You are on page 1of 12

MABS: Multicast Authentication

Based on Batch Signature
Yun Zhou, Xiaoyan Zhu, and Yuguang Fang, Fellow, IEEE
Abstract—Conventional block-based multicast authentication schemes overlook the heterogeneity of receivers by letting the sender
choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the
signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them
vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service (DoS)
resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast
authentication protocol, namely MABS, including two schemes. The basic scheme (MABS-B) eliminates the correlation among packets
and thus provides the perfect resilience to packet loss, and it is also efficient in terms of latency, computation, and communication
overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets
simultaneously. We also present an enhanced scheme MABS-E, which combines the basic scheme with a packet filtering mechanism
to alleviate the DoS impact while preserving the perfect resilience to packet loss.
Index Terms—Multimedia, multicast, authentication, signature.
Ç
1 INTRODUCTION
M
ULTICAST [1] is an efficient method to deliver multi-
media content from a sender to a group of receivers
and is gaining popular applications such as realtime stock
quotes, interactive games, video conference, live video
broadcast, or video on demand. Authentication is one of
the critical topics in securing multicast [2], [3], [4], [5], [6],
[7] in an environment attractive to malicious attacks.
Basically, multicast authentication may provide the follow-
ing security services:
1. Data integrity: Each receiver should be able to
assure that received packets have not been modified
during transmissions.
2. Data origin authentication: Each receiver should be
able to assure that each received packet comes from
the real sender as it claims.
3. Nonrepudiation: The sender of a packet shouldnot be
able to deny sending the packet to receivers in case
there is a dispute between the sender and receivers.
All the three services can be supported by an asymmetric
key technique called signature. In an ideal case, the sender
generates a signature for each packet with its private key,
which is called signing, and each receiver checks the validity
of the signature with the sender’s public key, which is
called verifying. If the verification succeeds, the receiver
knows the packet is authentic.
Designing a multicast authentication protocol is not an
easy task. Generally, there are following issues in real world
challenging the design. First, efficiency needs to be
considered, especially for receivers. Compared with the
multicast sender, which could be a powerful server,
receivers can have different capabilities and resources. The
receiver heterogeneity requires that the multicast authenti-
cation protocol be able to execute on not only powerful
desktop computers but also resource-constrained mobile
handsets. In particular, latency, computation, and commu-
nication overhead are major issues to be considered. Second,
packet loss is inevitable. In the Internet, congestion at
routers is a major reason causing packet loss. An overloaded
router drops buffered packets according to its preset control
policy. Though TCP provides a certain retransmission
capability, multicast content is mainly transmitted over
UDP, which does not provide any loss recovery support. In
mobile environments, the situation is even worse. The
instability of wireless channel can cause packet loss very
frequently. Moreover, the smaller data rate of wireless
channel increases the congestion possibility. This is not
desirable for applications like realtime online streaming or
stock quotes delivering. End users of online streaming will
start to complain if they experience constant service
interruptions due to packet loss, and missing critical stock
quotes can cause severe capital loss of service subscribers.
Therefore, for applications where the quality of service is
critical to end users, a multicast authentication protocol
should provide a certain level of resilience to packet loss.
Specifically, the impact of packet loss on the authenticity of
the already-received packets should be as small as possible.
Efficiency and packet loss resilience can hardly be
supported simultaneously by conventional multicast
982 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
. Y. Zhou is with Microsoft Corporation, 1 Microsoft Way, Redmond, WA
98052-8300. E-mail: yun.zhou@microsoft.com.
. X. Zhu is with the National Key Laboratory of Integrated Services
Networks, Xidian University, PO Box 106, 2 South Taibai Road, Xi’an,
Shaanxi 10071, China. E-mail: xyzhu@mail.xidian.edu.cn.
. Y. Fang is with the Department of Electrical and Computer Engineering,
University of Florida, 435 New Engineering Building, PO Box 116130,
Gainesville, FL 32611, and with the National Key Laboratory of Integrated
Services Networks, Xidian University, Xi’an 710071, China.
E-mail: fang@ece.ufl.edu.
Manuscript received 28 Jan. 2008; revised 30 Jan. 2009; accepted 17 Oct.
2009; published online 23 Feb. 2010.
For information on obtaining reprints of this article, please send e-mail to:
tmc@computer.org, and reference IEEECS Log Number TMC-2008-01-0026.
Digital Object Identifier no. 10.1109/TMC.2010.37.
1536-1233/10/$26.00 ß 2010 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
schemes. As is well known that existing digital signature
algorithms are computationally expensive, the ideal ap-
proach of signing and verifying each packet independently
raises a serious challenge to resource-constrained devices.
In order to reduce computation overhead, conventional
schemes use efficient signature algorithms [8], [9] or
amortize one signature over a block of packets [10], [11],
[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],
[24], [25], [26] at the expense of increased communication
overhead [8], [9], [10], [11] or vulnerability to packet loss
[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],
[24], [25], [26].
Another problem with schemes in [8], [9], [10], [11], [12],
[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],
[25], [26] is that they are vulnerable to packet injection by
malicious attackers. An attacker may compromise a multi-
cast system by intentionally injecting forged packets to
consume receivers’ resource, leading to Denial of Service
(DoS). Compared with the efficiency requirement and packet
loss problems, the DoS attack is not common, but it is still
important in hostile environments. In the literature, some
schemes [27], [28], [29], [30], [31], [32] attempt to provide the
DoS resilience. However, they still have the packet loss
problem because they are based on the same approach as
previous schemes [10], [11], [22], [23], [24], [25], [26].
Recently, we demonstrated that batch signature schemes
can be used to improve the performance of broadcast
authentication [5], [6]. In this paper, we present our
comprehensive study on this approach and propose a novel
multicast authentication protocol called MABS (in short for
Multicast Authentication based on Batch Signature). MABS
includes two schemes. The basic scheme (called MABS-B
hereafter) utilizes an efficient asymmetric cryptographic
primitive called batch signature [33], [34], [35], [36], [37], [38],
[39], [40], [41], [42], [43], [44], which supports the
authentication of any number of packets simultaneously
with one signature verification, to address the efficiency
and packet loss problems in general environments. The
enhanced scheme (called MABS-E hereafter) combines
MABS-B with packet filtering to alleviate the DoS impact
in hostile environments. MABS provides data integrity,
origin authentication, and nonrepudiation as previous
asymmetric key based protocols. In addition, we make the
following contributions:
1. Our MABS can achieve perfect resilience to packet
loss in lossy channels in the sense that no matter
how many packets are lost the already-received
packets can still be authenticated by receivers.
2. MABS-B is efficient in terms of less latency,
computation, and communication overhead. Though
MABS-E is less efficient than MABS-B since it
includes the DoS defense, its overhead is still at the
same level as previous schemes.
3. We propose two new batch signature schemes based
on BLS [36] and DSA [38] and show they are more
efficient than the batch RSA [33] signature scheme.
The rest of the paper is organized as follows: We briefly
review related work in Section 2. Then, we present a basic
scheme for lossy channels in Section 3, which also includes
three batch signature schemes based on RSA [33], BLS [36],
and DSA, respectively [38]. An enhanced scheme is
discussed in Section 4. After performance evaluation in
Section 5, the paper is concluded in Section 6.
2 RELATED WORK
Schemes in [8], [9] follow the ideal approach of signing and
verifying each packet individually, but reduce the compu-
tation overhead at the sender by using one-time signatures
[8] or /-time signatures [9]. They are suitable for RSA [33],
which is expensive on signing while cheap on verifying. For
each packet, however, each receiver needs to perform one
more verification on its one-time or /-time signature plus
one ordinary signature verification. Moreover, the length of
one-time signature is too long (on the order of 1,000 bytes).
Tree chaining was proposed in [10], [11] by constructing
a tree for a block of packets. The root of the tree is signed by
the sender. Each packet carries the signed root and multiple
hashes. When each receiver receives one packet in the block,
it uses the authentication information in the packet to
authenticate it. The buffered authentication information is
further used to authenticate other packets in the same block.
Without the buffered authentication information, each
packet is independently verifiable at a cost of per-packet
signature verification.
Graph chaining was studied in [12], [13], [14], [15], [16],
[17], [18], [19], [20], [21]. A multicast stream is divided into
blocks and each block is associated with a signature. In each
block, the hash of each packet is embedded into several
other packets in a deterministic or probabilistic way. The
hashes form a graph, in which each path links a packet to
the block signature. Each receiver verifies the block
signature and authenticates all the packets through the
paths in the graph.
Erasure codes were used in [22], [23], [24], [25], [26]. A
signature is generated for the concatenation of the hashes of
all the packets in one block and then is erasure-coded into
many pieces. Erasure codes make each receiver be capable
of recovering the block signature when receiving at least a
certain number of pieces.
All these schemes [10], [11], [12], [13], [14], [15], [16], [17],
[18], [19], [20], [21], [22], [23], [24], [25], [26] are indeed
computationally efficient since each receiver needs to verify
only one signature for a block of packets. However, they all
increase packet overhead for hashes or erasure codes and
the block design introduces latency when buffering many
packets. Another major problem is that most schemes [12],
[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],
[25], [26] are vulnerable to packet loss even though they are
designed to tolerate a certain level of packet loss. If too
many packets are lost, other packets may not be authenti-
cated. In particular, if a block signature is lost, the entire
block cannot be authenticated.
Moreover, previous schemes [8], [9], [10], [11], [12], [13],
[14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25],
[26] target at lossy channels, which are realistic in our daily
life since the Internet and wireless networks suffer from
packet loss. In a hostile environment, however, an active
attacker can inject forged packets to consume receivers’
resource, leading to DoS. In particular, schemes in [8], [9],
[10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21]
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
are vulnerable to forged signature attacks because they
require each receiver to verify each signature whereby to
authenticate data packets, and schemes in [22], [23], [24],
[25], [26] suffer from packet injection because each receiver
has to distinguish a certain number of valid packets from a
pool of a large number of packets including injected ones,
which is very time-consuming.
In order to deal with DoS, schemes in [27], [28], [29], [30],
[31], [32] were proposed. PARM [27] is similar to the tree
chaining scheme [10], [11] in the sense that multiple one-
way hash chains are used as shared keys between the
sender and receivers. Schemes in [28], [29] combine erasure
codes with one-way hash chains to detect forged packets.
Unfortunately, these schemes [27], [28], [29] are still
vulnerable to DoS because they require that one-way hash
chains are signed and transmitted to each receiver and
therefore an attacker can inject forged signatures for one-
way hash chains.
PRABS [30] uses distillation codes to deal with DoS. In
particular, valid packets and forged packets are partitioned
into disjoint sets and erasure decoding is performed over
each set. BAS [31] simply retransmits each signature
multiple times to tolerate packet loss and uses selective
verification to tolerate injected forged signatures. LTT [32]
uses error correction codes to replace erasure codes in
schemes [22], [23], [24], [25], [26]. The reason is that error
correction codes tolerate error packets. These three schemes
[30], [31], [32] are resilient to DoS, but they still have the
packet loss problem.
Some other schemes [45], [46], [47], [48], [49], [50], [51],
[52], [53] use shared symmetric keys between the sender and
receivers to authenticate multicast streams. Though they are
more efficient than those using signatures, they cannot
provide nonrepudiation as the signature approach, and they
require either time synchronization or trustful infrastruc-
tures. In this paper, we focus on the signature approach.
Though confidentiality is another important issue for
securing multicast, it can be achieved through group key
management [54]. In this paper, we focus on multicast
authentication.
3 BASIC SCHEME
Our target is to authenticate multicast streams from a sender
to multiple receivers. Generally, the sender is a powerful
multicast server managed by a central authority and can be
trustful. The sender signs each packet with a signature and
transmits it to multiple receivers through a multicast routing
protocol. Eachreceiver is aless powerful device withresource
constraints and may be managed by a nontrustworthy
person. Each receiver needs to assure that the received
packets are really from the sender (authenticity) and the
sender cannot deny the signing operation (nonrepudiation)
by verifying the corresponding signatures.
Ideally, authenticating a multicast stream can be
achieved by signing and verifying each packet. However,
the per-packet signature design has been criticized for its
high computation cost, and therefore, most previous
schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],
[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],
[32] incorporate a block-based design as shown in Section 2.
They do reduce the computation cost, but also introduce
new problems. The block design builds up correlation
among packets and makes them vulnerable to packet loss,
which is inherent in the Internet and wireless networks.
Received packets may not be authenticated because some
correlated packets are lost.
Also, the heterogeneity of receivers means that the buffer
resource at each receiver is different and can vary over the
timedependingontheoverall loadat thereceiver. Intheblock
design, the requiredblocksize, whichis chosenbythe sender,
may not be satisfied by each receiver.
Third, the correlation among packets can incur addi-
tional latency. Consider the high layer application needs
new data from the low layer authentication module in order
to render a smooth video stream to the client user. It is
desirable that the lower layer authentication module
delivers authenticated packets to the high layer application
at the time when the high layer application needs new data.
In the per-packet signature design it is not a problem, since
each packet can be independently verifiable at any time. In
the block design, however, it is possible that the packets
buffered at the low layer authentication module are not
verifiable because the correlated packets, especially the
block signatures, have not been received. Therefore, the
high layer application has to either wait, which leads to
additional latency, or return with a no-available-packets
exception, which could be interpreted as that the buffered
packets are “lost.” This latency, which is incurred at the
high layer when the high layer application waits for the
buffered packets to become verifiable, is different from the
buffering latency, which is required for the low layer
authentication protocol to buffer received packets.
In view of the problems regarding the sender-favored
block-based approach, we conceive a receiver-oriented
approach by taking into account the heterogeneity of the
receivers. As receiving devices have different computation
and communication capabilities, some could be powerful
desktop computers, while the others could be cheap
handsets with limited buffers and low-end CPUs. Mixed
with various channel loss rates, this heterogeneity poses a
demand on the capability of adjusting the buffer size and
authenticating buffered packets any time when the high
layer application requires at each receiver.
In order to fulfill the requirement, the basic scheme
MABS-B uses an efficient cryptographic primitive called
batch signature [33], [34], [35], [36], [37], [38], [39], [40], [41],
[42], [43], [44], which supports simultaneously verifying the
signatures of any number of packets. In particular, when a
receiver collects i packets:
j
i
¼ fi
i
. o
i
g. i ¼ 1. . . . . i.
where i
i
is the data payload, o
i
is the corresponding
signature, and i can be any positive integer, it can input
them into an algorithm
BatchVerifyðj
1
. j
2
. . . . . j
i
Þ 2 fTinc. 1o|:cg.
If the output is Tinc, the receiver knows the i packets are
authentic, and otherwise not.
To support authenticity and efficiency, the BatchVerifyðÞ
algorithm should satisfy the following properties:
984 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
1. Given a batch of packets that have been signed by
the sender, BatchVerifyðÞ outputs Tinc.
2. Given a batch of packets including some unauthentic
packets, the probability that BatchVerifyðÞ outputs
Tinc is very low.
3. The computation complexity of BatchVerifyðÞ is
comparable to that of verifying one signature and
is increased only gradually when the batch size i
is increased.
The computation complexity of BatchVerifyðÞ comes
with the fact that there are some additional cost on
processing multiple packets. As we will show later, those
additional computations are mostly modular additions and
multiplications, which are much faster than modular
exponentiations required in final signature verifications.
Theoretically, a concern comes when the cost grows higher
than the final signature verification if the batch size is too
large. However, it is not the case in reality. The merit of
batch signature is that the batch size is chosen by each
receiver, which can optimize its own batch size, so that the
batch size will not be unmanageably large. Most important,
we will show later that in the implementation of batch
signature a technique called signature preaggregation can be
used so that the additional processing of multiple packets is
shifted from the time of final batch verification to the time
of each packet reception and thus the cost of final batch
signature verification is exactly the same as that of original
signature verification.
In order to show the merit of signature preaggregation,
we implemented batch signature by using our Batch-BLS
(will be discussed later) as an example. We measured the
normalized time cost of batch signature verification with
the batch size growing from 1 to 1,000, and recorded the
results for two scenarios, with and without signature
preaggregation. The result is shown in Fig. 1. We can see
that the time cost of general batch verification (without
signature aggregation) is still less than that of two single
signature verifications when batch size grows up to about
270, which validates the third property of batch signature.
The other curve in Fig. 1 shows that if the signature
preaggregation is used, then the final batch verification has
the same cost of single signature verification, no matter how
large the batch size is.
MABS-B uses per-packet signature instead of per-block
signature and thus eliminates the correlation among
packets. The packet independency makes MABS-B perfect
resilient to packet loss. The Internet and wireless channels
tend to be lossy due to congestion or channel instability,
where packets can be lost according to different loss
models, such as random loss or burst loss. In MABS-B,
however, no matter how many packets are lost, the already-
received packets can still be authenticated by each receiver.
This is a significant advantage over previous schemes [10],
[11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22],
[23], [24], [25], [26], [27], [28], [29], [30], [31], [32]. Mean-
while, efficiency can also be achieved because a batch of
packets can be authenticated simultaneously through one
batch signature verification operation. The packet indepen-
dency also brings other benefits in terms of smaller latency
and communication overhead compared with previous
schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],
[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],
[32]. In particular, each receiver can verify the authenticity
of all the received packets in its buffer whenever the high
layer applications require, and there is no additional hash
or code overhead in each packet.
Next, we present three implementations. In addition to
the one based on RSA [33], we propose two new batch
signature schemes based on BLS [36] and DSA [38], which
are more efficient than batch RSA. We must point out and
will show later that MABS is independent from these
signature algorithms. This independency brings the free-
dom to optimize MABS for a particular physical system or
platform as much as possible.
3.1 Batch RSA Signature
3.1.1 RSA
RSA [33] is a very popular cryptographic algorithm in
many security protocols. In order to use RSA, a sender
chooses two large random primes 1 and Q to get ` ¼ 1Q,
and then calculates two exponents c. d 2 ZZ
Ã
`
such that
cd ¼ 1 iod cð`Þ, where cð`Þ ¼ ð1 À1ÞðQÀ1Þ. The sender
publishes ðc. `Þ as its public key and keeps d in secret as its
private key. A signature of a message i can be generated as
o ¼ ð/ðiÞÞ
d
iod `, where /ðÞ is a collision-resistant hash
function. The sender sends fi. og to a receiver that can
verify the authenticity of the message i by checking
o
c
¼ /ðiÞ iod `.
3.1.2 Batch RSA
To accelerate the authentication of multiple signatures,
the batch verification of RSA [34], [35] can be used. Given
i packets fi
i
. o
i
g. i ¼ 1. . . . . i, where i
i
is the data
payload, o
i
is the corresponding signature and i is any
positive integer, the receiver can first calculate /
i
¼ /ði
i
Þ
and then perform the following verification:
Y
i
i¼1
o
i
!
c
iod ` ¼
Y
i
i¼1
/
i
iod `. ð1Þ
If all i packets are truly from the sender, the equation holds
because
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 985
Fig. 1. Normalized time cost of Batch-BLS signature verification.
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
Y
i
i¼1
o
i
!
c
iod ` ¼
Y
i
i¼1
o
c
i
iod `
¼
Y
i
i¼1
/
cd
i
iod `
¼
Y
i
i¼1
/
i
iod `.
ð2Þ
Before the batch verification, the receiver must ensure all
the messages are distinct. Otherwise batch RSAis vulnerable
to the forgery attack [35]. This is easy to implement because
sequence numbers are widely used in many network
protocols and can ensure all the messages are distinct. It
has been proved in [35] that when all the messages are
distinct, batch RSAis resistant to signature forgery as long as
the underlying RSA algorithm is secure.
In some circumstances, an attacker may not forge
signatures but manipulate authentic packets to produce
invalid signatures. For example, given two packets fi
i
. o
i
g
and fi
,
. o
,
g for i 6¼ ,, the attacker can modify them into
fi
i
. o
i
`g and fi
,
. o
,
´`g. The modified packets can still pass
the batch verification, but the signature of each packet is not
correct (that is why batch RSA verification is called screening
in [35]). However, the attacker can do this only when it gets
fi
i
. o
i
g and fi
,
. o
,
g, which means the message i
i
and i
,
have been correctly signed by the sender. Therefore, this
attack is of no harm to the receiver [35].
3.1.3 Requirements to the Sender
In most RSA implementations, the public key c is usually
small (c ¼ 3 for instance) while the private key d is large.
Therefore, the RSA signature verification is efficient while
the signature generation is expensive. This poses a
challenge to the computation capability of the sender
because the sender needs to sign each packet. Choosing a
small private key d can improve the computation efficiency
but compromise the security. If the sender does not have
enough resource, a pair of fc. dg with comparable sizes can
achieve a certain level of trade-off between computation
efficiency and security at the sender part. If the sender is a
powerful server, then signing each packet can be affordable
in this scenario. Next, we propose two efficient batch
signature schemes based on BLS [36] and DSA [38], which
can reduce the computation complexity at the sender.
3.2 Batch BLS Signature
Here, we propose a batch signature scheme based on the
BLS signature in [36].
3.2.1 BLS
The BLS signature scheme uses a cryptographic primitive
called pairing, which can be defined as a map over two
cyclic groups G
1
and G
2
, c : G
1
ÂG
1
! G
2
, satisfying the
following properties:
1. Bilinear: For all n. . 2 G
1
and o. / 2 ZZ, we have
cðn
o
. .
/
Þ ¼ cðn. .Þ
o/
.
2. Nondegenerate: For the generator o
1
of G
1
, i.e.,
o
j
1
¼ 1 2 G
1
, where j is the order of G
1
, we have
cðo
1
. o
1
Þ 6¼ 1 2 G
2
.
The BLS signature scheme consists of three phases:
1. In the key generation phase, a sender chooses a
random integer r 2 ZZ
j
and computes n ¼ o
1
r
2 G
1
.
The private key is r and the public key is n.
2. Given a message i 2 f0. 1g
Ã
in the signing phase, the
sender first computes / ¼ /ðiÞ 2 G
1
, where /ðÞ is a
hash function, then computes o ¼ /
r
2 G
1
. The
signature of i is o.
3. In the verification phase, the receiver first computes
/¼/ðiÞ2G
1
and then check whether cð/.nÞ¼cðo.o
1
Þ.
If the verification succeeds, then the message i is authentic
because
cð/. nÞ ¼ cð/. o
1
r
Þ ¼ cð/
r
. o
1
Þ ¼ cðo. o
1
Þ. ð3Þ
One merit of the BLS signature is that it can generate
a very short signature. It has been shown in [36] that an
i-bit BLS signature can provide a security level equiva-
lent to solving a Discrete Log Problem (DLP) [39] over a
finite field of size approximately 2
6i
. Therefore, a 171-bit
BLS signature provides the same level of security as a
1,024-bit DLP-based signature scheme such as DSA [38].
This is a very nice choice in the scenario where
communication overhead is an important issue.
3.2.2 Batch BLS
Based on BLS, we propose our batch BLS scheme here.
Given i packets fi
i
. o
i
g. i ¼ 1. . . . . i, the receiver can verify
the batch of BLS signatures by first computing /
i
¼ /ði
i
Þ.
i ¼ 1. . . . . i and then checking whether cð
Q
i
i¼1
/
i
. nÞ ¼

