27 views

Uploaded by Agv AG

save

- CS0128
- IJAIEM-2013-05-25-059
- Code Signing Best Practices
- MABS Multicast Authentication Based on Batch Signature
- pkivsidpkc.doc
- Public Key Cryptography
- Cryptography and Network Security
- Security on the E-Commerce Site
- HYBRID MODEL FOR DETECTING VIRUSES IN MOBILE NETWORKS
- 10.1.1.10
- e Bankbook
- A Review on Implementation of RSA Cryptosystem Using Ancient Indian Vedic Mathematics
- Constructing Fair-Exchange Protocols for E-commerce Via Distributed Computation of RSA Signatures
- 489-493
- Cryptograph
- A Review of Fair Exchange Protocols
- Recommendation for Key Management
- Tbw Ad-pki Guide Us Mj
- Securing Your Private Keys as Best Practice for Code Signing Certificates.original
- Security Review1
- Formal_Models.pdf
- Energy-aware Security in M-Commerce and the Internet of Things _Fadi Hamad, Leonid Smalov, Anne James, IETE Technical Review.pdf
- Website 1
- E-Voting Protocol Based On Public-Key Cryptography
- Cloud Seeding Research Legislation 2012 - Full Day Hansard Transcript (Legislative Council, 17 October 2012, Corrected Copy) - NSW Parliament
- ref4
- Acp120
- The Political Science of the Internet
- Chapter 1 Intro and Background
- sdfsdfdsf
- Yes Please
- The Unwinding: An Inner History of the New America
- Sapiens: A Brief History of Humankind
- The Innovators: How a Group of Hackers, Geniuses, and Geeks Created the Digital Revolution
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future
- Dispatches from Pluto: Lost and Found in the Mississippi Delta
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New America
- John Adams
- The Prize: The Epic Quest for Oil, Money & Power
- The Emperor of All Maladies: A Biography of Cancer
- This Changes Everything: Capitalism vs. The Climate
- Grand Pursuit: The Story of Economic Genius
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True Story
- The New Confessions of an Economic Hit Man
- Team of Rivals: The Political Genius of Abraham Lincoln
- The Hard Thing About Hard Things: Building a Business When There Are No Easy Answers
- Smart People Should Build Things: How to Restore Our Culture of Achievement, Build a Path for Entrepreneurs, and Create New Jobs in America
- Rise of ISIS: A Threat We Can't Ignore
- The World Is Flat 3.0: A Brief History of the Twenty-first Century
- Bad Feminist: Essays
- Steve Jobs
- Angela's Ashes: A Memoir
- How To Win Friends and Influence People
- Extremely Loud and Incredibly Close: A Novel
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)
- The Silver Linings Playbook: A Novel
- Leaving Berlin: A Novel
- The Light Between Oceans: A Novel
- The Incarnations: A Novel
- You Too Can Have a Body Like Mine: A Novel
- The Love Affairs of Nathaniel P.: A Novel
- Life of Pi
- The Flamethrowers: A Novel
- Brooklyn: A Novel
- The Rosie Project: A Novel
- The Blazing World: A Novel
- We Are Not Ourselves: A Novel
- The First Bad Man: A Novel
- The Master
- Bel Canto
- A Man Called Ove: A Novel
- The Kitchen House: A Novel
- Beautiful Ruins: A Novel
- Interpreter of Maladies
- The Wallcreeper
- The Art of Racing in the Rain: A Novel
- Wolf Hall: A Novel
- The Cider House Rules
- A Prayer for Owen Meany: A Novel
- The Bonfire of the Vanities: A Novel
- Lovers at the Chameleon Club, Paris 1932: A Novel
- The Perks of Being a Wallflower
- The Constant Gardener: A Novel

You are on page 1of 12

**Based on Batch Signature
**

Yun Zhou, Xiaoyan Zhu, and Yuguang Fang, Fellow, IEEE

Abstract—Conventional block-based multicast authentication schemes overlook the heterogeneity of receivers by letting the sender

choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the

signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them

vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service (DoS)

resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast

authentication protocol, namely MABS, including two schemes. The basic scheme (MABS-B) eliminates the correlation among packets

and thus provides the perfect resilience to packet loss, and it is also efficient in terms of latency, computation, and communication

overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets

simultaneously. We also present an enhanced scheme MABS-E, which combines the basic scheme with a packet filtering mechanism

to alleviate the DoS impact while preserving the perfect resilience to packet loss.

Index Terms—Multimedia, multicast, authentication, signature.

Ç

1 INTRODUCTION

M

ULTICAST [1] is an efficient method to deliver multi-

media content from a sender to a group of receivers

and is gaining popular applications such as realtime stock

quotes, interactive games, video conference, live video

broadcast, or video on demand. Authentication is one of

the critical topics in securing multicast [2], [3], [4], [5], [6],

[7] in an environment attractive to malicious attacks.

Basically, multicast authentication may provide the follow-

ing security services:

1. Data integrity: Each receiver should be able to

assure that received packets have not been modified

during transmissions.

2. Data origin authentication: Each receiver should be

able to assure that each received packet comes from

the real sender as it claims.

3. Nonrepudiation: The sender of a packet shouldnot be

able to deny sending the packet to receivers in case

there is a dispute between the sender and receivers.

All the three services can be supported by an asymmetric

key technique called signature. In an ideal case, the sender

generates a signature for each packet with its private key,

which is called signing, and each receiver checks the validity

of the signature with the sender’s public key, which is

called verifying. If the verification succeeds, the receiver

knows the packet is authentic.

Designing a multicast authentication protocol is not an

easy task. Generally, there are following issues in real world

challenging the design. First, efficiency needs to be

considered, especially for receivers. Compared with the

multicast sender, which could be a powerful server,

receivers can have different capabilities and resources. The

receiver heterogeneity requires that the multicast authenti-

cation protocol be able to execute on not only powerful

desktop computers but also resource-constrained mobile

handsets. In particular, latency, computation, and commu-

nication overhead are major issues to be considered. Second,

packet loss is inevitable. In the Internet, congestion at

routers is a major reason causing packet loss. An overloaded

router drops buffered packets according to its preset control

policy. Though TCP provides a certain retransmission

capability, multicast content is mainly transmitted over

UDP, which does not provide any loss recovery support. In

mobile environments, the situation is even worse. The

instability of wireless channel can cause packet loss very

frequently. Moreover, the smaller data rate of wireless

channel increases the congestion possibility. This is not

desirable for applications like realtime online streaming or

stock quotes delivering. End users of online streaming will

start to complain if they experience constant service

interruptions due to packet loss, and missing critical stock

quotes can cause severe capital loss of service subscribers.

Therefore, for applications where the quality of service is

critical to end users, a multicast authentication protocol

should provide a certain level of resilience to packet loss.

Specifically, the impact of packet loss on the authenticity of

the already-received packets should be as small as possible.

Efficiency and packet loss resilience can hardly be

supported simultaneously by conventional multicast

982 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

. Y. Zhou is with Microsoft Corporation, 1 Microsoft Way, Redmond, WA

98052-8300. E-mail: yun.zhou@microsoft.com.

. X. Zhu is with the National Key Laboratory of Integrated Services

Networks, Xidian University, PO Box 106, 2 South Taibai Road, Xi’an,

Shaanxi 10071, China. E-mail: xyzhu@mail.xidian.edu.cn.

. Y. Fang is with the Department of Electrical and Computer Engineering,

University of Florida, 435 New Engineering Building, PO Box 116130,

Gainesville, FL 32611, and with the National Key Laboratory of Integrated

Services Networks, Xidian University, Xi’an 710071, China.

E-mail: fang@ece.ufl.edu.

Manuscript received 28 Jan. 2008; revised 30 Jan. 2009; accepted 17 Oct.

2009; published online 23 Feb. 2010.

For information on obtaining reprints of this article, please send e-mail to:

tmc@computer.org, and reference IEEECS Log Number TMC-2008-01-0026.

Digital Object Identifier no. 10.1109/TMC.2010.37.

1536-1233/10/$26.00 ß 2010 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

schemes. As is well known that existing digital signature

algorithms are computationally expensive, the ideal ap-

proach of signing and verifying each packet independently

raises a serious challenge to resource-constrained devices.

In order to reduce computation overhead, conventional

schemes use efficient signature algorithms [8], [9] or

amortize one signature over a block of packets [10], [11],

[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],

[24], [25], [26] at the expense of increased communication

overhead [8], [9], [10], [11] or vulnerability to packet loss

[12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23],

[24], [25], [26].

Another problem with schemes in [8], [9], [10], [11], [12],

[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],

[25], [26] is that they are vulnerable to packet injection by

malicious attackers. An attacker may compromise a multi-

cast system by intentionally injecting forged packets to

consume receivers’ resource, leading to Denial of Service

(DoS). Compared with the efficiency requirement and packet

loss problems, the DoS attack is not common, but it is still

important in hostile environments. In the literature, some

schemes [27], [28], [29], [30], [31], [32] attempt to provide the

DoS resilience. However, they still have the packet loss

problem because they are based on the same approach as

previous schemes [10], [11], [22], [23], [24], [25], [26].

Recently, we demonstrated that batch signature schemes

can be used to improve the performance of broadcast

authentication [5], [6]. In this paper, we present our

comprehensive study on this approach and propose a novel

multicast authentication protocol called MABS (in short for

Multicast Authentication based on Batch Signature). MABS

includes two schemes. The basic scheme (called MABS-B

hereafter) utilizes an efficient asymmetric cryptographic

primitive called batch signature [33], [34], [35], [36], [37], [38],

[39], [40], [41], [42], [43], [44], which supports the

authentication of any number of packets simultaneously

with one signature verification, to address the efficiency

and packet loss problems in general environments. The

enhanced scheme (called MABS-E hereafter) combines

MABS-B with packet filtering to alleviate the DoS impact

in hostile environments. MABS provides data integrity,

origin authentication, and nonrepudiation as previous

asymmetric key based protocols. In addition, we make the

following contributions:

1. Our MABS can achieve perfect resilience to packet

loss in lossy channels in the sense that no matter

how many packets are lost the already-received

packets can still be authenticated by receivers.

2. MABS-B is efficient in terms of less latency,

computation, and communication overhead. Though

MABS-E is less efficient than MABS-B since it

includes the DoS defense, its overhead is still at the

same level as previous schemes.

3. We propose two new batch signature schemes based

on BLS [36] and DSA [38] and show they are more

efficient than the batch RSA [33] signature scheme.

The rest of the paper is organized as follows: We briefly

review related work in Section 2. Then, we present a basic

scheme for lossy channels in Section 3, which also includes

three batch signature schemes based on RSA [33], BLS [36],

and DSA, respectively [38]. An enhanced scheme is

discussed in Section 4. After performance evaluation in

Section 5, the paper is concluded in Section 6.

2 RELATED WORK

Schemes in [8], [9] follow the ideal approach of signing and

verifying each packet individually, but reduce the compu-

tation overhead at the sender by using one-time signatures

[8] or /-time signatures [9]. They are suitable for RSA [33],

which is expensive on signing while cheap on verifying. For

each packet, however, each receiver needs to perform one

more verification on its one-time or /-time signature plus

one ordinary signature verification. Moreover, the length of

one-time signature is too long (on the order of 1,000 bytes).

Tree chaining was proposed in [10], [11] by constructing

a tree for a block of packets. The root of the tree is signed by

the sender. Each packet carries the signed root and multiple

hashes. When each receiver receives one packet in the block,

it uses the authentication information in the packet to

authenticate it. The buffered authentication information is

further used to authenticate other packets in the same block.

Without the buffered authentication information, each

packet is independently verifiable at a cost of per-packet

signature verification.

Graph chaining was studied in [12], [13], [14], [15], [16],

[17], [18], [19], [20], [21]. A multicast stream is divided into

blocks and each block is associated with a signature. In each

block, the hash of each packet is embedded into several

other packets in a deterministic or probabilistic way. The

hashes form a graph, in which each path links a packet to

the block signature. Each receiver verifies the block

signature and authenticates all the packets through the

paths in the graph.

Erasure codes were used in [22], [23], [24], [25], [26]. A

signature is generated for the concatenation of the hashes of

all the packets in one block and then is erasure-coded into

many pieces. Erasure codes make each receiver be capable

of recovering the block signature when receiving at least a

certain number of pieces.

All these schemes [10], [11], [12], [13], [14], [15], [16], [17],

[18], [19], [20], [21], [22], [23], [24], [25], [26] are indeed

computationally efficient since each receiver needs to verify

only one signature for a block of packets. However, they all

increase packet overhead for hashes or erasure codes and

the block design introduces latency when buffering many

packets. Another major problem is that most schemes [12],

[13], [14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24],

[25], [26] are vulnerable to packet loss even though they are

designed to tolerate a certain level of packet loss. If too

many packets are lost, other packets may not be authenti-

cated. In particular, if a block signature is lost, the entire

block cannot be authenticated.

Moreover, previous schemes [8], [9], [10], [11], [12], [13],

[14], [15], [16], [17], [18], [19], [20], [21], [22], [23], [24], [25],

[26] target at lossy channels, which are realistic in our daily

life since the Internet and wireless networks suffer from

packet loss. In a hostile environment, however, an active

attacker can inject forged packets to consume receivers’

resource, leading to DoS. In particular, schemes in [8], [9],

[10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21]

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

are vulnerable to forged signature attacks because they

require each receiver to verify each signature whereby to

authenticate data packets, and schemes in [22], [23], [24],

[25], [26] suffer from packet injection because each receiver

has to distinguish a certain number of valid packets from a

pool of a large number of packets including injected ones,

which is very time-consuming.

In order to deal with DoS, schemes in [27], [28], [29], [30],

[31], [32] were proposed. PARM [27] is similar to the tree

chaining scheme [10], [11] in the sense that multiple one-

way hash chains are used as shared keys between the

sender and receivers. Schemes in [28], [29] combine erasure

codes with one-way hash chains to detect forged packets.

Unfortunately, these schemes [27], [28], [29] are still

vulnerable to DoS because they require that one-way hash

chains are signed and transmitted to each receiver and

therefore an attacker can inject forged signatures for one-

way hash chains.

PRABS [30] uses distillation codes to deal with DoS. In

particular, valid packets and forged packets are partitioned

into disjoint sets and erasure decoding is performed over

each set. BAS [31] simply retransmits each signature

multiple times to tolerate packet loss and uses selective

verification to tolerate injected forged signatures. LTT [32]

uses error correction codes to replace erasure codes in

schemes [22], [23], [24], [25], [26]. The reason is that error

correction codes tolerate error packets. These three schemes

[30], [31], [32] are resilient to DoS, but they still have the

packet loss problem.

Some other schemes [45], [46], [47], [48], [49], [50], [51],

[52], [53] use shared symmetric keys between the sender and

receivers to authenticate multicast streams. Though they are

more efficient than those using signatures, they cannot

provide nonrepudiation as the signature approach, and they

require either time synchronization or trustful infrastruc-

tures. In this paper, we focus on the signature approach.

Though confidentiality is another important issue for

securing multicast, it can be achieved through group key

management [54]. In this paper, we focus on multicast

authentication.

3 BASIC SCHEME

Our target is to authenticate multicast streams from a sender

to multiple receivers. Generally, the sender is a powerful

multicast server managed by a central authority and can be

trustful. The sender signs each packet with a signature and

transmits it to multiple receivers through a multicast routing

protocol. Eachreceiver is aless powerful device withresource

constraints and may be managed by a nontrustworthy

person. Each receiver needs to assure that the received

packets are really from the sender (authenticity) and the

sender cannot deny the signing operation (nonrepudiation)

by verifying the corresponding signatures.

