the attacker can compute i
i
values according to (9)
and (10) because parameters ¹, C, /
i
values are known. By
introducing i
i
into the hash operation, the hash values /
i
in
(10) are unknown to the attacker. Therefore, the attacker
cannot compute i
i
values and the forgery attack discussed
in [44] is defeated.
Like the cases inbatchRSAandour batchBLS, the attacker
may manipulate authentic packets fi
i
. ði
i
. :
i
Þg to produce
invalid signatures fi
i
. ði
i
0
. :
i
0
Þg, which can still pass the
batch verification. The attacker can keep i
i
unchanged,
randomly choose :
i
0
, i ¼ 1. . . . . i À1 and solve :
i
0
satisfying
X
i
i¼1
:
i
0
i
i
À1
iod c ¼
X
i
i¼1
:
i
i
i
À1
iod c. ð12Þ
However, this attack does not affect the correctness and
authenticity of messages because they have been really
signed by the sender [44]. Therefore, the receiver can still
accept them because the batch verification succeeds.
3.3.5 Requirements to the Sender
In batch RSA and our batch BLS, the sender needs to
compute one modular exponentiation to sign each packet.
In our batch DSA, the sender needs to compute one
modular exponentiation to get i and two modular multi-
plications to get :. However, i is independent on the
message i. Therefore, the sender can generate many
i values offline. When the sender starts a multicast session,
it can use reserved i values to compute : values. In this
way, only two modular multiplications are necessary to
sign a packet. Therefore, our batch DSA is much more
efficient than batch RSA and our batch BLS at the sender,
while also achieving computation efficiency at the receiver.
3.4 Preaggregation of Message Hashes and
Signatures
If we take a closer look at batch-RSA and batch-BLS, we can
notice that they use exactly the orignal RSA and BLS
algorithms, respectively. The only difference is that the
batch algorithms take the aggregations of message hashes
and signatures f
Q
i
i¼1
/
i
.
Q
i
i¼1
o
i
g as the parameters to the
original signature algorithms. This aggregation is indepen-
dent of the final signature verification. Therefore, each
receiver can compute and update f
Q
i
i¼1
/
i
.
Q
i
i¼1
o
i
g after
receiving every packet. When the time of batch verification
comes, each receiver needs just one signature verification.
For batch-DSA, the aggregations of message hashes and
signatures f
P
i
i¼1
:
i
i
i
À1
.
P
i
i¼1
/
i
i
i
À1
.
Q
i
i¼1
i
i
g are inside the
signature verification. Therefore, the cost of the aggregations
is incurred with the final signature verification. However, if
we modify the original DSA so that it takes f:i
À1
. /i
À1
. ig
instead of f/. :. ig as parameters, then batch-DSA can take
the advantage of preaggregating message hashes and
signatures, just like batch-RSA and batch-BLS.
Obviously, the computation cost at each receiver can be
more manageable no matter how large each batch is if
signature preaggregation is enforced, as shown in Fig. 1.
4 ENHANCED SCHEME
The basic scheme MABS-B targets at the packet loss
problem, which is inherent in the Internet and wireless
networks. It has perfect resilience to packet loss, no matter
whether it is random loss or burst loss. In some circum-
stances, however, an attacker can inject forged packets into
a batch of packets to disrupt the batch signature verifica-
tion, leading to DoS. A naive approach to defeat the DoS
attack is to divide the batch into multiple smaller batches
and perform a batch verification over each smaller batch,
and this divide-and-conquer approach can be recursively
carried out for each smaller batch, which means more
signature verifications at each receiver. In the worst case,
the attacker can inject forged packets at very high frequency
and expect that each receiver stops the batch operation and
recovers the basic per-packet signature verification, which
may not be viable at resource-constrained receiver devices.
In this section, we present an enhanced scheme called
MABS-E, which combines the basic scheme MABS-B and a
packet filtering mechanism to tolerate packet injection. In
particular, the sender attaches each packet with a mark,
which is unique to the packet and cannot be spoofed. At
each receiver, the multicast stream is classified into disjoint
sets based on marks. Each set of packets comes from either
the real sender or the attacker. The mark design ensures that
a packet from the real sender never falls into any set of
packets fromthe attacker, and vice versa. Next, each receiver
only needs to perform BatchVerifyðÞ over each set. If the
result is Tinc, the set of packets is authentic. If not, the set of
packets is from the attacker, and the receiver simply drops
themand does not need to divide the set into smaller subsets
for further batch verification. Therefore, a strong resilience
to DoS due to injected packets can be provided.
In MABS-E, Merkle tree [57] is used to generate marks.
An example is illustrated in Fig. 2. The sender constructs a
binary tree for eight packets. Each leaf is a hash of one
packet. Each internal node is the hash value on the
concatenation of its left and right children. For each packet,
a mark is constructed as the set of the siblings of the nodes
along the path from the packet to the root. For example, the
mark of the packet 1
3
is fH
4
. H
1.2
. H
5.8
g and the root can be
recovered as H
1.8
¼ HððH
1.2
. ðHð1
3
Þ. H
4
ÞÞ. H
5.8
Þ.
Constructing a Merkle tree is very efficient because only
hash operations are performed. Meanwhile, the one-way
property of hash operation ensures that given the root of a
Merkle tree it is infeasible to find a packet, which is not in
988 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
Fig. 2. An example of Merkle tree. Each leaf is a hash of one packet.
Each internal node is the hash value on both its left and right children.
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
the set associated with the Merkle tree and from which
there is a path to the root. This guarantees that forged
packets cannot fall into the set of authentic packets.
When the sender has a set of packets for multicast, it
generates a Merkle tree for the set and attaches a mark to
each packet. The root can be recovered based on each
packet and its mark. Each receiver can find whether two
packets belong to the same set by checking whether they
lead to the same root value. Therefore, the recovered roots
help classify received packets into disjoint sets. Each
receiver does not need to wait for a set to include all the
packets under the Merkle tree, and it can batch-verify the
set anytime. Once the set is authentic, the corresponding
root can be used to authenticate the rest of packets under
the same Merkle tree without batch-verifying them, which
saves computation overhead at each receiver.
An attacker may inject small sets of forged packets or
even inject single packet that does not belong to any set. In
this case, each receiver has many small sets and each of
them has only a few packets. Doing the BatchVerify
algorithm on each small set compromises efficiency. Since
the sets from the sender can have a large number of packets,
each receiver can choose a threshold (say t) and start batch
verification over one set only when the set has no less than
t packets. If a set has less than t packets and the root value
recovered from the set has not been authenticated, the
receiver simply drop the set of packets without processing
them and thus save computation resource. For each
receiver, the threshold t can vary according to the receiver’s
computation resource. In this way, the impact of DoS due to
packet injection can be reduced by a factor of t.
5 PERFORMANCE EVALUATION
In this section, we evaluate MABS performance in terms of
resilience to packet loss, efficiency, and DoS resilience. As
we discussed before, MABS does not assume any particular
underlying signature algorithm. This is also true for all the
literature multicast authentication schemes referenced in
this paper. Therefore, all the discussions and evaluations of
MABS and the literature works in Section 5.1 and Section 5.2
are under the assumption that they are using the same
underlying signature algorithm. The discussion of signature
algorithms is in Section 5.3.
5.1 Resilience to Packet Loss
We use simulations to evaluate the resilience to packet
loss. The metric here is the verification rate, i.e., the ratio
of the number of authenticated packets to the number of
received packets.
We compare MABS with some well-known loss tolerant
schemes EMSS [14], augmented chain (AugChain) [18],
PiggyBack [16], tree chain (Tree) [11], and SAIDA [23].
These schemes are representatives of graph chaining, tree
chaining, and erasure coding schemes and are widely used
in performance evaluation in the literature.
For EMSS [14], we choose the chain configuration of
5 À11 À17 À24 À36 À39, which has the best performance
among all the configurations of length 6 as is shown in [14].
For AugChain [18], we choose C
3.7
chain configuration. For
PiggyBack [16], we choose two class priorities. For Tree
chain [11], we choose binary tree. For SAIDA [23], we choose
the erasure code ð256. 128Þ. For all these schemes, we choose
the block size of 256 packets and simulate over 100 blocks.
We consider the random loss and the burst loss with a
maximum loss length of 10 packets. The verification rates
under different loss rates are given in Fig. 3 and Fig. 4.
We can see that the verification rates of EMSS [14],
augmented chain (AugChain) [18] and PiggyBack [16] are
decreased quickly when the loss rate is increased. The reason
is that graph chaining results in the correlation among
packets and this correlation is vulnerable to packet loss.
SAIDA [23] illustrates a resilience to packet loss up to a
certain threshold, because of the threshold performance of
erasure codes. Our MABS andTree schemes [11] have perfect
resilience to packet loss in the sense that all the received
packets can be authenticated. This is because all the packets
in MABS andTree schemes are independent fromeach other.
As we will show later, however, Tree [11] achieves this
independency by incurring large overhead and latency at the
sender and each receiver and is vulnerable to DoS, while our
MABS-B has less overhead and latency and MABS-E is
resilient to DoS at the same level of overhead as Tree [11].
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 989
Fig. 3. Verification rate under the random loss model.
Fig. 4. Verification rate under the burst loss model with the maximum
burst length 10.
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
One thing needs to be pointed out is that we do not
differentiate between MABS-B and MABS-E in Fig. 3 and
Fig. 4. MABS-B is perfect resilient to packet loss because of
its inherent design. While it is not designed for lossy
channels, MABS-E can also achieve the perfect resilience to
packet loss in lossy channels. In the lossy channel model,
where no DoS attack is assumed to present, we can set the
threshold t ¼ 1 (refer to Section 4) for MABS-E, and thus
each receiver can start batch-verification as long as there is at
least one packet received for each set of packets constructed
under the same Merkle tree. Once the received packets are
authenticated, the extracted root of the Merkle tree can be
used to authenticate the rest of packets in the same set
within several hash operations. If we set t 1, which is not
the best choice for the lossy channel, MABS-E can tolerate up
to i Àt lost packets for each set of i packets, which shows a
threshold-based loss resilience, similar to SAIDA [23].
5.2 Efficiency
We consider latency, computation, and communication
overhead for efficiency evaluation under lossy channels
and DoS channels. The notations used here are defined in
Table 1. All the evaluations are carried out over i packets.
The results are depicted in Table 2 and Table 3.
5.2.1 Comparisons over Lossy Channels
Table 2 shows the comparisons between MABS-B and well-
known loss-tolerant schemes tree chain (Tree) [11], EMSS
[14], PiggyBack [16], augmented chain (AugChain) [18], and
SAIDA [23]. We also include MABS-E and three DoS
resilient schemes PRABS [30], BAS [31], and LTT [32] in the
table just for comparisons even though they are not
designed for lossy channels.
Previous block-based schemes introduce latency either at
the sender [11], [16] or at each receiver [14], [31] or both [18],
[23], [30], [32]. The latency is inherent in the block design
due to chaining or coding. At the sender side, the
correlation among a block of packets has to be established
before the sender starts sending the packets. At each
receiver, the latency is incurred when the high layer
application waits for the buffered packets to be authenti-
cated after the correlation is recovered. This receiver side
latency is variable depending on whether the correlation
among the underline buffered packets has been recovered
or not when the high layer application needs new data, and
its maximum value is the block size. MABS-B eliminates the
correlation among packets. Each packet is independently
sent out at the sender. At each receiver, the high layer
application does not need to wait because the low layer
authentication module can deliver authenticated packets at
any time when the high layer application needs new data.
This makes MABS-B pretty suitable for realtime multimedia
applications. MABS-E introduces latency at the sender
because it includes a tree construction to counteract DoS,
but it still preserves the merit of instantaneous authentica-
tion at each receiver as MABS-B.
Both the block-based schemes and MABS require one
signature verification operation on a block or a batch of
i packets at each receiver. In addition, the schemes using
990 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
TABLE 1
Notations
TABLE 2
Comparisons over Lossy Channels
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
chaining also require many hashes, and the ones using
coding require multiple hashes and one or two decoding
operations. MABS-B is more efficient since there is no more
hashing or decoding operations. MABS-E requires ilog
2
i
hashes, which is comparable to previous schemes using
hashing and coding.
In MABS, a trade-off for perfect resilience to packet loss
is that the sender needs to sign each packet, which incurs
more computation overhead than conventional block-based
schemes. Therefore, efficient signature generation is desir-
able at the sender. Compared with RSA [33], which is
efficient in verifying but is expensive in signing, BLS [36]
and DSA [38] are pretty good candidates as we will show
later. Moreover, in multimedia multicast, the sender is
usually a powerful server and thus the per-packet signature
generation can be affordable, and the advance of computing
technology makes it easier in the long run.
For i packets, Tree [11] require an overhead of i signature
and Oðilog
2
iÞ hashes, schemes in [14], [16], [18], [23], [30],
[31], [32] require one or more signatures and up to
Oði
2
Þ hashes. MABS-B and MABS-E require i signatures
and MABS-E requires additional Oðilog
2
iÞ hashes. If long
signatures are used (like 1,024-bit RSA), MABS-B andMABS-
E have more communication overhead than those in [14],
[16], [18], [23], [30], [31], [32], which is the same case as Tree
[11]. However, BLS [36] generates short signatures of 171 bits,
which is comparable to most well-known hash algorithms
MD5 [58] (128 bits) and SHA-1 [59] (160 bits). Therefore,
MABS can have the same level of communication efficiency
as conventional schemes when BLS is used.
5.2.2 Comparisons over DoS Channels
DoS is a method for an attacker to deplete the resource of a
receiver. Processinginjectedpackets fromthe attacker always
consumes a certain amount of resource. Here, we assume an
attacker factor u, which means that for i valid packets
ui invalid packets are injected. The computation overheads
at each receiver for different schemes are depicted in Table 3.
For schemes in [11], [14], [16], [18], which authenticate
signatures first and then authenticate packet through hash
chains, the attacker can inject ui forged signature packets
because signature verification is an expensive operation.
For SAIDA [23], which requires erasure decoding, the
attacker simply injects ui forged packets because each
receiver has to choose a certain number of valid packets
from all the ð1 þuÞi packet to do decoding, which can have
a significant number of tries.
Schemes in [30], [31], [32] are designed for DoS defense.
They canalleviate the impact of packet injection by a constant
factor to reduce the computation cost at each receiver.
MABS-B is vulnerable to packet injection as schemes in
[11], [14], [16], [18], [23] since they are designed only for
lossy channels. MABS-E has the same level of DoS resilience
as those in [30], [31], [32].
5.3 Comparisons of Signature Schemes
We compare the computation overhead of three batch
signature schemes in Table 4. RSA [33] and BLS [36] require
one modular exponentiation at the sender and DSA [38]
requires two modular multiplications when i value is
computed offline. Usually one c-bit modular exponentiation
is equivalent to 1.5c modular multiplications over the same
field [35], [44]. Moreover, a c-bit modular exponentiation in
DLP is equivalent to a
c
6
-bit modular exponentiation in BLS
for the same security level. Therefore, we can estimate that
the computation overhead of one 1,024-bit RSA signing
operation is roughly equivalent to that of 768 DSA signing
operations (1,536 modular multiplications) and that of
6 BLS signing operations (each one is corresponding to
255 modular multiplications).
According to the report [60] on the computational over-
head of signature schemes on PIII 1 GHz CPU, the signing
andverificationtime for 1,024-bit RSAwitha 1,007-bit private
key are 7.9 ms and 0.4 ms, for 157-bit BLS are 2.75 ms and
81 ms, and for 1,024-bit DSA with a 160-bit private key
(without precomputing i value) are 4.09 ms and 4.87 ms. We
can observe that for BLS and DSA the signing is efficient but
the verification is expensive, and vice versa for RSA.
Therefore, we can save more computation resource at the
sender by using our batch BLS and batch DSA than batch
RSA. It is alsomeaningful touse our batchBLSandbatchDSA
at the receiver to save computation resources.
We alsocompare the lengthof twopopular hashalgorithm
MD5 [58] and SHA-1 [59] and the signature length of three
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 991
TABLE 4
Computational Overhead of Different Batch Schemes
1-modular exponentiation. `-modular multiplication. 1-pairing.
TABLE 3
Comparisons over DoS Channels
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
signature algorithms inTable 5. Giventhe same security level
as 1,024-bit RSA, BLS generates a 171-bit signature and 1o¹
generates a 320-bit signature. It is clear that by using BLS or
DSA, MABS can achieve more bandwidth efficiency than
using RSA, and could be even more efficient than conven-
tional schemes using a large number of hashes.
6 CONCLUSIONS
To reduce the signature verification overheads in the secure
multimedia multicasting, block-based authentication
schemes have been proposed. Unfortunately, most previous
schemes have many problems such as vulnerability to
packet loss and lack of resilience to denial of service (DoS)
attack. To overcome these problems, we develop a novel
authentication scheme MABS. We have demonstrated that
MABS is perfectly resilient to packet loss due to the
elimination of the correlation among packets and can
effectively deal with DoS attack. Moreover, we also show
that the use of batch signature can achieve the efficiency less
than or comparable with the conventional schemes. Finally,
we further develop two new batch signature schemes based
on BLS and DSA, which are more efficient than the batch
RSA signature scheme.
ACKNOWLEDGMENTS
This work was partially supported by the US National
Science Foundation under grants CNS-0916391, CNS-
0716450, and CNS-0626881. The works of Fang and Zhu
were also partially supported by the 111 Project under
Grant B08038. The work of Zhu was also partially
supported by the National Natural Science Foundation of
China under grant 60772136 and supported by the Funda-
mental Research Funds for the Central Universities.
REFERENCES
[1] S.E. Deering, “Multicast Routing in Internetworks and Extended
LANs,” Proc. ACM SIGCOMM Symp. Comm. Architectures and
Protocols, pp. 55-64, Aug. 1988.
[2] T. Ballardie and J. Crowcroft, “Multicast-Specific Security Threats
and Counter-Measures,” Proc. Second Ann. Network and Distributed
System Security Symp. (NDSS ’95), pp. 2-16, Feb. 1995.
[3] P. Judge and M. Ammar, “Security Issues and Solutions in
Mulicast Content Distribution: A Survey,” IEEE Network Magazine,
vol. 17, no. 1, pp. 30-36, Jan./Feb. 2003.
[4] Y. Challal, H. Bettahar, and A. Bouabdallah, “A Taxonomy of
Multicast Data Origin Authentication: Issues and Solutions,” IEEE
Comm. Surveys & Tutorials, vol. 6, no. 3, pp. 34-57, Oct. 2004.
[5] Y. Zhou and Y. Fang, “BABRA: Batch-Based Broadcast Authenti-
cation in Wireless Sensor Networks,” Proc. IEEE GLOBECOM,
Nov. 2006.
[6] Y. Zhou and Y. Fang, “Multimedia Broadcast Authentication
Based on Batch Signature,” IEEE Comm. Magazine, vol. 45, no. 8,
pp. 72-77, Aug. 2007.
[7] K. Ren, K. Zeng, W. Lou, and P.J. Moran, “On Broadcast
Authentication in Wireless Sensor Networks,” Proc. First Ann. Int’l
Conf. Wireless Algorithms, Systems, and Applications (WASA ’06),
Aug. 2006.
[8] S. Even, O. Goldreich, and S. Micali, “On-Line/Offline Digital
Signatures,” J. Cryptology, vol. 9, pp. 35-67, 1996.
[9] P. Rohatgi, “A Compact and Fast Hybrid Signature Scheme for
Multicast Packet,” Proc. Sixth ACM Conf. Computer and Comm.
Security (CCS ’99), Nov. 1999.
[10] C.K. Wong and S.S. Lam, “Digital Signatures for Flows and
Multicasts,” Proc. Sixth Int’l Conf. Network Protocols (ICNP ’98),
pp. 198-209, Oct. 1998.
[11] C.K. Wong and S.S. Lam, “Digital Signatures for Flows and
Multicasts,” IEEE/ACM Trans. Networking, vol. 7, no. 4, pp. 502-
513, Aug. 1999.
[12] R. Gennaro and P. Rohatgi, “How to Sign Digital Streams,”
Information and Computation, vol. 165, no. 1, pp. 100-116, Feb. 2001.
[13] R. Gennaro and P. Rohatgi, “How to Sign Digital Streams,” Proc.
17th Ann. Cryptology Conf. Advances in Cryptology (CRYPTO ’97),
Aug. 1997.
[14] A. Perrig, R. Canetti, J.D. Tygar, and D. Song, “Efficient
Authentication and Signing of Multicast Streams over Lossy
Channels,” Proc. IEEE Symp. Security and Privacy (SP ’00), pp. 56-
75, May 2000.
[15] Y. Challal, H. Bettahar, and A. Bouabdallah, “A
2
Cast: An
Adaptive Source Authentication Protocol for Multicast Streams,”
Proc. Ninth Int’l Symp. Computers and Comm. (ISCC ’04), vol. 1,
pp. 363-368, June 2004.
[16] S. Miner and J. Staddon, “Graph-Based Authentication of Digital
Streams,” Proc. IEEE Symp. Security and Privacy (SP ’01), pp. 232-
246, May 2001.
[17] Z. Zhang, Q. Sun, W-C Wong, J. Apostolopoulos, and S. Wee, “A
Content-Aware Stream Authentication Scheme Optimized for
Distortion and Overhead,” Proc. IEEE Int’l Conf. Multimedia and
Expo (ICME ’06), pp. 541-544, July 2006.
[18] P. Golle and N. Modadugu, “Authenticating Streamed Data in the
Presence of Random Packet Loss,” Proc. Eighth Ann. Network and
Distributed System Security Symp. (NDSS ’01), Feb. 2001.
[19] Z. Zhang, Q. Sun, and W-C Wong, “A Proposal of Butterfly-
Graphy Based Stream Authentication over Lossy Networks,” Proc.
IEEE Int’l Conf. Multimedia and Expo (ICME ’05), July 2005.
[20] S. Ueda, N. Kawaguchi, H. Shigeno, and K. Okada, “Stream
Authentication Scheme for the Use over the IP Telephony,” Proc.
18th Int’l Conf. Advanced Information Networking and Application
(AINA ’04), vol. 2, pp. 164-169, Mar. 2004.
[21] D. Song, D. Zuckerman, and J.D. Tygar, “Expander Graphs for
Digital Stream Authentication and Robust Overlay Networks,”
Proc. 2002 IEEE Symp. Security and Privacy (S&P ’02), May 2002.
[22] J.M. Park, E.K.P. Chong, and H.J. Siegel, “Efficient Multicast
Packet Authentication Using Signature Amortization,” Proc. IEEE
Symp. Security and Privacy (SP ’02), pp. 227-240, May 2002.
[23] J.M. Park, E.K.P. Chong, and H.J. Siegel, “Efficient Multicast
Stream Authentication Using Erasure Codes,” ACM Trans.
Information and System Security, vol. 6, no. 2, pp. 258-285, May 2003.
[24] A. Pannetrat and R. Molva, “Authenticating Real Time Packet
Streams and Multicasts,” Proc. Seventh IEEE Int’l Symp. Computers
and Comm. (ISCC ’02), pp. 490-495, July 2002.
[25] A. Pannetrat and R. Molva, “Efficient Multicast Packet Authenti-
cation,” Proc. 10th Ann. Network and Distributed System Security
Symp. (NDSS ’03), Feb. 2003.
[26] Y. Wu and T. Li, “Video Stream Authentication in Lossy
Networks,” Proc. IEEE Wireless Comm. and Networking Conf.
(WCNC ’06), vol. 4, pp. 2150-2155, Apr. 2006.
[27] Y. Lin, S. Shieh, and W. Lin, “Lightweight, Pollution-Attack
Resistant Multicast Authentication Scheme,” Proc. ACM Symp.
Information, Computer, and Comm. Security (ASIACCS ’06), Mar.
2006.
[28] J. Jeong, Y. Park, and Y. Cho, “Efficient DoS Resistant Multicast
Authentication Schemes,” Proc. Int’l Conf. Computational Science
and Its Applications (ICCSA ’05), May 2005.
[29] S. Choi, “Denial-of-Service Resistant Multicast Authentication
Protocol with Prediction Hashing and One-Way Key Chain,” Proc.
Seventh IEEE Int’l Symp. Multimedia (ISM ’05), Dec. 2005.
[30] C. Karlof, N. Sastry, Y. Li, A. Perrig, and J.D. Tygar, “Distillation
Codes and Applications to DoS Resistant Multicast Authentica-
tion,” Proc. 11th Ann. Network and Distributed System Security Symp.
(NDSS ’04), Feb. 2004.
992 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
TABLE 5
Communication Overhead of Signature Schemes
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
[31] C.A. Gunter, S. Khanna, K. Tan, and S. Venkatesh, “DoS
Protection for Reliably Authenticated Broadcast,” Proc. 11th Ann.
Network and Distributed System Security Symp. (NDSS ’04), Feb.
2004.
[32] A. Lysyanskaya, R. Tamassia, and N. Triandopoulos, “Multicast
Authentication in Fully Adversarial Networks,” Proc. IEEE Symp.
Security and Privacy (SP ’04), May 2004.
[33] R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining
Digital Signatures and Public-Key Cryptosystems,” Comm. ACM,
vol. 21, no. 2, pp. 120-126, Feb. 1978.
[34] L. Harn, “Batch Verifying Multiple RSA Digital Signatures,” IEE
Electronic Letters, vol. 34, no. 12, pp. 1219-1220, June 1998.
[35] M. Bellare, J.A. Garay, and T. Rabin, “Fast Batch Verification for
Modular Exponentiation and Digital Signatures,” Proc. Advances in
Cryptology (EUROCRYPT ’98), pp. 236-250, May 1998.
[36] D. Boneh, B. Lynn, and H. Shacham, “Short Signatures from the
Weil Pairing,” Proc. Seventh Int’l Conf. Theory and Application of
Cryptology and Information Security Advances in Cryptology
(ASIACRYPT ’01), pp. 514-532, Dec. 2001.
[37] S. Cui, P. Duan, and C.W. Chan, “An Efficient Identity-Based
Signature Scheme with Batch Verifications,” Proc. First Int’l Conf.
Scalable Information Systems, 2006.
[38] FIPS PUB 186, Digital Signature Standard (DSS), May 1994.
[39] T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme
Based on Discrete Logarithms,” IEEE Trans. Information Theory,
vol. IT-31, no. 4, pp. 469-472, July 1985.
[40] D. Naccache, D. M’Raihi, S. Vaudenay, and D. Raphaeli, “Can
D.S.A. be Improved? Complexity Trade Offs with the Digital
Signature Standard,” Proc. Workshop Theory and Application of
Cryptographic Techniques Advances in Cryptology (EUROCRYPT ’94),
pp. 77-85, May 1995.
[41] C.H. Lim and P.J. Lee, “Security of Interactive DSA Batch
Verification,” IEE Electronic Letters, vol. 30, no. 19, pp. 1592-1593,
Sept. 1994.
[42] L. Harn, “DSA-Type Secure Interactive Batch Verification Proto-
cols,” IEE Electronic Letters, vol. 31, no. 4, pp. 257-258, Feb. 1995.
[43] L. Harn, “Batch Verifying Multiple DSA-Type Digital Signatures,”
IEE Electronic Letters, vol. 34, no. 9, pp. 870-871, Apr. 1998.
[44] C. Boyd and C. Pavlovski, “Attacking and Repairing Batch
Verification Schemes,” Proc. Sixth Int’l Conf. Theory and Application
of Cryptology and Information Security Advances in Cryptology
(ASIANCRYPT ’00), pp. 58-71, Dec. 2000.
[45] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-Receiver/Multi-
Sender Network Security: Efficient Authenticated Multicast/
Feedback,” Proc. IEEE INFOCOM, vol. 3, pp. 2045-2054, May 1992.
[46] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B.
Pinkas, “Multicast Security: A Taxonomy and Some Efficient
Constructions,” Proc. IEEE INFOCOM, vol. 2, pp. 708-716, Mar.
1999.
[47] L. Lamport, “Password Authentication with Insecure Commu-
nication,” Comm. ACM, vol. 24, no. 11, pp. 770-772, Nov. 1981.
[48] N.M. Haller, “The S/Key One-Time Password System,” Proc.
ISOC Symp. Network and Distributed Security, Feb. 1994.
[49] F. Bergadano, D. Cavagnino, and B. Crispo, “Individual Single-
Source Authentication on The Mbone,” Proc. IEEE Int’l Conf.
Multimedia and Expo (ICME ’00), vol. 1, pp. 541-544, July 2000.
[50] A. Perrig, R. Canetti, D. Song, and J. Tygar, “Efficient and Secure
Source Authentication for Multicast,” Proc. Network and Distributed
System Security Symp. (NDSS ’01), 2001.
[51] A. Perrig, “The BiBa One-Time Signature and Broadcast Authen-
tication Protocol,” Proc. Eighth ACM Conf. Computer and Comm.
Security (CCS ’01), pp. 28-37, Nov. 2001.
[52] Q. Li and W. Trappe, “Reducing Delay and Enhancing DoS
Resistance in Multicast Authentication through Multigrade
Security,” IEEE Trans. Info. Forensics and Security, vol. 1, no. 2,
pp. 190-204, June 2006.
[53] S. Xu and R. Sandhu, “Authenticated Multicast Immune to Denial-
of-Service Attack,” Proc. ACM Symp. Applied Computing (SAC ’02),
2002.
[54] S. Rafaeli and D. Hutchison, “A Survey of Key Management for
Secure Group Communication,” ACM Computing Surveys, vol. 35,
no. 3, pp. 309-329, Sept. 2003.
[55] N. Koblitz, “Elliptic Curve Cryptosystems,” Math. Computation,
vol. 48, pp. 203-209, 1987.
[56] V. Miller, “Uses of Elliptic Curves in Cryptography,” Proc. Int’l
Cryptology Conf. (CRYPTO ’85), pp. 417-426, 1986.
[57] R. Merkle, “Protocols for Public Key Cryptosystems,” Proc. IEEE
Symp. Security and Privacy, Apr. 1980.
[58] R. Rivest, “The MD5 Message-Digest Algorithm,” RFC 1319, Apr.
1992.
[59] D. Eastlake and P. Jones, “US Secure Hash Algorithm 1 (SHA1),”
RFC 3174, Sept. 2001.
[60] P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient Algorithms
for Pairing-Based Cryptosystems,” Proc. Int’l Cryptology Conf.
(CRYPTO ’02), 2002.
Yun Zhou received the BE degree in electronic
information engineering and the ME degree in
communication and information system from the
Department of Electronic Engineering and In-
formation Science, University of Science and
Technology, Hefei, China, in 2000 and 2003,
respectively, and the PhD degree from the
Department of Electrical and Computer Engi-
neering, University of Florida, Gainesville, in
2007. He is currently with Microsoft Corporation.
His research interests include security, cryptography, wireless commu-
nications and networking, signal processing, and operating systems.
Xiaoyan Zhu received the BE, ME, and PhD
degrees from the School of Telecommunications
Engineering at Xidian University, Xi’an, China, in
2000, 2004, and 2009, respectively. She is now
a visiting research scholar in the Department of
Electrical and Computer Engineering at the
University Florida, Gainesville, on leave from
the School of Telecommunications Engineering,
Xidian University, Xi’an, China, where she is a
lecturer. Her research interests include wireless
networks, network security, and network coding.
Yuguang Fang received the PhD degree in
systems engineering from Case Western Re-
serve University in 1994 and the PhD degree in
electrical engineering from Boston University in
1997. He was an assistant professor in the
Department of Electrical andComputer Engineer-
ingat theNewJersey Instituteof Technology from
1998 to 2000. He then joined the Department of
Electrical and Computer Engineering at Univer-
sity of Florida in 2000 as an assistant professor,
got an early promotion to an associate professor with tenure in 2003, and
to a full professor in 2005. He holds a University of Florida Research
Foundation (UFRF) Professorship from 2006 to 2009, a Changjiang
scholar chair professorshipwith XidianUniversity, Xi’an, China, from2008
to 2011, and a guest chair professorship with Tsinghua University, China,
from 2009 to 2012. He has published more than 250 papers in refereed
professional journals and conferences. He received the US National
Science Foundation Faculty Early Career Award in 2001 and the US
Office of Naval Research Young Investigator Award in 2002, and is the
recipient of the Best Paper Award fromthe IEEEInternational Conference
on Network Protocols (ICNP) in 2006 and the IEEE TCGN Best Paper
Award from the IEEE High-Speed Networks Symposium, IEEE GLOBE-
COM, in 2002. He is also active in professional activities. He is currently
serving as the editor-in-chief for IEEE Wireless Communications and
serves/served on several editorial boards of technical journals including
the IEEE Transactions on Communications, the IEEE Transactions on
Wireless Communications, IEEE Wireless Communications Magazine,
and ACMWireless Networks. He was an editor for the IEEE Transactions
on Mobile Computing and currently serves on its steering committee. He
has been actively participating in professional conference organizations
such as serving as the steering committee cochair for QShine (2004-
2008), the technical program vice-chair for IEEE INFOCOM 2005, a
technical program symposium cochair for IEEE GLOBECOM 2004, an
areatechnical programcommittee chair for IEEEINFOCOM(2009-2010),
and a member of the technical program committee for IEEE INFOCOM
(1998, 2000, 2003-2008) andACMMobiHoc (2008-2009). Heis afellowof
the IEEE and the IEEE Computer Society and a member of the ACM.
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 993
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