Q
i
i¼1
o
i
. o
1
Þ. This is because if all the messages are
authentic, then
c
Y
i
i¼1
/
i
. n
!
¼
Y
i
i¼1
cð/
i
. o
1
r
Þ
¼
Y
i
i¼1
c
À
/
i
r
. o
1
Á
¼ c
Y
i
i¼1
o
i
. o
1
!
.
ð4Þ
We can prove that our batch BLS is secure to signature
forgery as long as BLS is secure to signature forgery.
Theorem 1. Suppose an attacker A can break the batch BLS by
forging signatures. Then, another attacker B can break BLS
under the chosen message attack by colluding with A.
Proof. Suppose B is given i À1 messages and their valid
signatures fi
i
. o
i
g. i ¼ 1. . . . . i À1, B can forge a signa-
ture o
i
for any chosen message i
i
, such that fi
i
. o
i
g
satisfies the BLS signature scheme, by colluding with A
in the following steps:
1. B sends i messages i
i
. i ¼ 1. . . . . i and i À1
signatures o
i
. i ¼ 1. . . . . i À1 to A.
2. Because A can break the batch BLS scheme, A
generates i false signatures o
i
0
. i ¼ 1. . . . . i that
pass the batch BLS verification, then returns to B a
value \ ¼
Q
i
i¼1
o
i
0
.
3. B computes o
i
¼ \ ´
Q
iÀ1
i¼1
o
i
as the signature for
i
i
, because
986 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
c
Y
i
i¼1
/
i
. n
!
¼ cð\ . o
1
Þ
) c
Y
i
i¼1
/
i
. n
!
¼ c
Y
i
i¼1
o
i
. o
1
!
) c
Y
iÀ1
i¼1
/
i
. n
!
cð/
i
. nÞ ¼ c
Y
iÀ1
i¼1
o
i
. o
1
!
cðo
i
. o
1
Þ
) cð/
i
. nÞ ¼ cðo
i
. o
1
Þ .
ð5Þ
tu
Since BLS is forgery-secure under the chosen message
attack [36], our batch BLS scheme is also secure to forgery
under the chosen message attack.
Also like batch RSA, an attacker may not forge signatures
but manipulate authentic packets to produce invalid
signatures. For instance, two packets fi
i
. o
i
g and fi
,
. o
,
g
for i 6¼ , can be replaced with fi
i
. o
i
`g and fi
,
. o
,
´`g and
still pass the batch verification. However, it does not affect
the correctness and the authenticity of i
i
and i
,
because
they have been correctly signed by the sender.
3.2.3 Requirements to the Sender
In our batch BLS, the sender needs to sign each packet.
Because BLS can provide a security level equivalent to
conventional RSA and DSA with much shorter signature
[36], the signing operation is more efficient than the RSA
signature generation. Moreover, BLS can be implemented
over elliptic curves [55], [56], which have been shown in the
literature to be more efficient than finite integer fields on
which RSA is implemented. Therefore, we can expect that
our batch BLS is more affordable by the sender than batch
RSA and also achieve computation efficiency at the receiver.
3.3 Batch DSA Signature
DSA [38] is another popular digital signature algorithm.
Unlike RSA, which is based on the hardness of factoring
two large primes, DSA is deemed secure based on the
difficulty of solving DLP [39]. A batch DSA signature
scheme was proposed in [40], but later was found insecure
[41]. Harn improved the security of [40] in [42], [43].
Unfortunately, Boyd and Pavlovski pointed out in [44] that
Harn’s work is still vulnerable to malicious attacks. Here,
we propose a batch DSA scheme based on Harn’s work and
counteract the attack described in [44].
3.3.1 Harn DSA
In Harn DSA [43], some system parameters are defined as:
1. j, a prime longer than 512 bits.
2. c, a 160-bit prime divisor of j À1.
3. o, a generator of ZZ
Ã
j
with order c, i.e., o
c
¼ 1 iod j.
4. r, the private key of the signer, 0 < r < c.
5. n, the public key of the signer, n ¼ o
r
iod j.
6. /ðÞ, a hash function generating an output in ZZ
Ã
c
.
Given a message i, the signer generates a signature by:
1. randomly selecting an integer / with 0 < / < c,
2. computing / ¼ /ðiÞ,
3. computing i ¼ ðo
/
iod jÞ iod c, and
4. computing : ¼ i/ À/r iod c.
The signature for i is ði. :Þ.
The receiver can verify the signature by first computing
/ ¼ /ðiÞ and then checking whether
ððo
:i
À1
n
/i
À1
Þ iod jÞ iod c ¼ i.
This is because if the packet is authentic, then
ððo
:i
À1
n
/i
À1
Þ iod jÞ iod c
¼ ððo
ð:þ/rÞi
À1
Þ iod jÞ iod c
¼ ðo
/
iod jÞ iod c
¼ i.
ð6Þ
3.3.2 Harn Batch DSA
Given i packets fi
i
. ði
i
. :
i
Þg. i ¼ 1. . . . . i, the receiver can
verify the batch of signatures by first computing /
i
¼ /ði
i
Þ
and then checking whether
o
P
i
i¼1
:
i
i
i
À1
n
P
i
i¼1
/
i
i
i
À1

iod j

iod c ¼
Y
i
i¼1
i
i
iod c . ð7Þ
This is because, if the batch of packets is authentic, then
o
P
i
i¼1
:
i
i
i
À1
n
P
i
i¼1
/
i
i
i
À1