Ideally, authenticating a multicast stream can be

achieved by signing and verifying each packet. However,

the per-packet signature design has been criticized for its

high computation cost, and therefore, most previous

schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],

[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],

[32] incorporate a block-based design as shown in Section 2.

They do reduce the computation cost, but also introduce

new problems. The block design builds up correlation

among packets and makes them vulnerable to packet loss,

which is inherent in the Internet and wireless networks.

Received packets may not be authenticated because some

correlated packets are lost.

Also, the heterogeneity of receivers means that the buffer

resource at each receiver is different and can vary over the

timedependingontheoverall loadat thereceiver. Intheblock

design, the requiredblocksize, whichis chosenbythe sender,

may not be satisfied by each receiver.

Third, the correlation among packets can incur addi-

tional latency. Consider the high layer application needs

new data from the low layer authentication module in order

to render a smooth video stream to the client user. It is

desirable that the lower layer authentication module

delivers authenticated packets to the high layer application

at the time when the high layer application needs new data.

In the per-packet signature design it is not a problem, since

each packet can be independently verifiable at any time. In

the block design, however, it is possible that the packets

buffered at the low layer authentication module are not

verifiable because the correlated packets, especially the

block signatures, have not been received. Therefore, the

high layer application has to either wait, which leads to

additional latency, or return with a no-available-packets

exception, which could be interpreted as that the buffered

packets are “lost.” This latency, which is incurred at the

high layer when the high layer application waits for the

buffered packets to become verifiable, is different from the

buffering latency, which is required for the low layer

authentication protocol to buffer received packets.

In view of the problems regarding the sender-favored

block-based approach, we conceive a receiver-oriented

approach by taking into account the heterogeneity of the

receivers. As receiving devices have different computation

and communication capabilities, some could be powerful

desktop computers, while the others could be cheap

handsets with limited buffers and low-end CPUs. Mixed

with various channel loss rates, this heterogeneity poses a

demand on the capability of adjusting the buffer size and

authenticating buffered packets any time when the high

layer application requires at each receiver.

In order to fulfill the requirement, the basic scheme

MABS-B uses an efficient cryptographic primitive called

batch signature [33], [34], [35], [36], [37], [38], [39], [40], [41],

[42], [43], [44], which supports simultaneously verifying the

signatures of any number of packets. In particular, when a

receiver collects i packets:

j

i

¼ fi

i

. o

i

g. i ¼ 1. . . . . i.

where i

i

is the data payload, o

i

is the corresponding

signature, and i can be any positive integer, it can input

them into an algorithm

BatchVerifyðj

1

. j

2

. . . . . j

i

Þ 2 fTinc. 1o|:cg.

If the output is Tinc, the receiver knows the i packets are

authentic, and otherwise not.

To support authenticity and efficiency, the BatchVerifyðÞ

algorithm should satisfy the following properties:

984 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

1. Given a batch of packets that have been signed by

the sender, BatchVerifyðÞ outputs Tinc.

2. Given a batch of packets including some unauthentic

packets, the probability that BatchVerifyðÞ outputs

Tinc is very low.

3. The computation complexity of BatchVerifyðÞ is

comparable to that of verifying one signature and

is increased only gradually when the batch size i

is increased.

The computation complexity of BatchVerifyðÞ comes

with the fact that there are some additional cost on

processing multiple packets. As we will show later, those

additional computations are mostly modular additions and

multiplications, which are much faster than modular

exponentiations required in final signature verifications.

Theoretically, a concern comes when the cost grows higher

than the final signature verification if the batch size is too

large. However, it is not the case in reality. The merit of

batch signature is that the batch size is chosen by each

receiver, which can optimize its own batch size, so that the

batch size will not be unmanageably large. Most important,

we will show later that in the implementation of batch

signature a technique called signature preaggregation can be

used so that the additional processing of multiple packets is

shifted from the time of final batch verification to the time

of each packet reception and thus the cost of final batch

signature verification is exactly the same as that of original

signature verification.

In order to show the merit of signature preaggregation,

we implemented batch signature by using our Batch-BLS

(will be discussed later) as an example. We measured the

normalized time cost of batch signature verification with

the batch size growing from 1 to 1,000, and recorded the

results for two scenarios, with and without signature

preaggregation. The result is shown in Fig. 1. We can see

that the time cost of general batch verification (without

signature aggregation) is still less than that of two single

signature verifications when batch size grows up to about

270, which validates the third property of batch signature.

The other curve in Fig. 1 shows that if the signature

preaggregation is used, then the final batch verification has

the same cost of single signature verification, no matter how

large the batch size is.

MABS-B uses per-packet signature instead of per-block

signature and thus eliminates the correlation among

packets. The packet independency makes MABS-B perfect

resilient to packet loss. The Internet and wireless channels

tend to be lossy due to congestion or channel instability,

where packets can be lost according to different loss

models, such as random loss or burst loss. In MABS-B,

however, no matter how many packets are lost, the already-

received packets can still be authenticated by each receiver.

This is a significant advantage over previous schemes [10],

[11], [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22],

[23], [24], [25], [26], [27], [28], [29], [30], [31], [32]. Mean-

while, efficiency can also be achieved because a batch of

packets can be authenticated simultaneously through one

batch signature verification operation. The packet indepen-

dency also brings other benefits in terms of smaller latency

and communication overhead compared with previous

schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19],

[20], [21], [22], [23], [24], [25], [26], [27], [28], [29], [30], [31],

[32]. In particular, each receiver can verify the authenticity

of all the received packets in its buffer whenever the high

layer applications require, and there is no additional hash

or code overhead in each packet.

Next, we present three implementations. In addition to

the one based on RSA [33], we propose two new batch

signature schemes based on BLS [36] and DSA [38], which

are more efficient than batch RSA. We must point out and

will show later that MABS is independent from these

signature algorithms. This independency brings the free-

dom to optimize MABS for a particular physical system or

platform as much as possible.

3.1 Batch RSA Signature

3.1.1 RSA

RSA [33] is a very popular cryptographic algorithm in

many security protocols. In order to use RSA, a sender

chooses two large random primes 1 and Q to get ` ¼ 1Q,

and then calculates two exponents c. d 2 ZZ

Ã

`

such that

cd ¼ 1 iod cð`Þ, where cð`Þ ¼ ð1 À1ÞðQÀ1Þ. The sender

publishes ðc. `Þ as its public key and keeps d in secret as its

private key. A signature of a message i can be generated as

o ¼ ð/ðiÞÞ

d

iod `, where /ðÞ is a collision-resistant hash

function. The sender sends fi. og to a receiver that can

verify the authenticity of the message i by checking

o

c

¼ /ðiÞ iod `.

3.1.2 Batch RSA

To accelerate the authentication of multiple signatures,

the batch verification of RSA [34], [35] can be used. Given

i packets fi

i

. o

i

g. i ¼ 1. . . . . i, where i

i

is the data

payload, o

i

is the corresponding signature and i is any

positive integer, the receiver can first calculate /

i

¼ /ði

i

Þ

and then perform the following verification:

Y

i

i¼1

o

i

!

c

iod ` ¼

Y

i

i¼1

/

i

iod `. ð1Þ

If all i packets are truly from the sender, the equation holds

because

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 985

Fig. 1. Normalized time cost of Batch-BLS signature verification.

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

Y

i

i¼1

o

i

!

c

iod ` ¼

Y

i

i¼1

o

c

i

iod `

¼

Y

i

i¼1

/

cd

i

iod `

¼

Y

i

i¼1

/

i

iod `.

ð2Þ

Before the batch verification, the receiver must ensure all

the messages are distinct. Otherwise batch RSAis vulnerable

to the forgery attack [35]. This is easy to implement because

sequence numbers are widely used in many network

protocols and can ensure all the messages are distinct. It

has been proved in [35] that when all the messages are

distinct, batch RSAis resistant to signature forgery as long as

the underlying RSA algorithm is secure.

In some circumstances, an attacker may not forge

signatures but manipulate authentic packets to produce

invalid signatures. For example, given two packets fi

i

. o

i

g

and fi

,

. o

,

g for i 6¼ ,, the attacker can modify them into

fi

i

. o

i

`g and fi

,

. o

,

´`g. The modified packets can still pass

the batch verification, but the signature of each packet is not

correct (that is why batch RSA verification is called screening

in [35]). However, the attacker can do this only when it gets

fi

i

. o

i

g and fi

,

. o

,

g, which means the message i

i

and i

,

have been correctly signed by the sender. Therefore, this

attack is of no harm to the receiver [35].

3.1.3 Requirements to the Sender

In most RSA implementations, the public key c is usually

small (c ¼ 3 for instance) while the private key d is large.

Therefore, the RSA signature verification is efficient while

the signature generation is expensive. This poses a

challenge to the computation capability of the sender

because the sender needs to sign each packet. Choosing a

small private key d can improve the computation efficiency

but compromise the security. If the sender does not have

enough resource, a pair of fc. dg with comparable sizes can

achieve a certain level of trade-off between computation

efficiency and security at the sender part. If the sender is a

powerful server, then signing each packet can be affordable

in this scenario. Next, we propose two efficient batch

signature schemes based on BLS [36] and DSA [38], which

can reduce the computation complexity at the sender.

3.2 Batch BLS Signature

Here, we propose a batch signature scheme based on the

BLS signature in [36].

3.2.1 BLS

The BLS signature scheme uses a cryptographic primitive

called pairing, which can be defined as a map over two

cyclic groups G

1

and G

2

, c : G

1

ÂG

1

! G

2

, satisfying the

following properties:

1. Bilinear: For all n. . 2 G

1

and o. / 2 ZZ, we have

cðn

o

. .

/

Þ ¼ cðn. .Þ

o/

.

2. Nondegenerate: For the generator o

1

of G

1

, i.e.,

o

j

1

¼ 1 2 G

1

, where j is the order of G

1

, we have

cðo

1

. o

1

Þ 6¼ 1 2 G

2

.

The BLS signature scheme consists of three phases:

1. In the key generation phase, a sender chooses a

random integer r 2 ZZ

j

and computes n ¼ o

1

r

2 G

1

.

The private key is r and the public key is n.

2. Given a message i 2 f0. 1g

Ã

in the signing phase, the

sender first computes / ¼ /ðiÞ 2 G

1

, where /ðÞ is a

hash function, then computes o ¼ /

r

2 G

1

. The

signature of i is o.

3. In the verification phase, the receiver first computes

/¼/ðiÞ2G

1

and then check whether cð/.nÞ¼cðo.o

1

Þ.

If the verification succeeds, then the message i is authentic

because

cð/. nÞ ¼ cð/. o

1

r

Þ ¼ cð/

r

. o

1

Þ ¼ cðo. o

1

Þ. ð3Þ

One merit of the BLS signature is that it can generate

a very short signature. It has been shown in [36] that an

i-bit BLS signature can provide a security level equiva-

lent to solving a Discrete Log Problem (DLP) [39] over a

finite field of size approximately 2

6i

. Therefore, a 171-bit

BLS signature provides the same level of security as a

1,024-bit DLP-based signature scheme such as DSA [38].

This is a very nice choice in the scenario where

communication overhead is an important issue.

3.2.2 Batch BLS

Based on BLS, we propose our batch BLS scheme here.

Given i packets fi

i

. o

i

g. i ¼ 1. . . . . i, the receiver can verify

the batch of BLS signatures by first computing /

i

¼ /ði

i

Þ.

i ¼ 1. . . . . i and then checking whether cð

Q

i

i¼1

/

i

. nÞ ¼

cð

Q

i

i¼1

o

i

. o

1

Þ. This is because if all the messages are

authentic, then

c

Y

i

i¼1

/

i

. n

!

¼

Y

i

i¼1

cð/

i

. o

1

r

Þ

¼

Y

i

i¼1

c

À

/

i

r

. o

1

Á

¼ c

Y

i

i¼1

o

i

. o

1

!

.

ð4Þ

We can prove that our batch BLS is secure to signature

forgery as long as BLS is secure to signature forgery.

Theorem 1. Suppose an attacker A can break the batch BLS by

forging signatures. Then, another attacker B can break BLS

under the chosen message attack by colluding with A.

Proof. Suppose B is given i À1 messages and their valid

signatures fi

i

. o

i

g. i ¼ 1. . . . . i À1, B can forge a signa-

ture o

i

for any chosen message i

i

, such that fi

i

. o

i

g

satisfies the BLS signature scheme, by colluding with A

in the following steps:

1. B sends i messages i

i

. i ¼ 1. . . . . i and i À1

signatures o

i

. i ¼ 1. . . . . i À1 to A.

2. Because A can break the batch BLS scheme, A

generates i false signatures o

i

0

. i ¼ 1. . . . . i that

pass the batch BLS verification, then returns to B a

value \ ¼

Q

i

i¼1

o

i

0

.

3. B computes o

i

¼ \ ´

Q

iÀ1

i¼1

o

i

as the signature for

i

i

, because

986 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

c

Y

i

i¼1

/

i

. n

!

¼ cð\ . o

1

Þ

) c

Y

i

i¼1

/

i

. n

!

¼ c

Y

i

i¼1

o

i

. o

1

!

) c

Y

iÀ1

i¼1

/

i

. n

!

cð/

i

. nÞ ¼ c

Y

iÀ1

i¼1

o

i

. o

1

!

cðo

i

. o

1

Þ

) cð/

i

. nÞ ¼ cðo

i

. o

1

Þ .

ð5Þ

tu

Since BLS is forgery-secure under the chosen message

attack [36], our batch BLS scheme is also secure to forgery

under the chosen message attack.

Also like batch RSA, an attacker may not forge signatures

but manipulate authentic packets to produce invalid

signatures. For instance, two packets fi

i

. o

i

g and fi

,

. o

,

g

for i 6¼ , can be replaced with fi

i

. o

i

`g and fi

,

. o

,

´`g and

still pass the batch verification. However, it does not affect

the correctness and the authenticity of i

i

and i

,

because

they have been correctly signed by the sender.

3.2.3 Requirements to the Sender

In our batch BLS, the sender needs to sign each packet.

Because BLS can provide a security level equivalent to

conventional RSA and DSA with much shorter signature

[36], the signing operation is more efficient than the RSA

signature generation. Moreover, BLS can be implemented

over elliptic curves [55], [56], which have been shown in the

literature to be more efficient than finite integer fields on

which RSA is implemented. Therefore, we can expect that

our batch BLS is more affordable by the sender than batch

RSA and also achieve computation efficiency at the receiver.

3.3 Batch DSA Signature

DSA [38] is another popular digital signature algorithm.

Unlike RSA, which is based on the hardness of factoring

two large primes, DSA is deemed secure based on the

difficulty of solving DLP [39]. A batch DSA signature

scheme was proposed in [40], but later was found insecure

[41]. Harn improved the security of [40] in [42], [43].

Unfortunately, Boyd and Pavlovski pointed out in [44] that

Harn’s work is still vulnerable to malicious attacks. Here,

we propose a batch DSA scheme based on Harn’s work and

counteract the attack described in [44].

3.3.1 Harn DSA

In Harn DSA [43], some system parameters are defined as:

1. j, a prime longer than 512 bits.

2. c, a 160-bit prime divisor of j À1.

3. o, a generator of ZZ

Ã

j

with order c, i.e., o

c

¼ 1 iod j.

4. r, the private key of the signer, 0 < r < c.

5. n, the public key of the signer, n ¼ o

r

iod j.

6. /ðÞ, a hash function generating an output in ZZ

Ã

c

.

Given a message i, the signer generates a signature by:

1. randomly selecting an integer / with 0 < / < c,

2. computing / ¼ /ðiÞ,

3. computing i ¼ ðo

/

iod jÞ iod c, and

4. computing : ¼ i/ À/r iod c.