[44]. [24]. [20]. [26] are vulnerable to packet loss even though they are designed to tolerate a certain level of packet loss. [16]. [40]. [34]. [14]. and DSA. The hashes form a graph. [12]. the DoS attack is not common. [17]. [16]. however. [17]. [31]. Without the buffered authentication information. leading to Denial of Service (DoS). In particular. which are realistic in our daily life since the Internet and wireless networks suffer from packet loss. [11]. The basic scheme (called MABS-B hereafter) utilizes an efficient asymmetric cryptographic primitive called batch signature [33]. which also includes three batch signature schemes based on RSA [33]. [20]. [21]. [12]. [18]. [21]. The buffered authentication information is further used to authenticate other packets in the same block. Each packet carries the signed root and multiple hashes. [22]. however. [20]. MABS includes two schemes. [9]. In this paper. [19]. When each receiver receives one packet in the block. An enhanced scheme is discussed in Section 4. [13]. However. [20]. [21]. if a block signature is lost. 1. [24]. [26] target at lossy channels. Tree chaining was proposed in [10]. [9]. [10]. The enhanced scheme (called MABS-E hereafter) combines MABS-B with packet filtering to alleviate the DoS impact in hostile environments. Graph chaining was studied in [12]. [15]. [9] or amortize one signature over a block of packets [10]. [21]. [17]. each packet is independently verifiable at a cost of per-packet signature verification. [22]. [21]. [13]. If too many packets are lost. [26]. [9]. [16]. MABS-B is efficient in terms of less latency. [13]. [14]. [25]. [25]. In each block. [25]. [18]. [24]. In particular. [29]. [19]. [23]. [15]. Another major problem is that most schemes [12]. [11]. [11]. we demonstrated that batch signature schemes can be used to improve the performance of broadcast authentication [5]. . [12]. [25]. [38]. [22]. [16]. [12]. [11]. they all increase packet overhead for hashes or erasure codes and the block design introduces latency when buffering many packets. [14]. [21]. In addition. [15]. [13]. [16]. origin authentication. [23]. the ideal approach of signing and verifying each packet independently raises a serious challenge to resource-constrained devices. [9] follow the ideal approach of signing and verifying each packet individually. [22]. Then.2010 at 01:51:59 UTC from IEEE Xplore. they still have the packet loss problem because they are based on the same approach as previous schemes [10]. conventional schemes use efficient signature algorithms [8]. [19]. [15]. [6]. [18]. [39]. which is expensive on signing while cheap on verifying. BLS [36]. [25]. [19]. Compared with the efficiency requirement and packet loss problems. [17]. [25]. [9]. In order to reduce computation overhead. [23]. We propose two new batch signature schemes based on BLS [36] and DSA [38] and show they are more efficient than the batch RSA [33] signature scheme. 2 RELATED WORK Schemes in [8]. [23]. [17]. [43]. After performance evaluation in Section 5. As is well known that existing digital signature algorithms are computationally expensive. The root of the tree is signed by the sender. some schemes [27]. [17]. [22]. to address the efficiency and packet loss problems in general environments. the length of one-time signature is too long (on the order of 1. A multicast stream is divided into blocks and each block is associated with a signature. [18]. but it is still important in hostile environments. [10]. Moreover. [23]. [22]. computation. [32] attempt to provide the DoS resilience. [26]. [42]. [21] Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [14]. [26]. [16]. [13]. [14]. [11] by constructing a tree for a block of packets. [20]. [26] are indeed computationally efficient since each receiver needs to verify only one signature for a block of packets. its overhead is still at the same level as previous schemes.ZHOU ET AL. [37]. [15]. [19]. [10]. [30]. [10]. Moreover. [15]. Erasure codes make each receiver be capable of recovering the block signature when receiving at least a certain number of pieces. [25]. [24]. 2. A signature is generated for the concatenation of the hashes of all the packets in one block and then is erasure-coded into many pieces. In the literature. the entire block cannot be authenticated. [23]. each receiver needs to perform one more verification on its one-time or k-time signature plus one ordinary signature verification. [11]. [14]. other packets may not be authenticated. [15]. An attacker may compromise a multicast system by intentionally injecting forged packets to consume receivers’ resource. [13]. [41]. 3. [26] at the expense of increased communication overhead [8]. [11]. an active attacker can inject forged packets to consume receivers’ resource. the hash of each packet is embedded into several other packets in a deterministic or probabilistic way. [14]. the paper is concluded in Section 6. previous schemes [8]. [16]. Though MABS-E is less efficient than MABS-B since it includes the DoS defense. Restrictions apply. They are suitable for RSA [33]. For each packet. [18]. Downloaded on May 31. [24]. respectively [38]. schemes in [8]. we present a basic scheme for lossy channels in Section 3. and nonrepudiation as previous asymmetric key based protocols. [12]. [35]. [23]. [25]. which supports the authentication of any number of packets simultaneously with one signature verification. in which each path links a packet to the block signature. [24]. [26] is that they are vulnerable to packet injection by malicious attackers. In a hostile environment. The rest of the paper is organized as follows: We briefly review related work in Section 2. [18]. [24].000 bytes). [36]. [14]. [20]. Erasure codes were used in [22]. [18]. [20]. [13]. [11] or vulnerability to packet loss [12]. [28]. [22]. we make the following contributions: Our MABS can achieve perfect resilience to packet loss in lossy channels in the sense that no matter how many packets are lost the already-received packets can still be authenticated by receivers. MABS provides data integrity. we present our comprehensive study on this approach and propose a novel multicast authentication protocol called MABS (in short for Multicast Authentication based on Batch Signature). [15]. [18]. However. [19]. [20]. All these schemes [10]. but reduce the computation overhead at the sender by using one-time signatures [8] or k-time signatures [9]. [16]. [19]. [19]. [21]. [13]. and communication overhead.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983 schemes. [23]. leading to DoS. [24]. it uses the authentication information in the packet to authenticate it. Each receiver verifies the block signature and authenticates all the packets through the paths in the graph. Recently. [17]. Another problem with schemes in [8]. [17].