iod j

iod c
¼ o
P
i
i¼1
ð:iþ/i rÞii
À1

iod j

iod c
¼ o
P
i
i¼1
/i
iod j

iod c
¼
Y
i
i¼1
i
i
iod c.
ð8Þ
3.3.3 The Boyd-Pavlovski Attack
Boyd and Pavlovski [44] pointed out an attack against the
Harn batch DSA scheme [43], where an attacker can forge
signatures for any chosen message set that has not been
signed by the sender. The process is:
1. Choose 1 and C, calculate ¹ ¼ ðo
1
n
C
iod jÞ iod c.
2. For any message set i
i
, i ¼ 1. . . . . i, randomly
choose i
i
, i ¼ 1. . . . . i À2.
3. Compute i
iÀ1
and i
i
to ensure that
Y
i
i¼1
i
i
iod c ¼ ¹ iod c ð9Þ
X
i
i¼1
/
i
i
i
À1
iod c ¼ C iod c. ð10Þ
4. Randomly choose :
i
, i ¼ 1. . . . . i À1 and compute :
i
to ensure that
X
i
i¼1
:
i
i
i
À1
iod c ¼ 1 iod c. ð11Þ
The probability that fi
i
. i
i
. :
i
g, i ¼ 1. . . . . i are forged
messages satisfying the batch verification is
1
2
[44].
3.3.4 Our Batch DSA
In order to counteract the Boyd-Pavlovski attack, our batch
DSA makes an improvement to the Harn DSA algorithm.
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 987
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
We replace the hash operation /ðiÞ in the signature
generation and verification process with /ði. iÞ. All the
other steps are the same as those in Harn’s scheme.
Though it is simple, our method can significantly
increase the security of batch DSA. In the Boyd-Pavlovski
attack, the attacker can compute i
i
values according to (9)
and (10) because parameters ¹, C, /
i
values are known. By
introducing i
i
into the hash operation, the hash values /
i
in
(10) are unknown to the attacker. Therefore, the attacker
cannot compute i
i
values and the forgery attack discussed
in [44] is defeated.
Like the cases inbatchRSAandour batchBLS, the attacker
may manipulate authentic packets fi
i
. ði
i
. :
i
Þg to produce
invalid signatures fi
i
. ði
i
0
. :
i
0
Þg, which can still pass the
batch verification. The attacker can keep i
i
unchanged,
randomly choose :
i
0
, i ¼ 1. . . . . i À1 and solve :
i
0
satisfying
X
i
i¼1
:
i
0
i
i
À1
iod c ¼
X
i
i¼1
:
i
i
i
À1
iod c. ð12Þ
However, this attack does not affect the correctness and
authenticity of messages because they have been really
signed by the sender [44]. Therefore, the receiver can still
accept them because the batch verification succeeds.
3.3.5 Requirements to the Sender
In batch RSA and our batch BLS, the sender needs to
compute one modular exponentiation to sign each packet.
In our batch DSA, the sender needs to compute one
modular exponentiation to get i and two modular multi-
plications to get :. However, i is independent on the
message i. Therefore, the sender can generate many
i values offline. When the sender starts a multicast session,
it can use reserved i values to compute : values. In this
way, only two modular multiplications are necessary to
sign a packet. Therefore, our batch DSA is much more
efficient than batch RSA and our batch BLS at the sender,
while also achieving computation efficiency at the receiver.
3.4 Preaggregation of Message Hashes and
Signatures
If we take a closer look at batch-RSA and batch-BLS, we can
notice that they use exactly the orignal RSA and BLS
algorithms, respectively. The only difference is that the
batch algorithms take the aggregations of message hashes
and signatures f
Q
i
i¼1
/
i
.
Q
i
i¼1
o
i
g as the parameters to the
original signature algorithms. This aggregation is indepen-
dent of the final signature verification. Therefore, each
receiver can compute and update f
Q
i
i¼1
/
i
.
Q
i
i¼1
o
i
g after
receiving every packet. When the time of batch verification
comes, each receiver needs just one signature verification.
For batch-DSA, the aggregations of message hashes and
signatures f
P
i
i¼1
:
i
i
i
À1
.
P
i
i¼1
/
i
i
i
À1
.
Q
i
i¼1
i
i
g are inside the
signature verification. Therefore, the cost of the aggregations
is incurred with the final signature verification. However, if
we modify the original DSA so that it takes f:i
À1
. /i
À1
. ig
instead of f/. :. ig as parameters, then batch-DSA can take
the advantage of preaggregating message hashes and
signatures, just like batch-RSA and batch-BLS.
Obviously, the computation cost at each receiver can be
more manageable no matter how large each batch is if
signature preaggregation is enforced, as shown in Fig. 1.
4 ENHANCED SCHEME
The basic scheme MABS-B targets at the packet loss
problem, which is inherent in the Internet and wireless
networks. It has perfect resilience to packet loss, no matter
whether it is random loss or burst loss. In some circum-
stances, however, an attacker can inject forged packets into
a batch of packets to disrupt the batch signature verifica-
tion, leading to DoS. A naive approach to defeat the DoS
attack is to divide the batch into multiple smaller batches
and perform a batch verification over each smaller batch,
and this divide-and-conquer approach can be recursively
carried out for each smaller batch, which means more
signature verifications at each receiver. In the worst case,
the attacker can inject forged packets at very high frequency
and expect that each receiver stops the batch operation and
recovers the basic per-packet signature verification, which
may not be viable at resource-constrained receiver devices.
In this section, we present an enhanced scheme called
MABS-E, which combines the basic scheme MABS-B and a
packet filtering mechanism to tolerate packet injection. In
particular, the sender attaches each packet with a mark,
which is unique to the packet and cannot be spoofed. At
each receiver, the multicast stream is classified into disjoint
sets based on marks. Each set of packets comes from either
the real sender or the attacker. The mark design ensures that
a packet from the real sender never falls into any set of
packets fromthe attacker, and vice versa. Next, each receiver
only needs to perform BatchVerifyðÞ over each set. If the
result is Tinc, the set of packets is authentic. If not, the set of
packets is from the attacker, and the receiver simply drops
themand does not need to divide the set into smaller subsets
for further batch verification. Therefore, a strong resilience
to DoS due to injected packets can be provided.
In MABS-E, Merkle tree [57] is used to generate marks.
An example is illustrated in Fig. 2. The sender constructs a
binary tree for eight packets. Each leaf is a hash of one
packet. Each internal node is the hash value on the
concatenation of its left and right children. For each packet,
a mark is constructed as the set of the siblings of the nodes
along the path from the packet to the root. For example, the
mark of the packet 1
3
is fH
4
. H
1.2
. H
5.8
g and the root can be
recovered as H
1.8
¼ HððH
1.2
. ðHð1
3
Þ. H
4
ÞÞ. H
5.8
Þ.
Constructing a Merkle tree is very efficient because only
hash operations are performed. Meanwhile, the one-way
property of hash operation ensures that given the root of a
Merkle tree it is infeasible to find a packet, which is not in
988 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
Fig. 2. An example of Merkle tree. Each leaf is a hash of one packet.
Each internal node is the hash value on both its left and right children.
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
the set associated with the Merkle tree and from which
there is a path to the root. This guarantees that forged
packets cannot fall into the set of authentic packets.
When the sender has a set of packets for multicast, it
generates a Merkle tree for the set and attaches a mark to
each packet. The root can be recovered based on each
packet and its mark. Each receiver can find whether two
packets belong to the same set by checking whether they
lead to the same root value. Therefore, the recovered roots
help classify received packets into disjoint sets. Each
receiver does not need to wait for a set to include all the
packets under the Merkle tree, and it can batch-verify the
set anytime. Once the set is authentic, the corresponding
root can be used to authenticate the rest of packets under
the same Merkle tree without batch-verifying them, which
saves computation overhead at each receiver.
An attacker may inject small sets of forged packets or
even inject single packet that does not belong to any set. In
this case, each receiver has many small sets and each of
them has only a few packets. Doing the BatchVerify
algorithm on each small set compromises efficiency. Since
the sets from the sender can have a large number of packets,
each receiver can choose a threshold (say t) and start batch
verification over one set only when the set has no less than
t packets. If a set has less than t packets and the root value
recovered from the set has not been authenticated, the
receiver simply drop the set of packets without processing
them and thus save computation resource. For each
receiver, the threshold t can vary according to the receiver’s
computation resource. In this way, the impact of DoS due to
packet injection can be reduced by a factor of t.
5 PERFORMANCE EVALUATION
In this section, we evaluate MABS performance in terms of
resilience to packet loss, efficiency, and DoS resilience. As
we discussed before, MABS does not assume any particular
underlying signature algorithm. This is also true for all the
literature multicast authentication schemes referenced in
this paper. Therefore, all the discussions and evaluations of
MABS and the literature works in Section 5.1 and Section 5.2
are under the assumption that they are using the same
underlying signature algorithm. The discussion of signature
algorithms is in Section 5.3.
5.1 Resilience to Packet Loss
We use simulations to evaluate the resilience to packet
loss. The metric here is the verification rate, i.e., the ratio
of the number of authenticated packets to the number of
received packets.
We compare MABS with some well-known loss tolerant
schemes EMSS [14], augmented chain (AugChain) [18],
PiggyBack [16], tree chain (Tree) [11], and SAIDA [23].
These schemes are representatives of graph chaining, tree
chaining, and erasure coding schemes and are widely used
in performance evaluation in the literature.
For EMSS [14], we choose the chain configuration of
5 À11 À17 À24 À36 À39, which has the best performance
among all the configurations of length 6 as is shown in [14].
For AugChain [18], we choose C
3.7
chain configuration. For
PiggyBack [16], we choose two class priorities. For Tree
chain [11], we choose binary tree. For SAIDA [23], we choose
the erasure code ð256. 128Þ. For all these schemes, we choose
the block size of 256 packets and simulate over 100 blocks.
We consider the random loss and the burst loss with a
maximum loss length of 10 packets. The verification rates
under different loss rates are given in Fig. 3 and Fig. 4.
We can see that the verification rates of EMSS [14],
augmented chain (AugChain) [18] and PiggyBack [16] are
decreased quickly when the loss rate is increased. The reason
is that graph chaining results in the correlation among
packets and this correlation is vulnerable to packet loss.
SAIDA [23] illustrates a resilience to packet loss up to a
certain threshold, because of the threshold performance of
erasure codes. Our MABS andTree schemes [11] have perfect
resilience to packet loss in the sense that all the received
packets can be authenticated. This is because all the packets
in MABS andTree schemes are independent fromeach other.
As we will show later, however, Tree [11] achieves this
independency by incurring large overhead and latency at the
sender and each receiver and is vulnerable to DoS, while our
MABS-B has less overhead and latency and MABS-E is
resilient to DoS at the same level of overhead as Tree [11].
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 989
Fig. 3. Verification rate under the random loss model.
Fig. 4. Verification rate under the burst loss model with the maximum
burst length 10.
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
One thing needs to be pointed out is that we do not
differentiate between MABS-B and MABS-E in Fig. 3 and
Fig. 4. MABS-B is perfect resilient to packet loss because of
its inherent design. While it is not designed for lossy
channels, MABS-E can also achieve the perfect resilience to
packet loss in lossy channels. In the lossy channel model,
where no DoS attack is assumed to present, we can set the
threshold t ¼ 1 (refer to Section 4) for MABS-E, and thus
each receiver can start batch-verification as long as there is at
least one packet received for each set of packets constructed
under the same Merkle tree. Once the received packets are
authenticated, the extracted root of the Merkle tree can be
used to authenticate the rest of packets in the same set
within several hash operations. If we set t 1, which is not
the best choice for the lossy channel, MABS-E can tolerate up
to i Àt lost packets for each set of i packets, which shows a
threshold-based loss resilience, similar to SAIDA [23].
5.2 Efficiency
We consider latency, computation, and communication
overhead for efficiency evaluation under lossy channels
and DoS channels. The notations used here are defined in
Table 1. All the evaluations are carried out over i packets.
The results are depicted in Table 2 and Table 3.
5.2.1 Comparisons over Lossy Channels
Table 2 shows the comparisons between MABS-B and well-
known loss-tolerant schemes tree chain (Tree) [11], EMSS
[14], PiggyBack [16], augmented chain (AugChain) [18], and
SAIDA [23]. We also include MABS-E and three DoS
resilient schemes PRABS [30], BAS [31], and LTT [32] in the
table just for comparisons even though they are not
designed for lossy channels.
Previous block-based schemes introduce latency either at
the sender [11], [16] or at each receiver [14], [31] or both [18],
[23], [30], [32]. The latency is inherent in the block design
due to chaining or coding. At the sender side, the
correlation among a block of packets has to be established
before the sender starts sending the packets. At each
receiver, the latency is incurred when the high layer
application waits for the buffered packets to be authenti-
cated after the correlation is recovered. This receiver side
latency is variable depending on whether the correlation
among the underline buffered packets has been recovered
or not when the high layer application needs new data, and
its maximum value is the block size. MABS-B eliminates the
correlation among packets. Each packet is independently
sent out at the sender. At each receiver, the high layer
application does not need to wait because the low layer
authentication module can deliver authenticated packets at
any time when the high layer application needs new data.
This makes MABS-B pretty suitable for realtime multimedia
applications. MABS-E introduces latency at the sender
because it includes a tree construction to counteract DoS,
but it still preserves the merit of instantaneous authentica-
tion at each receiver as MABS-B.
Both the block-based schemes and MABS require one
signature verification operation on a block or a batch of
i packets at each receiver. In addition, the schemes using
990 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
TABLE 1
Notations
TABLE 2
Comparisons over Lossy Channels
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
chaining also require many hashes, and the ones using
coding require multiple hashes and one or two decoding
operations. MABS-B is more efficient since there is no more
hashing or decoding operations. MABS-E requires ilog
2
i
hashes, which is comparable to previous schemes using
hashing and coding.
In MABS, a trade-off for perfect resilience to packet loss
is that the sender needs to sign each packet, which incurs
more computation overhead than conventional block-based
schemes. Therefore, efficient signature generation is desir-
able at the sender. Compared with RSA [33], which is
efficient in verifying but is expensive in signing, BLS [36]
and DSA [38] are pretty good candidates as we will show
later. Moreover, in multimedia multicast, the sender is
usually a powerful server and thus the per-packet signature
generation can be affordable, and the advance of computing
technology makes it easier in the long run.
For i packets, Tree [11] require an overhead of i signature
and Oðilog
2
iÞ hashes, schemes in [14], [16], [18], [23], [30],
[31], [32] require one or more signatures and up to
Oði
2
Þ hashes. MABS-B and MABS-E require i signatures
and MABS-E requires additional Oðilog
2
iÞ hashes. If long
signatures are used (like 1,024-bit RSA), MABS-B andMABS-
E have more communication overhead than those in [14],
[16], [18], [23], [30], [31], [32], which is the same case as Tree
[11]. However, BLS [36] generates short signatures of 171 bits,
which is comparable to most well-known hash algorithms
MD5 [58] (128 bits) and SHA-1 [59] (160 bits). Therefore,
MABS can have the same level of communication efficiency
as conventional schemes when BLS is used.
5.2.2 Comparisons over DoS Channels
DoS is a method for an attacker to deplete the resource of a
receiver. Processinginjectedpackets fromthe attacker always
consumes a certain amount of resource. Here, we assume an
attacker factor u, which means that for i valid packets
ui invalid packets are injected. The computation overheads
at each receiver for different schemes are depicted in Table 3.
For schemes in [11], [14], [16], [18], which authenticate
signatures first and then authenticate packet through hash
chains, the attacker can inject ui forged signature packets
because signature verification is an expensive operation.
For SAIDA [23], which requires erasure decoding, the
attacker simply injects ui forged packets because each
receiver has to choose a certain number of valid packets