The signature for i is ði. :Þ.

The receiver can verify the signature by first computing

/ ¼ /ðiÞ and then checking whether

ððo

:i

À1

n

/i

À1

Þ iod jÞ iod c ¼ i.

This is because if the packet is authentic, then

ððo

:i

À1

n

/i

À1

Þ iod jÞ iod c

¼ ððo

ð:þ/rÞi

À1

Þ iod jÞ iod c

¼ ðo

/

iod jÞ iod c

¼ i.

ð6Þ

3.3.2 Harn Batch DSA

Given i packets fi

i

. ði

i

. :

i

Þg. i ¼ 1. . . . . i, the receiver can

verify the batch of signatures by first computing /

i

¼ /ði

i

Þ

and then checking whether

o

P

i

i¼1

:

i

i

i

À1

n

P

i

i¼1

/

i

i

i

À1

iod j

iod c ¼

Y

i

i¼1

i

i

iod c . ð7Þ

This is because, if the batch of packets is authentic, then

o

P

i

i¼1

:

i

i

i

À1

n

P

i

i¼1

/

i

i

i

À1

iod j

iod c

¼ o

P

i

i¼1

ð:iþ/i rÞii

À1

iod j

iod c

¼ o

P

i

i¼1

/i

iod j

iod c

¼

Y

i

i¼1

i

i

iod c.

ð8Þ

3.3.3 The Boyd-Pavlovski Attack

Boyd and Pavlovski [44] pointed out an attack against the

Harn batch DSA scheme [43], where an attacker can forge

signatures for any chosen message set that has not been

signed by the sender. The process is:

1. Choose 1 and C, calculate ¹ ¼ ðo

1

n

C

iod jÞ iod c.

2. For any message set i

i

, i ¼ 1. . . . . i, randomly

choose i

i

, i ¼ 1. . . . . i À2.

3. Compute i

iÀ1

and i

i

to ensure that

Y

i

i¼1

i

i

iod c ¼ ¹ iod c ð9Þ

X

i

i¼1

/

i

i

i

À1

iod c ¼ C iod c. ð10Þ

4. Randomly choose :

i

, i ¼ 1. . . . . i À1 and compute :

i

to ensure that

X

i

i¼1

:

i

i

i

À1

iod c ¼ 1 iod c. ð11Þ

The probability that fi

i

. i

i

. :

i

g, i ¼ 1. . . . . i are forged

messages satisfying the batch verification is

1

2

[44].

3.3.4 Our Batch DSA

In order to counteract the Boyd-Pavlovski attack, our batch

DSA makes an improvement to the Harn DSA algorithm.

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 987

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

We replace the hash operation /ðiÞ in the signature

generation and verification process with /ði. iÞ. All the

other steps are the same as those in Harn’s scheme.

Though it is simple, our method can significantly

increase the security of batch DSA. In the Boyd-Pavlovski

attack, the attacker can compute i

i

values according to (9)

and (10) because parameters ¹, C, /

i

values are known. By

introducing i

i

into the hash operation, the hash values /

i

in

(10) are unknown to the attacker. Therefore, the attacker

cannot compute i

i

values and the forgery attack discussed

in [44] is defeated.

Like the cases inbatchRSAandour batchBLS, the attacker

may manipulate authentic packets fi

i

. ði

i

. :

i

Þg to produce

invalid signatures fi

i

. ði

i

0

. :

i

0

Þg, which can still pass the

batch verification. The attacker can keep i

i

unchanged,

randomly choose :

i

0

, i ¼ 1. . . . . i À1 and solve :

i

0

satisfying

X

i

i¼1

:

i

0

i

i

À1

iod c ¼

X

i

i¼1

:

i

i

i

À1

iod c. ð12Þ

However, this attack does not affect the correctness and

authenticity of messages because they have been really

signed by the sender [44]. Therefore, the receiver can still

accept them because the batch verification succeeds.

3.3.5 Requirements to the Sender

In batch RSA and our batch BLS, the sender needs to

compute one modular exponentiation to sign each packet.

In our batch DSA, the sender needs to compute one

modular exponentiation to get i and two modular multi-

plications to get :. However, i is independent on the

message i. Therefore, the sender can generate many

i values offline. When the sender starts a multicast session,

it can use reserved i values to compute : values. In this

way, only two modular multiplications are necessary to

sign a packet. Therefore, our batch DSA is much more

efficient than batch RSA and our batch BLS at the sender,

while also achieving computation efficiency at the receiver.

3.4 Preaggregation of Message Hashes and

Signatures

If we take a closer look at batch-RSA and batch-BLS, we can

notice that they use exactly the orignal RSA and BLS

algorithms, respectively. The only difference is that the

batch algorithms take the aggregations of message hashes

and signatures f

Q

i

i¼1

/

i

.

Q

i

i¼1

o

i

g as the parameters to the

original signature algorithms. This aggregation is indepen-

dent of the final signature verification. Therefore, each

receiver can compute and update f

Q

i

i¼1

/

i

.

Q

i

i¼1

o

i

g after

receiving every packet. When the time of batch verification

comes, each receiver needs just one signature verification.

For batch-DSA, the aggregations of message hashes and

signatures f

P

i

i¼1

:

i

i

i

À1

.

P

i

i¼1

/

i

i

i

À1

.

Q

i

i¼1

i

i

g are inside the

signature verification. Therefore, the cost of the aggregations

is incurred with the final signature verification. However, if

we modify the original DSA so that it takes f:i

À1

. /i

À1

. ig

instead of f/. :. ig as parameters, then batch-DSA can take

the advantage of preaggregating message hashes and

signatures, just like batch-RSA and batch-BLS.

Obviously, the computation cost at each receiver can be

more manageable no matter how large each batch is if

signature preaggregation is enforced, as shown in Fig. 1.

4 ENHANCED SCHEME

The basic scheme MABS-B targets at the packet loss

problem, which is inherent in the Internet and wireless

networks. It has perfect resilience to packet loss, no matter

whether it is random loss or burst loss. In some circum-

stances, however, an attacker can inject forged packets into

a batch of packets to disrupt the batch signature verifica-

tion, leading to DoS. A naive approach to defeat the DoS

attack is to divide the batch into multiple smaller batches

and perform a batch verification over each smaller batch,

and this divide-and-conquer approach can be recursively

carried out for each smaller batch, which means more

signature verifications at each receiver. In the worst case,

the attacker can inject forged packets at very high frequency

and expect that each receiver stops the batch operation and

recovers the basic per-packet signature verification, which

may not be viable at resource-constrained receiver devices.

In this section, we present an enhanced scheme called

MABS-E, which combines the basic scheme MABS-B and a

packet filtering mechanism to tolerate packet injection. In

particular, the sender attaches each packet with a mark,

which is unique to the packet and cannot be spoofed. At

each receiver, the multicast stream is classified into disjoint

sets based on marks. Each set of packets comes from either

the real sender or the attacker. The mark design ensures that

a packet from the real sender never falls into any set of

packets fromthe attacker, and vice versa. Next, each receiver

only needs to perform BatchVerifyðÞ over each set. If the

result is Tinc, the set of packets is authentic. If not, the set of

packets is from the attacker, and the receiver simply drops

themand does not need to divide the set into smaller subsets

for further batch verification. Therefore, a strong resilience

to DoS due to injected packets can be provided.

In MABS-E, Merkle tree [57] is used to generate marks.

An example is illustrated in Fig. 2. The sender constructs a

binary tree for eight packets. Each leaf is a hash of one

packet. Each internal node is the hash value on the

concatenation of its left and right children. For each packet,

a mark is constructed as the set of the siblings of the nodes

along the path from the packet to the root. For example, the

mark of the packet 1

3

is fH

4

. H

1.2

. H

5.8

g and the root can be

recovered as H

1.8

¼ HððH

1.2

. ðHð1

3

Þ. H

4

ÞÞ. H

5.8

Þ.

Constructing a Merkle tree is very efficient because only

hash operations are performed. Meanwhile, the one-way

property of hash operation ensures that given the root of a

Merkle tree it is infeasible to find a packet, which is not in

988 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

Fig. 2. An example of Merkle tree. Each leaf is a hash of one packet.

Each internal node is the hash value on both its left and right children.

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

the set associated with the Merkle tree and from which

there is a path to the root. This guarantees that forged

packets cannot fall into the set of authentic packets.

When the sender has a set of packets for multicast, it

generates a Merkle tree for the set and attaches a mark to

each packet. The root can be recovered based on each

packet and its mark. Each receiver can find whether two

packets belong to the same set by checking whether they

lead to the same root value. Therefore, the recovered roots

help classify received packets into disjoint sets. Each

receiver does not need to wait for a set to include all the

packets under the Merkle tree, and it can batch-verify the

set anytime. Once the set is authentic, the corresponding

root can be used to authenticate the rest of packets under

the same Merkle tree without batch-verifying them, which

saves computation overhead at each receiver.

An attacker may inject small sets of forged packets or

even inject single packet that does not belong to any set. In

this case, each receiver has many small sets and each of

them has only a few packets. Doing the BatchVerify

algorithm on each small set compromises efficiency. Since

the sets from the sender can have a large number of packets,

each receiver can choose a threshold (say t) and start batch

verification over one set only when the set has no less than

t packets. If a set has less than t packets and the root value

recovered from the set has not been authenticated, the

receiver simply drop the set of packets without processing

them and thus save computation resource. For each

receiver, the threshold t can vary according to the receiver’s

computation resource. In this way, the impact of DoS due to

packet injection can be reduced by a factor of t.

5 PERFORMANCE EVALUATION

In this section, we evaluate MABS performance in terms of

resilience to packet loss, efficiency, and DoS resilience. As

we discussed before, MABS does not assume any particular

underlying signature algorithm. This is also true for all the

literature multicast authentication schemes referenced in

this paper. Therefore, all the discussions and evaluations of

MABS and the literature works in Section 5.1 and Section 5.2

are under the assumption that they are using the same

underlying signature algorithm. The discussion of signature

algorithms is in Section 5.3.

5.1 Resilience to Packet Loss

We use simulations to evaluate the resilience to packet

loss. The metric here is the verification rate, i.e., the ratio

of the number of authenticated packets to the number of

received packets.

We compare MABS with some well-known loss tolerant

schemes EMSS [14], augmented chain (AugChain) [18],

PiggyBack [16], tree chain (Tree) [11], and SAIDA [23].

These schemes are representatives of graph chaining, tree

chaining, and erasure coding schemes and are widely used

in performance evaluation in the literature.

For EMSS [14], we choose the chain configuration of

5 À11 À17 À24 À36 À39, which has the best performance

among all the configurations of length 6 as is shown in [14].

For AugChain [18], we choose C

3.7

chain configuration. For

PiggyBack [16], we choose two class priorities. For Tree

chain [11], we choose binary tree. For SAIDA [23], we choose

the erasure code ð256. 128Þ. For all these schemes, we choose

the block size of 256 packets and simulate over 100 blocks.

We consider the random loss and the burst loss with a

maximum loss length of 10 packets. The verification rates

under different loss rates are given in Fig. 3 and Fig. 4.

We can see that the verification rates of EMSS [14],

augmented chain (AugChain) [18] and PiggyBack [16] are

decreased quickly when the loss rate is increased. The reason

is that graph chaining results in the correlation among

packets and this correlation is vulnerable to packet loss.

SAIDA [23] illustrates a resilience to packet loss up to a

certain threshold, because of the threshold performance of

erasure codes. Our MABS andTree schemes [11] have perfect

resilience to packet loss in the sense that all the received

packets can be authenticated. This is because all the packets

in MABS andTree schemes are independent fromeach other.

As we will show later, however, Tree [11] achieves this

independency by incurring large overhead and latency at the

sender and each receiver and is vulnerable to DoS, while our

MABS-B has less overhead and latency and MABS-E is

resilient to DoS at the same level of overhead as Tree [11].

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 989

Fig. 3. Verification rate under the random loss model.

Fig. 4. Verification rate under the burst loss model with the maximum

burst length 10.

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

One thing needs to be pointed out is that we do not

differentiate between MABS-B and MABS-E in Fig. 3 and

Fig. 4. MABS-B is perfect resilient to packet loss because of

its inherent design. While it is not designed for lossy

channels, MABS-E can also achieve the perfect resilience to

packet loss in lossy channels. In the lossy channel model,

where no DoS attack is assumed to present, we can set the

threshold t ¼ 1 (refer to Section 4) for MABS-E, and thus

each receiver can start batch-verification as long as there is at

least one packet received for each set of packets constructed

under the same Merkle tree. Once the received packets are

authenticated, the extracted root of the Merkle tree can be

used to authenticate the rest of packets in the same set

within several hash operations. If we set t 1, which is not

the best choice for the lossy channel, MABS-E can tolerate up

to i Àt lost packets for each set of i packets, which shows a

threshold-based loss resilience, similar to SAIDA [23].

5.2 Efficiency

We consider latency, computation, and communication

overhead for efficiency evaluation under lossy channels

and DoS channels. The notations used here are defined in

Table 1. All the evaluations are carried out over i packets.

The results are depicted in Table 2 and Table 3.

5.2.1 Comparisons over Lossy Channels

Table 2 shows the comparisons between MABS-B and well-

known loss-tolerant schemes tree chain (Tree) [11], EMSS

[14], PiggyBack [16], augmented chain (AugChain) [18], and

SAIDA [23]. We also include MABS-E and three DoS

resilient schemes PRABS [30], BAS [31], and LTT [32] in the

table just for comparisons even though they are not

designed for lossy channels.

Previous block-based schemes introduce latency either at

the sender [11], [16] or at each receiver [14], [31] or both [18],

[23], [30], [32]. The latency is inherent in the block design

due to chaining or coding. At the sender side, the

correlation among a block of packets has to be established

before the sender starts sending the packets. At each

receiver, the latency is incurred when the high layer

application waits for the buffered packets to be authenti-

cated after the correlation is recovered. This receiver side

latency is variable depending on whether the correlation

among the underline buffered packets has been recovered

or not when the high layer application needs new data, and

its maximum value is the block size. MABS-B eliminates the

correlation among packets. Each packet is independently

sent out at the sender. At each receiver, the high layer

application does not need to wait because the low layer

authentication module can deliver authenticated packets at

any time when the high layer application needs new data.

This makes MABS-B pretty suitable for realtime multimedia

applications. MABS-E introduces latency at the sender

because it includes a tree construction to counteract DoS,

but it still preserves the merit of instantaneous authentica-

tion at each receiver as MABS-B.

Both the block-based schemes and MABS require one

signature verification operation on a block or a batch of

i packets at each receiver. In addition, the schemes using

990 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

TABLE 1

Notations

TABLE 2

Comparisons over Lossy Channels

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

chaining also require many hashes, and the ones using

coding require multiple hashes and one or two decoding

operations. MABS-B is more efficient since there is no more

hashing or decoding operations. MABS-E requires ilog

2

i

hashes, which is comparable to previous schemes using

hashing and coding.

In MABS, a trade-off for perfect resilience to packet loss

is that the sender needs to sign each packet, which incurs

more computation overhead than conventional block-based

schemes. Therefore, efficient signature generation is desir-

able at the sender. Compared with RSA [33], which is

efficient in verifying but is expensive in signing, BLS [36]

and DSA [38] are pretty good candidates as we will show

later. Moreover, in multimedia multicast, the sender is

usually a powerful server and thus the per-packet signature

generation can be affordable, and the advance of computing

technology makes it easier in the long run.