In the block design. Generally. . [50]. Therefore. i g. [14]. Each receiver is a less powerful device with resource constraints and may be managed by a nontrustworthy person. [23]. . which is chosen by the sender. [26]. In particular. i ¼ 1. [40]. which is incurred at the high layer when the high layer application waits for the buffered packets to become verifiable. Restrictions apply. [32] incorporate a block-based design as shown in Section 2. [29] are still vulnerable to DoS because they require that one-way hash chains are signed and transmitted to each receiver and therefore an attacker can inject forged signatures for oneway hash chains. In the block design. [41]. which supports simultaneously verifying the signatures of any number of packets. schemes in [27]. [31]. [53] use shared symmetric keys between the sender and receivers to authenticate multicast streams. [25]. the heterogeneity of receivers means that the buffer resource at each receiver is different and can vary over the time depending on the overall load at the receiver. which could be interpreted as that the buffered packets are “lost. However. [51]. [29]. it is possible that the packets buffered at the low layer authentication module are not verifiable because the correlated packets. In particular. . Downloaded on May 31. [30]. [25]. but also introduce new problems. [22]. Though they are more efficient than those using signatures. . . the per-packet signature design has been criticized for its high computation cost. [21]. while the others could be cheap handsets with limited buffers and low-end CPUs. and n can be any positive integer. [46]. [28]. [18]. p2 . and therefore. [24]. . Some other schemes [45]. In this paper. . The reason is that error correction codes tolerate error packets. Though confidentiality is another important issue for securing multicast. i is the corresponding signature. where mi is the data payload. this heterogeneity poses a demand on the capability of adjusting the buffer size and authenticating buffered packets any time when the high layer application requires at each receiver. JULY 2010 are vulnerable to forged signature attacks because they require each receiver to verify each signature whereby to authenticate data packets. [17]. These three schemes [30]. we conceive a receiver-oriented approach by taking into account the heterogeneity of the receivers. In view of the problems regarding the sender-favored block-based approach. and schemes in [22]. [28]. In this paper. As receiving devices have different computation and communication capabilities. . [31]. In the per-packet signature design it is not a problem.2010 at 01:51:59 UTC from IEEE Xplore. authenticating a multicast stream can be achieved by signing and verifying each packet. [36]. F alseg: If the output is T rue. [27]. [23]. [29]. but they still have the packet loss problem. [39]. . [25]. [13]. the sender is a powerful multicast server managed by a central authority and can be trustful. Consider the high layer application needs new data from the low layer authentication module in order to render a smooth video stream to the client user. PRABS [30] uses distillation codes to deal with DoS. the correlation among packets can incur additional latency. Mixed with various channel loss rates. which is required for the low layer authentication protocol to buffer received packets. we focus on the signature approach. which is inherent in the Internet and wireless networks. since each packet can be independently verifiable at any time. [23]. they cannot provide nonrepudiation as the signature approach. [32] were proposed. [38]. The sender signs each packet with a signature and transmits it to multiple receivers through a multicast routing protocol. Ideally. [48].984 IEEE TRANSACTIONS ON MOBILE COMPUTING. Also. the high layer application has to either wait. [20]. VOL. They do reduce the computation cost. which leads to additional latency. pn Þ 2 fT rue. have not been received. Schemes in [28]. however. the basic scheme MABS-B uses an efficient cryptographic primitive called batch signature [33].” This latency. [30]. [11]. it can be achieved through group key management [54]. valid packets and forged packets are partitioned into disjoint sets and erasure decoding is performed over each set. the BatchVerifyðÞ algorithm should satisfy the following properties: Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [32] are resilient to DoS. [37]. or return with a no-available-packets exception. is different from the buffering latency. the receiver knows the n packets are authentic. [52]. [49]. 7. PARM [27] is similar to the tree chaining scheme [10]. [29] combine erasure codes with one-way hash chains to detect forged packets. Third. [11] in the sense that multiple oneway hash chains are used as shared keys between the sender and receivers. [24]. [26]. [28]. To support authenticity and efficiency. n. may not be satisfied by each receiver. Unfortunately. Each receiver needs to assure that the received packets are really from the sender (authenticity) and the sender cannot deny the signing operation (nonrepudiation) by verifying the corresponding signatures. The block design builds up correlation among packets and makes them vulnerable to packet loss. [35]. [44]. 9. [12]. LTT [32] uses error correction codes to replace erasure codes in schemes [22]. NO. Received packets may not be authenticated because some correlated packets are lost. [43]. [24]. [26] suffer from packet injection because each receiver has to distinguish a certain number of valid packets from a pool of a large number of packets including injected ones. BAS [31] simply retransmits each signature multiple times to tolerate packet loss and uses selective verification to tolerate injected forged signatures. [16]. [19]. some could be powerful desktop computers. which is very time-consuming. It is desirable that the lower layer authentication module delivers authenticated packets to the high layer application at the time when the high layer application needs new data. it can input them into an algorithm BatchVerifyðp1 . especially the block signatures. we focus on multicast authentication. In order to deal with DoS. [34]. [47]. 3 BASIC SCHEME Our target is to authenticate multicast streams from a sender to multiple receivers. In order to fulfill the requirement. [42]. [31]. when a receiver collects n packets: pi ¼ fmi . most previous schemes [10]. and they require either time synchronization or trustful infrastructures. and otherwise not. these schemes [27]. [15]. the required block size.