from all the ð1 þuÞi packet to do decoding, which can have
a significant number of tries.
Schemes in [30], [31], [32] are designed for DoS defense.
They canalleviate the impact of packet injection by a constant
factor to reduce the computation cost at each receiver.
MABS-B is vulnerable to packet injection as schemes in
[11], [14], [16], [18], [23] since they are designed only for
lossy channels. MABS-E has the same level of DoS resilience
as those in [30], [31], [32].
5.3 Comparisons of Signature Schemes
We compare the computation overhead of three batch
signature schemes in Table 4. RSA [33] and BLS [36] require
one modular exponentiation at the sender and DSA [38]
requires two modular multiplications when i value is
computed offline. Usually one c-bit modular exponentiation
is equivalent to 1.5c modular multiplications over the same
field [35], [44]. Moreover, a c-bit modular exponentiation in
DLP is equivalent to a
c
6
-bit modular exponentiation in BLS
for the same security level. Therefore, we can estimate that
the computation overhead of one 1,024-bit RSA signing
operation is roughly equivalent to that of 768 DSA signing
operations (1,536 modular multiplications) and that of
6 BLS signing operations (each one is corresponding to
255 modular multiplications).
According to the report [60] on the computational over-
head of signature schemes on PIII 1 GHz CPU, the signing
andverificationtime for 1,024-bit RSAwitha 1,007-bit private
key are 7.9 ms and 0.4 ms, for 157-bit BLS are 2.75 ms and
81 ms, and for 1,024-bit DSA with a 160-bit private key
(without precomputing i value) are 4.09 ms and 4.87 ms. We
can observe that for BLS and DSA the signing is efficient but
the verification is expensive, and vice versa for RSA.
Therefore, we can save more computation resource at the
sender by using our batch BLS and batch DSA than batch
RSA. It is alsomeaningful touse our batchBLSandbatchDSA
at the receiver to save computation resources.
We alsocompare the lengthof twopopular hashalgorithm
MD5 [58] and SHA-1 [59] and the signature length of three
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 991
TABLE 4
Computational Overhead of Different Batch Schemes
1-modular exponentiation. `-modular multiplication. 1-pairing.
TABLE 3
Comparisons over DoS Channels
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
signature algorithms inTable 5. Giventhe same security level
as 1,024-bit RSA, BLS generates a 171-bit signature and 1o¹
generates a 320-bit signature. It is clear that by using BLS or
DSA, MABS can achieve more bandwidth efficiency than
using RSA, and could be even more efficient than conven-
tional schemes using a large number of hashes.
6 CONCLUSIONS
To reduce the signature verification overheads in the secure
multimedia multicasting, block-based authentication
schemes have been proposed. Unfortunately, most previous
schemes have many problems such as vulnerability to
packet loss and lack of resilience to denial of service (DoS)
attack. To overcome these problems, we develop a novel
authentication scheme MABS. We have demonstrated that
MABS is perfectly resilient to packet loss due to the
elimination of the correlation among packets and can
effectively deal with DoS attack. Moreover, we also show
that the use of batch signature can achieve the efficiency less
than or comparable with the conventional schemes. Finally,
we further develop two new batch signature schemes based
on BLS and DSA, which are more efficient than the batch
RSA signature scheme.
ACKNOWLEDGMENTS
This work was partially supported by the US National
Science Foundation under grants CNS-0916391, CNS-
0716450, and CNS-0626881. The works of Fang and Zhu
were also partially supported by the 111 Project under
Grant B08038. The work of Zhu was also partially
supported by the National Natural Science Foundation of
China under grant 60772136 and supported by the Funda-
mental Research Funds for the Central Universities.
REFERENCES
[1] S.E. Deering, “Multicast Routing in Internetworks and Extended
LANs,” Proc. ACM SIGCOMM Symp. Comm. Architectures and
Protocols, pp. 55-64, Aug. 1988.
[2] T. Ballardie and J. Crowcroft, “Multicast-Specific Security Threats
and Counter-Measures,” Proc. Second Ann. Network and Distributed
System Security Symp. (NDSS ’95), pp. 2-16, Feb. 1995.
[3] P. Judge and M. Ammar, “Security Issues and Solutions in
Mulicast Content Distribution: A Survey,” IEEE Network Magazine,
vol. 17, no. 1, pp. 30-36, Jan./Feb. 2003.
[4] Y. Challal, H. Bettahar, and A. Bouabdallah, “A Taxonomy of
Multicast Data Origin Authentication: Issues and Solutions,” IEEE
Comm. Surveys & Tutorials, vol. 6, no. 3, pp. 34-57, Oct. 2004.
[5] Y. Zhou and Y. Fang, “BABRA: Batch-Based Broadcast Authenti-
cation in Wireless Sensor Networks,” Proc. IEEE GLOBECOM,
Nov. 2006.
[6] Y. Zhou and Y. Fang, “Multimedia Broadcast Authentication
Based on Batch Signature,” IEEE Comm. Magazine, vol. 45, no. 8,
pp. 72-77, Aug. 2007.
[7] K. Ren, K. Zeng, W. Lou, and P.J. Moran, “On Broadcast
Authentication in Wireless Sensor Networks,” Proc. First Ann. Int’l
Conf. Wireless Algorithms, Systems, and Applications (WASA ’06),
Aug. 2006.
[8] S. Even, O. Goldreich, and S. Micali, “On-Line/Offline Digital
Signatures,” J. Cryptology, vol. 9, pp. 35-67, 1996.
[9] P. Rohatgi, “A Compact and Fast Hybrid Signature Scheme for
Multicast Packet,” Proc. Sixth ACM Conf. Computer and Comm.
Security (CCS ’99), Nov. 1999.
[10] C.K. Wong and S.S. Lam, “Digital Signatures for Flows and
Multicasts,” Proc. Sixth Int’l Conf. Network Protocols (ICNP ’98),
pp. 198-209, Oct. 1998.
[11] C.K. Wong and S.S. Lam, “Digital Signatures for Flows and
Multicasts,” IEEE/ACM Trans. Networking, vol. 7, no. 4, pp. 502-
513, Aug. 1999.
[12] R. Gennaro and P. Rohatgi, “How to Sign Digital Streams,”
Information and Computation, vol. 165, no. 1, pp. 100-116, Feb. 2001.
[13] R. Gennaro and P. Rohatgi, “How to Sign Digital Streams,” Proc.
17th Ann. Cryptology Conf. Advances in Cryptology (CRYPTO ’97),
Aug. 1997.
[14] A. Perrig, R. Canetti, J.D. Tygar, and D. Song, “Efficient
Authentication and Signing of Multicast Streams over Lossy
Channels,” Proc. IEEE Symp. Security and Privacy (SP ’00), pp. 56-
75, May 2000.
[15] Y. Challal, H. Bettahar, and A. Bouabdallah, “A
2
Cast: An
Adaptive Source Authentication Protocol for Multicast Streams,”
Proc. Ninth Int’l Symp. Computers and Comm. (ISCC ’04), vol. 1,
pp. 363-368, June 2004.
[16] S. Miner and J. Staddon, “Graph-Based Authentication of Digital
Streams,” Proc. IEEE Symp. Security and Privacy (SP ’01), pp. 232-
246, May 2001.
[17] Z. Zhang, Q. Sun, W-C Wong, J. Apostolopoulos, and S. Wee, “A
Content-Aware Stream Authentication Scheme Optimized for
Distortion and Overhead,” Proc. IEEE Int’l Conf. Multimedia and
Expo (ICME ’06), pp. 541-544, July 2006.
[18] P. Golle and N. Modadugu, “Authenticating Streamed Data in the
Presence of Random Packet Loss,” Proc. Eighth Ann. Network and
Distributed System Security Symp. (NDSS ’01), Feb. 2001.
[19] Z. Zhang, Q. Sun, and W-C Wong, “A Proposal of Butterfly-
Graphy Based Stream Authentication over Lossy Networks,” Proc.
IEEE Int’l Conf. Multimedia and Expo (ICME ’05), July 2005.
[20] S. Ueda, N. Kawaguchi, H. Shigeno, and K. Okada, “Stream
Authentication Scheme for the Use over the IP Telephony,” Proc.
18th Int’l Conf. Advanced Information Networking and Application
(AINA ’04), vol. 2, pp. 164-169, Mar. 2004.
[21] D. Song, D. Zuckerman, and J.D. Tygar, “Expander Graphs for
Digital Stream Authentication and Robust Overlay Networks,”
Proc. 2002 IEEE Symp. Security and Privacy (S&P ’02), May 2002.
[22] J.M. Park, E.K.P. Chong, and H.J. Siegel, “Efficient Multicast
Packet Authentication Using Signature Amortization,” Proc. IEEE
Symp. Security and Privacy (SP ’02), pp. 227-240, May 2002.
[23] J.M. Park, E.K.P. Chong, and H.J. Siegel, “Efficient Multicast
Stream Authentication Using Erasure Codes,” ACM Trans.
Information and System Security, vol. 6, no. 2, pp. 258-285, May 2003.
[24] A. Pannetrat and R. Molva, “Authenticating Real Time Packet
Streams and Multicasts,” Proc. Seventh IEEE Int’l Symp. Computers
and Comm. (ISCC ’02), pp. 490-495, July 2002.
[25] A. Pannetrat and R. Molva, “Efficient Multicast Packet Authenti-
cation,” Proc. 10th Ann. Network and Distributed System Security
Symp. (NDSS ’03), Feb. 2003.
[26] Y. Wu and T. Li, “Video Stream Authentication in Lossy
Networks,” Proc. IEEE Wireless Comm. and Networking Conf.
(WCNC ’06), vol. 4, pp. 2150-2155, Apr. 2006.
[27] Y. Lin, S. Shieh, and W. Lin, “Lightweight, Pollution-Attack
Resistant Multicast Authentication Scheme,” Proc. ACM Symp.
Information, Computer, and Comm. Security (ASIACCS ’06), Mar.
2006.
[28] J. Jeong, Y. Park, and Y. Cho, “Efficient DoS Resistant Multicast
Authentication Schemes,” Proc. Int’l Conf. Computational Science
and Its Applications (ICCSA ’05), May 2005.
[29] S. Choi, “Denial-of-Service Resistant Multicast Authentication
Protocol with Prediction Hashing and One-Way Key Chain,” Proc.
Seventh IEEE Int’l Symp. Multimedia (ISM ’05), Dec. 2005.
[30] C. Karlof, N. Sastry, Y. Li, A. Perrig, and J.D. Tygar, “Distillation
Codes and Applications to DoS Resistant Multicast Authentica-
tion,” Proc. 11th Ann. Network and Distributed System Security Symp.
(NDSS ’04), Feb. 2004.
992 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010
TABLE 5
Communication Overhead of Signature Schemes
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.
[31] C.A. Gunter, S. Khanna, K. Tan, and S. Venkatesh, “DoS
Protection for Reliably Authenticated Broadcast,” Proc. 11th Ann.
Network and Distributed System Security Symp. (NDSS ’04), Feb.
2004.
[32] A. Lysyanskaya, R. Tamassia, and N. Triandopoulos, “Multicast
Authentication in Fully Adversarial Networks,” Proc. IEEE Symp.
Security and Privacy (SP ’04), May 2004.
[33] R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining
Digital Signatures and Public-Key Cryptosystems,” Comm. ACM,
vol. 21, no. 2, pp. 120-126, Feb. 1978.
[34] L. Harn, “Batch Verifying Multiple RSA Digital Signatures,” IEE
Electronic Letters, vol. 34, no. 12, pp. 1219-1220, June 1998.
[35] M. Bellare, J.A. Garay, and T. Rabin, “Fast Batch Verification for
Modular Exponentiation and Digital Signatures,” Proc. Advances in
Cryptology (EUROCRYPT ’98), pp. 236-250, May 1998.
[36] D. Boneh, B. Lynn, and H. Shacham, “Short Signatures from the
Weil Pairing,” Proc. Seventh Int’l Conf. Theory and Application of
Cryptology and Information Security Advances in Cryptology
(ASIACRYPT ’01), pp. 514-532, Dec. 2001.
[37] S. Cui, P. Duan, and C.W. Chan, “An Efficient Identity-Based
Signature Scheme with Batch Verifications,” Proc. First Int’l Conf.
Scalable Information Systems, 2006.
[38] FIPS PUB 186, Digital Signature Standard (DSS), May 1994.
[39] T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme
Based on Discrete Logarithms,” IEEE Trans. Information Theory,
vol. IT-31, no. 4, pp. 469-472, July 1985.
[40] D. Naccache, D. M’Raihi, S. Vaudenay, and D. Raphaeli, “Can
D.S.A. be Improved? Complexity Trade Offs with the Digital
Signature Standard,” Proc. Workshop Theory and Application of
Cryptographic Techniques Advances in Cryptology (EUROCRYPT ’94),
pp. 77-85, May 1995.
[41] C.H. Lim and P.J. Lee, “Security of Interactive DSA Batch
Verification,” IEE Electronic Letters, vol. 30, no. 19, pp. 1592-1593,
Sept. 1994.
[42] L. Harn, “DSA-Type Secure Interactive Batch Verification Proto-
cols,” IEE Electronic Letters, vol. 31, no. 4, pp. 257-258, Feb. 1995.
[43] L. Harn, “Batch Verifying Multiple DSA-Type Digital Signatures,”
IEE Electronic Letters, vol. 34, no. 9, pp. 870-871, Apr. 1998.
[44] C. Boyd and C. Pavlovski, “Attacking and Repairing Batch
Verification Schemes,” Proc. Sixth Int’l Conf. Theory and Application
of Cryptology and Information Security Advances in Cryptology
(ASIANCRYPT ’00), pp. 58-71, Dec. 2000.
[45] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-Receiver/Multi-
Sender Network Security: Efficient Authenticated Multicast/
Feedback,” Proc. IEEE INFOCOM, vol. 3, pp. 2045-2054, May 1992.
[46] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B.
Pinkas, “Multicast Security: A Taxonomy and Some Efficient
Constructions,” Proc. IEEE INFOCOM, vol. 2, pp. 708-716, Mar.
1999.
[47] L. Lamport, “Password Authentication with Insecure Commu-
nication,” Comm. ACM, vol. 24, no. 11, pp. 770-772, Nov. 1981.
[48] N.M. Haller, “The S/Key One-Time Password System,” Proc.
ISOC Symp. Network and Distributed Security, Feb. 1994.
[49] F. Bergadano, D. Cavagnino, and B. Crispo, “Individual Single-
Source Authentication on The Mbone,” Proc. IEEE Int’l Conf.
Multimedia and Expo (ICME ’00), vol. 1, pp. 541-544, July 2000.
[50] A. Perrig, R. Canetti, D. Song, and J. Tygar, “Efficient and Secure
Source Authentication for Multicast,” Proc. Network and Distributed
System Security Symp. (NDSS ’01), 2001.
[51] A. Perrig, “The BiBa One-Time Signature and Broadcast Authen-
tication Protocol,” Proc. Eighth ACM Conf. Computer and Comm.
Security (CCS ’01), pp. 28-37, Nov. 2001.
[52] Q. Li and W. Trappe, “Reducing Delay and Enhancing DoS
Resistance in Multicast Authentication through Multigrade
Security,” IEEE Trans. Info. Forensics and Security, vol. 1, no. 2,
pp. 190-204, June 2006.
[53] S. Xu and R. Sandhu, “Authenticated Multicast Immune to Denial-
of-Service Attack,” Proc. ACM Symp. Applied Computing (SAC ’02),
2002.
[54] S. Rafaeli and D. Hutchison, “A Survey of Key Management for
Secure Group Communication,” ACM Computing Surveys, vol. 35,
no. 3, pp. 309-329, Sept. 2003.
[55] N. Koblitz, “Elliptic Curve Cryptosystems,” Math. Computation,
vol. 48, pp. 203-209, 1987.
[56] V. Miller, “Uses of Elliptic Curves in Cryptography,” Proc. Int’l
Cryptology Conf. (CRYPTO ’85), pp. 417-426, 1986.
[57] R. Merkle, “Protocols for Public Key Cryptosystems,” Proc. IEEE
Symp. Security and Privacy, Apr. 1980.
[58] R. Rivest, “The MD5 Message-Digest Algorithm,” RFC 1319, Apr.
1992.
[59] D. Eastlake and P. Jones, “US Secure Hash Algorithm 1 (SHA1),”
RFC 3174, Sept. 2001.
[60] P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient Algorithms
for Pairing-Based Cryptosystems,” Proc. Int’l Cryptology Conf.
(CRYPTO ’02), 2002.
Yun Zhou received the BE degree in electronic
information engineering and the ME degree in
communication and information system from the
Department of Electronic Engineering and In-
formation Science, University of Science and
Technology, Hefei, China, in 2000 and 2003,
respectively, and the PhD degree from the
Department of Electrical and Computer Engi-
neering, University of Florida, Gainesville, in
2007. He is currently with Microsoft Corporation.
His research interests include security, cryptography, wireless commu-
nications and networking, signal processing, and operating systems.
Xiaoyan Zhu received the BE, ME, and PhD
degrees from the School of Telecommunications
Engineering at Xidian University, Xi’an, China, in
2000, 2004, and 2009, respectively. She is now
a visiting research scholar in the Department of
Electrical and Computer Engineering at the
University Florida, Gainesville, on leave from
the School of Telecommunications Engineering,
Xidian University, Xi’an, China, where she is a
lecturer. Her research interests include wireless
networks, network security, and network coding.
Yuguang Fang received the PhD degree in
systems engineering from Case Western Re-
serve University in 1994 and the PhD degree in
electrical engineering from Boston University in
1997. He was an assistant professor in the
Department of Electrical andComputer Engineer-
ingat theNewJersey Instituteof Technology from
1998 to 2000. He then joined the Department of
Electrical and Computer Engineering at Univer-
sity of Florida in 2000 as an assistant professor,
got an early promotion to an associate professor with tenure in 2003, and
to a full professor in 2005. He holds a University of Florida Research
Foundation (UFRF) Professorship from 2006 to 2009, a Changjiang
scholar chair professorshipwith XidianUniversity, Xi’an, China, from2008
to 2011, and a guest chair professorship with Tsinghua University, China,
from 2009 to 2012. He has published more than 250 papers in refereed
professional journals and conferences. He received the US National
Science Foundation Faculty Early Career Award in 2001 and the US
Office of Naval Research Young Investigator Award in 2002, and is the
recipient of the Best Paper Award fromthe IEEEInternational Conference
on Network Protocols (ICNP) in 2006 and the IEEE TCGN Best Paper
Award from the IEEE High-Speed Networks Symposium, IEEE GLOBE-
COM, in 2002. He is also active in professional activities. He is currently
serving as the editor-in-chief for IEEE Wireless Communications and
serves/served on several editorial boards of technical journals including
the IEEE Transactions on Communications, the IEEE Transactions on
Wireless Communications, IEEE Wireless Communications Magazine,
and ACMWireless Networks. He was an editor for the IEEE Transactions
on Mobile Computing and currently serves on its steering committee. He
has been actively participating in professional conference organizations
such as serving as the steering committee cochair for QShine (2004-
2008), the technical program vice-chair for IEEE INFOCOM 2005, a
technical program symposium cochair for IEEE GLOBECOM 2004, an
areatechnical programcommittee chair for IEEEINFOCOM(2009-2010),
and a member of the technical program committee for IEEE INFOCOM
(1998, 2000, 2003-2008) andACMMobiHoc (2008-2009). Heis afellowof
the IEEE and the IEEE Computer Society and a member of the ACM.
ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 993
Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