For i packets, Tree [11] require an overhead of i signature

and Oðilog

2

iÞ hashes, schemes in [14], [16], [18], [23], [30],

[31], [32] require one or more signatures and up to

Oði

2

Þ hashes. MABS-B and MABS-E require i signatures

and MABS-E requires additional Oðilog

2

iÞ hashes. If long

signatures are used (like 1,024-bit RSA), MABS-B andMABS-

E have more communication overhead than those in [14],

[16], [18], [23], [30], [31], [32], which is the same case as Tree

[11]. However, BLS [36] generates short signatures of 171 bits,

which is comparable to most well-known hash algorithms

MD5 [58] (128 bits) and SHA-1 [59] (160 bits). Therefore,

MABS can have the same level of communication efficiency

as conventional schemes when BLS is used.

5.2.2 Comparisons over DoS Channels

DoS is a method for an attacker to deplete the resource of a

receiver. Processinginjectedpackets fromthe attacker always

consumes a certain amount of resource. Here, we assume an

attacker factor u, which means that for i valid packets

ui invalid packets are injected. The computation overheads

at each receiver for different schemes are depicted in Table 3.

For schemes in [11], [14], [16], [18], which authenticate

signatures first and then authenticate packet through hash

chains, the attacker can inject ui forged signature packets

because signature verification is an expensive operation.

For SAIDA [23], which requires erasure decoding, the

attacker simply injects ui forged packets because each

receiver has to choose a certain number of valid packets

from all the ð1 þuÞi packet to do decoding, which can have

a significant number of tries.

Schemes in [30], [31], [32] are designed for DoS defense.

They canalleviate the impact of packet injection by a constant

factor to reduce the computation cost at each receiver.

MABS-B is vulnerable to packet injection as schemes in

[11], [14], [16], [18], [23] since they are designed only for

lossy channels. MABS-E has the same level of DoS resilience

as those in [30], [31], [32].

5.3 Comparisons of Signature Schemes

We compare the computation overhead of three batch

signature schemes in Table 4. RSA [33] and BLS [36] require

one modular exponentiation at the sender and DSA [38]

requires two modular multiplications when i value is

computed offline. Usually one c-bit modular exponentiation

is equivalent to 1.5c modular multiplications over the same

field [35], [44]. Moreover, a c-bit modular exponentiation in

DLP is equivalent to a

c

6

-bit modular exponentiation in BLS

for the same security level. Therefore, we can estimate that

the computation overhead of one 1,024-bit RSA signing

operation is roughly equivalent to that of 768 DSA signing

operations (1,536 modular multiplications) and that of

6 BLS signing operations (each one is corresponding to

255 modular multiplications).

According to the report [60] on the computational over-

head of signature schemes on PIII 1 GHz CPU, the signing

andverificationtime for 1,024-bit RSAwitha 1,007-bit private

key are 7.9 ms and 0.4 ms, for 157-bit BLS are 2.75 ms and

81 ms, and for 1,024-bit DSA with a 160-bit private key

(without precomputing i value) are 4.09 ms and 4.87 ms. We

can observe that for BLS and DSA the signing is efficient but

the verification is expensive, and vice versa for RSA.

Therefore, we can save more computation resource at the

sender by using our batch BLS and batch DSA than batch

RSA. It is alsomeaningful touse our batchBLSandbatchDSA

at the receiver to save computation resources.

We alsocompare the lengthof twopopular hashalgorithm

MD5 [58] and SHA-1 [59] and the signature length of three

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 991

TABLE 4

Computational Overhead of Different Batch Schemes

1-modular exponentiation. `-modular multiplication. 1-pairing.

TABLE 3

Comparisons over DoS Channels

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

signature algorithms inTable 5. Giventhe same security level

as 1,024-bit RSA, BLS generates a 171-bit signature and 1o¹

generates a 320-bit signature. It is clear that by using BLS or

DSA, MABS can achieve more bandwidth efficiency than

using RSA, and could be even more efficient than conven-

tional schemes using a large number of hashes.

6 CONCLUSIONS

To reduce the signature verification overheads in the secure

multimedia multicasting, block-based authentication

schemes have been proposed. Unfortunately, most previous

schemes have many problems such as vulnerability to

packet loss and lack of resilience to denial of service (DoS)

attack. To overcome these problems, we develop a novel

authentication scheme MABS. We have demonstrated that

MABS is perfectly resilient to packet loss due to the

elimination of the correlation among packets and can

effectively deal with DoS attack. Moreover, we also show

that the use of batch signature can achieve the efficiency less

than or comparable with the conventional schemes. Finally,

we further develop two new batch signature schemes based

on BLS and DSA, which are more efficient than the batch

RSA signature scheme.

ACKNOWLEDGMENTS

This work was partially supported by the US National

Science Foundation under grants CNS-0916391, CNS-

0716450, and CNS-0626881. The works of Fang and Zhu

were also partially supported by the 111 Project under

Grant B08038. The work of Zhu was also partially

supported by the National Natural Science Foundation of

China under grant 60772136 and supported by the Funda-

mental Research Funds for the Central Universities.

REFERENCES

[1] S.E. Deering, “Multicast Routing in Internetworks and Extended

LANs,” Proc. ACM SIGCOMM Symp. Comm. Architectures and

Protocols, pp. 55-64, Aug. 1988.

[2] T. Ballardie and J. Crowcroft, “Multicast-Specific Security Threats

and Counter-Measures,” Proc. Second Ann. Network and Distributed

System Security Symp. (NDSS ’95), pp. 2-16, Feb. 1995.

[3] P. Judge and M. Ammar, “Security Issues and Solutions in

Mulicast Content Distribution: A Survey,” IEEE Network Magazine,

vol. 17, no. 1, pp. 30-36, Jan./Feb. 2003.

[4] Y. Challal, H. Bettahar, and A. Bouabdallah, “A Taxonomy of

Multicast Data Origin Authentication: Issues and Solutions,” IEEE

Comm. Surveys & Tutorials, vol. 6, no. 3, pp. 34-57, Oct. 2004.

[5] Y. Zhou and Y. Fang, “BABRA: Batch-Based Broadcast Authenti-

cation in Wireless Sensor Networks,” Proc. IEEE GLOBECOM,

Nov. 2006.

[6] Y. Zhou and Y. Fang, “Multimedia Broadcast Authentication

Based on Batch Signature,” IEEE Comm. Magazine, vol. 45, no. 8,

pp. 72-77, Aug. 2007.

[7] K. Ren, K. Zeng, W. Lou, and P.J. Moran, “On Broadcast

Authentication in Wireless Sensor Networks,” Proc. First Ann. Int’l

Conf. Wireless Algorithms, Systems, and Applications (WASA ’06),

Aug. 2006.

[8] S. Even, O. Goldreich, and S. Micali, “On-Line/Offline Digital

Signatures,” J. Cryptology, vol. 9, pp. 35-67, 1996.

[9] P. Rohatgi, “A Compact and Fast Hybrid Signature Scheme for

Multicast Packet,” Proc. Sixth ACM Conf. Computer and Comm.

Security (CCS ’99), Nov. 1999.

[10] C.K. Wong and S.S. Lam, “Digital Signatures for Flows and

Multicasts,” Proc. Sixth Int’l Conf. Network Protocols (ICNP ’98),

pp. 198-209, Oct. 1998.

[11] C.K. Wong and S.S. Lam, “Digital Signatures for Flows and

Multicasts,” IEEE/ACM Trans. Networking, vol. 7, no. 4, pp. 502-

513, Aug. 1999.

[12] R. Gennaro and P. Rohatgi, “How to Sign Digital Streams,”

Information and Computation, vol. 165, no. 1, pp. 100-116, Feb. 2001.

[13] R. Gennaro and P. Rohatgi, “How to Sign Digital Streams,” Proc.

17th Ann. Cryptology Conf. Advances in Cryptology (CRYPTO ’97),

Aug. 1997.

[14] A. Perrig, R. Canetti, J.D. Tygar, and D. Song, “Efficient

Authentication and Signing of Multicast Streams over Lossy

Channels,” Proc. IEEE Symp. Security and Privacy (SP ’00), pp. 56-

75, May 2000.

[15] Y. Challal, H. Bettahar, and A. Bouabdallah, “A

2

Cast: An

Adaptive Source Authentication Protocol for Multicast Streams,”

Proc. Ninth Int’l Symp. Computers and Comm. (ISCC ’04), vol. 1,

pp. 363-368, June 2004.

[16] S. Miner and J. Staddon, “Graph-Based Authentication of Digital

Streams,” Proc. IEEE Symp. Security and Privacy (SP ’01), pp. 232-

246, May 2001.

[17] Z. Zhang, Q. Sun, W-C Wong, J. Apostolopoulos, and S. Wee, “A

Content-Aware Stream Authentication Scheme Optimized for

Distortion and Overhead,” Proc. IEEE Int’l Conf. Multimedia and

Expo (ICME ’06), pp. 541-544, July 2006.

[18] P. Golle and N. Modadugu, “Authenticating Streamed Data in the

Presence of Random Packet Loss,” Proc. Eighth Ann. Network and

Distributed System Security Symp. (NDSS ’01), Feb. 2001.

[19] Z. Zhang, Q. Sun, and W-C Wong, “A Proposal of Butterfly-

Graphy Based Stream Authentication over Lossy Networks,” Proc.

IEEE Int’l Conf. Multimedia and Expo (ICME ’05), July 2005.

[20] S. Ueda, N. Kawaguchi, H. Shigeno, and K. Okada, “Stream

Authentication Scheme for the Use over the IP Telephony,” Proc.

18th Int’l Conf. Advanced Information Networking and Application

(AINA ’04), vol. 2, pp. 164-169, Mar. 2004.

[21] D. Song, D. Zuckerman, and J.D. Tygar, “Expander Graphs for

Digital Stream Authentication and Robust Overlay Networks,”

Proc. 2002 IEEE Symp. Security and Privacy (S&P ’02), May 2002.

[22] J.M. Park, E.K.P. Chong, and H.J. Siegel, “Efficient Multicast

Packet Authentication Using Signature Amortization,” Proc. IEEE

Symp. Security and Privacy (SP ’02), pp. 227-240, May 2002.

[23] J.M. Park, E.K.P. Chong, and H.J. Siegel, “Efficient Multicast

Stream Authentication Using Erasure Codes,” ACM Trans.

Information and System Security, vol. 6, no. 2, pp. 258-285, May 2003.

[24] A. Pannetrat and R. Molva, “Authenticating Real Time Packet

Streams and Multicasts,” Proc. Seventh IEEE Int’l Symp. Computers

and Comm. (ISCC ’02), pp. 490-495, July 2002.

[25] A. Pannetrat and R. Molva, “Efficient Multicast Packet Authenti-

cation,” Proc. 10th Ann. Network and Distributed System Security

Symp. (NDSS ’03), Feb. 2003.

[26] Y. Wu and T. Li, “Video Stream Authentication in Lossy

Networks,” Proc. IEEE Wireless Comm. and Networking Conf.

(WCNC ’06), vol. 4, pp. 2150-2155, Apr. 2006.

[27] Y. Lin, S. Shieh, and W. Lin, “Lightweight, Pollution-Attack

Resistant Multicast Authentication Scheme,” Proc. ACM Symp.

Information, Computer, and Comm. Security (ASIACCS ’06), Mar.

2006.

[28] J. Jeong, Y. Park, and Y. Cho, “Efficient DoS Resistant Multicast

Authentication Schemes,” Proc. Int’l Conf. Computational Science

and Its Applications (ICCSA ’05), May 2005.

[29] S. Choi, “Denial-of-Service Resistant Multicast Authentication

Protocol with Prediction Hashing and One-Way Key Chain,” Proc.

Seventh IEEE Int’l Symp. Multimedia (ISM ’05), Dec. 2005.

[30] C. Karlof, N. Sastry, Y. Li, A. Perrig, and J.D. Tygar, “Distillation

Codes and Applications to DoS Resistant Multicast Authentica-

tion,” Proc. 11th Ann. Network and Distributed System Security Symp.

(NDSS ’04), Feb. 2004.

992 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 9, NO. 7, JULY 2010

TABLE 5

Communication Overhead of Signature Schemes

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

[31] C.A. Gunter, S. Khanna, K. Tan, and S. Venkatesh, “DoS

Protection for Reliably Authenticated Broadcast,” Proc. 11th Ann.

Network and Distributed System Security Symp. (NDSS ’04), Feb.

2004.

[32] A. Lysyanskaya, R. Tamassia, and N. Triandopoulos, “Multicast

Authentication in Fully Adversarial Networks,” Proc. IEEE Symp.

Security and Privacy (SP ’04), May 2004.

[33] R.L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining

Digital Signatures and Public-Key Cryptosystems,” Comm. ACM,

vol. 21, no. 2, pp. 120-126, Feb. 1978.

[34] L. Harn, “Batch Verifying Multiple RSA Digital Signatures,” IEE

Electronic Letters, vol. 34, no. 12, pp. 1219-1220, June 1998.

[35] M. Bellare, J.A. Garay, and T. Rabin, “Fast Batch Verification for

Modular Exponentiation and Digital Signatures,” Proc. Advances in

Cryptology (EUROCRYPT ’98), pp. 236-250, May 1998.

[36] D. Boneh, B. Lynn, and H. Shacham, “Short Signatures from the

Weil Pairing,” Proc. Seventh Int’l Conf. Theory and Application of

Cryptology and Information Security Advances in Cryptology

(ASIACRYPT ’01), pp. 514-532, Dec. 2001.

[37] S. Cui, P. Duan, and C.W. Chan, “An Efficient Identity-Based

Signature Scheme with Batch Verifications,” Proc. First Int’l Conf.

Scalable Information Systems, 2006.

[38] FIPS PUB 186, Digital Signature Standard (DSS), May 1994.

[39] T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme

Based on Discrete Logarithms,” IEEE Trans. Information Theory,

vol. IT-31, no. 4, pp. 469-472, July 1985.

[40] D. Naccache, D. M’Raihi, S. Vaudenay, and D. Raphaeli, “Can

D.S.A. be Improved? Complexity Trade Offs with the Digital

Signature Standard,” Proc. Workshop Theory and Application of

Cryptographic Techniques Advances in Cryptology (EUROCRYPT ’94),

pp. 77-85, May 1995.

[41] C.H. Lim and P.J. Lee, “Security of Interactive DSA Batch

Verification,” IEE Electronic Letters, vol. 30, no. 19, pp. 1592-1593,

Sept. 1994.

[42] L. Harn, “DSA-Type Secure Interactive Batch Verification Proto-

cols,” IEE Electronic Letters, vol. 31, no. 4, pp. 257-258, Feb. 1995.

[43] L. Harn, “Batch Verifying Multiple DSA-Type Digital Signatures,”

IEE Electronic Letters, vol. 34, no. 9, pp. 870-871, Apr. 1998.

[44] C. Boyd and C. Pavlovski, “Attacking and Repairing Batch

Verification Schemes,” Proc. Sixth Int’l Conf. Theory and Application

of Cryptology and Information Security Advances in Cryptology

(ASIANCRYPT ’00), pp. 58-71, Dec. 2000.

[45] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-Receiver/Multi-

Sender Network Security: Efficient Authenticated Multicast/

Feedback,” Proc. IEEE INFOCOM, vol. 3, pp. 2045-2054, May 1992.

[46] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B.

Pinkas, “Multicast Security: A Taxonomy and Some Efficient

Constructions,” Proc. IEEE INFOCOM, vol. 2, pp. 708-716, Mar.

1999.

[47] L. Lamport, “Password Authentication with Insecure Commu-

nication,” Comm. ACM, vol. 24, no. 11, pp. 770-772, Nov. 1981.

[48] N.M. Haller, “The S/Key One-Time Password System,” Proc.