However. [14]. [15]. [30]. [25]. [17]. MABS-B uses per-packet signature instead of per-block signature and thus eliminates the correlation among packets. The computation complexity of BatchVerifyðÞ is comparable to that of verifying one signature and is increased only gradually when the batch size n is increased. [19]. [23]. [26]. Given n packets fmi . and then calculates two exponents e. n. [12]. In order to show the merit of signature preaggregation. where ðNÞ ¼ ðP À 1ÞðQ À 1Þ. [20]. Theoretically. with and without signature preaggregation. then the final batch verification has 1. . We can see that the time cost of general batch verification (without signature aggregation) is still less than that of two single signature verifications when batch size grows up to about 270. [27]. In particular. [21]. we present three implementations. we will show later that in the implementation of batch signature a technique called signature preaggregation can be used so that the additional processing of multiple packets is shifted from the time of final batch verification to the time of each packet reception and thus the cost of final batch signature verification is exactly the same as that of original signature verification. We measured the normalized time cost of batch signature verification with the batch size growing from 1 to 1. the batch verification of RSA [34]. those additional computations are mostly modular additions and multiplications. The computation complexity of BatchVerifyðÞ comes with the fact that there are some additional cost on processing multiple packets. Meanwhile. [32]. 1. [16].000.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 985 Fig. [31]. [21]. it is not the case in reality. [27]. This is a significant advantage over previous schemes [10]. [23]. the equation holds because Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [30]. We must point out and will show later that MABS is independent from these signature algorithms. . Most important. we propose two new batch signature schemes based on BLS [36] and DSA [38]. [15]. [28]. the alreadyreceived packets can still be authenticated by each receiver. [18]. and there is no additional hash or code overhead in each packet. i g. . however.1. The packet independency also brings other benefits in terms of smaller latency and communication overhead compared with previous schemes [10]. [14]. 3. . In order to use RSA. BatchVerifyðÞ outputs T rue. NÞ as its public key and keeps d in secret as its private key. The sender sends fm.1 RSA RSA [33] is a very popular cryptographic algorithm in many security protocols.1. [12]. . [22]. The sender publishes ðe. [29]. we implemented batch signature by using our Batch-BLS (will be discussed later) as an example. This independency brings the freedom to optimize MABS for a particular physical system or platform as much as possible.2 Batch RSA To accelerate the authentication of multiple signatures. 3. where packets can be lost according to different loss models. so that the batch size will not be unmanageably large. such as random loss or burst loss. In addition to the one based on RSA [33]. which are more efficient than batch RSA. d 2 Z Ã such that ZN ed ¼ 1 mod ðNÞ. where mi is the data payload. the probability that BatchVerifyðÞ outputs T rue is very low. Given a batch of packets including some unauthentic packets. [28]. i is the corresponding signature and n is any positive integer. The Internet and wireless channels tend to be lossy due to congestion or channel instability. [31]. [26]. The other curve in Fig. [25]. Given a batch of packets that have been signed by the sender. efficiency can also be achieved because a batch of packets can be authenticated simultaneously through one batch signature verification operation. 3. Downloaded on May 31. i ¼ 1. [24]. and recorded the results for two scenarios. the receiver can first calculate hi ¼ hðmi Þ and then perform the following verification: !e n n Y Y i mod N ¼ hi mod N: ð1Þ i¼1 i¼1 If all n packets are truly from the sender. [29].2010 at 01:51:59 UTC from IEEE Xplore. no matter how many packets are lost. [32]. which are much faster than modular exponentiations required in final signature verifications. As we will show later. which validates the third property of batch signature. [19]. [13]. [18].1 Batch RSA Signature 3. In MABS-B. a sender chooses two large random primes P and Q to get N ¼ P Q. 1 shows that if the signature preaggregation is used. Normalized time cost of Batch-BLS signature verification. g to a receiver that can verify the authenticity of the message m by checking e ¼ hðmÞ mod N. Next. The result is shown in Fig.ZHOU ET AL. 2. The packet independency makes MABS-B perfect resilient to packet loss. the same cost of single signature verification. no matter how large the batch size is. [20]. [11]. A signature of a message m can be generated as  ¼ ðhðmÞÞd mod N. each receiver can verify the authenticity of all the received packets in its buffer whenever the high layer applications require. The merit of batch signature is that the batch size is chosen by each receiver. [17]. [13]. [24]. which can optimize its own batch size. [16]. [22]. 1. Restrictions apply. [35] can be used. a concern comes when the cost grows higher than the final signature verification if the batch size is too large. [11]. where hðÞ is a collision-resistant hash function.