[16]. [12]. [25]. schemes in [8]. We propose two new batch signature schemes based on BLS [36] and DSA [38] and show they are more efficient than the batch RSA [33] signature scheme. 3. [17]. [19]. leading to DoS. In the literature. [28]. Graph chaining was studied in [12]. The rest of the paper is organized as follows: We briefly review related work in Section 2. origin authentication. [24]. [23]. [11]. [17]. [20]. 2. [16]. [17]. [19]. [30]. [13]. [26].2010 at 01:51:59 UTC from IEEE Xplore. in which each path links a packet to the block signature. [13]. MABS provides data integrity. . BLS [36]. the DoS attack is not common. if a block signature is lost. [20]. [26] target at lossy channels. In this paper. Moreover. Tree chaining was proposed in [10]. previous schemes [8]. which are realistic in our daily life since the Internet and wireless networks suffer from packet loss. [24]. MABS-B is efficient in terms of less latency. [23]. [9] or amortize one signature over a block of packets [10]. [21].: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983 schemes. [24]. Another major problem is that most schemes [12]. [22]. [21]. [31]. its overhead is still at the same level as previous schemes. [18]. In order to reduce computation overhead. [15]. an active attacker can inject forged packets to consume receivers’ resource. MABS includes two schemes. [37]. [18]. [25]. and nonrepudiation as previous asymmetric key based protocols. [22]. [24].ZHOU ET AL. we present a basic scheme for lossy channels in Section 3. [11]. [26]. Another problem with schemes in [8]. [19]. [18]. [20]. each receiver needs to perform one more verification on its one-time or k-time signature plus one ordinary signature verification. conventional schemes use efficient signature algorithms [8]. Erasure codes were used in [22]. [10]. They are suitable for RSA [33]. [12]. The basic scheme (called MABS-B hereafter) utilizes an efficient asymmetric cryptographic primitive called batch signature [33]. [10]. [21]. computation. The enhanced scheme (called MABS-E hereafter) combines MABS-B with packet filtering to alleviate the DoS impact in hostile environments. [25]. [20]. Each packet carries the signed root and multiple hashes. [34]. [19]. the entire block cannot be authenticated. [23]. [17]. [18]. and DSA. [42]. [9]. [14]. [41]. When each receiver receives one packet in the block. [43]. In particular. [14]. [21]. [19]. [16]. [29]. [18]. [22]. [25]. respectively [38]. but reduce the computation overhead at the sender by using one-time signatures [8] or k-time signatures [9]. All these schemes [10]. we demonstrated that batch signature schemes can be used to improve the performance of broadcast authentication [5]. In addition. [15]. [24]. [17]. [16]. [15]. each packet is independently verifiable at a cost of per-packet signature verification. [18]. [15]. [9]. they still have the packet loss problem because they are based on the same approach as previous schemes [10]. A multicast stream is divided into blocks and each block is associated with a signature. the ideal approach of signing and verifying each packet independently raises a serious challenge to resource-constrained devices. [22]. [13]. [12]. 1. [17].000 bytes). Each receiver verifies the block signature and authenticates all the packets through the paths in the graph. [25]. Downloaded on May 31. [11]. [21]. other packets may not be authenticated. [26] at the expense of increased communication overhead [8]. [14]. [9] follow the ideal approach of signing and verifying each packet individually. [24]. it uses the authentication information in the packet to authenticate it. the hash of each packet is embedded into several other packets in a deterministic or probabilistic way. however. An enhanced scheme is discussed in Section 4. we present our comprehensive study on this approach and propose a novel multicast authentication protocol called MABS (in short for Multicast Authentication based on Batch Signature). [21]. Without the buffered authentication information. [22]. After performance evaluation in Section 5. Restrictions apply. Recently. Erasure codes make each receiver be capable of recovering the block signature when receiving at least a certain number of pieces. [20]. [19]. Moreover. and communication overhead. [18]. [11]. [14]. [25]. [23]. As is well known that existing digital signature algorithms are computationally expensive. [26]. [11] or vulnerability to packet loss [12]. we make the following contributions: Our MABS can achieve perfect resilience to packet loss in lossy channels in the sense that no matter how many packets are lost the already-received packets can still be authenticated by receivers. The hashes form a graph. [13]. [11]. [14]. [25]. the paper is concluded in Section 6. [23]. [26] are indeed computationally efficient since each receiver needs to verify only one signature for a block of packets. [17]. [11] by constructing a tree for a block of packets. However. Though MABS-E is less efficient than MABS-B since it includes the DoS defense. [39]. [16]. [14]. [23]. [23]. [36]. In each block. [13]. [15]. [21] Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [19]. In particular. [35]. If too many packets are lost. A signature is generated for the concatenation of the hashes of all the packets in one block and then is erasure-coded into many pieces. [44]. [15]. [26] is that they are vulnerable to packet injection by malicious attackers. [16]. which is expensive on signing while cheap on verifying. [16]. however. [10]. which also includes three batch signature schemes based on RSA [33]. [38]. [6]. [14]. [13]. [20]. [20]. Then. they all increase packet overhead for hashes or erasure codes and the block design introduces latency when buffering many packets. [23]. [25]. [18]. [10]. [11]. [24]. Compared with the efficiency requirement and packet loss problems. [40]. [22]. [13]. but it is still important in hostile environments. [22]. For each packet. [16]. [32] attempt to provide the DoS resilience. [19]. the length of one-time signature is too long (on the order of 1. [13]. to address the efficiency and packet loss problems in general environments. [26] are vulnerable to packet loss even though they are designed to tolerate a certain level of packet loss. [9]. [17]. [21]. leading to Denial of Service (DoS). [14]. In a hostile environment. However. some schemes [27]. [20]. [15]. [24]. The buffered authentication information is further used to authenticate other packets in the same block. [12]. The root of the tree is signed by the sender. 2 RELATED WORK Schemes in [8]. which supports the authentication of any number of packets simultaneously with one signature verification. [15]. [9]. [12]. An attacker may compromise a multicast system by intentionally injecting forged packets to consume receivers’ resource.

[48]. [12]. [38]. but they still have the packet loss problem. They do reduce the computation cost. PRABS [30] uses distillation codes to deal with DoS. In view of the problems regarding the sender-favored block-based approach. [24]. [25]. .984 IEEE TRANSACTIONS ON MOBILE COMPUTING. the correlation among packets can incur additional latency. it is possible that the packets buffered at the low layer authentication module are not verifiable because the correlated packets. In the block design. [50]. [22]. As receiving devices have different computation and communication capabilities. and n can be any positive integer. [23]. which is inherent in the Internet and wireless networks. or return with a no-available-packets exception. [14]. which is very time-consuming. we conceive a receiver-oriented approach by taking into account the heterogeneity of the receivers. i g. the per-packet signature design has been criticized for its high computation cost. [32] incorporate a block-based design as shown in Section 2. In this paper. [29]. NO. where mi is the data payload. [15]. schemes in [27]. [24]. . [25]. since each packet can be independently verifiable at any time. . the heterogeneity of receivers means that the buffer resource at each receiver is different and can vary over the time depending on the overall load at the receiver. [13]. and otherwise not. [35]. the BatchVerifyðÞ algorithm should satisfy the following properties: Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [28]. we focus on the signature approach. [18]. and schemes in [22]. In this paper. [44]. [19]. In the per-packet signature design it is not a problem. . . which could be interpreted as that the buffered packets are “lost. they cannot provide nonrepudiation as the signature approach. have not been received. the required block size. [30]. Each receiver is a less powerful device with resource constraints and may be managed by a nontrustworthy person. [49]. . Ideally. is different from the buffering latency. Restrictions apply. the basic scheme MABS-B uses an efficient cryptographic primitive called batch signature [33]. [21]. The sender signs each packet with a signature and transmits it to multiple receivers through a multicast routing protocol. when a receiver collects n packets: pi ¼ fmi . These three schemes [30]. [29]. Consider the high layer application needs new data from the low layer authentication module in order to render a smooth video stream to the client user. . JULY 2010 are vulnerable to forged signature attacks because they require each receiver to verify each signature whereby to authenticate data packets. Third. Some other schemes [45]. It is desirable that the lower layer authentication module delivers authenticated packets to the high layer application at the time when the high layer application needs new data. especially the block signatures. [29] are still vulnerable to DoS because they require that one-way hash chains are signed and transmitted to each receiver and therefore an attacker can inject forged signatures for oneway hash chains. In the block design. [39]. F alseg: If the output is T rue. [23]. Therefore. these schemes [27]. i is the corresponding signature. The reason is that error correction codes tolerate error packets. . Also. i ¼ 1. [52]. which supports simultaneously verifying the signatures of any number of packets. authenticating a multicast stream can be achieved by signing and verifying each packet. [32] are resilient to DoS. 7. the receiver knows the n packets are authentic. [25]. while the others could be cheap handsets with limited buffers and low-end CPUs. n. [29] combine erasure codes with one-way hash chains to detect forged packets. valid packets and forged packets are partitioned into disjoint sets and erasure decoding is performed over each set. [28]. PARM [27] is similar to the tree chaining scheme [10].” This latency. which leads to additional latency. most previous schemes [10]. which is chosen by the sender. which is required for the low layer authentication protocol to buffer received packets. we focus on multicast authentication. [11]. . [26]. it can be achieved through group key management [54]. Downloaded on May 31. [23]. which is incurred at the high layer when the high layer application waits for the buffered packets to become verifiable. 3 BASIC SCHEME Our target is to authenticate multicast streams from a sender to multiple receivers. p2 . [27]. In order to deal with DoS. but also introduce new problems. this heterogeneity poses a demand on the capability of adjusting the buffer size and authenticating buffered packets any time when the high layer application requires at each receiver. [47]. Schemes in [28]. pn Þ 2 fT rue. Received packets may not be authenticated because some correlated packets are lost. In order to fulfill the requirement. [41]. 9. [28]. [42]. [26] suffer from packet injection because each receiver has to distinguish a certain number of valid packets from a pool of a large number of packets including injected ones. may not be satisfied by each receiver. [51]. [53] use shared symmetric keys between the sender and receivers to authenticate multicast streams. LTT [32] uses error correction codes to replace erasure codes in schemes [22]. BAS [31] simply retransmits each signature multiple times to tolerate packet loss and uses selective verification to tolerate injected forged signatures. the high layer application has to either wait. [43]. Though they are more efficient than those using signatures. Mixed with various channel loss rates. [31]. however. Unfortunately. and therefore. Though confidentiality is another important issue for securing multicast. and they require either time synchronization or trustful infrastructures. [30].2010 at 01:51:59 UTC from IEEE Xplore. [20]. [26]. VOL. [37]. [24]. it can input them into an algorithm BatchVerifyðp1 . However. [40]. [34]. [36]. [17]. the sender is a powerful multicast server managed by a central authority and can be trustful. To support authenticity and efficiency. [11] in the sense that multiple oneway hash chains are used as shared keys between the sender and receivers. some could be powerful desktop computers. In particular. [32] were proposed. In particular. [31]. The block design builds up correlation among packets and makes them vulnerable to packet loss. [46]. [16]. [31]. Each receiver needs to assure that the received packets are really from the sender (authenticity) and the sender cannot deny the signing operation (nonrepudiation) by verifying the corresponding signatures. Generally.