ISOC Symp. Network and Distributed Security, Feb. 1994.

[49] F. Bergadano, D. Cavagnino, and B. Crispo, “Individual Single-

Source Authentication on The Mbone,” Proc. IEEE Int’l Conf.

Multimedia and Expo (ICME ’00), vol. 1, pp. 541-544, July 2000.

[50] A. Perrig, R. Canetti, D. Song, and J. Tygar, “Efficient and Secure

Source Authentication for Multicast,” Proc. Network and Distributed

System Security Symp. (NDSS ’01), 2001.

[51] A. Perrig, “The BiBa One-Time Signature and Broadcast Authen-

tication Protocol,” Proc. Eighth ACM Conf. Computer and Comm.

Security (CCS ’01), pp. 28-37, Nov. 2001.

[52] Q. Li and W. Trappe, “Reducing Delay and Enhancing DoS

Resistance in Multicast Authentication through Multigrade

Security,” IEEE Trans. Info. Forensics and Security, vol. 1, no. 2,

pp. 190-204, June 2006.

[53] S. Xu and R. Sandhu, “Authenticated Multicast Immune to Denial-

of-Service Attack,” Proc. ACM Symp. Applied Computing (SAC ’02),

2002.

[54] S. Rafaeli and D. Hutchison, “A Survey of Key Management for

Secure Group Communication,” ACM Computing Surveys, vol. 35,

no. 3, pp. 309-329, Sept. 2003.

[55] N. Koblitz, “Elliptic Curve Cryptosystems,” Math. Computation,

vol. 48, pp. 203-209, 1987.

[56] V. Miller, “Uses of Elliptic Curves in Cryptography,” Proc. Int’l

Cryptology Conf. (CRYPTO ’85), pp. 417-426, 1986.

[57] R. Merkle, “Protocols for Public Key Cryptosystems,” Proc. IEEE

Symp. Security and Privacy, Apr. 1980.

[58] R. Rivest, “The MD5 Message-Digest Algorithm,” RFC 1319, Apr.

1992.

[59] D. Eastlake and P. Jones, “US Secure Hash Algorithm 1 (SHA1),”

RFC 3174, Sept. 2001.

[60] P. Barreto, H. Kim, B. Lynn, and M. Scott, “Efficient Algorithms

for Pairing-Based Cryptosystems,” Proc. Int’l Cryptology Conf.

(CRYPTO ’02), 2002.

Yun Zhou received the BE degree in electronic

information engineering and the ME degree in

communication and information system from the

Department of Electronic Engineering and In-

formation Science, University of Science and

Technology, Hefei, China, in 2000 and 2003,

respectively, and the PhD degree from the

Department of Electrical and Computer Engi-

neering, University of Florida, Gainesville, in

2007. He is currently with Microsoft Corporation.

His research interests include security, cryptography, wireless commu-

nications and networking, signal processing, and operating systems.

Xiaoyan Zhu received the BE, ME, and PhD

degrees from the School of Telecommunications

Engineering at Xidian University, Xi’an, China, in

2000, 2004, and 2009, respectively. She is now

a visiting research scholar in the Department of

Electrical and Computer Engineering at the

University Florida, Gainesville, on leave from

the School of Telecommunications Engineering,

Xidian University, Xi’an, China, where she is a

lecturer. Her research interests include wireless

networks, network security, and network coding.

Yuguang Fang received the PhD degree in

systems engineering from Case Western Re-

serve University in 1994 and the PhD degree in

electrical engineering from Boston University in

1997. He was an assistant professor in the

Department of Electrical andComputer Engineer-

ingat theNewJersey Instituteof Technology from

1998 to 2000. He then joined the Department of

Electrical and Computer Engineering at Univer-

sity of Florida in 2000 as an assistant professor,

got an early promotion to an associate professor with tenure in 2003, and

to a full professor in 2005. He holds a University of Florida Research

Foundation (UFRF) Professorship from 2006 to 2009, a Changjiang

scholar chair professorshipwith XidianUniversity, Xi’an, China, from2008

to 2011, and a guest chair professorship with Tsinghua University, China,

from 2009 to 2012. He has published more than 250 papers in refereed

professional journals and conferences. He received the US National

Science Foundation Faculty Early Career Award in 2001 and the US

Office of Naval Research Young Investigator Award in 2002, and is the

recipient of the Best Paper Award fromthe IEEEInternational Conference

on Network Protocols (ICNP) in 2006 and the IEEE TCGN Best Paper

Award from the IEEE High-Speed Networks Symposium, IEEE GLOBE-

COM, in 2002. He is also active in professional activities. He is currently

serving as the editor-in-chief for IEEE Wireless Communications and

serves/served on several editorial boards of technical journals including

the IEEE Transactions on Communications, the IEEE Transactions on

Wireless Communications, IEEE Wireless Communications Magazine,

and ACMWireless Networks. He was an editor for the IEEE Transactions

on Mobile Computing and currently serves on its steering committee. He

has been actively participating in professional conference organizations

such as serving as the steering committee cochair for QShine (2004-

2008), the technical program vice-chair for IEEE INFOCOM 2005, a

technical program symposium cochair for IEEE GLOBECOM 2004, an

areatechnical programcommittee chair for IEEEINFOCOM(2009-2010),

and a member of the technical program committee for IEEE INFOCOM

(1998, 2000, 2003-2008) andACMMobiHoc (2008-2009). Heis afellowof

the IEEE and the IEEE Computer Society and a member of the ACM.

ZHOU ET AL.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 993

Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Downloaded on May 31,2010 at 01:51:59 UTC from IEEE Xplore. Restrictions apply.

[16]. [12]. [25]. schemes in [8]. We propose two new batch signature schemes based on BLS [36] and DSA [38] and show they are more efficient than the batch RSA [33] signature scheme. 3. [17]. [19]. leading to DoS. In the literature. [28]. Graph chaining was studied in [12]. The rest of the paper is organized as follows: We briefly review related work in Section 2. origin authentication. [24]. [23]. [11]. [17]. [20]. 2. [16]. [17]. [19]. [30]. [13]. [26].2010 at 01:51:59 UTC from IEEE Xplore. in which each path links a packet to the block signature. [13]. MABS provides data integrity. . BLS [36]. the DoS attack is not common. if a block signature is lost. [20]. [26] target at lossy channels. In this paper. Moreover. Tree chaining was proposed in [10]. previous schemes [8]. which are realistic in our daily life since the Internet and wireless networks suffer from packet loss. [24]. MABS-B is efficient in terms of less latency. [23]. [9] or amortize one signature over a block of packets [10]. [21].: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 983 schemes. [24]. Another major problem is that most schemes [12]. [22]. [21]. [31]. its overhead is still at the same level as previous schemes. [18]. In order to reduce computation overhead. [15]. an active attacker can inject forged packets to consume receivers’ resource. MABS includes two schemes. [37]. [18]. [25]. and nonrepudiation as previous asymmetric key based protocols. [22]. [24].ZHOU ET AL. we present a basic scheme for lossy channels in Section 3. [11]. [26]. Another problem with schemes in [8]. [19]. [18]. [20]. each receiver needs to perform one more verification on its one-time or k-time signature plus one ordinary signature verification. conventional schemes use efficient signature algorithms [8]. Erasure codes were used in [22]. [10]. They are suitable for RSA [33]. [12]. The basic scheme (called MABS-B hereafter) utilizes an efficient asymmetric cryptographic primitive called batch signature [33]. [10]. [21]. computation. The enhanced scheme (called MABS-E hereafter) combines MABS-B with packet filtering to alleviate the DoS impact in hostile environments. [25]. [20]. Each packet carries the signed root and multiple hashes. [34]. [19]. the entire block cannot be authenticated. [23]. [17]. [18]. and DSA. [42]. [9]. [14]. [41]. When each receiver receives one packet in the block. [43]. In particular. [14]. [21]. [19]. [16]. [29]. [18]. [22]. [25]. respectively [38]. but reduce the computation overhead at the sender by using one-time signatures [8] or k-time signatures [9]. All these schemes [10]. we demonstrated that batch signature schemes can be used to improve the performance of broadcast authentication [5]. In addition. [15]. [24]. [17]. [16]. [15]. each packet is independently verifiable at a cost of per-packet signature verification. [18]. [15]. [9]. they still have the packet loss problem because they are based on the same approach as previous schemes [10]. A multicast stream is divided into blocks and each block is associated with a signature. the ideal approach of signing and verifying each packet independently raises a serious challenge to resource-constrained devices. [22]. [13]. [12]. 1. [17].000 bytes). Each receiver verifies the block signature and authenticates all the packets through the paths in the graph. [25]. Downloaded on May 31. [11]. [21]. other packets may not be authenticated. [26] at the expense of increased communication overhead [8]. [14]. [9] follow the ideal approach of signing and verifying each packet individually. [24]. it uses the authentication information in the packet to authenticate it. the hash of each packet is embedded into several other packets in a deterministic or probabilistic way. however. An enhanced scheme is discussed in Section 4. we present our comprehensive study on this approach and propose a novel multicast authentication protocol called MABS (in short for Multicast Authentication based on Batch Signature). [21]. Without the buffered authentication information. [22]. After performance evaluation in Section 5. Restrictions apply. Recently. Erasure codes make each receiver be capable of recovering the block signature when receiving at least a certain number of pieces. [20]. [19]. Moreover. and communication overhead. [18]. [11]. [14]. [25]. [23]. As is well known that existing digital signature algorithms are computationally expensive. [26]. [11] or vulnerability to packet loss [12]. we make the following contributions: Our MABS can achieve perfect resilience to packet loss in lossy channels in the sense that no matter how many packets are lost the already-received packets can still be authenticated by receivers. The hashes form a graph. [13]. [11]. [14]. [25]. the paper is concluded in Section 6. [23]. [26] are indeed computationally efficient since each receiver needs to verify only one signature for a block of packets. [17]. [11] by constructing a tree for a block of packets. However. Though MABS-E is less efficient than MABS-B since it includes the DoS defense. [39]. [16]. [14]. [23]. [23]. [36]. In each block. [13]. [15]. [21] Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [19]. In particular. [35]. If too many packets are lost. A signature is generated for the concatenation of the hashes of all the packets in one block and then is erasure-coded into many pieces. [44]. [15]. [26] is that they are vulnerable to packet injection by malicious attackers. [16]. which is expensive on signing while cheap on verifying. [16]. however. [10]. which also includes three batch signature schemes based on RSA [33]. [38]. [6]. [14]. [13]. [20]. [20]. Then. they all increase packet overhead for hashes or erasure codes and the block design introduces latency when buffering many packets. [23]. [25]. [18]. [10]. [11]. [24]. Compared with the efficiency requirement and packet loss problems. [40]. [22]. [13]. but it is still important in hostile environments. [22]. For each packet. [16]. [32] attempt to provide the DoS resilience. [19]. the length of one-time signature is too long (on the order of 1. [13]. to address the efficiency and packet loss problems in general environments. [26] are vulnerable to packet loss even though they are designed to tolerate a certain level of packet loss. [9]. [17]. [21]. leading to Denial of Service (DoS). [14]. In a hostile environment. However. some schemes [27]. [20]. [15]. [24]. The buffered authentication information is further used to authenticate other packets in the same block. [12]. The root of the tree is signed by the sender. 2 RELATED WORK Schemes in [8]. which supports the authentication of any number of packets simultaneously with one signature verification. [15]. [9]. [12]. An attacker may compromise a multicast system by intentionally injecting forged packets to consume receivers’ resource.

[48]. [12]. [38]. but they still have the packet loss problem. They do reduce the computation cost. PRABS [30] uses distillation codes to deal with DoS. In view of the problems regarding the sender-favored block-based approach. [24]. [25]. .984 IEEE TRANSACTIONS ON MOBILE COMPUTING. the correlation among packets can incur additional latency. it is possible that the packets buffered at the low layer authentication module are not verifiable because the correlated packets. In the block design. [50]. [22]. As receiving devices have different computation and communication capabilities. and n can be any positive integer. [23]. which is inherent in the Internet and wireless networks. or return with a no-available-packets exception. [14]. which is very time-consuming. we conceive a receiver-oriented approach by taking into account the heterogeneity of the receivers. i g. the per-packet signature design has been criticized for its high computation cost. [32] incorporate a block-based design as shown in Section 2. In this paper. [29]. NO. where mi is the data payload. [15]. schemes in [27]. [24]. . [25]. since each packet can be independently verifiable at any time. . the heterogeneity of receivers means that the buffer resource at each receiver is different and can vary over the time depending on the overall load at the receiver. [13]. and otherwise not. [35]. the BatchVerifyðÞ algorithm should satisfy the following properties: Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. [28]. we focus on the signature approach. [18]. and schemes in [22]. In this paper. [44]. [19]. In the per-packet signature design it is not a problem. . . which could be interpreted as that the buffered packets are “lost. they cannot provide nonrepudiation as the signature approach. have not been received. the required block size. [30]. Each receiver is a less powerful device with resource constraints and may be managed by a nontrustworthy person. [49]. . Ideally. is different from the buffering latency. Restrictions apply. the basic scheme MABS-B uses an efficient cryptographic primitive called batch signature [33]. [21]. The sender signs each packet with a signature and transmits it to multiple receivers through a multicast routing protocol. when a receiver collects n packets: pi ¼ fmi . These three schemes [30]. [29]. Consider the high layer application needs new data from the low layer authentication module in order to render a smooth video stream to the client user. . JULY 2010 are vulnerable to forged signature attacks because they require each receiver to verify each signature whereby to authenticate data packets. Third. Some other schemes [45]. It is desirable that the lower layer authentication module delivers authenticated packets to the high layer application at the time when the high layer application needs new data. especially the block signatures. [29] are still vulnerable to DoS because they require that one-way hash chains are signed and transmitted to each receiver and therefore an attacker can inject forged signatures for oneway hash chains. In the block design. [39]. F alseg: If the output is T rue. [23]. Therefore. these schemes [27]. i is the corresponding signature. The reason is that error correction codes tolerate error packets. . Also. i ¼ 1. [52]. which supports simultaneously verifying the signatures of any number of packets. authenticating a multicast stream can be achieved by signing and verifying each packet. [32] are resilient to DoS. 7. the receiver knows the n packets are authentic. [25]. while the others could be cheap handsets with limited buffers and low-end CPUs. n. [29] combine erasure codes with one-way hash chains to detect forged packets. valid packets and forged packets are partitioned into disjoint sets and erasure decoding is performed over each set. [28]. PARM [27] is similar to the tree chaining scheme [10].” This latency. which leads to additional latency. most previous schemes [10]. which is chosen by the sender. which is required for the low layer authentication protocol to buffer received packets. we focus on multicast authentication. [11]. . [26]. it can be achieved through group key management [54]. Downloaded on May 31. [23]. which is incurred at the high layer when the high layer application waits for the buffered packets to become verifiable. 3 BASIC SCHEME Our target is to authenticate multicast streams from a sender to multiple receivers. p2 . [27]. In order to deal with DoS. but also introduce new problems. this heterogeneity poses a demand on the capability of adjusting the buffer size and authenticating buffered packets any time when the high layer application requires at each receiver. [47]. Schemes in [28]. pn Þ 2 fT rue. Received packets may not be authenticated because some correlated packets are lost. In order to fulfill the requirement. [41]. 9. [28]. [42]. [26] suffer from packet injection because each receiver has to distinguish a certain number of valid packets from a pool of a large number of packets including injected ones. may not be satisfied by each receiver. [51]. [53] use shared symmetric keys between the sender and receivers to authenticate multicast streams. LTT [32] uses error correction codes to replace erasure codes in schemes [22]. BAS [31] simply retransmits each signature multiple times to tolerate packet loss and uses selective verification to tolerate injected forged signatures. the high layer application has to either wait. [43]. Though they are more efficient than those using signatures. Mixed with various channel loss rates. [31]. however. Unfortunately. and therefore. Though confidentiality is another important issue for securing multicast. and they require either time synchronization or trustful infrastructures. [30].2010 at 01:51:59 UTC from IEEE Xplore. [20]. [26]. VOL. [37]. [24]. it can input them into an algorithm BatchVerifyðp1 . However. [40]. [34]. [36]. [17]. the sender is a powerful multicast server managed by a central authority and can be trustful. To support authenticity and efficiency. [11] in the sense that multiple oneway hash chains are used as shared keys between the sender and receivers. some could be powerful desktop computers. In particular. [32] were proposed. In particular. [31]. The block design builds up correlation among packets and makes them vulnerable to packet loss. [46]. [16]. [31]. Each receiver needs to assure that the received packets are really from the sender (authenticity) and the sender cannot deny the signing operation (nonrepudiation) by verifying the corresponding signatures. Generally.