NO. batch RSA is resistant to signature forgery as long as the underlying RSA algorithm is secure. a pair of fe. 2. . which can be defined as a map over two cyclic groups G1 and G2 .2 Batch BLS Based on BLS. i. then the message m is authentic because 1. . Bilinear: For all u. given two packets fmi . 1gà in the signing phase. i g. h i ¼ 1. yÞ ¼ i¼1 Q eð n i . where p is the order of G1 . the attacker can do this only when it gets fmi . vb Þ ¼ eðu. 3. Next. this attack is of no harm to the receiver [35]. n À 1. . Proof. A generates n false signatures i 0 . n À 1 to A. . It has been shown in [36] that an n-bit BLS signature can provide a security level equivalent to solving a Discrete Log Problem (DLP) [39] over a finite field of size approximately 26n . . Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. . i ¼ 1. Nondegenerate: For the generator g1 of G1 . The modified packets can still pass the batch verification. i ¼ 1. dg with comparable sizes can achieve a certain level of trade-off between computation efficiency and security at the sender part.yÞ ¼ eð. the RSA signature verification is efficient while the signature generation is expensive. . n g satisfies the BLS signature scheme. i ¼ 1.1. . which can reduce the computation complexity at the sender. However. i g and fmj . where hðÞ is a hash function. Z. n and n À 1 signatures i . the receiver can verify the batch of BLS signatures by first computingQ i ¼ hðmi Þ. then returns to B a Q value V ¼ n i 0 .2. the receiver must ensure all the messages are distinct. The signature of m is . the sender first computes h ¼ hðmÞ 2 G1 . This is because if all the messages are i¼1 authentic. g1 ¼ i¼1 n Y i¼1 ð4Þ ! i . g1 Þ. the receiver first computes h ¼ hðmÞ 2 G1 and then check whether eðh. then computes  ¼ hx 2 G1 . 3. 9. . i ¼ 1.g1Þ. g1 x Þ ¼ eðhx . the attacker can modify them into fmi . j g. . . g1 Þ 6¼ 1 2 G2 . the public key e is usually small (e ¼ 3 for instance) while the private key d is large. a 171-bit BLS signature provides the same level of security as a 1. then signing each packet can be affordable in this scenario. g1 : ¼e We can prove that our batch BLS is secure to signature forgery as long as BLS is secure to signature forgery. such that fmn . . . . which means the message mi and mj have been correctly signed by the sender. . j g for i 6¼ j. Then.e. g1 x Þ e i¼1 i¼1 n Y À Á e hi x . VOL. n that pass the batch BLS verification. Theorem 1. . 3. e : G1  G1 ! G2 . we propose our batch BLS scheme here. For example.986 n Y i¼1 IEEE TRANSACTIONS ON MOBILE COMPUTING. we have 1 eðg1 . i g. B can forge a signature n for any chosen message mn . B sends n messages mi . Suppose B is given n À 1 messages and their valid signatures fmi .3 Requirements to the Sender In most RSA implementations. Downloaded on May 31. a sender chooses a Z random integer x 2 Z p and computes y ¼ g1 x 2 G1 . If the verification succeeds. JULY 2010 !e i mod N ¼ ¼ ¼ n Y i¼1 n Y i¼1 n Y i¼1 e mod N i hed i mod N ð2Þ The BLS signature scheme consists of three phases: In the key generation phase. . satisfying the following properties: 1. Q i¼1 B computes n ¼ V = nÀ1 i as the signature for i¼1 mn . v 2 G1 and a. . Therefore. eðh.. Choosing a small private key d can improve the computation efficiency but compromise the security. Because A can break the batch BLS scheme. we propose a batch signature scheme based on the BLS signature in [36]. This is a very nice choice in the scenario where communication overhead is an important issue. The private key is x and the public key is y. If the sender does not have enough resource. but the signature of each packet is not correct (that is why batch RSA verification is called screening in [35]). i g and fmj .1 BLS The BLS signature scheme uses a cryptographic primitive called pairing.2 Batch BLS Signature Here. . In some circumstances. 2. Given n packets fmi . Therefore. . . Suppose an attacker A can break the batch BLS by forging signatures. an attacker may not forge signatures but manipulate authentic packets to produce invalid signatures. Therefore. .2. Given a message m 2 f0. One merit of the BLS signature is that it can generate a very short signature. 2. we propose two efficient batch signature schemes based on BLS [36] and DSA [38]. n. by colluding with A in the following steps: 1. In the verification phase. It has been proved in [35] that when all the messages are distinct. another attacker B can break BLS under the chosen message attack by colluding with A. then ! n n Y Y hi . If the sender is a powerful server. . because 3. b 2 Z we have eðua . g1 Þ: ð3Þ hi mod N: Before the batch verification.024-bit DLP-based signature scheme such as DSA [38]. . gp ¼ 1 2 G1 . 3. n and then checking whether eð n hi . Restrictions apply. 7. g1 Þ ¼ eð.2010 at 01:51:59 UTC from IEEE Xplore. This is easy to implement because sequence numbers are widely used in many network protocols and can ensure all the messages are distinct. j =g. y ¼ eðhi . i g and fmj . This poses a challenge to the computation capability of the sender because the sender needs to sign each packet. i ¼ 1. yÞ ¼ eðh. . vÞab . 3. Otherwise batch RSA is vulnerable to the forgery attack [35].

2 3. Zq Given a message m. For any message set mi . . the private key of the signer. n À 2. y. 6. 0 < x < q. q. g1 eðn . y ¼ gx mod p.2 Harn Batch DSA Given n packets fmi . i ¼ 1. yÞ ¼ eðn . n. a generator of Z Ã with order q. gq ¼ 1 mod p. Moreover.3 Requirements to the Sender In our batch BLS. sÞ. [43]. computing h ¼ hðmÞ. two packets fmi . BLS can be implemented over elliptic curves [55]. a 160-bit prime divisor of p À 1. . For instance.3 The Boyd-Pavlovski Attack Boyd and Pavlovski [44] pointed out an attack against the Harn batch DSA scheme [43]. . y nÀ1 Y i¼1 hi . j g for i 6¼ j can be replaced with fmi . DSA is deemed secure based on the difficulty of solving DLP [39]. and 4. Also like batch RSA. which have been shown in the literature to be more efficient than finite integer fields on which RSA is implemented. Therefore.3. the sender needs to sign each packet. g1 Þ : ð6Þ Since BLS is forgery-secure under the chosen message attack [36]. The signature for m is ðr. 5. 2. 2. 3. si g. it does not affect the correctness and the authenticity of mi and mj because they have been correctly signed by the sender. .: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE n Y i¼1 987 ! hi . 3. if the batch of packets is authentic. . ðri . i ¼ 1. computing r ¼ ðgk mod pÞ mod q. . some system parameters are defined as: 1. n. p. .e. the signing operation is more efficient than the RSA signature generation. i g and fmj . . . Unfortunately.3.2010 at 01:51:59 UTC from IEEE Xplore. . then Pn  Pn   À1 À1 mod p mod q g i¼1 si ri y i¼1 hi ri  Pn   À1 ¼ g i¼1 ðsi þhi xÞri mod p mod q  Pn  ð8Þ ¼ g i¼1 ki mod p mod q ¼ n Y i¼1 ri mod q: 3. the signer generates a signature by: 1. . the receiver can verify the batch of signatures by first computing hi ¼ hðmi Þ and then checking whether n Pn  Pn   Y À1 À1 ri mod q : ð7Þ g i¼1 si ri y i¼1 hi ri mod p mod q ¼ i¼1 3. The process is: 1. . 2. Harn improved the security of [40] in [42]. . Choose B and C. i ¼ 1. a hash function generating an output in Z Ã . Restrictions apply. j =g and still pass the batch verification. randomly choose ri . i ¼ 1. the public key of the signer.4 Our Batch DSA In order to counteract the Boyd-Pavlovski attack. This is because.1 Harn DSA In Harn DSA [43]. Compute rnÀ1 and rn to ensure that n Y i¼1 n X i¼1 ri mod q ¼ A mod q ð9Þ ð10Þ hi ri À1 mod q ¼ C mod q: 4. our batch DSA makes an improvement to the Harn DSA algorithm. 3. 3. g. but later was found insecure [41]. Randomly choose si . Boyd and Pavlovski pointed out in [44] that Harn’s work is still vulnerable to malicious attacks. .. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. n À 1 and compute sn to ensure that n X i¼1 si ri À1 mod q ¼ B mod q: ð11Þ The probability that fmi . i.3. where an attacker can forge signatures for any chosen message set that has not been signed by the sender.3 Batch DSA Signature DSA [38] is another popular digital signature algorithm. . [56]. Downloaded on May 31. y n Y i¼1 e ¼ eðV . computing s ¼ rk À hx mod q. x. . 3. . g1 Þ ! ¼e ! n Y i¼1 nÀ1 Y i¼1 ! i . our batch BLS scheme is also secure to forgery under the chosen message attack. Here. Unlike RSA.3. an attacker may not forge signatures but manipulate authentic packets to produce invalid signatures. . i g and fmj . . which is based on the hardness of factoring two large primes. 3.2. . n are forged messages satisfying the batch verification is 1 [44]. then ððgsr yhr Þ mod pÞ mod q ¼ ððgðsþhxÞr Þ mod pÞ mod q u t ¼ ðgk mod pÞ mod q ¼ r: À1 À1 À1 À1 À1 )e )e hi . g1 Þ ð5Þ The receiver can verify the signature by first computing h ¼ hðmÞ and then checking whether ððgsr yhr Þ mod pÞ mod q ¼ r: This is because if the packet is authentic. g1 ! i . . Zp 4. calculate A ¼ ðgB yC mod pÞ mod q. we propose a batch DSA scheme based on Harn’s work and counteract the attack described in [44].ZHOU ET AL. y eðhn . i ¼ 1. a prime longer than 512 bits. yÞ ¼ e ) eðhn . randomly selecting an integer k with 0 < k < q. si Þg. Because BLS can provide a security level equivalent to conventional RSA and DSA with much shorter signature [36]. hðÞ. we can expect that our batch BLS is more affordable by the sender than batch RSA and also achieve computation efficiency at the receiver. A batch DSA signature scheme was proposed in [40]. ri . However.