[26]. [18]. [13]. The other curve in Fig. and then calculates two exponents e. which are more efficient than batch RSA. The packet independency also brings other benefits in terms of smaller latency and communication overhead compared with previous schemes [10]. The sender sends fm.ZHOU ET AL. the receiver can first calculate hi ¼ hðmi Þ and then perform the following verification: !e n n Y Y i mod N ¼ hi mod N: ð1Þ i¼1 i¼1 If all n packets are truly from the sender. those additional computations are mostly modular additions and multiplications. then the final batch verification has 1. We must point out and will show later that MABS is independent from these signature algorithms. i g. [31]. . [31]. [30]. the same cost of single signature verification. [25]. and recorded the results for two scenarios. 3. it is not the case in reality. no matter how large the batch size is. We can see that the time cost of general batch verification (without signature aggregation) is still less than that of two single signature verifications when batch size grows up to about 270. such as random loss or burst loss. This independency brings the freedom to optimize MABS for a particular physical system or platform as much as possible. we present three implementations. the probability that BatchVerifyðÞ outputs T rue is very low. [19]. NÞ as its public key and keeps d in secret as its private key. Downloaded on May 31. [14]. [22]. the batch verification of RSA [34]. [13]. Given n packets fmi . which are much faster than modular exponentiations required in final signature verifications. MABS-B uses per-packet signature instead of per-block signature and thus eliminates the correlation among packets.1 RSA RSA [33] is a very popular cryptographic algorithm in many security protocols. Meanwhile. [29].1. [15]. However. g to a receiver that can verify the authenticity of the message m by checking e ¼ hðmÞ mod N. 2. Next. the alreadyreceived packets can still be authenticated by each receiver. we propose two new batch signature schemes based on BLS [36] and DSA [38]. [24]. [16]. [32]. [22]. [17]. . [29]. The packet independency makes MABS-B perfect resilient to packet loss. where hðÞ is a collision-resistant hash function. 3. [14]. As we will show later. where packets can be lost according to different loss models. which can optimize its own batch size. we will show later that in the implementation of batch signature a technique called signature preaggregation can be used so that the additional processing of multiple packets is shifted from the time of final batch verification to the time of each packet reception and thus the cost of final batch signature verification is exactly the same as that of original signature verification. and there is no additional hash or code overhead in each packet. [24]. so that the batch size will not be unmanageably large. . In particular. which validates the third property of batch signature. . This is a significant advantage over previous schemes [10]. [12]. A signature of a message m can be generated as  ¼ ðhðmÞÞd mod N. no matter how many packets are lost.2 Batch RSA To accelerate the authentication of multiple signatures. [28]. The Internet and wireless channels tend to be lossy due to congestion or channel instability. [26]. [20]. i ¼ 1. [11]. [21]. [11]. The computation complexity of BatchVerifyðÞ is comparable to that of verifying one signature and is increased only gradually when the batch size n is increased. In addition to the one based on RSA [33]. 1. d 2 Z Ã such that ZN ed ¼ 1 mod ðNÞ. [30]. [16]. 1 shows that if the signature preaggregation is used. n. [23]. In order to show the merit of signature preaggregation. a sender chooses two large random primes P and Q to get N ¼ P Q. [27]. [18]. a concern comes when the cost grows higher than the final signature verification if the batch size is too large. [17]. [19]. BatchVerifyðÞ outputs T rue. 1. where ðNÞ ¼ ðP À 1ÞðQ À 1Þ. 3. Given a batch of packets including some unauthentic packets. Restrictions apply. [20]. Given a batch of packets that have been signed by the sender. The computation complexity of BatchVerifyðÞ comes with the fact that there are some additional cost on processing multiple packets. Normalized time cost of Batch-BLS signature verification. however.1 Batch RSA Signature 3. Most important. The merit of batch signature is that the batch size is chosen by each receiver. . Theoretically. efficiency can also be achieved because a batch of packets can be authenticated simultaneously through one batch signature verification operation. the equation holds because Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. In MABS-B. [28].: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 985 Fig. where mi is the data payload. each receiver can verify the authenticity of all the received packets in its buffer whenever the high layer applications require. with and without signature preaggregation.2010 at 01:51:59 UTC from IEEE Xplore. [27].000. [21]. [35] can be used.1. we implemented batch signature by using our Batch-BLS (will be discussed later) as an example. [12]. In order to use RSA. The result is shown in Fig. The sender publishes ðe. [25]. We measured the normalized time cost of batch signature verification with the batch size growing from 1 to 1. [32]. i is the corresponding signature and n is any positive integer. [23]. [15].

gp ¼ 1 2 G1 .986 n Y i¼1 IEEE TRANSACTIONS ON MOBILE COMPUTING. the sender first computes h ¼ hðmÞ 2 G1 . g1 Þ ¼ eð.2. 7. the public key e is usually small (e ¼ 3 for instance) while the private key d is large. a sender chooses a Z random integer x 2 Z p and computes y ¼ g1 x 2 G1 . In some circumstances. where hðÞ is a hash function. Z. Bilinear: For all u. It has been shown in [36] that an n-bit BLS signature can provide a security level equivalent to solving a Discrete Log Problem (DLP) [39] over a finite field of size approximately 26n . i g. Next. 2. The signature of m is . then ! n n Y Y hi . If the sender is a powerful server. an attacker may not forge signatures but manipulate authentic packets to produce invalid signatures. i g and fmj . the receiver must ensure all the messages are distinct. which can be defined as a map over two cyclic groups G1 and G2 . Q i¼1 B computes n ¼ V = nÀ1 i as the signature for i¼1 mn . This poses a challenge to the computation capability of the sender because the sender needs to sign each packet. h i ¼ 1. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. y ¼ eðhi . another attacker B can break BLS under the chosen message attack by colluding with A. i ¼ 1. B can forge a signature n for any chosen message mn . which means the message mi and mj have been correctly signed by the sender.2 Batch BLS Based on BLS. n and then checking whether eð n hi . . n g satisfies the BLS signature scheme. g1 Þ. 9. Therefore. Proof. yÞ ¼ eðh. . For example. Suppose an attacker A can break the batch BLS by forging signatures. 2. given two packets fmi . by colluding with A in the following steps: 1. n and n À 1 signatures i . i g and fmj . . Otherwise batch RSA is vulnerable to the forgery attack [35]. . . vb Þ ¼ eðu. which can reduce the computation complexity at the sender. e : G1  G1 ! G2 . If the sender does not have enough resource. 3. g1 ¼ i¼1 n Y i¼1 ð4Þ ! i . the receiver first computes h ¼ hðmÞ 2 G1 and then check whether eðh.1 BLS The BLS signature scheme uses a cryptographic primitive called pairing. 3. NO. Restrictions apply. i g. Theorem 1. . One merit of the BLS signature is that it can generate a very short signature. This is because if all the messages are i¼1 authentic. Suppose B is given n À 1 messages and their valid signatures fmi . . n that pass the batch BLS verification.2 Batch BLS Signature Here. B sends n messages mi . Then. then computes  ¼ hx 2 G1 .yÞ ¼ eð. such that fmn . VOL. j g for i 6¼ j. 3. dg with comparable sizes can achieve a certain level of trade-off between computation efficiency and security at the sender part. i ¼ 1. . j =g. j g.024-bit DLP-based signature scheme such as DSA [38]. . . i ¼ 1. v 2 G1 and a.1. we propose two efficient batch signature schemes based on BLS [36] and DSA [38]. we have 1 eðg1 . a 171-bit BLS signature provides the same level of security as a 1. i ¼ 1. Given a message m 2 f0. g1 x Þ e i¼1 i¼1 n Y À Á e hi x . i g and fmj . This is a very nice choice in the scenario where communication overhead is an important issue. this attack is of no harm to the receiver [35]. n.2010 at 01:51:59 UTC from IEEE Xplore. . Therefore. If the verification succeeds. . g1 x Þ ¼ eðhx . This is easy to implement because sequence numbers are widely used in many network protocols and can ensure all the messages are distinct. n À 1. Downloaded on May 31. the attacker can do this only when it gets fmi . Nondegenerate: For the generator g1 of G1 . The private key is x and the public key is y. It has been proved in [35] that when all the messages are distinct. the receiver can verify the batch of BLS signatures by first computingQ i ¼ hðmi Þ. Choosing a small private key d can improve the computation efficiency but compromise the security. g1 : ¼e We can prove that our batch BLS is secure to signature forgery as long as BLS is secure to signature forgery.g1Þ. However. vÞab . batch RSA is resistant to signature forgery as long as the underlying RSA algorithm is secure. g1 Þ: ð3Þ hi mod N: Before the batch verification. . then the message m is authentic because 1. 3. where p is the order of G1 . we propose a batch signature scheme based on the BLS signature in [36].2. then signing each packet can be affordable in this scenario. eðh. . . . we propose our batch BLS scheme here. .. then returns to B a Q value V ¼ n i 0 . . satisfying the following properties: 1. the RSA signature verification is efficient while the signature generation is expensive. . . . A generates n false signatures i 0 . Given n packets fmi .3 Requirements to the Sender In most RSA implementations. yÞ ¼ i¼1 Q eð n i . . but the signature of each packet is not correct (that is why batch RSA verification is called screening in [35]). JULY 2010 !e i mod N ¼ ¼ ¼ n Y i¼1 n Y i¼1 n Y i¼1 e mod N i hed i mod N ð2Þ The BLS signature scheme consists of three phases: In the key generation phase. . 1gà in the signing phase. i ¼ 1. In the verification phase. 2. 3. g1 Þ 6¼ 1 2 G2 . Therefore. b 2 Z we have eðua . . The modified packets can still pass the batch verification.e. Because A can break the batch BLS scheme. the attacker can modify them into fmi . n À 1 to A. . because 3. a pair of fe. i.

the private key of the signer. i ¼ 1. a 160-bit prime divisor of p À 1.3 The Boyd-Pavlovski Attack Boyd and Pavlovski [44] pointed out an attack against the Harn batch DSA scheme [43]. n are forged messages satisfying the batch verification is 1 [44]. . Restrictions apply. . ðri . Here. a prime longer than 512 bits. A batch DSA signature scheme was proposed in [40]. an attacker may not forge signatures but manipulate authentic packets to produce invalid signatures.2 Harn Batch DSA Given n packets fmi . j g for i 6¼ j can be replaced with fmi . y eðhn . our batch BLS scheme is also secure to forgery under the chosen message attack. gq ¼ 1 mod p. then Pn  Pn   À1 À1 mod p mod q g i¼1 si ri y i¼1 hi ri  Pn   À1 ¼ g i¼1 ðsi þhi xÞri mod p mod q  Pn  ð8Þ ¼ g i¼1 ki mod p mod q ¼ n Y i¼1 ri mod q: 3. a hash function generating an output in Z Ã . For instance. i g and fmj .3 Requirements to the Sender In our batch BLS.3. some system parameters are defined as: 1. computing h ¼ hðmÞ. . i ¼ 1. p. . if the batch of packets is authentic. the public key of the signer. 3.4 Our Batch DSA In order to counteract the Boyd-Pavlovski attack. n À 2. the signing operation is more efficient than the RSA signature generation. The signature for m is ðr. randomly selecting an integer k with 0 < k < q. hðÞ. g1 Þ ! ¼e ! n Y i¼1 nÀ1 Y i¼1 ! i . yÞ ¼ e ) eðhn . 2 3. 2.3 Batch DSA Signature DSA [38] is another popular digital signature algorithm. we can expect that our batch BLS is more affordable by the sender than batch RSA and also achieve computation efficiency at the receiver. Zp 4. This is because.2010 at 01:51:59 UTC from IEEE Xplore. BLS can be implemented over elliptic curves [55]. . . two packets fmi . Because BLS can provide a security level equivalent to conventional RSA and DSA with much shorter signature [36]. but later was found insecure [41]. y nÀ1 Y i¼1 hi .ZHOU ET AL. n. i ¼ 1. 3. ri . 3. 2. the sender needs to sign each packet. . Unlike RSA. Compute rnÀ1 and rn to ensure that n Y i¼1 n X i¼1 ri mod q ¼ A mod q ð9Þ ð10Þ hi ri À1 mod q ¼ C mod q: 4. . 2. the signer generates a signature by: 1. i ¼ 1. Zq Given a message m. q.. 3. Randomly choose si . randomly choose ri . .3. .e. y. g1 Þ ð5Þ The receiver can verify the signature by first computing h ¼ hðmÞ and then checking whether ððgsr yhr Þ mod pÞ mod q ¼ r: This is because if the packet is authentic. computing s ¼ rk À hx mod q. 3.2.3. . which have been shown in the literature to be more efficient than finite integer fields on which RSA is implemented. . 0 < x < q. g1 ! i . Also like batch RSA. our batch DSA makes an improvement to the Harn DSA algorithm. it does not affect the correctness and the authenticity of mi and mj because they have been correctly signed by the sender.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE n Y i¼1 987 ! hi . which is based on the hardness of factoring two large primes. then ððgsr yhr Þ mod pÞ mod q ¼ ððgðsþhxÞr Þ mod pÞ mod q u t ¼ ðgk mod pÞ mod q ¼ r: À1 À1 À1 À1 À1 )e )e hi . where an attacker can forge signatures for any chosen message set that has not been signed by the sender. a generator of Z Ã with order q. However. g1 eðn . Therefore. y ¼ gx mod p. DSA is deemed secure based on the difficulty of solving DLP [39]. computing r ¼ ðgk mod pÞ mod q. g. y n Y i¼1 e ¼ eðV . Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. calculate A ¼ ðgB yC mod pÞ mod q. . j =g and still pass the batch verification. Unfortunately. the receiver can verify the batch of signatures by first computing hi ¼ hðmi Þ and then checking whether n Pn  Pn   Y À1 À1 ri mod q : ð7Þ g i¼1 si ri y i¼1 hi ri mod p mod q ¼ i¼1 3. Harn improved the security of [40] in [42]. n À 1 and compute sn to ensure that n X i¼1 si ri À1 mod q ¼ B mod q: ð11Þ The probability that fmi .3. n. sÞ. si g. Boyd and Pavlovski pointed out in [44] that Harn’s work is still vulnerable to malicious attacks. . . For any message set mi . si Þg. i ¼ 1. . x. 5. i g and fmj . Choose B and C. g1 Þ : ð6Þ Since BLS is forgery-secure under the chosen message attack [36]. [56]. Moreover. . i. . Downloaded on May 31. 3. 6. [43]. yÞ ¼ eðn . . . and 4. The process is: 1. we propose a batch DSA scheme based on Harn’s work and counteract the attack described in [44]. .1 Harn DSA In Harn DSA [43].