[26]. [18]. [13]. The other curve in Fig. and then calculates two exponents e. which are more efficient than batch RSA. The packet independency also brings other benefits in terms of smaller latency and communication overhead compared with previous schemes [10]. The sender sends fm.ZHOU ET AL. the receiver can first calculate hi ¼ hðmi Þ and then perform the following verification: !e n n Y Y i mod N ¼ hi mod N: ð1Þ i¼1 i¼1 If all n packets are truly from the sender. those additional computations are mostly modular additions and multiplications. then the final batch verification has 1. We must point out and will show later that MABS is independent from these signature algorithms. i g. [31]. . [31]. [30]. the same cost of single signature verification. [25]. and recorded the results for two scenarios. 3. it is not the case in reality. no matter how large the batch size is. We can see that the time cost of general batch verification (without signature aggregation) is still less than that of two single signature verifications when batch size grows up to about 270. such as random loss or burst loss. This independency brings the freedom to optimize MABS for a particular physical system or platform as much as possible. we present three implementations. the probability that BatchVerifyðÞ outputs T rue is very low. [19]. NÞ as its public key and keeps d in secret as its private key. Downloaded on May 31. [14]. [22]. the batch verification of RSA [34]. [13]. Given n packets fmi . which are much faster than modular exponentiations required in final signature verifications. MABS-B uses per-packet signature instead of per-block signature and thus eliminates the correlation among packets.1 RSA RSA [33] is a very popular cryptographic algorithm in many security protocols. Meanwhile. [29].1. [15]. However. g to a receiver that can verify the authenticity of the message m by checking e ¼ hðmÞ mod N. 2. Next. the alreadyreceived packets can still be authenticated by each receiver. we propose two new batch signature schemes based on BLS [36] and DSA [38]. [24]. [16]. [32]. [22]. [17]. . [29]. The packet independency makes MABS-B perfect resilient to packet loss. where hðÞ is a collision-resistant hash function. 3. [14]. As we will show later. where packets can be lost according to different loss models. which can optimize its own batch size. we will show later that in the implementation of batch signature a technique called signature preaggregation can be used so that the additional processing of multiple packets is shifted from the time of final batch verification to the time of each packet reception and thus the cost of final batch signature verification is exactly the same as that of original signature verification. and there is no additional hash or code overhead in each packet. [24]. so that the batch size will not be unmanageably large. . In particular. which validates the third property of batch signature. . This is a significant advantage over previous schemes [10]. [12]. A signature of a message m can be generated as ¼ ðhðmÞÞd mod N. no matter how many packets are lost.2 Batch RSA To accelerate the authentication of multiple signatures. [28]. The Internet and wireless channels tend to be lossy due to congestion or channel instability. [26]. [20]. i ¼ 1. [11]. [21]. [11]. The computation complexity of BatchVerifyðÞ is comparable to that of verifying one signature and is increased only gradually when the batch size n is increased. In addition to the one based on RSA [33]. 1. d 2 Z Ã such that ZN ed ¼ 1 mod ðNÞ. [30]. [16]. 1 shows that if the signature preaggregation is used. n. [23]. In order to show the merit of signature preaggregation. a sender chooses two large random primes P and Q to get N ¼ P Q. [27]. [18]. a concern comes when the cost grows higher than the final signature verification if the batch size is too large. [17]. [19]. BatchVerifyðÞ outputs T rue. 1. where ðNÞ ¼ ðP À 1ÞðQ À 1Þ. 3. Given a batch of packets including some unauthentic packets. Restrictions apply. [20]. Given a batch of packets that have been signed by the sender. The computation complexity of BatchVerifyðÞ comes with the fact that there are some additional cost on processing multiple packets. Normalized time cost of Batch-BLS signature verification. however.1 Batch RSA Signature 3. Most important. The merit of batch signature is that the batch size is chosen by each receiver. . Theoretically. efficiency can also be achieved because a batch of packets can be authenticated simultaneously through one batch signature verification operation. the equation holds because Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. In MABS-B. [28].: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 985 Fig. where mi is the data payload. each receiver can verify the authenticity of all the received packets in its buffer whenever the high layer applications require. with and without signature preaggregation.2010 at 01:51:59 UTC from IEEE Xplore. [27].000. [21]. [35] can be used.1. we implemented batch signature by using our Batch-BLS (will be discussed later) as an example. [12]. In order to use RSA. The result is shown in Fig. The sender publishes ðe. [25]. We measured the normalized time cost of batch signature verification with the batch size growing from 1 to 1. [32]. i is the corresponding signature and n is any positive integer. [23]. [15].

gp ¼ 1 2 G1 .986 n Y i¼1 IEEE TRANSACTIONS ON MOBILE COMPUTING. the sender first computes h ¼ hðmÞ 2 G1 . g1 Þ ¼ eð.2. 7. the public key e is usually small (e ¼ 3 for instance) while the private key d is large. a sender chooses a Z random integer x 2 Z p and computes y ¼ g1 x 2 G1 . In some circumstances. where hðÞ is a hash function. Z. Bilinear: For all u. It has been shown in [36] that an n-bit BLS signature can provide a security level equivalent to solving a Discrete Log Problem (DLP) [39] over a finite field of size approximately 26n . i g. Next. 2. The signature of m is . then ! n n Y Y hi . If the sender is a powerful server. an attacker may not forge signatures but manipulate authentic packets to produce invalid signatures. i g and fmj . the receiver must ensure all the messages are distinct. which can be defined as a map over two cyclic groups G1 and G2 . Q i¼1 B computes n ¼ V = nÀ1 i as the signature for i¼1 mn . This poses a challenge to the computation capability of the sender because the sender needs to sign each packet. h i ¼ 1. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. y ¼ eðhi . another attacker B can break BLS under the chosen message attack by colluding with A. i ¼ 1. B can forge a signature n for any chosen message mn . which means the message mi and mj have been correctly signed by the sender.2 Batch BLS Based on BLS. n and then checking whether eð n hi . . n g satisfies the BLS signature scheme. g1 Þ. 9. Therefore. Proof. yÞ ¼ eðh. . For example. Suppose an attacker A can break the batch BLS by forging signatures. 2. given two packets fmi . by colluding with A in the following steps: 1. n and n À 1 signatures i . i g and fmj . . Otherwise batch RSA is vulnerable to the forgery attack [35]. . . vb Þ ¼ eðu. which can reduce the computation complexity at the sender. e : G1 Â G1 ! G2 . If the sender does not have enough resource. 3. g1 ¼ i¼1 n Y i¼1 ð4Þ ! i . the receiver first computes h ¼ hðmÞ 2 G1 and then check whether eðh.1 BLS The BLS signature scheme uses a cryptographic primitive called pairing. 3. NO. Restrictions apply. i g. Theorem 1. . One merit of the BLS signature is that it can generate a very short signature. This is because if all the messages are i¼1 authentic. Suppose B is given n À 1 messages and their valid signatures fmi . . n that pass the batch BLS verification.2 Batch BLS Signature Here. B sends n messages mi . Then. then computes ¼ hx 2 G1 .yÞ ¼ eð. such that fmn . VOL. j g for i 6¼ j. 3. dg with comparable sizes can achieve a certain level of trade-off between computation efficiency and security at the sender part. i ¼ 1. . j =g. j g.024-bit DLP-based signature scheme such as DSA [38]. . . i ¼ 1. v 2 G1 and a.1. we propose two efficient batch signature schemes based on BLS [36] and DSA [38]. we have 1 eðg1 . a 171-bit BLS signature provides the same level of security as a 1. i ¼ 1. Given a message m 2 f0. g1 x Þ e i¼1 i¼1 n Y À Á e hi x . i g and fmj . This is a very nice choice in the scenario where communication overhead is an important issue. this attack is of no harm to the receiver [35]. n.2010 at 01:51:59 UTC from IEEE Xplore. . Therefore. If the verification succeeds. . g1 x Þ ¼ eðhx . This is easy to implement because sequence numbers are widely used in many network protocols and can ensure all the messages are distinct. n À 1. Downloaded on May 31. the attacker can do this only when it gets fmi . Nondegenerate: For the generator g1 of G1 . The private key is x and the public key is y. It has been proved in [35] that when all the messages are distinct. the receiver can verify the batch of BLS signatures by first computingQ i ¼ hðmi Þ. Choosing a small private key d can improve the computation efficiency but compromise the security. g1 : ¼e We can prove that our batch BLS is secure to signature forgery as long as BLS is secure to signature forgery.g1Þ. However. vÞab . batch RSA is resistant to signature forgery as long as the underlying RSA algorithm is secure. g1 Þ: ð3Þ hi mod N: Before the batch verification. . then the message m is authentic because 1. 3. where p is the order of G1 . we propose a batch signature scheme based on the BLS signature in [36].2. then signing each packet can be affordable in this scenario. eðh. . . . we propose our batch BLS scheme here. .. then returns to B a Q value V ¼ n i 0 . . satisfying the following properties: 1. the RSA signature verification is efficient while the signature generation is expensive. . . . A generates n false signatures i 0 . Given n packets fmi .3 Requirements to the Sender In most RSA implementations. yÞ ¼ i¼1 Q eð n i . . but the signature of each packet is not correct (that is why batch RSA verification is called screening in [35]). JULY 2010 !e i mod N ¼ ¼ ¼ n Y i¼1 n Y i¼1 n Y i¼1 e mod N i hed i mod N ð2Þ The BLS signature scheme consists of three phases: In the key generation phase. . 1gÃ in the signing phase. i ¼ 1. In the verification phase. 2. 3. g1 Þ 6¼ 1 2 G2 . Therefore. b 2 Z we have eðua . . The modified packets can still pass the batch verification.e. Because A can break the batch BLS scheme. the attacker can modify them into fmi . n À 1 to A. . because 3. a pair of fe. i.

the private key of the signer. i ¼ 1. a 160-bit prime divisor of p À 1.3 The Boyd-Pavlovski Attack Boyd and Pavlovski [44] pointed out an attack against the Harn batch DSA scheme [43]. n are forged messages satisfying the batch verification is 1 [44]. . Restrictions apply. . ðri . Here. a prime longer than 512 bits. A batch DSA signature scheme was proposed in [40]. an attacker may not forge signatures but manipulate authentic packets to produce invalid signatures.2 Harn Batch DSA Given n packets fmi . j g for i 6¼ j can be replaced with fmi . y eðhn . our batch BLS scheme is also secure to forgery under the chosen message attack. gq ¼ 1 mod p. then Pn Pn À1 À1 mod p mod q g i¼1 si ri y i¼1 hi ri Pn À1 ¼ g i¼1 ðsi þhi xÞri mod p mod q Pn ð8Þ ¼ g i¼1 ki mod p mod q ¼ n Y i¼1 ri mod q: 3. a hash function generating an output in Z Ã . For instance. i g and fmj .3 Requirements to the Sender In our batch BLS.3. some system parameters are defined as: 1. computing h ¼ hðmÞ. . i ¼ 1. p. . if the batch of packets is authentic. the public key of the signer. 3.4 Our Batch DSA In order to counteract the Boyd-Pavlovski attack. n À 2. the signing operation is more efficient than the RSA signature generation. The signature for m is ðr. randomly selecting an integer k with 0 < k < q. hðÞ. g1 Þ ! ¼e ! n Y i¼1 nÀ1 Y i¼1 ! i . yÞ ¼ e ) eðhn . 2 3. 2.3 Batch DSA Signature DSA [38] is another popular digital signature algorithm. we can expect that our batch BLS is more affordable by the sender than batch RSA and also achieve computation efficiency at the receiver. Zp 4. This is because.2010 at 01:51:59 UTC from IEEE Xplore. BLS can be implemented over elliptic curves [55]. . . two packets fmi . Because BLS can provide a security level equivalent to conventional RSA and DSA with much shorter signature [36]. but later was found insecure [41]. y nÀ1 Y i¼1 hi .ZHOU ET AL. n. i ¼ 1. 3. ri . 3. 2. the sender needs to sign each packet. . Unlike RSA. Compute rnÀ1 and rn to ensure that n Y i¼1 n X i¼1 ri mod q ¼ A mod q ð9Þ ð10Þ hi ri À1 mod q ¼ C mod q: 4. . 2. the signer generates a signature by: 1. i ¼ 1. Zq Given a message m. q.. 3. Randomly choose si . randomly choose ri . .3. .e. y. g1 Þ ð5Þ The receiver can verify the signature by first computing h ¼ hðmÞ and then checking whether ððgsr yhr Þ mod pÞ mod q ¼ r: This is because if the packet is authentic. computing s ¼ rk À hx mod q. 3.2.3. . which have been shown in the literature to be more efficient than finite integer fields on which RSA is implemented. . 0 < x < q. g1 ! i . Also like batch RSA. our batch DSA makes an improvement to the Harn DSA algorithm. it does not affect the correctness and the authenticity of mi and mj because they have been correctly signed by the sender.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE n Y i¼1 987 ! hi . which is based on the hardness of factoring two large primes. then ððgsr yhr Þ mod pÞ mod q ¼ ððgðsþhxÞr Þ mod pÞ mod q u t ¼ ðgk mod pÞ mod q ¼ r: À1 À1 À1 À1 À1 )e )e hi . where an attacker can forge signatures for any chosen message set that has not been signed by the sender. a generator of Z Ã with order q. However. g1 eðn . Therefore. y ¼ gx mod p. DSA is deemed secure based on the difficulty of solving DLP [39]. computing r ¼ ðgk mod pÞ mod q. g. y n Y i¼1 e ¼ eðV . Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. calculate A ¼ ðgB yC mod pÞ mod q. . j =g and still pass the batch verification. Unfortunately. the receiver can verify the batch of signatures by first computing hi ¼ hðmi Þ and then checking whether n Pn Pn Y À1 À1 ri mod q : ð7Þ g i¼1 si ri y i¼1 hi ri mod p mod q ¼ i¼1 3. Harn improved the security of [40] in [42]. n À 1 and compute sn to ensure that n X i¼1 si ri À1 mod q ¼ B mod q: ð11Þ The probability that fmi .3. n. sÞ. si g. Boyd and Pavlovski pointed out in [44] that Harn’s work is still vulnerable to malicious attacks. . . For any message set mi . si Þg. i ¼ 1. . x. 5. i g and fmj . Choose B and C. g1 Þ : ð6Þ Since BLS is forgery-secure under the chosen message attack [36]. [56]. Moreover. . i. . Downloaded on May 31. 3. 6. [43]. yÞ ¼ eðn . . . and 4. The process is: 1. we propose a batch DSA scheme based on Harn’s work and counteract the attack described in [44]. .1 Harn DSA In Harn DSA [43].