3. An example is illustrated in Fig. Each leaf is a hash of one packet. VOL.2010 at 01:51:59 UTC from IEEE Xplore. At each receiver. leading to DoS. Though it is simple. By introducing ri into the hash operation. which means more signature verifications at each receiver. the cost of the aggregations is incurred with the final signature verification.2 . 9. ðri 0 . our method can significantly increase the security of batch DSA. if we modify the original DSA so that it takes fsrÀ1 . H1. ðHðP3 Þ. the mark of the packet P3 is fH4 . 2. Meanwhile. 2. randomly choose si 0 . we can notice that they use exactly the orignal RSA and BLS algorithms. Next. n i g after i¼1 i¼1 receiving every packet. Each set of packets comes from either the real sender or the attacker. an attacker can inject forged packets into a batch of packets to disrupt the batch signature verification. A naive approach to defeat the DoS attack is to divide the batch into multiple smaller batches and perform a batch verification over each smaller batch. . the attacker may manipulate authentic packets fmi . the aggregations Q message hashes and of P P signatures f n si ri À1 . NO. r is independent on the message m. we present an enhanced scheme called MABS-E. each receiver only needs to perform BatchVerifyðÞ over each set.3. In this section. n À 1 and solve sn 0 satisfying n X i¼1 Fig. For each packet. In particular. a mark is constructed as the set of the siblings of the nodes along the path from the packet to the root.8 ¼ HððH1. Therefore. si 0 ri À1 mod q ¼ n X i¼1 si ri À1 mod q: ð12Þ 4 ENHANCED SCHEME However. each Q Q receiver can compute and update f n hi . In some circumstances. only two modular multiplications are necessary to sign a packet. Merkle tree [57] is used to generate marks. Each internal node is the hash value on both its left and right children. When the sender starts a multicast session. If the result is T rue. For batch-DSA. H5. When the time of batch verification comes. however. . the hash values hi in (10) are unknown to the attacker. the attacker can compute ri values according to (9) and (10) because parameters A.8 Þ. and the receiver simply drops them and does not need to divide the set into smaller subsets for further batch verification.988 IEEE TRANSACTIONS ON MOBILE COMPUTING. H5. Preaggregation of Message Hashes and Signatures If we take a closer look at batch-RSA and batch-BLS. . no matter whether it is random loss or burst loss. and vice versa. Restrictions apply. . while also achieving computation efficiency at the receiver. which is unique to the packet and cannot be spoofed.8 g and the root can be recovered as H1. Like the cases in batch RSA and our batch BLS. In our batch DSA. just like batch-RSA and batch-BLS. as shown in Fig.4 The basic scheme MABS-B targets at the packet loss problem. the attacker can inject forged packets at very high frequency and expect that each receiver stops the batch operation and recovers the basic per-packet signature verification. hrÀ1 . The mark design ensures that a packet from the real sender never falls into any set of packets from the attacker. n i g as the parameters to the i¼1 i¼1 original signature algorithms. In the Boyd-Pavlovski attack. For example. ðri . Therefore. Therefore. Constructing a Merkle tree is very efficient because only hash operations are performed. si Þg to produce invalid signatures fmi . which is not in Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Therefore. rg as parameters. It has perfect resilience to packet loss. 1. The only difference is that the batch algorithms Q take the aggregations of message hashes Q and signatures f n hi . which can still pass the batch verification. the set of packets is authentic. the sender needs to compute one modular exponentiation to get r and two modular multiplications to get s.5 Requirements to the Sender In batch RSA and our batch BLS. the multicast stream is classified into disjoint sets based on marks. our batch DSA is much more efficient than batch RSA and our batch BLS at the sender. The sender constructs a binary tree for eight packets. mÞ. the set of packets is from the attacker. s. Therefore. the computation cost at each receiver can be more manageable no matter how large each batch is if signature preaggregation is enforced. which may not be viable at resource-constrained receiver devices. each receiver needs just one signature verification. i ¼ 1. n hi ri À1 . the one-way property of hash operation ensures that given the root of a Merkle tree it is infeasible to find a packet. 7. and this divide-and-conquer approach can be recursively carried out for each smaller batch. Therefore. This aggregation is independent of the final signature verification. a strong resilience to DoS due to injected packets can be provided. H4 ÞÞ. si 0 Þg. If not. Therefore. the sender needs to compute one modular exponentiation to sign each packet. the sender can generate many r values offline. In the worst case. hi values are known. The attacker can keep ri unchanged. Each leaf is a hash of one packet. then batch-DSA can take the advantage of preaggregating message hashes and signatures. which combines the basic scheme MABS-B and a packet filtering mechanism to tolerate packet injection.2 . Obviously. An example of Merkle tree. Downloaded on May 31. which is inherent in the Internet and wireless networks. In MABS-E. the sender attaches each packet with a mark. . However. it can use reserved r values to compute s values. All the other steps are the same as those in Harn’s scheme. C. rg instead of fh. n ri g are inside the i¼1 i¼1 i¼1 signature verification. this attack does not affect the correctness and authenticity of messages because they have been really signed by the sender [44]. In this way. Each internal node is the hash value on the concatenation of its left and right children. JULY 2010 We replace the hash operation hðmÞ in the signature generation and verification process with hðr. However. respectively. 3. the attacker cannot compute ri values and the forgery attack discussed in [44] is defeated. the receiver can still accept them because the batch verification succeeds.

i. This is also true for all the literature multicast authentication schemes referenced in this paper. This guarantees that forged packets cannot fall into the set of authentic packets. We consider the random loss and the burst loss with a maximum loss length of 10 packets. Our MABS and Tree schemes [11] have perfect resilience to packet loss in the sense that all the received packets can be authenticated. 4. 5 PERFORMANCE EVALUATION In this section.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 989 Fig. we choose the erasure code ð256. the impact of DoS due to packet injection can be reduced by a factor of t.ZHOU ET AL. Once the set is authentic. underlying signature algorithm. MABS does not assume any particular underlying signature algorithm. Verification rate under the random loss model.7 chain configuration. . and SAIDA [23]. The metric here is the verification rate. For AugChain [18]. SAIDA [23] illustrates a resilience to packet loss up to a certain threshold. each receiver can choose a threshold (say t) and start batch verification over one set only when the set has no less than t packets. we choose two class priorities. and DoS resilience.3. For SAIDA [23]. In this way. We compare MABS with some well-known loss tolerant schemes EMSS [14]. tree chaining. while our MABS-B has less overhead and latency and MABS-E is resilient to DoS at the same level of overhead as Tree [11]. 128Þ. Restrictions apply. When the sender has a set of packets for multicast.1 Resilience to Packet Loss We use simulations to evaluate the resilience to packet loss. If a set has less than t packets and the root value recovered from the set has not been authenticated.2 are under the assumption that they are using the same 5. Doing the BatchVerify algorithm on each small set compromises efficiency. PiggyBack [16]. An attacker may inject small sets of forged packets or even inject single packet that does not belong to any set. Each receiver does not need to wait for a set to include all the packets under the Merkle tree. we choose the chain configuration of 5 À 11 À 17 À 24 À 36 À 39. As we will show later. which has the best performance among all the configurations of length 6 as is shown in [14]. and erasure coding schemes and are widely used in performance evaluation in the literature. As we discussed before. In this case. 3. Therefore. The reason is that graph chaining results in the correlation among packets and this correlation is vulnerable to packet loss. the threshold t can vary according to the receiver’s computation resource. Tree [11] achieves this independency by incurring large overhead and latency at the sender and each receiver and is vulnerable to DoS. all the discussions and evaluations of MABS and the literature works in Section 5. We can see that the verification rates of EMSS [14]. the receiver simply drop the set of packets without processing them and thus save computation resource. the corresponding root can be used to authenticate the rest of packets under the same Merkle tree without batch-verifying them.e.1 and Section 5. Verification rate under the burst loss model with the maximum burst length 10. The root can be recovered based on each packet and its mark. Each receiver can find whether two packets belong to the same set by checking whether they lead to the same root value. it generates a Merkle tree for the set and attaches a mark to each packet. The verification rates under different loss rates are given in Fig.. The discussion of signature algorithms is in Section 5. the recovered roots help classify received packets into disjoint sets. For EMSS [14]. because of the threshold performance of erasure codes. For PiggyBack [16]. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. we choose C3. which saves computation overhead at each receiver. Since the sets from the sender can have a large number of packets.2010 at 01:51:59 UTC from IEEE Xplore. each receiver has many small sets and each of them has only a few packets. however. 3 and Fig. For Tree chain [11]. For all these schemes. and it can batch-verify the set anytime. This is because all the packets in MABS and Tree schemes are independent from each other. we choose the block size of 256 packets and simulate over 100 blocks. 4. Downloaded on May 31. we choose binary tree. augmented chain (AugChain) [18]. Fig. For each receiver. we evaluate MABS performance in terms of resilience to packet loss. efficiency. augmented chain (AugChain) [18] and PiggyBack [16] are decreased quickly when the loss rate is increased. Therefore. tree chain (Tree) [11]. the set associated with the Merkle tree and from which there is a path to the root. These schemes are representatives of graph chaining. the ratio of the number of authenticated packets to the number of received packets.