The attacker can keep ri unchanged. . The sender constructs a binary tree for eight packets. s. the sender can generate many r values offline. All the other steps are the same as those in Harn’s scheme. which is unique to the packet and cannot be spoofed. mÞ. Therefore. 2. which can still pass the batch verification. Constructing a Merkle tree is very efficient because only hash operations are performed. and this divide-and-conquer approach can be recursively carried out for each smaller batch.3. If not. this attack does not affect the correctness and authenticity of messages because they have been really signed by the sender [44]. the one-way property of hash operation ensures that given the root of a Merkle tree it is infeasible to find a packet. Each internal node is the hash value on the concatenation of its left and right children. Preaggregation of Message Hashes and Signatures If we take a closer look at batch-RSA and batch-BLS. 7. the aggregations Q message hashes and of P P signatures f n si ri À1 . the set of packets is authentic.988 IEEE TRANSACTIONS ON MOBILE COMPUTING. NO. For each packet. just like batch-RSA and batch-BLS. and vice versa. For batch-DSA. For example. At each receiver. Therefore. Meanwhile. .4 The basic scheme MABS-B targets at the packet loss problem. Therefore. each Q Q receiver can compute and update f n hi .2 . . If the result is T rue. si 0 Þg. The only difference is that the batch algorithms Q take the aggregations of message hashes Q and signatures f n hi . Obviously. The mark design ensures that a packet from the real sender never falls into any set of packets from the attacker. n ri g are inside the i¼1 i¼1 i¼1 signature verification. Each internal node is the hash value on both its left and right children. Merkle tree [57] is used to generate marks. n i g after i¼1 i¼1 receiving every packet. In this section. we can notice that they use exactly the orignal RSA and BLS algorithms. while also achieving computation efficiency at the receiver. which is inherent in the Internet and wireless networks. a strong resilience to DoS due to injected packets can be provided. n i g as the parameters to the i¼1 i¼1 original signature algorithms. the sender needs to compute one modular exponentiation to get r and two modular multiplications to get s. hrÀ1 . Like the cases in batch RSA and our batch BLS. randomly choose si 0 . ðri . then batch-DSA can take the advantage of preaggregating message hashes and signatures. rg as parameters. An example of Merkle tree.2010 at 01:51:59 UTC from IEEE Xplore. the attacker can compute ri values according to (9) and (10) because parameters A. respectively. r is independent on the message m. By introducing ri into the hash operation. 9. C. 1. the attacker can inject forged packets at very high frequency and expect that each receiver stops the batch operation and recovers the basic per-packet signature verification. which may not be viable at resource-constrained receiver devices. Each leaf is a hash of one packet.8 ¼ HððH1. 3. our method can significantly increase the security of batch DSA. si 0 ri À1 mod q ¼ n X i¼1 si ri À1 mod q: ð12Þ 4 ENHANCED SCHEME However. as shown in Fig. the multicast stream is classified into disjoint sets based on marks.5 Requirements to the Sender In batch RSA and our batch BLS. This aggregation is independent of the final signature verification. . In this way. In particular. we present an enhanced scheme called MABS-E. It has perfect resilience to packet loss. A naive approach to defeat the DoS attack is to divide the batch into multiple smaller batches and perform a batch verification over each smaller batch. and the receiver simply drops them and does not need to divide the set into smaller subsets for further batch verification. i ¼ 1. Downloaded on May 31. ðri 0 . Restrictions apply. In the Boyd-Pavlovski attack. hi values are known. n hi ri À1 . VOL. which is not in Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. each receiver needs just one signature verification. In some circumstances. the computation cost at each receiver can be more manageable no matter how large each batch is if signature preaggregation is enforced. Therefore. H5. H4 ÞÞ. When the sender starts a multicast session. 2. In the worst case. ðHðP3 Þ. si Þg to produce invalid signatures fmi . Each set of packets comes from either the real sender or the attacker. Next. When the time of batch verification comes. n À 1 and solve sn 0 satisfying n X i¼1 Fig. the mark of the packet P3 is fH4 . a mark is constructed as the set of the siblings of the nodes along the path from the packet to the root. H5. an attacker can inject forged packets into a batch of packets to disrupt the batch signature verification. our batch DSA is much more efficient than batch RSA and our batch BLS at the sender.8 g and the root can be recovered as H1. the set of packets is from the attacker. only two modular multiplications are necessary to sign a packet. However. each receiver only needs to perform BatchVerifyðÞ over each set. However. In MABS-E. no matter whether it is random loss or burst loss. which combines the basic scheme MABS-B and a packet filtering mechanism to tolerate packet injection. the sender attaches each packet with a mark. the sender needs to compute one modular exponentiation to sign each packet. it can use reserved r values to compute s values. Though it is simple. Therefore. . JULY 2010 We replace the hash operation hðmÞ in the signature generation and verification process with hðr.2 . rg instead of fh. however. if we modify the original DSA so that it takes fsrÀ1 . 3. In our batch DSA. Therefore. the receiver can still accept them because the batch verification succeeds. the attacker cannot compute ri values and the forgery attack discussed in [44] is defeated. H1. the hash values hi in (10) are unknown to the attacker. leading to DoS. the attacker may manipulate authentic packets fmi . An example is illustrated in Fig. the cost of the aggregations is incurred with the final signature verification. Each leaf is a hash of one packet. Therefore. which means more signature verifications at each receiver.8 Þ.

2 are under the assumption that they are using the same 5. Our MABS and Tree schemes [11] have perfect resilience to packet loss in the sense that all the received packets can be authenticated. augmented chain (AugChain) [18]. Tree [11] achieves this independency by incurring large overhead and latency at the sender and each receiver and is vulnerable to DoS. We can see that the verification rates of EMSS [14]. Verification rate under the burst loss model with the maximum burst length 10. Each receiver does not need to wait for a set to include all the packets under the Merkle tree. 3. The metric here is the verification rate. For all these schemes. we evaluate MABS performance in terms of resilience to packet loss. tree chain (Tree) [11]. i. The discussion of signature algorithms is in Section 5. If a set has less than t packets and the root value recovered from the set has not been authenticated.ZHOU ET AL. The verification rates under different loss rates are given in Fig. Therefore. 4. Fig.e. the impact of DoS due to packet injection can be reduced by a factor of t. tree chaining. As we will show later.7 chain configuration. each receiver has many small sets and each of them has only a few packets. For AugChain [18]. the ratio of the number of authenticated packets to the number of received packets. When the sender has a set of packets for multicast. all the discussions and evaluations of MABS and the literature works in Section 5. 128Þ. we choose the erasure code ð256. For PiggyBack [16]. In this case. This is because all the packets in MABS and Tree schemes are independent from each other. The root can be recovered based on each packet and its mark. Downloaded on May 31. 5 PERFORMANCE EVALUATION In this section. This guarantees that forged packets cannot fall into the set of authentic packets.. we choose binary tree. and DoS resilience. MABS does not assume any particular underlying signature algorithm. the recovered roots help classify received packets into disjoint sets. The reason is that graph chaining results in the correlation among packets and this correlation is vulnerable to packet loss. we choose two class priorities. Doing the BatchVerify algorithm on each small set compromises efficiency.3.2010 at 01:51:59 UTC from IEEE Xplore. We consider the random loss and the burst loss with a maximum loss length of 10 packets. 3 and Fig. Restrictions apply. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. SAIDA [23] illustrates a resilience to packet loss up to a certain threshold.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 989 Fig. the threshold t can vary according to the receiver’s computation resource. In this way. For SAIDA [23]. however. the corresponding root can be used to authenticate the rest of packets under the same Merkle tree without batch-verifying them. Once the set is authentic. we choose the chain configuration of 5 À 11 À 17 À 24 À 36 À 39. . Since the sets from the sender can have a large number of packets. efficiency. PiggyBack [16]. Therefore. each receiver can choose a threshold (say t) and start batch verification over one set only when the set has no less than t packets. An attacker may inject small sets of forged packets or even inject single packet that does not belong to any set. These schemes are representatives of graph chaining. For each receiver.1 Resilience to Packet Loss We use simulations to evaluate the resilience to packet loss. because of the threshold performance of erasure codes. while our MABS-B has less overhead and latency and MABS-E is resilient to DoS at the same level of overhead as Tree [11]. We compare MABS with some well-known loss tolerant schemes EMSS [14]. we choose C3. For EMSS [14]. which saves computation overhead at each receiver. underlying signature algorithm. Each receiver can find whether two packets belong to the same set by checking whether they lead to the same root value. For Tree chain [11]. it generates a Merkle tree for the set and attaches a mark to each packet. and erasure coding schemes and are widely used in performance evaluation in the literature.1 and Section 5. Verification rate under the random loss model. which has the best performance among all the configurations of length 6 as is shown in [14]. the receiver simply drop the set of packets without processing them and thus save computation resource. As we discussed before. and it can batch-verify the set anytime. the set associated with the Merkle tree and from which there is a path to the root. and SAIDA [23]. we choose the block size of 256 packets and simulate over 100 blocks. 4. augmented chain (AugChain) [18] and PiggyBack [16] are decreased quickly when the loss rate is increased. This is also true for all the literature multicast authentication schemes referenced in this paper.

we can set the threshold t ¼ 1 (refer to Section 4) for MABS-E. the latency is incurred when the high layer application waits for the buffered packets to be authenticated after the correlation is recovered. All the evaluations are carried out over n packets. At each receiver. MABS-E can tolerate up to n À t lost packets for each set of n packets. similar to SAIDA [23]. [23].2. BAS [31]. and its maximum value is the block size. augmented chain (AugChain) [18]. and LTT [32] in the table just for comparisons even though they are not designed for lossy channels. 5. [16] or at each receiver [14]. the extracted root of the Merkle tree can be used to authenticate the rest of packets in the same set TABLE 2 Comparisons over Lossy Channels Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Each packet is independently sent out at the sender. This makes MABS-B pretty suitable for realtime multimedia applications. the schemes using One thing needs to be pointed out is that we do not differentiate between MABS-B and MABS-E in Fig. computation. The results are depicted in Table 2 and Table 3. JULY 2010 TABLE 1 Notations within several hash operations. and communication overhead for efficiency evaluation under lossy channels and DoS channels. and SAIDA [23]. which shows a threshold-based loss resilience. We also include MABS-E and three DoS resilient schemes PRABS [30]. PiggyBack [16].1 Comparisons over Lossy Channels Table 2 shows the comparisons between MABS-B and wellknown loss-tolerant schemes tree chain (Tree) [11]. [30]. VOL.2010 at 01:51:59 UTC from IEEE Xplore. [32]. While it is not designed for lossy channels. Previous block-based schemes introduce latency either at the sender [11]. but it still preserves the merit of instantaneous authentication at each receiver as MABS-B. In addition. . At the sender side. EMSS [14]. which is not the best choice for the lossy channel. MABS-B is perfect resilient to packet loss because of its inherent design. 5. 3 and Fig. MABS-E can also achieve the perfect resilience to packet loss in lossy channels. Downloaded on May 31.990 IEEE TRANSACTIONS ON MOBILE COMPUTING. Once the received packets are authenticated. the high layer application does not need to wait because the low layer authentication module can deliver authenticated packets at any time when the high layer application needs new data. 7. If we set t > 1. 4. and thus each receiver can start batch-verification as long as there is at least one packet received for each set of packets constructed under the same Merkle tree. MABS-B eliminates the correlation among packets. NO. the correlation among a block of packets has to be established before the sender starts sending the packets. The notations used here are defined in Table 1. where no DoS attack is assumed to present. Restrictions apply. [31] or both [18]. This receiver side latency is variable depending on whether the correlation among the underline buffered packets has been recovered or not when the high layer application needs new data.2 Efficiency We consider latency. In the lossy channel model. 9. At each receiver. MABS-E introduces latency at the sender because it includes a tree construction to counteract DoS. Both the block-based schemes and MABS require one signature verification operation on a block or a batch of n packets at each receiver. The latency is inherent in the block design due to chaining or coding.

ZHOU ET AL. [32] are designed for DoS defense.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 991 TABLE 3 Comparisons over DoS Channels chaining also require many hashes. [31]. However. MABS-E has the same level of DoS resilience as those in [30]. [18]. Processing injected packets from the attacker always consumes a certain amount of resource. [16]. [23]. MABS-B is vulnerable to packet injection as schemes in [11]. which is efficient in verifying but is expensive in signing. which is comparable to most well-known hash algorithms MD5 [58] (128 bits) and SHA-1 [59] (160 bits). MABS can have the same level of communication efficiency as conventional schemes when BLS is used. [30]. MABS-E requires nlog2 n hashes. in multimedia multicast.024-bit RSA). [16]. [14]. For n packets. BLS [36] and DSA [38] are pretty good candidates as we will show later. If long signatures are used (like 1. MABS-B and MABS-E require n signatures and MABS-E requires additional Oðnlog2 nÞ hashes. [23] since they are designed only for lossy channels. [32]. [16]. which incurs more computation overhead than conventional block-based schemes. [32] require one or more signatures and up to Oðn2 Þ hashes. Therefore. [18]. [30]. the sender is usually a powerful server and thus the per-packet signature generation can be affordable. [31].2 Comparisons over DoS Channels DoS is a method for an attacker to deplete the resource of a receiver. [18]. [23]. which is comparable to previous schemes using hashing and coding. [31]. a trade-off for perfect resilience to packet loss is that the sender needs to sign each packet. 5. BLS [36] generates short signatures of 171 bits. MABS-B and MABSE have more communication overhead than those in [14]. Therefore. Here. Moreover. schemes in [14]. efficient signature generation is desirable at the sender. [31].2. and the ones using coding require multiple hashes and one or two decoding operations. They can alleviate the impact of packet injection by a constant factor to reduce the computation cost at each receiver. Schemes in [30]. Compared with RSA [33]. [32]. which is the same case as Tree [11]. and the advance of computing technology makes it easier in the long run. we assume an attacker factor . Tree [11] require an overhead of n signature and Oðnlog2 nÞ hashes. MABS-B is more efficient since there is no more hashing or decoding operations. In MABS.

. which means that for n valid packets .

the attacker can inject .n invalid packets are injected. For schemes in [11]. [16]. The computation overheads at each receiver for different schemes are depicted in Table 3. [18]. which authenticate signatures first and then authenticate packet through hash chains. [14].

n forged signature packets because signature verification is an expensive operation. which requires erasure decoding. the attacker simply injects . For SAIDA [23].

n forged packets because each receiver has to choose a certain number of valid packets from all the ð1 þ .

09 ms and 4. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY.024-bit DSA with a 160-bit private key (without precomputing r value) are 4.536 modular multiplications) and that of 6 BLS signing operations (each one is corresponding to 255 modular multiplications).024-bit RSA signing operation is roughly equivalent to that of 768 DSA signing operations (1. It is also meaningful to use our batch BLS and batch DSA at the receiver to save computation resources. Therefore. Usually one c-bit modular exponentiation is equivalent to 1:5c modular multiplications over the same field [35]. Moreover. According to the report [60] on the computational overhead of signature schemes on PIII 1 GHz CPU. 5. .024-bit RSA with a 1. M-modular multiplication.3 Comparisons of Signature Schemes We compare the computation overhead of three batch signature schemes in Table 4. the signing and verification time for 1. We also compare the length of two popular hash algorithm MD5 [58] and SHA-1 [59] and the signature length of three TABLE 4 Computational Overhead of Different Batch Schemes E-modular exponentiation. We can observe that for BLS and DSA the signing is efficient but the verification is expensive. we can estimate that the computation overhead of one 1.4 ms. P -pairing. Therefore. Downloaded on May 31.Þn packet to do decoding.87 ms. we can save more computation resource at the sender by using our batch BLS and batch DSA than batch RSA.007-bit private key are 7. a c-bit modular exponentiation in c DLP is equivalent to a 6 -bit modular exponentiation in BLS for the same security level. and vice versa for RSA. which can have a significant number of tries. RSA [33] and BLS [36] require one modular exponentiation at the sender and DSA [38] requires two modular multiplications when r value is computed offline.2010 at 01:51:59 UTC from IEEE Xplore. for 157-bit BLS are 2. and for 1. Restrictions apply.75 ms and 81 ms.9 ms and 0. [44].