The attacker can keep ri unchanged. . The sender constructs a binary tree for eight packets. s. the sender can generate many r values offline. All the other steps are the same as those in Harn’s scheme. which is unique to the packet and cannot be spoofed. mÞ. Therefore. 2. which can still pass the batch verification. Constructing a Merkle tree is very efficient because only hash operations are performed. and this divide-and-conquer approach can be recursively carried out for each smaller batch.3. If not. this attack does not affect the correctness and authenticity of messages because they have been really signed by the sender [44]. the one-way property of hash operation ensures that given the root of a Merkle tree it is infeasible to find a packet. Each internal node is the hash value on the concatenation of its left and right children. Preaggregation of Message Hashes and Signatures If we take a closer look at batch-RSA and batch-BLS. 7. the aggregations Q message hashes and of P P signatures f n si ri À1 . the set of packets is authentic.988 IEEE TRANSACTIONS ON MOBILE COMPUTING. NO. For each packet. just like batch-RSA and batch-BLS. and vice versa. For batch-DSA. For example. At each receiver. Therefore. Meanwhile. .4 The basic scheme MABS-B targets at the packet loss problem. Therefore. each Q Q receiver can compute and update f n hi .2 . . If the result is T rue. si 0 Þg. The only difference is that the batch algorithms Q take the aggregations of message hashes Q and signatures f n hi . Obviously. The mark design ensures that a packet from the real sender never falls into any set of packets from the attacker. n ri g are inside the i¼1 i¼1 i¼1 signature verification. Each internal node is the hash value on both its left and right children. Merkle tree [57] is used to generate marks. n i g after i¼1 i¼1 receiving every packet. In this section. we can notice that they use exactly the orignal RSA and BLS algorithms. while also achieving computation efficiency at the receiver. which is inherent in the Internet and wireless networks. a strong resilience to DoS due to injected packets can be provided. n i g as the parameters to the i¼1 i¼1 original signature algorithms. the sender needs to compute one modular exponentiation to get r and two modular multiplications to get s. hrÀ1 . Like the cases in batch RSA and our batch BLS. randomly choose si 0 . ðri . then batch-DSA can take the advantage of preaggregating message hashes and signatures. rg as parameters. An example of Merkle tree.2010 at 01:51:59 UTC from IEEE Xplore. the attacker can compute ri values according to (9) and (10) because parameters A. respectively. r is independent on the message m. By introducing ri into the hash operation. 9. C. 1. the attacker can inject forged packets at very high frequency and expect that each receiver stops the batch operation and recovers the basic per-packet signature verification. which may not be viable at resource-constrained receiver devices. Each leaf is a hash of one packet.8 ¼ HððH1. 3. our method can significantly increase the security of batch DSA. si 0 ri À1 mod q ¼ n X i¼1 si ri À1 mod q: ð12Þ 4 ENHANCED SCHEME However. as shown in Fig. the multicast stream is classified into disjoint sets based on marks.5 Requirements to the Sender In batch RSA and our batch BLS. This aggregation is independent of the final signature verification. . In this way. In particular. we present an enhanced scheme called MABS-E. It has perfect resilience to packet loss. A naive approach to defeat the DoS attack is to divide the batch into multiple smaller batches and perform a batch verification over each smaller batch. and the receiver simply drops them and does not need to divide the set into smaller subsets for further batch verification. i ¼ 1. Downloaded on May 31. ðri 0 . Restrictions apply. In the Boyd-Pavlovski attack. hi values are known. n hi ri À1 . VOL. which is not in Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. each receiver needs just one signature verification. In some circumstances. the computation cost at each receiver can be more manageable no matter how large each batch is if signature preaggregation is enforced. Therefore. H5. H4 ÞÞ. When the sender starts a multicast session. 2. In the worst case. ðHðP3 Þ. si Þg to produce invalid signatures fmi . Each set of packets comes from either the real sender or the attacker. Next. When the time of batch verification comes. n À 1 and solve sn 0 satisfying n X i¼1 Fig. the mark of the packet P3 is fH4 . a mark is constructed as the set of the siblings of the nodes along the path from the packet to the root. H5. an attacker can inject forged packets into a batch of packets to disrupt the batch signature verification. our batch DSA is much more efficient than batch RSA and our batch BLS at the sender.8 g and the root can be recovered as H1. the set of packets is from the attacker. only two modular multiplications are necessary to sign a packet. However. each receiver only needs to perform BatchVerifyðÞ over each set. However. In MABS-E. no matter whether it is random loss or burst loss. which combines the basic scheme MABS-B and a packet filtering mechanism to tolerate packet injection. the sender attaches each packet with a mark. the sender needs to compute one modular exponentiation to sign each packet. it can use reserved r values to compute s values. Though it is simple. Therefore. . JULY 2010 We replace the hash operation hðmÞ in the signature generation and verification process with hðr.2 . rg instead of fh. however. if we modify the original DSA so that it takes fsrÀ1 . 3. In our batch DSA. Therefore. the receiver can still accept them because the batch verification succeeds. the attacker cannot compute ri values and the forgery attack discussed in [44] is defeated. H1. the hash values hi in (10) are unknown to the attacker. leading to DoS. the attacker may manipulate authentic packets fmi . An example is illustrated in Fig. the cost of the aggregations is incurred with the final signature verification. Each leaf is a hash of one packet. Therefore. which means more signature verifications at each receiver.8 Þ.

2 are under the assumption that they are using the same 5. Our MABS and Tree schemes [11] have perfect resilience to packet loss in the sense that all the received packets can be authenticated. augmented chain (AugChain) [18]. Tree [11] achieves this independency by incurring large overhead and latency at the sender and each receiver and is vulnerable to DoS. We can see that the verification rates of EMSS [14]. Verification rate under the burst loss model with the maximum burst length 10. Each receiver does not need to wait for a set to include all the packets under the Merkle tree. 3. The metric here is the verification rate. For all these schemes. we evaluate MABS performance in terms of resilience to packet loss. tree chain (Tree) [11]. i. The discussion of signature algorithms is in Section 5. If a set has less than t packets and the root value recovered from the set has not been authenticated.ZHOU ET AL. The verification rates under different loss rates are given in Fig. Therefore. 4. Fig.e. the impact of DoS due to packet injection can be reduced by a factor of t. tree chaining. As we will show later.7 chain configuration. each receiver has many small sets and each of them has only a few packets. For AugChain [18]. the ratio of the number of authenticated packets to the number of received packets. When the sender has a set of packets for multicast. all the discussions and evaluations of MABS and the literature works in Section 5. 128Þ. we choose the erasure code ð256. For PiggyBack [16]. In this case. This is because all the packets in MABS and Tree schemes are independent from each other. The root can be recovered based on each packet and its mark. Downloaded on May 31. 5 PERFORMANCE EVALUATION In this section. This guarantees that forged packets cannot fall into the set of authentic packets.. we choose binary tree. and DoS resilience. MABS does not assume any particular underlying signature algorithm. the recovered roots help classify received packets into disjoint sets. The reason is that graph chaining results in the correlation among packets and this correlation is vulnerable to packet loss. we choose two class priorities. Doing the BatchVerify algorithm on each small set compromises efficiency.3.2010 at 01:51:59 UTC from IEEE Xplore. We consider the random loss and the burst loss with a maximum loss length of 10 packets. 3 and Fig. Restrictions apply. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. SAIDA [23] illustrates a resilience to packet loss up to a certain threshold.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 989 Fig. the threshold t can vary according to the receiver’s computation resource. In this way. For SAIDA [23]. however. the corresponding root can be used to authenticate the rest of packets under the same Merkle tree without batch-verifying them. Once the set is authentic. we choose the chain configuration of 5 À 11 À 17 À 24 À 36 À 39. . Since the sets from the sender can have a large number of packets. efficiency. PiggyBack [16]. Therefore. each receiver can choose a threshold (say t) and start batch verification over one set only when the set has no less than t packets. An attacker may inject small sets of forged packets or even inject single packet that does not belong to any set. These schemes are representatives of graph chaining. For each receiver.1 Resilience to Packet Loss We use simulations to evaluate the resilience to packet loss. because of the threshold performance of erasure codes. while our MABS-B has less overhead and latency and MABS-E is resilient to DoS at the same level of overhead as Tree [11]. We compare MABS with some well-known loss tolerant schemes EMSS [14]. we choose C3. For EMSS [14]. which saves computation overhead at each receiver. underlying signature algorithm. Each receiver can find whether two packets belong to the same set by checking whether they lead to the same root value. For Tree chain [11]. it generates a Merkle tree for the set and attaches a mark to each packet. and erasure coding schemes and are widely used in performance evaluation in the literature.1 and Section 5. Verification rate under the random loss model. which has the best performance among all the configurations of length 6 as is shown in [14]. the receiver simply drop the set of packets without processing them and thus save computation resource. As we discussed before. and it can batch-verify the set anytime. the set associated with the Merkle tree and from which there is a path to the root. and SAIDA [23]. we choose the block size of 256 packets and simulate over 100 blocks. 4. augmented chain (AugChain) [18] and PiggyBack [16] are decreased quickly when the loss rate is increased. This is also true for all the literature multicast authentication schemes referenced in this paper.

we can set the threshold t ¼ 1 (refer to Section 4) for MABS-E. the latency is incurred when the high layer application waits for the buffered packets to be authenticated after the correlation is recovered. All the evaluations are carried out over n packets. At each receiver. MABS-E can tolerate up to n À t lost packets for each set of n packets. similar to SAIDA [23]. [23].2. BAS [31]. and its maximum value is the block size. augmented chain (AugChain) [18]. and LTT [32] in the table just for comparisons even though they are not designed for lossy channels. 5. [16] or at each receiver [14]. the extracted root of the Merkle tree can be used to authenticate the rest of packets in the same set TABLE 2 Comparisons over Lossy Channels Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Each packet is independently sent out at the sender. This makes MABS-B pretty suitable for realtime multimedia applications. the schemes using One thing needs to be pointed out is that we do not differentiate between MABS-B and MABS-E in Fig. computation. The results are depicted in Table 2 and Table 3. JULY 2010 TABLE 1 Notations within several hash operations. and communication overhead for efficiency evaluation under lossy channels and DoS channels. and SAIDA [23]. which shows a threshold-based loss resilience. We also include MABS-E and three DoS resilient schemes PRABS [30]. PiggyBack [16].1 Comparisons over Lossy Channels Table 2 shows the comparisons between MABS-B and wellknown loss-tolerant schemes tree chain (Tree) [11]. [30]. VOL.2010 at 01:51:59 UTC from IEEE Xplore. [32]. While it is not designed for lossy channels. Previous block-based schemes introduce latency either at the sender [11]. but it still preserves the merit of instantaneous authentication at each receiver as MABS-B. In addition. . At the sender side. EMSS [14]. which is not the best choice for the lossy channel. MABS-B is perfect resilient to packet loss because of its inherent design. 5. 3 and Fig. MABS-E can also achieve the perfect resilience to packet loss in lossy channels. Downloaded on May 31.990 IEEE TRANSACTIONS ON MOBILE COMPUTING. Once the received packets are authenticated. the high layer application does not need to wait because the low layer authentication module can deliver authenticated packets at any time when the high layer application needs new data. 7. If we set t > 1. 4. and thus each receiver can start batch-verification as long as there is at least one packet received for each set of packets constructed under the same Merkle tree. MABS-B eliminates the correlation among packets. NO. the correlation among a block of packets has to be established before the sender starts sending the packets. The notations used here are defined in Table 1. where no DoS attack is assumed to present. Restrictions apply. [31] or both [18]. This receiver side latency is variable depending on whether the correlation among the underline buffered packets has been recovered or not when the high layer application needs new data.2 Efficiency We consider latency. In the lossy channel model. 9. At each receiver. MABS-E introduces latency at the sender because it includes a tree construction to counteract DoS. Both the block-based schemes and MABS require one signature verification operation on a block or a batch of n packets at each receiver. The latency is inherent in the block design due to chaining or coding.

ZHOU ET AL. [32] are designed for DoS defense.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 991 TABLE 3 Comparisons over DoS Channels chaining also require many hashes. [31]. However. MABS-E has the same level of DoS resilience as those in [30]. [18]. Processing injected packets from the attacker always consumes a certain amount of resource. [16]. [23]. MABS-B is vulnerable to packet injection as schemes in [11]. which is efficient in verifying but is expensive in signing. which is comparable to most well-known hash algorithms MD5 [58] (128 bits) and SHA-1 [59] (160 bits). MABS can have the same level of communication efficiency as conventional schemes when BLS is used. [30]. MABS-E requires nlog2 n hashes. in multimedia multicast.024-bit RSA). [16]. [14]. For n packets. BLS [36] and DSA [38] are pretty good candidates as we will show later. If long signatures are used (like 1. MABS-B and MABS-E require n signatures and MABS-E requires additional Oðnlog2 nÞ hashes. [23] since they are designed only for lossy channels. [32]. [16]. which incurs more computation overhead than conventional block-based schemes. [32] require one or more signatures and up to Oðn2 Þ hashes. Therefore. [18]. [30]. the sender is usually a powerful server and thus the per-packet signature generation can be affordable. [31].2 Comparisons over DoS Channels DoS is a method for an attacker to deplete the resource of a receiver. [18]. [23]. which is comparable to previous schemes using hashing and coding. [31]. a trade-off for perfect resilience to packet loss is that the sender needs to sign each packet. 5. BLS [36] generates short signatures of 171 bits. MABS-B and MABSE have more communication overhead than those in [14]. Therefore. Here. Moreover. schemes in [14]. efficient signature generation is desirable at the sender. [31].2. and the ones using coding require multiple hashes and one or two decoding operations. They can alleviate the impact of packet injection by a constant factor to reduce the computation cost at each receiver. Schemes in [30]. Compared with RSA [33]. [32]. which is the same case as Tree [11]. and the advance of computing technology makes it easier in the long run. we assume an attacker factor . Tree [11] require an overhead of n signature and Oðnlog2 nÞ hashes. MABS-B is more efficient since there is no more hashing or decoding operations. In MABS.

. which means that for n valid packets .

the attacker can inject .n invalid packets are injected. For schemes in [11]. [16]. The computation overheads at each receiver for different schemes are depicted in Table 3. [18]. which authenticate signatures first and then authenticate packet through hash chains. [14].

n forged signature packets because signature verification is an expensive operation. which requires erasure decoding. the attacker simply injects . For SAIDA [23].

n forged packets because each receiver has to choose a certain number of valid packets from all the ð1 þ .

09 ms and 4. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY.024-bit DSA with a 160-bit private key (without precomputing r value) are 4.536 modular multiplications) and that of 6 BLS signing operations (each one is corresponding to 255 modular multiplications).024-bit RSA signing operation is roughly equivalent to that of 768 DSA signing operations (1. It is also meaningful to use our batch BLS and batch DSA at the receiver to save computation resources. Therefore. Usually one c-bit modular exponentiation is equivalent to 1:5c modular multiplications over the same field [35]. Moreover. According to the report [60] on the computational overhead of signature schemes on PIII 1 GHz CPU. 5. .024-bit RSA with a 1. M-modular multiplication.3 Comparisons of Signature Schemes We compare the computation overhead of three batch signature schemes in Table 4. the signing and verification time for 1. We also compare the length of two popular hash algorithm MD5 [58] and SHA-1 [59] and the signature length of three TABLE 4 Computational Overhead of Different Batch Schemes E-modular exponentiation. We can observe that for BLS and DSA the signing is efficient but the verification is expensive. we can estimate that the computation overhead of one 1.4 ms. P -pairing. Therefore. Downloaded on May 31.Þn packet to do decoding.87 ms. we can save more computation resource at the sender by using our batch BLS and batch DSA than batch RSA.007-bit private key are 7. a c-bit modular exponentiation in c DLP is equivalent to a 6 -bit modular exponentiation in BLS for the same security level. and vice versa for RSA. which can have a significant number of tries. RSA [33] and BLS [36] require one modular exponentiation at the sender and DSA [38] requires two modular multiplications when r value is computed offline.2010 at 01:51:59 UTC from IEEE Xplore. for 157-bit BLS are 2. and for 1. Restrictions apply.75 ms and 81 ms.9 ms and 0. [44].