NO. While it is not designed for lossy channels. MABS-B is perfect resilient to packet loss because of its inherent design. but it still preserves the merit of instantaneous authentication at each receiver as MABS-B. similar to SAIDA [23]. 4. 7. At each receiver. and communication overhead for efficiency evaluation under lossy channels and DoS channels. the high layer application does not need to wait because the low layer authentication module can deliver authenticated packets at any time when the high layer application needs new data.2. MABS-E can also achieve the perfect resilience to packet loss in lossy channels. The notations used here are defined in Table 1. [16] or at each receiver [14]. [23]. EMSS [14]. JULY 2010 TABLE 1 Notations within several hash operations. . This makes MABS-B pretty suitable for realtime multimedia applications.1 Comparisons over Lossy Channels Table 2 shows the comparisons between MABS-B and wellknown loss-tolerant schemes tree chain (Tree) [11]. 5. This receiver side latency is variable depending on whether the correlation among the underline buffered packets has been recovered or not when the high layer application needs new data.2010 at 01:51:59 UTC from IEEE Xplore. BAS [31]. the schemes using One thing needs to be pointed out is that we do not differentiate between MABS-B and MABS-E in Fig. Restrictions apply. and LTT [32] in the table just for comparisons even though they are not designed for lossy channels. The latency is inherent in the block design due to chaining or coding. Previous block-based schemes introduce latency either at the sender [11]. Downloaded on May 31. and its maximum value is the block size. 9. [31] or both [18]. the extracted root of the Merkle tree can be used to authenticate the rest of packets in the same set TABLE 2 Comparisons over Lossy Channels Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. which shows a threshold-based loss resilience. [30]. augmented chain (AugChain) [18]. PiggyBack [16]. MABS-E introduces latency at the sender because it includes a tree construction to counteract DoS. which is not the best choice for the lossy channel. Once the received packets are authenticated. All the evaluations are carried out over n packets. 5. 3 and Fig. and SAIDA [23]. If we set t > 1. In addition. We also include MABS-E and three DoS resilient schemes PRABS [30]. we can set the threshold t ¼ 1 (refer to Section 4) for MABS-E. the correlation among a block of packets has to be established before the sender starts sending the packets. VOL. Both the block-based schemes and MABS require one signature verification operation on a block or a batch of n packets at each receiver.2 Efficiency We consider latency. Each packet is independently sent out at the sender. [32]. In the lossy channel model. computation. At each receiver. MABS-E can tolerate up to n À t lost packets for each set of n packets. the latency is incurred when the high layer application waits for the buffered packets to be authenticated after the correlation is recovered. The results are depicted in Table 2 and Table 3. and thus each receiver can start batch-verification as long as there is at least one packet received for each set of packets constructed under the same Merkle tree. At the sender side.990 IEEE TRANSACTIONS ON MOBILE COMPUTING. MABS-B eliminates the correlation among packets. where no DoS attack is assumed to present.

[16]. [23] since they are designed only for lossy channels. [14]. They can alleviate the impact of packet injection by a constant factor to reduce the computation cost at each receiver. In MABS. BLS [36] generates short signatures of 171 bits. Processing injected packets from the attacker always consumes a certain amount of resource. Therefore. we assume an attacker factor . [31]. MABS-B and MABSE have more communication overhead than those in [14]. which is the same case as Tree [11]. MABS can have the same level of communication efficiency as conventional schemes when BLS is used. Compared with RSA [33]. Schemes in [30]. [30]. which is comparable to previous schemes using hashing and coding. efficient signature generation is desirable at the sender. [32] require one or more signatures and up to Oðn2 Þ hashes. which is comparable to most well-known hash algorithms MD5 [58] (128 bits) and SHA-1 [59] (160 bits). [32]. [31].024-bit RSA). [23]. However. 5. [32] are designed for DoS defense. [23]. [16]. MABS-E has the same level of DoS resilience as those in [30]. MABS-B and MABS-E require n signatures and MABS-E requires additional Oðnlog2 nÞ hashes.2. For n packets. MABS-B is more efficient since there is no more hashing or decoding operations. and the ones using coding require multiple hashes and one or two decoding operations.2 Comparisons over DoS Channels DoS is a method for an attacker to deplete the resource of a receiver. [16]. Moreover. Tree [11] require an overhead of n signature and Oðnlog2 nÞ hashes. schemes in [14]. and the advance of computing technology makes it easier in the long run. [32]. Therefore. in multimedia multicast. a trade-off for perfect resilience to packet loss is that the sender needs to sign each packet. [30]. MABS-B is vulnerable to packet injection as schemes in [11]. which incurs more computation overhead than conventional block-based schemes. [18]. [31].: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 991 TABLE 3 Comparisons over DoS Channels chaining also require many hashes. [18].ZHOU ET AL. the sender is usually a powerful server and thus the per-packet signature generation can be affordable. [18]. If long signatures are used (like 1. [31]. MABS-E requires nlog2 n hashes. which is efficient in verifying but is expensive in signing. Here. BLS [36] and DSA [38] are pretty good candidates as we will show later.

. which means that for n valid packets .

the attacker can inject .n invalid packets are injected. [18]. For schemes in [11]. The computation overheads at each receiver for different schemes are depicted in Table 3. [14]. [16]. which authenticate signatures first and then authenticate packet through hash chains.

n forged signature packets because signature verification is an expensive operation. the attacker simply injects . For SAIDA [23]. which requires erasure decoding.

n forged packets because each receiver has to choose a certain number of valid packets from all the ð1 þ .

M-modular multiplication. Restrictions apply. Moreover. for 157-bit BLS are 2. Downloaded on May 31. 5. and for 1. which can have a significant number of tries. a c-bit modular exponentiation in c DLP is equivalent to a 6 -bit modular exponentiation in BLS for the same security level.87 ms.3 Comparisons of Signature Schemes We compare the computation overhead of three batch signature schemes in Table 4.Þn packet to do decoding. We also compare the length of two popular hash algorithm MD5 [58] and SHA-1 [59] and the signature length of three TABLE 4 Computational Overhead of Different Batch Schemes E-modular exponentiation. According to the report [60] on the computational overhead of signature schemes on PIII 1 GHz CPU.007-bit private key are 7. [44].4 ms. the signing and verification time for 1. and vice versa for RSA. We can observe that for BLS and DSA the signing is efficient but the verification is expensive.024-bit RSA signing operation is roughly equivalent to that of 768 DSA signing operations (1.09 ms and 4.024-bit RSA with a 1. Therefore. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. P -pairing.024-bit DSA with a 160-bit private key (without precomputing r value) are 4. Therefore. Usually one c-bit modular exponentiation is equivalent to 1:5c modular multiplications over the same field [35]. It is also meaningful to use our batch BLS and batch DSA at the receiver to save computation resources. we can save more computation resource at the sender by using our batch BLS and batch DSA than batch RSA.9 ms and 0.75 ms and 81 ms. RSA [33] and BLS [36] require one modular exponentiation at the sender and DSA [38] requires two modular multiplications when r value is computed offline. . we can estimate that the computation overhead of one 1.2010 at 01:51:59 UTC from IEEE Xplore.536 modular multiplications) and that of 6 BLS signing operations (each one is corresponding to 255 modular multiplications).

Lin. “Multicast-Specific Security Threats and Counter-Measures. It is clear that by using BLS or DSA. T. pp. and W-C Wong. and Applications (WASA ’06). Modadugu. 2003. “How to Sign Digital Streams. Computer. 232246. Aug. First Ann.” Proc.” Proc. Multimedia (ISM ’05).” Proc. 2006. “A Content-Aware Stream Authentication Scheme Optimized for Distortion and Overhead. block-based authentication schemes have been proposed. 1998. 4. pp. no. Lam. Second Ann. N. R. Multimedia and Expo (ICME ’06). Multimedia and Expo (ICME ’05). Y.J. ACM Symp. Song. Pollution-Attack Resistant Multicast Authentication Scheme. “Multimedia Broadcast Authentication Based on Batch Signature. 55-64.” Proc.992 IEEE TRANSACTIONS ON MOBILE COMPUTING. 2004. R. C.” IEEE Network Magazine. Network Protocols (ICNP ’98).J. Wee. 2001. Y. Canetti. Nov. Sixth Int’l Conf. H. July 2005.E. Ren. Comm. Bettahar. pp. Mar. 1995. “Multicast Routing in Internetworks and Extended LANs. “On-Line/Offline Digital Signatures. and Networking Conf. May 2001. no. Moreover. Molva. C. 72-77. and A. “On Broadcast Authentication in Wireless Sensor Networks. Security and Privacy (SP ’02). Magazine. D. Y. “BABRA: Batch-Based Broadcast Authentication in Wireless Sensor Networks. Aug. 1997. N. 2004. Staddon. Choi. Zeng. Tygar. (NDSS ’03). 227-240. Feb. (ISCC ’02). and W. Tygar. 17th Ann. Karlof. Wireless Algorithms. Shieh. Park. Perrig. . Zhang. 1988. 541-544. IEEE Symp. pp. vol. VOL.” Proc. “Stream Authentication Scheme for the Use over the IP Telephony. 2150-2155. June 2004. Computers and Comm. Wong and S. “Security Issues and Solutions in Mulicast Content Distribution: A Survey. 1999. Chong. (WCNC ’06). “A Proposal of ButterflyGraphy Based Stream Authentication over Lossy Networks. 2. Challal. 2006. Sastry.” IEEE Comm. Advances in Cryptology (CRYPTO ’97). “Digital Signatures for Flows and Multicasts. Networking. Li. [28] [29] [30] K. Crowcroft. pp. A. 2. “Efficient DoS Resistant Multicast Authentication Schemes. 2001. Security (ASIACCS ’06). Micali.” ACM Trans. Advanced Information Networking and Application (AINA ’04). 1. Given the same security level as 1. 2002 IEEE Symp. Chong. Cho. 7. 17. Cryptology. “Video Stream Authentication in Lossy Networks. May 2003. and Comm. A. Seventh IEEE Int’l Symp.” Proc. Molva. pp. pp.K.2010 at 01:51:59 UTC from IEEE Xplore. 363-368. “A2 Cast: An Adaptive Source Authentication Protocol for Multicast Streams. Siegel. Rohatgi. MABS can achieve more bandwidth efficiency than using RSA. Lam. [16] [17] [18] [19] [20] ACKNOWLEDGMENTS This work was partially supported by the US National Science Foundation under grants CNS-0916391. “A Taxonomy of Multicast Data Origin Authentication: Issues and Solutions. and S. no. 7. 18th Int’l Conf. Int’l Conf. Y. Zuckerman. and K. Q. Okada. Systems. Zhang. Song. Network and Distributed System Security Symp. 45. vol. “Efficient Authentication and Signing of Multicast Streams over Lossy Channels. ACM SIGCOMM Symp.S. 1. E. IEEE Int’l Conf. J. (NDSS ’04). 6. O. 6. pp. Park. Y. July 2002. pp. P. Seventh IEEE Int’l Symp. Feb. IEEE Int’l Conf.” Proc. Z. Surveys & Tutorials. 100-116. Network and Distributed System Security Symp. (ISCC ’04). Network and Distributed System Security Symp. Kawaguchi. NO. W-C Wong. Z. Oct. Security and Privacy (S&P ’02). (NDSS ’01). The works of Fang and Zhu were also partially supported by the 111 Project under Grant B08038. 2004. 198-209. pp. no.J. 2006.” Proc.” IEEE Comm.” Proc. 4. Int’l Conf.” Proc.D. Q. 2005. “A Compact and Fast Hybrid Signature Scheme for Multicast Packet. Fang. 9. Security and Privacy (SP ’00). Shigeno. W. vol. Bouabdallah. we further develop two new batch signature schemes based on BLS and DSA.P. vol. “Distillation Codes and Applications to DoS Resistant Multicast Authentication. and Y. July 2006.K. H. J. and D. Wu and T. and A. “Efficient Multicast Packet Authentication Using Signature Amortization. C. Feb. 502513.D.M. Lin. vol. Downloaded on May 31. 35-67. Gennaro and P. Apr. Fang. Unfortunately. “How to Sign Digital Streams. Ballardie and J. pp. Ammar. H. no. pp. Cryptology Conf. Park. we develop a novel authentication scheme MABS. P. Rohatgi. and J. Tygar. A. vol. vol. 9. Zhou and Y. Jeong. Network and Distributed System Security Symp. Perrig. Siegel.” Proc. no. we also show that the use of batch signature can achieve the efficiency less than or comparable with the conventional schemes. Eighth Ann. and could be even more efficient than conventional schemes using a large number of hashes. and H. 258-285. 8.P. Gennaro and P.” Information and Computation. J. We have demonstrated that MABS is perfectly resilient to packet loss due to the elimination of the correlation among packets and can effectively deal with DoS attack. Mar. J. Sun. Y. Feb. Information and System Security. and H. “Digital Signatures for Flows and Multicasts. S. Aug. and J. pp. Y. Li. Ueda. 30-36. IEEE Symp. pp. S. A. Rohatgi. Dec.” Proc. CNS0716450. Ninth Int’l Symp.024-bit RSA. Aug. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY./Feb. and CNS-0626881. “Authenticating Streamed Data in the Presence of Random Packet Loss. 2-16. Deering. May 2000. BLS generates a 171-bit signature and DSA generates a 320-bit signature. pp. Pannetrat and R. S. R. Bouabdallah. Feb. “Authenticating Real Time Packet Streams and Multicasts. Computer and Comm. “Denial-of-Service Resistant Multicast Authentication Protocol with Prediction Hashing and One-Way Key Chain. 2007. May 2005.” Proc.” Proc. Apostolopoulos. 490-495. E.M. S.” Proc. Bettahar. (NDSS ’95). Miner and J. vol.” IEEE/ACM Trans. vol. “Efficient Multicast Stream Authentication Using Erasure Codes. [21] [22] [23] [24] [25] [26] [27] REFERENCES [1] [2] [3] [4] [5] [6] S.S. pp. JULY 2010 TABLE 5 Communication Overhead of Signature Schemes [7] [8] [9] [10] [11] signature algorithms in Table 5. Oct. 3. P. Security (CCS ’99). D. Zhou and Y. 10th Ann. Wong and S. Sun.” J. May 2002. vol. Judge and M. Golle and N. “Efficient Multicast Packet Authentication. May 2002. 1996. To overcome these problems. pp. Architectures and Protocols.” Proc. “Lightweight. 2006. most previous schemes have many problems such as vulnerability to packet loss and lack of resilience to denial of service (DoS) attack.” Proc. Information. and P. 34-57. pp. Sixth ACM Conf. Pannetrat and R. Finally. K. Goldreich.” Proc. 1. 165. Jan.” Proc. IEEE Wireless Comm. S. Restrictions apply. 1999. IEEE GLOBECOM. “Expander Graphs for Digital Stream Authentication and Robust Overlay Networks.K. 164-169.” Proc. The work of Zhu was also partially supported by the National Natural Science Foundation of China under grant 60772136 and supported by the Fundamental Research Funds for the Central Universities. and S. Aug.” Proc. Computational Science and Its Applications (ICCSA ’05). Even.” Proc. Y.” Proc. Security and Privacy (SP ’01). Challal. which are more efficient than the batch RSA signature scheme. 11th Ann. J.D. Nov. Computers and Comm. 2003. “Graph-Based Authentication of Digital Streams. Moran. 5675.K. Lou. IEEE Symp. [12] [13] [14] 6 CONCLUSIONS [15] To reduce the signature verification overheads in the secure multimedia multicasting.