18th Int’l Conf. Tygar. IEEE Symp. “On-Line/Offline Digital Signatures. Architectures and Protocols. 2001. Cho. 258-285./Feb. Network and Distributed System Security Symp.024-bit RSA. and Applications (WASA ’06). (NDSS ’01). Zhang. pp.” Proc. “Authenticating Real Time Packet Streams and Multicasts. Network and Distributed System Security Symp. Shieh. 1995. no. Zhou and Y. “Graph-Based Authentication of Digital Streams. W. Second Ann. Information. Chong. W-C Wong. Wong and S. It is clear that by using BLS or DSA. and CNS-0626881. C. “A2 Cast: An Adaptive Source Authentication Protocol for Multicast Streams.” Proc. Golle and N. Advances in Cryptology (CRYPTO ’97). N. Zhou and Y. 1. 2006. 1999. Feb. and H. Downloaded on May 31. “Multicast-Specific Security Threats and Counter-Measures.” Proc. Molva. Sun. 165. . 363-368. J. Jan. R. 1998. 164-169. 2. May 2000. Staddon. N. E. and Networking Conf. no. we further develop two new batch signature schemes based on BLS and DSA. and P. pp. “A Compact and Fast Hybrid Signature Scheme for Multicast Packet. P. (NDSS ’03). Y. S. Y. Zhang. Security (ASIACCS ’06). 1. “Security Issues and Solutions in Mulicast Content Distribution: A Survey. May 2002. Perrig. 1999. Karlof.P. and K. Perrig.D. Tygar. 100-116. A.S.” Proc. pp. Ballardie and J. “Multimedia Broadcast Authentication Based on Batch Signature. and H. VOL. Apr. 2004.P. Pannetrat and R.” Proc. Sun. [16] [17] [18] [19] [20] ACKNOWLEDGMENTS This work was partially supported by the US National Science Foundation under grants CNS-0916391. (ISCC ’04). Multimedia and Expo (ICME ’06). Ninth Int’l Symp. H. 227-240. Sixth Int’l Conf. ACM SIGCOMM Symp. vol. 7. 2003. H. pp.” Proc. Security and Privacy (SP ’02). Unfortunately. A. T.D. Restrictions apply. vol.” Proc. (ISCC ’02). “A Content-Aware Stream Authentication Scheme Optimized for Distortion and Overhead. R. “Digital Signatures for Flows and Multicasts. J. Siegel. no. 3.992 IEEE TRANSACTIONS ON MOBILE COMPUTING. Zuckerman. vol.” Proc. 17th Ann. Y. (WCNC ’06). Cryptology Conf. vol. “Efficient DoS Resistant Multicast Authentication Schemes. 232246. pp. Seventh IEEE Int’l Symp. 9.” Proc. Pannetrat and R. Sixth ACM Conf. Miner and J. vol. pp. 541-544. Siegel. Bouabdallah. pp. 2004. Park. pp.” Proc. Networking. A. 198-209. “Stream Authentication Scheme for the Use over the IP Telephony. Gennaro and P. Nov. Rohatgi. Surveys & Tutorials.” Proc.” J. (NDSS ’95). Li. IEEE GLOBECOM. Feb. July 2006.D. S. most previous schemes have many problems such as vulnerability to packet loss and lack of resilience to denial of service (DoS) attack. no. J. pp. 2005. pp. D. Song.” IEEE Comm. Systems. vol. BLS generates a 171-bit signature and DSA generates a 320-bit signature. Q. and J. we develop a novel authentication scheme MABS. IEEE Wireless Comm.” Proc. Chong. 17. 11th Ann. Aug. Canetti. “Digital Signatures for Flows and Multicasts. Okada. Lam. May 2005. “Authenticating Streamed Data in the Presence of Random Packet Loss. IEEE Int’l Conf.” Proc. Security and Privacy (SP ’00).K.K. vol. Wu and T.K. 2006. Z. Micali.” Proc. (NDSS ’04). Int’l Conf. and W. Finally.J. Gennaro and P. “On Broadcast Authentication in Wireless Sensor Networks. 2007.” IEEE Network Magazine. and A. May 2002. 4. H. NO. Aug. CNS0716450. “Video Stream Authentication in Lossy Networks. pp. Ammar.J.J. Computer. 1988. block-based authentication schemes have been proposed.” Proc. R.” ACM Trans.M. Feb. IEEE Int’l Conf.M. 2-16. Deering. Even. [12] [13] [14] 6 CONCLUSIONS [15] To reduce the signature verification overheads in the secure multimedia multicasting.” Proc.” Proc. Pollution-Attack Resistant Multicast Authentication Scheme.” Proc. pp. Sastry. Y. and Y. Feb. Judge and M. Wee. pp. “Efficient Multicast Packet Authentication. K. Molva. First Ann. and S. 502513. 5675. July 2005. Park. IEEE Symp. Goldreich. Advanced Information Networking and Application (AINA ’04).” IEEE Comm. Magazine. Security and Privacy (SP ’01). “A Taxonomy of Multicast Data Origin Authentication: Issues and Solutions. IEEE Symp. Moreover. Q. Dec. Eighth Ann. and W-C Wong. JULY 2010 TABLE 5 Communication Overhead of Signature Schemes [7] [8] [9] [10] [11] signature algorithms in Table 5. 2001. Lou. 2003. Int’l Conf. Seventh IEEE Int’l Symp. Aug. The works of Fang and Zhu were also partially supported by the 111 Project under Grant B08038. Bouabdallah. vol. P. S. Given the same security level as 1. 35-67. Oct. Ren.S. 1996. To overcome these problems. Comm. 10th Ann. Lin. A. 4. Challal. 2150-2155. “Multicast Routing in Internetworks and Extended LANs. Security (CCS ’99). Computational Science and Its Applications (ICCSA ’05).” Proc.2010 at 01:51:59 UTC from IEEE Xplore. pp. “How to Sign Digital Streams. “Efficient Authentication and Signing of Multicast Streams over Lossy Channels. Choi. 8. Z. Zeng. and J.K. Network and Distributed System Security Symp. J. and S. “Lightweight. “Expander Graphs for Digital Stream Authentication and Robust Overlay Networks. Li. vol.” Proc. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Network Protocols (ICNP ’98). 72-77. “A Proposal of ButterflyGraphy Based Stream Authentication over Lossy Networks. Multimedia (ISM ’05). The work of Zhu was also partially supported by the National Natural Science Foundation of China under grant 60772136 and supported by the Fundamental Research Funds for the Central Universities. C. vol. “Efficient Multicast Stream Authentication Using Erasure Codes. P. Lam. Computers and Comm. 7. Lin. pp. 2. 2006. Rohatgi. Tygar. Oct.” Proc. Nov. 2004. Mar. 2006. no. Kawaguchi. 1997. C. which are more efficient than the batch RSA signature scheme. Fang. Shigeno. Challal.E. Network and Distributed System Security Symp. S. no. “Denial-of-Service Resistant Multicast Authentication Protocol with Prediction Hashing and One-Way Key Chain. 34-57. Aug. “Distillation Codes and Applications to DoS Resistant Multicast Authentication. 1. pp. E. Y. 6. Y. and Comm. Modadugu. [28] [29] [30] K. “BABRA: Batch-Based Broadcast Authentication in Wireless Sensor Networks. May 2001. pp.” Information and Computation. Wireless Algorithms. MABS can achieve more bandwidth efficiency than using RSA. July 2002. S. 6. Computer and Comm. 45. Information and System Security. Y. Security and Privacy (S&P ’02). We have demonstrated that MABS is perfectly resilient to packet loss due to the elimination of the correlation among packets and can effectively deal with DoS attack. D. and A. Aug. June 2004.” Proc. Moran. Park. Song. Rohatgi. Fang. ACM Symp. Bettahar. Ueda. Multimedia and Expo (ICME ’05). Crowcroft. 55-64. Y. Apostolopoulos. Cryptology. Computers and Comm. Wong and S. and D.” Proc. 2002 IEEE Symp. J. O. “Efficient Multicast Packet Authentication Using Signature Amortization. 30-36. 9. and could be even more efficient than conventional schemes using a large number of hashes. Bettahar. “How to Sign Digital Streams. pp. [21] [22] [23] [24] [25] [26] [27] REFERENCES [1] [2] [3] [4] [5] [6] S. we also show that the use of batch signature can achieve the efficiency less than or comparable with the conventional schemes. Jeong. 490-495. Feb.” IEEE/ACM Trans. May 2003. Mar.

vol. Network and Distributed System Security Symp. He holds a University of Florida Research Foundation (UFRF) Professorship from 2006 to 2009. . Adleman.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 993 [31] C. Shacham. Venkatesh. cryptography. May 1994.S. S. Info. His research interests include security. Feb. Network and Distributed Security. 4. Xu and R. respectively. [59] D. no. Lim and P. First Int’l Conf. Cui. Canetti. Rivest. Forensics and Security. Computation. China. IEEE Symp. July 2000. pp. He then joined the Department of Electrical and Computer Engineering at University of Florida in 2000 as an assistant professor. [48] N. [51] A. 1981. “Multicast Security: A Taxonomy and Some Efficient Constructions. Perrig. Lysyanskaya. pp. [54] S. 34. June 1998. 4. and B. Jones. A.” Comm.” Proc. “The MD5 Message-Digest Algorithm. Raphaeli. (CRYPTO ’02).” Proc. [34] L. pp. 2. Tan. Sandhu. Restrictions apply. no. and J.” Proc. pp.” Proc. Cavagnino. from 2009 to 2012. 1987. vol. 2. [52] Q.A. no. [53] S. got an early promotion to an associate professor with tenure in 2003. D. 2004. Scott. M’Raihi. “Security of Interactive DSA Batch Verification.” IEE Electronic Letters. Advances in Cryptology (EUROCRYPT ’98). [47] L. IEEE INFOCOM.” Proc. “Efficient Algorithms for Pairing-Based Cryptosystems. 514-532. be Improved? Complexity Trade Offs with the Digital Signature Standard. “Efficient and Secure Source Authentication for Multicast. Hefei. 1994. respectively. “Batch Verifying Multiple RSA Digital Signatures. “Multicast Authentication in Fully Adversarial Networks. Mar. Xi’an. IEEE Symp. “The BiBa One-Time Signature and Broadcast Authentication Protocol. [44] C. Frankel. pp. 469-472. 9. Feb. [49] F. H. IEEE INFOCOM. [38] FIPS PUB 186. on leave from the School of Telecommunications Engineering. University of Florida. and to a full professor in 2005. Scalable Information Systems. 2001. Canetti. Hutchison.” RFC 3174. Garay. China. “US Secure Hash Algorithm 1 (SHA1).” Proc. ME. 2002. 203-209.” Proc. Yung. and S. no. “Can D. Chan. Eighth ACM Conf. Eastlake and P. Feb. R. ACM. (NDSS ’01).” RFC 1319. network security. and a member of the technical program committee for IEEE INFOCOM (1998. Rivest. Itkis. 2001. Nov. He received the US National Science Foundation Faculty Early Career Award in 2001 and the US Office of Naval Research Young Investigator Award in 2002. 35. 1. pp. 770-772. [43] L. ElGamal. Dec. 1999. ACM. Nov.” Comm. from 2008 to 2011. no. no. vol. 48. and B. ACM Symp. University of Science and Technology. pp. Lamport. and a guest chair professorship with Tsinghua University. Xidian University. Int’l Cryptology Conf. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. 2003. [55] N. D. May 1992. 2002. Naccache. Sept. “Protocols for Public Key Cryptosystems. Security and Privacy. 2003-2008) and ACM MobiHoc (2008-2009). 58-71. (CRYPTO ’85). 541-544. He was an editor for the IEEE Transactions on Mobile Computing and currently serves on its steering committee. “Reducing Delay and Enhancing DoS Resistance in Multicast Authentication through Multigrade Security. [46] R. and ACM Wireless Networks. 11th Ann. 870-871. “Multi-Receiver/MultiSender Network Security: Efficient Authenticated Multicast/ Feedback. Harn. Pinkas. Xiaoyan Zhu received the BE. Apr.” Proc. in 2000 and 2003. pp. 31. [41] C. Apr. 11.” Proc. Garay. in 2002. “Password Authentication with Insecure Communication. no. Perrig. Y. 24. Sixth Int’l Conf. D. [57] R. Sept. and C. Computer and Comm.J. He was an assistant professor in the Department of Electrical and Computer Engineering at the New Jersey Institute of Technology from 1998 to 2000. 1995. Haller. D. and network coding. 3. “Elliptic Curve Cryptosystems. Downloaded on May 31. K.” Proc. Boyd and C. He is a fellow of the IEEE and the IEEE Computer Society and a member of the ACM. Feb. May 1998. 2000. 2004. Barreto.” Proc. vol. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIANCRYPT ’00). 19.” Proc. 1986. Li and W. July 1985. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Network and Distributed System Security Symp. 2001. Duan. Micciancio. [36] D. pp. 417-426. 3. Harn. vol. “Uses of Elliptic Curves in Cryptography. and T. Pavlovski. Lee. Miller. Yun Zhou received the BE degree in electronic information engineering and the ME degree in communication and information system from the Department of Electronic Engineering and Information Science. Rafaeli and D. where she is a lecturer. vol. 1998.H. Xi’an. He is currently serving as the editor-in-chief for IEEE Wireless Communications and serves/served on several editorial boards of technical journals including the IEEE Transactions on Communications. [37] S. [45] Y. vol. J. China. pp. vol. and D. “An Efficient Identity-Based Signature Scheme with Batch Verifications. Harn. J.” Proc. Naor. [58] R. no. [60] P. a technical program symposium cochair for IEEE GLOBECOM 2004. pp. pp. vol. 309-329. 77-85. Crispo. the IEEE Transactions on Wireless Communications. and operating systems. 236-250. IEEE Wireless Communications Magazine. “DoS Protection for Reliably Authenticated Broadcast. [33] R. vol. Merkle. Song.A. 30.” IEE Electronic Letters. and the PhD degree from the Department of Electrical and Computer Engineering. pp. [42] L. “Fast Batch Verification for Modular Exponentiation and Digital Signatures. a Changjiang scholar chair professorship with Xidian University. Bergadano. no. Applied Computing (SAC ’02). Dec. June 2006. R. Tamassia. Khanna. 2000.W. Xi’an. Trappe. vol.” IEEE Trans.” Proc. “The S/Key One-Time Password System. an area technical program committee chair for IEEE INFOCOM (2009-2010). “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. “Authenticated Multicast Immune to Denialof-Service Attack. 2001. 34. Koblitz. 2045-2054. Lynn. 120-126. and 2009. Gainesville. China. He is currently with Microsoft Corporation. Her research interests include wireless networks. (NDSS ’04). Int’l Cryptology Conf. Bellare. Yuguang Fang received the PhD degree in systems engineering from Case Western Reserve University in 1994 and the PhD degree in electrical engineering from Boston University in 1997. May 2004. B. May 1995. Triandopoulos. [56] V. M. Security and Privacy (SP ’04). “Short Signatures from the Weil Pairing. pp. China. IEEE Int’l Conf. S. pp. and PhD degrees from the School of Telecommunications Engineering at Xidian University. 1592-1593. and N. Desmedt. Shamir. 2006. Tygar. Seventh Int’l Conf. He has been actively participating in professional conference organizations such as serving as the steering committee cochair for QShine (20042008). [35] M.” Proc. 28-37. IEEE GLOBECOM. vol. B. 257-258. Boneh. Security (CCS ’01). pp. 1. “Attacking and Repairing Batch Verification Schemes. 1980. 2. G. [39] T. the technical program vice-chair for IEEE INFOCOM 2005. 1978. Digital Signature Standard (DSS). He has published more than 250 papers in refereed professional journals and conferences. IT-31. “DSA-Type Secure Interactive Batch Verification Protocols.ZHOU ET AL. 1219-1220. ISOC Symp. Apr. pp.” IEE Electronic Letters. Rabin. He is also active in professional activities. 12. Kim.” Proc. Sept. “Individual SingleSource Authentication on The Mbone. [50] A. in 2007. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIACRYPT ’01). and L. 21. 190-204.A. [32] A. “Batch Verifying Multiple DSA-Type Digital Signatures.M.2010 at 01:51:59 UTC from IEEE Xplore. wireless communications and networking. She is now a visiting research scholar in the Department of Electrical and Computer Engineering at the University Florida.L. 708-716. Information Theory. 1994. and M.” IEE Electronic Letters.” ACM Computing Surveys. and is the recipient of the Best Paper Award from the IEEE International Conference on Network Protocols (ICNP) in 2006 and the IEEE TCGN Best Paper Award from the IEEE High-Speed Networks Symposium.” Math. Gainesville. P. Lynn.” Proc. Gunter. 1992. signal processing. and H. [40] D. Multimedia and Expo (ICME ’00). pp. “A Survey of Key Management for Secure Group Communication. and M. in 2000. Workshop Theory and Application of Cryptographic Techniques Advances in Cryptology (EUROCRYPT ’94). Vaudenay. pp.” IEEE Trans. vol.