and PhD degrees from the School of Telecommunications Engineering at Xidian University. Cavagnino. pp. 2003-2008) and ACM MobiHoc (2008-2009). pp. Information Theory.” Proc. 34.A. Xidian University. Rafaeli and D.” Proc. in 2002. [51] A. (CRYPTO ’02). M’Raihi. where she is a lecturer. 541-544. and S. 35. pp. Perrig. pp. [36] D. Xi’an. IEEE Symp. Shacham. 2045-2054. Rivest. vol. Sandhu. Lynn. 257-258. Network and Distributed System Security Symp. S.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 993 [31] C. Tamassia. no. Koblitz. 1998. He was an editor for the IEEE Transactions on Mobile Computing and currently serves on its steering committee. 1994. Pavlovski. be Improved? Complexity Trade Offs with the Digital Signature Standard. Lysyanskaya. 417-426. Chan. Network and Distributed Security. and M.” Proc. vol. 2001. IEEE Symp. from 2009 to 2012. vol. Yun Zhou received the BE degree in electronic information engineering and the ME degree in communication and information system from the Department of Electronic Engineering and Information Science.W. got an early promotion to an associate professor with tenure in 2003. J.” Comm. [59] D. 28-37. 12. pp. Tygar. Merkle. J. pp. Adleman. His research interests include security.” IEEE Trans. May 2004. Desmedt. 19. and N. Dec. in 2000 and 2003. A. R. Lim and P. July 1985. Y. Garay. in 2000. “Efficient Algorithms for Pairing-Based Cryptosystems. Trappe. He is currently serving as the editor-in-chief for IEEE Wireless Communications and serves/served on several editorial boards of technical journals including the IEEE Transactions on Communications. 1986. 203-209. She is now a visiting research scholar in the Department of Electrical and Computer Engineering at the University Florida. 21. He then joined the Department of Electrical and Computer Engineering at University of Florida in 2000 as an assistant professor.” IEE Electronic Letters. June 1998.” Proc. Sept. Nov. no. 2. “Attacking and Repairing Batch Verification Schemes. Micciancio. pp. China. ISOC Symp. 2004.” Proc. “Batch Verifying Multiple DSA-Type Digital Signatures. Computer and Comm.A. Xi’an. “Efficient and Secure Source Authentication for Multicast. “Multicast Security: A Taxonomy and Some Efficient Constructions. [56] V.” Proc. vol. 514-532. “An Efficient Identity-Based Signature Scheme with Batch Verifications. 469-472. [43] L.” IEE Electronic Letters. D. ElGamal. [39] T. Boneh. 2004. in 2007. 2003. D. D. 1219-1220. May 1995. Sixth Int’l Conf.2010 at 01:51:59 UTC from IEEE Xplore.” ACM Computing Surveys. (CRYPTO ’85). on leave from the School of Telecommunications Engineering. pp. Feb. [38] FIPS PUB 186. [57] R. Computation. Xu and R. Triandopoulos. Multimedia and Expo (ICME ’00). 1980. vol. [48] N. “Password Authentication with Insecure Communication. pp. 48. Lee. [37] S. Rivest. Boyd and C. IEEE INFOCOM. no. and B. China. Apr. no.” Proc. China. Naccache. and to a full professor in 2005. He has been actively participating in professional conference organizations such as serving as the steering committee cochair for QShine (20042008).S. Gainesville. 236-250. May 1998. vol. Lynn. IEEE GLOBECOM. S. “DSA-Type Secure Interactive Batch Verification Protocols. Apr. Shamir. “Batch Verifying Multiple RSA Digital Signatures.” Proc. Venkatesh. [40] D. Her research interests include wireless networks. 1994. China.M. Hutchison. Yuguang Fang received the PhD degree in systems engineering from Case Western Reserve University in 1994 and the PhD degree in electrical engineering from Boston University in 1997. vol. IEEE Int’l Conf. 2002. 2001. Info.J. Scott. and a guest chair professorship with Tsinghua University. and B. Downloaded on May 31. ACM. and the PhD degree from the Department of Electrical and Computer Engineering.” Proc. “The BiBa One-Time Signature and Broadcast Authentication Protocol. 9. Frankel. [47] L. 1987. “Protocols for Public Key Cryptosystems. Harn. “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. 708-716. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. 309-329. 3. Scalable Information Systems. Harn. and is the recipient of the Best Paper Award from the IEEE International Conference on Network Protocols (ICNP) in 2006 and the IEEE TCGN Best Paper Award from the IEEE High-Speed Networks Symposium. Song. 4. ACM Symp. Sept. Applied Computing (SAC ’02). [34] L. Int’l Cryptology Conf. and H. pp. and L. Security and Privacy (SP ’04). 2000. Int’l Cryptology Conf. “Multi-Receiver/MultiSender Network Security: Efficient Authenticated Multicast/ Feedback. and D. a Changjiang scholar chair professorship with Xidian University. (NDSS ’01). Advances in Cryptology (EUROCRYPT ’98). 2006. Itkis.” IEEE Trans. “A Survey of Key Management for Secure Group Communication. D. Perrig. “DoS Protection for Reliably Authenticated Broadcast. 4. He is a fellow of the IEEE and the IEEE Computer Society and a member of the ACM.” Proc. [42] L. “Reducing Delay and Enhancing DoS Resistance in Multicast Authentication through Multigrade Security. First Int’l Conf. [60] P. vol. pp. IEEE Wireless Communications Magazine. 11.L. He holds a University of Florida Research Foundation (UFRF) Professorship from 2006 to 2009. Seventh Int’l Conf. Dec. University of Science and Technology. M. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIACRYPT ’01). Gunter. [32] A. 2000. and operating systems. He has published more than 250 papers in refereed professional journals and conferences.ZHOU ET AL. 2001. [44] C. pp. 1981. R. May 1992. and T. Duan. Xi’an. 2002. He is also active in professional activities. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIANCRYPT ’00). 770-772. China. Eighth ACM Conf.” IEE Electronic Letters. Security (CCS ’01). B. Miller.” Proc. Rabin. pp.” Math. pp.” Comm. vol. Garay. Canetti. and a member of the technical program committee for IEEE INFOCOM (1998. 1978. “Can D. IEEE INFOCOM. July 2000. Digital Signature Standard (DSS). University of Florida. Naor. Yung. Raphaeli. Restrictions apply. Network and Distributed System Security Symp. vol. 190-204. 3. no. Khanna. Gainesville. [41] C. pp. Harn. 1992. no. Workshop Theory and Application of Cryptographic Techniques Advances in Cryptology (EUROCRYPT ’94). ME. “Elliptic Curve Cryptosystems. “Uses of Elliptic Curves in Cryptography. 24. no. [55] N. He is currently with Microsoft Corporation. Security and Privacy.” Proc. and 2009. vol. P. 120-126. the IEEE Transactions on Wireless Communications. pp. vol. G. from 2008 to 2011. 1. 30. 2. [35] M. and network coding. Apr. 11th Ann. Bellare. wireless communications and networking.” Proc. pp. an area technical program committee chair for IEEE INFOCOM (2009-2010). 34. Kim. 1. 31. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. [33] R. Jones. vol. network security. “Security of Interactive DSA Batch Verification. a technical program symposium cochair for IEEE GLOBECOM 2004. (NDSS ’04).A. Pinkas. Vaudenay. IT-31. “Fast Batch Verification for Modular Exponentiation and Digital Signatures. B. Feb. Bergadano. 1592-1593. “Individual SingleSource Authentication on The Mbone. no. 870-871.H. respectively. He was an assistant professor in the Department of Electrical and Computer Engineering at the New Jersey Institute of Technology from 1998 to 2000. [50] A. 2. H. cryptography. ACM. “The S/Key One-Time Password System. K. 2001. Tan. 1999. . [49] F. “US Secure Hash Algorithm 1 (SHA1). [58] R. the technical program vice-chair for IEEE INFOCOM 2005. pp.” Proc. and ACM Wireless Networks. He received the US National Science Foundation Faculty Early Career Award in 2001 and the US Office of Naval Research Young Investigator Award in 2002. Hefei.” Proc. [54] S. [52] Q.” Proc. and J. no. Li and W.” RFC 3174. June 2006. May 1994. Eastlake and P.” IEE Electronic Letters. Canetti. 77-85. and C. Barreto. and M. Feb. [46] R. “Authenticated Multicast Immune to Denialof-Service Attack. “Multicast Authentication in Fully Adversarial Networks. “Short Signatures from the Weil Pairing. pp. Feb. Xiaoyan Zhu received the BE. Nov. 58-71. Crispo. Cui. Sept. Lamport. signal processing. Forensics and Security. Mar. Haller.” RFC 1319. [53] S.” Proc. “The MD5 Message-Digest Algorithm. respectively. [45] Y. 1995.

Sign up to vote on this title
UsefulNot useful