18th Int’l Conf. Tygar. IEEE Symp. “On-Line/Offline Digital Signatures. Architectures and Protocols. 2001. Cho. 258-285./Feb. Network and Distributed System Security Symp.024-bit RSA. and Applications (WASA ’06). (NDSS ’01). Zhang. pp.” Proc. “Authenticating Real Time Packet Streams and Multicasts. Network and Distributed System Security Symp. Shieh. 1995. no. Zhou and Y. “Graph-Based Authentication of Digital Streams. W. Second Ann. Information. Chong. W-C Wong. Wong and S. It is clear that by using BLS or DSA. and CNS-0626881. C. “A2 Cast: An Adaptive Source Authentication Protocol for Multicast Streams.” Proc. Golle and N. Advances in Cryptology (CRYPTO ’97). N. Zhou and Y. 1. 2006. 1999. Feb. and H. Downloaded on May 31. “Multicast-Specific Security Threats and Counter-Measures.” Proc. Molva. Sun. 165. . 363-368. J. Jan. R. 1998. 164-169. 2. May 2000. Staddon. N. E. and Networking Conf. no. we further develop two new batch signature schemes based on BLS and DSA. and P. pp. “A Compact and Fast Hybrid Signature Scheme for Multicast Packet. P. (NDSS ’03). Y. S. Y. Zhang. Security (ASIACCS ’06). 1. “Security Issues and Solutions in Mulicast Content Distribution: A Survey. May 2002. Perrig. 1999. Karlof.P. and K. Perrig.D. Tygar. 100-116. A.S.” Proc. pp. Ballardie and J. “Multimedia Broadcast Authentication Based on Batch Signature. and H. VOL. Apr. 2004.P. Pannetrat and R.” Proc. Sun. [16] [17] [18] [19] [20] ACKNOWLEDGMENTS This work was partially supported by the US National Science Foundation under grants CNS-0916391. (ISCC ’04). Multimedia and Expo (ICME ’06). Ninth Int’l Symp. H. 227-240. Sixth Int’l Conf. ACM SIGCOMM Symp. vol. 7. 2003. H. pp.” Proc. Security and Privacy (SP ’02). Unfortunately. A. T.D. Restrictions apply. vol.” Proc. (ISCC ’02). “A Content-Aware Stream Authentication Scheme Optimized for Distortion and Overhead. R. “Digital Signatures for Flows and Multicasts. J. Siegel. no. 3.992 IEEE TRANSACTIONS ON MOBILE COMPUTING. Zuckerman. vol.” Proc. 17th Ann. Y. (WCNC ’06). Cryptology Conf. vol. “Efficient DoS Resistant Multicast Authentication Schemes. 232246. pp. Seventh IEEE Int’l Symp. 9.” Proc. Pannetrat and R. Sixth ACM Conf. Miner and J. vol. pp. 541-544. Siegel. Bouabdallah. pp. 2004. Park. pp.” Proc. Networking. A. 198-209. “Stream Authentication Scheme for the Use over the IP Telephony. Gennaro and P. Nov. Rohatgi. Surveys & Tutorials.” Proc.” J. (NDSS ’95). Li. IEEE GLOBECOM. Feb. July 2006.D. S. most previous schemes have many problems such as vulnerability to packet loss and lack of resilience to denial of service (DoS) attack. no. J. pp. 2005. pp. D. Song.” IEEE Comm. Systems. vol. BLS generates a 171-bit signature and DSA generates a 320-bit signature. Q. and J. we develop a novel authentication scheme MABS. IEEE Wireless Comm.” Proc. Chong. 17. 11th Ann. Aug. Canetti. “Digital Signatures for Flows and Multicasts. Okada. Lam. May 2005. “Authenticating Streamed Data in the Presence of Random Packet Loss. IEEE Int’l Conf.” Proc. Security and Privacy (SP ’00).K.K. vol. Wu and T.K. 2006. Z. Micali.” Proc. (NDSS ’04). Int’l Conf. and W. Finally.J. Gennaro and P. “On Broadcast Authentication in Wireless Sensor Networks. 2007.” IEEE Network Magazine. and A. May 2002. 4. H. NO. Aug. CNS0716450. “Video Stream Authentication in Lossy Networks. pp. Ammar.J.J. Computer. 1988. block-based authentication schemes have been proposed.” Proc. R.” ACM Trans.M. Feb. IEEE Int’l Conf.M. 2-16. Deering. Even. [12] [13] [14] 6 CONCLUSIONS [15] To reduce the signature verification overheads in the secure multimedia multicasting.” Proc.” Proc. Pollution-Attack Resistant Multicast Authentication Scheme.” Proc. pp. Sastry. Y. and Y. Feb. Judge and M. Wee. pp. “Efficient Multicast Packet Authentication. K. Molva. First Ann. and S. 502513. 5675. July 2005. Park. IEEE Symp. Goldreich. Advanced Information Networking and Application (AINA ’04).” IEEE Comm. Magazine. Security and Privacy (SP ’01). “A Taxonomy of Multicast Data Origin Authentication: Issues and Solutions. IEEE Symp. Moreover. Q. Dec. Eighth Ann. and W-C Wong. JULY 2010 TABLE 5 Communication Overhead of Signature Schemes [7] [8] [9] [10] [11] signature algorithms in Table 5. 2001. Lou. 2003. Int’l Conf. Seventh IEEE Int’l Symp. Aug. The works of Fang and Zhu were also partially supported by the 111 Project under Grant B08038. Bouabdallah. vol. P. S. Given the same security level as 1. 35-67. Oct. Ren.S. 1996. To overcome these problems. Comm. 10th Ann. Lin. A. 4. Challal. 2150-2155. “Multicast Routing in Internetworks and Extended LANs. Security (CCS ’99). Computational Science and Its Applications (ICCSA ’05).” Proc.2010 at 01:51:59 UTC from IEEE Xplore. pp. “How to Sign Digital Streams. “Efficient Authentication and Signing of Multicast Streams over Lossy Channels. Choi. 8. Z. Zeng. and J.K. Network and Distributed System Security Symp. J. and S. “Lightweight. “Expander Graphs for Digital Stream Authentication and Robust Overlay Networks. Li. vol.” Proc. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. Network Protocols (ICNP ’98). 72-77. “A Proposal of ButterflyGraphy Based Stream Authentication over Lossy Networks. Multimedia (ISM ’05). The work of Zhu was also partially supported by the National Natural Science Foundation of China under grant 60772136 and supported by the Fundamental Research Funds for the Central Universities. C. vol. “Efficient Multicast Stream Authentication Using Erasure Codes. P. Lam. Computers and Comm. 7. Lin. pp. 2. 2006. Rohatgi. Tygar. Oct.” Proc. Nov. 2004. Mar. 2006. no. Kawaguchi. 1997. C. which are more efficient than the batch RSA signature scheme. Fang. Shigeno. Challal.E. Network and Distributed System Security Symp. S. no. “Denial-of-Service Resistant Multicast Authentication Protocol with Prediction Hashing and One-Way Key Chain. 34-57. Aug. “Distillation Codes and Applications to DoS Resistant Multicast Authentication. 1. pp. E. Y. 6. Y. and Comm. Modadugu. [28] [29] [30] K. “BABRA: Batch-Based Broadcast Authentication in Wireless Sensor Networks. May 2001. pp.” Information and Computation. Wireless Algorithms. MABS can achieve more bandwidth efficiency than using RSA. July 2002. S. 6. Computer and Comm. 45. Information and System Security. Y. Security and Privacy (S&P ’02). We have demonstrated that MABS is perfectly resilient to packet loss due to the elimination of the correlation among packets and can effectively deal with DoS attack. D. and A. Aug. June 2004.” Proc. Moran. Park. Song. Rohatgi. Fang. ACM Symp. Bettahar. Ueda. Multimedia and Expo (ICME ’05). Crowcroft. 55-64. Y. Apostolopoulos. Cryptology. Computers and Comm. Wong and S. and D.” Proc. 2002 IEEE Symp. J. O. “Efficient Multicast Packet Authentication Using Signature Amortization. 30-36. 9. and could be even more efficient than conventional schemes using a large number of hashes. Bettahar. “How to Sign Digital Streams. pp. [21] [22] [23] [24] [25] [26] [27] REFERENCES [1] [2] [3] [4] [5] [6] S. we also show that the use of batch signature can achieve the efficiency less than or comparable with the conventional schemes. Jeong. 490-495. Feb.” IEEE/ACM Trans. May 2003. Mar.

vol. Network and Distributed System Security Symp. He holds a University of Florida Research Foundation (UFRF) Professorship from 2006 to 2009. . Adleman.: MABS: MULTICAST AUTHENTICATION BASED ON BATCH SIGNATURE 993 [31] C. Shacham. Venkatesh. cryptography. May 1994.S. S. Info. His research interests include security. Feb. Network and Distributed Security. 4. Xu and R. respectively. [59] D. no. Lim and P. First Int’l Conf. Cui. Canetti. Rivest. Forensics and Security. Computation. China. IEEE Symp. July 2000. pp. He then joined the Department of Electrical and Computer Engineering at University of Florida in 2000 as an assistant professor. [48] N. [51] A. 1981. “Multicast Security: A Taxonomy and Some Efficient Constructions. Perrig. Lysyanskaya. pp. [54] S. 34. June 1998. 4. and B. Jones. A.” Comm.” Proc. “The MD5 Message-Digest Algorithm. Raphaeli. (CRYPTO ’02).” Proc. [34] L. pp. 2. Tan. Sandhu. Restrictions apply. no. and J.” Proc. pp.” Proc. Cavagnino. from 2009 to 2012. 1987. vol. 2. [52] Q.A. no. [53] S. got an early promotion to an associate professor with tenure in 2003. D. 2004. Scott. M’Raihi. “Security of Interactive DSA Batch Verification.” IEE Electronic Letters. Advances in Cryptology (EUROCRYPT ’98). [47] L. IEEE INFOCOM.” Proc. “Efficient Algorithms for Pairing-Based Cryptosystems. 514-532. be Improved? Complexity Trade Offs with the Digital Signature Standard. “Efficient and Secure Source Authentication for Multicast. Hefei. 1994. respectively. “Batch Verifying Multiple RSA Digital Signatures. “Multicast Authentication in Fully Adversarial Networks. Mar. Xi’an. IEEE Symp. “The BiBa One-Time Signature and Broadcast Authentication Protocol. [44] C. Frankel. pp. 469-472. 9. Feb. [49] F. H. IEEE INFOCOM. [38] FIPS PUB 186. on leave from the School of Telecommunications Engineering. University of Florida. and to a full professor in 2005. Scalable Information Systems. 2001. Canetti. Hutchison.” RFC 3174. Garay. China. “US Secure Hash Algorithm 1 (SHA1).” Proc. ME. 2002. 203-209.” Proc. Yung. and S. no. “Can D. Chan. Eighth ACM Conf. Eastlake and P. Feb. R. ACM. (NDSS ’01).” RFC 1319. network security. and a member of the technical program committee for IEEE INFOCOM (1998. Rivest. Itkis. 2001. Nov. He received the US National Science Foundation Faculty Early Career Award in 2001 and the US Office of Naval Research Young Investigator Award in 2002. 35. 1. pp. 770-772. [43] L. ElGamal. Dec. 1999. ACM. Nov.” Comm. from 2008 to 2011. no. no. vol. 48. and B. ACM Symp. University of Science and Technology. pp. Lamport. and a guest chair professorship with Tsinghua University. Xidian University. Int’l Cryptology Conf. Authorized licensed use limited to: GOVERNMENT COLLEGE OF TECHNOLOGY. 2003. [55] N. D. May 1992. 2002. Naccache. Sept. “Protocols for Public Key Cryptosystems. Security and Privacy. 2003-2008) and ACM MobiHoc (2008-2009). 58-71. (CRYPTO ’85). 541-544. He was an editor for the IEEE Transactions on Mobile Computing and currently serves on its steering committee. “Reducing Delay and Enhancing DoS Resistance in Multicast Authentication through Multigrade Security. [46] R. and ACM Wireless Networks. 11th Ann. 870-871. “Multi-Receiver/MultiSender Network Security: Efficient Authenticated Multicast/ Feedback. Harn. Pinkas. Xiaoyan Zhu received the BE. Apr.” Proc. in 2000 and 2003. pp. 31. [41] C. Apr. 11.” Proc. Garay. in 2002. “Password Authentication with Insecure Communication. no. Perrig. Y. 24. Sixth Int’l Conf. D. [57] R. Sept. and C. Computer and Comm.J. He was an assistant professor in the Department of Electrical and Computer Engineering at the New Jersey Institute of Technology from 1998 to 2000. 1995. Haller. D. and network coding. 3. “Elliptic Curve Cryptosystems. Downloaded on May 31. K.” Proc. Boyd and C. He is a fellow of the IEEE and the IEEE Computer Society and a member of the ACM. Feb. May 1998. 2000. 2004. Barreto.” Proc. vol. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIANCRYPT ’00). 19.” Proc. 1986. Li and W. July 1985. “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Network and Distributed System Security Symp. 2001. Duan. Micciancio. [36] D. pp. 417-426. 3. Harn. vol. “Uses of Elliptic Curves in Cryptography. and T. Pavlovski. Lee. Miller. Yun Zhou received the BE degree in electronic information engineering and the ME degree in communication and information system from the Department of Electronic Engineering and Information Science. Rafaeli and D. where she is a lecturer. vol. 1998.H. Xi’an. He is currently serving as the editor-in-chief for IEEE Wireless Communications and serves/served on several editorial boards of technical journals including the IEEE Transactions on Communications. [37] S. [45] Y. vol. J. China. pp. vol. and D. “An Efficient Identity-Based Signature Scheme with Batch Verifications. Harn. J.” Proc. Naor. [58] R. no. [60] P. a technical program symposium cochair for IEEE GLOBECOM 2004. pp. pp. vol. 309-329. 77-85. Crispo. the IEEE Transactions on Wireless Communications. and operating systems. 236-250. IEEE Wireless Communications Magazine. “DoS Protection for Reliably Authenticated Broadcast. [33] R. vol. Merkle. Song.A. 30.” IEE Electronic Letters. and the PhD degree from the Department of Electrical and Computer Engineering. pp. [42] L. “Fast Batch Verification for Modular Exponentiation and Digital Signatures. a Changjiang scholar chair professorship with Xidian University. Bergadano. no. Applied Computing (SAC ’02). Dec. June 2006. R. Tamassia. Khanna. 2000.W. Xi’an. Trappe. vol.” IEEE Trans.” Proc. “The S/Key One-Time Password System. an area technical program committee chair for IEEE INFOCOM (2009-2010). “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. “Authenticated Multicast Immune to Denialof-Service Attack. 2001. 34. Koblitz. 2045-2054. Lynn. 120-126. and 2009. Gainesville. China. He is currently with Microsoft Corporation. Her research interests include wireless networks. (NDSS ’04). Int’l Cryptology Conf. Bellare. Yuguang Fang received the PhD degree in systems engineering from Case Western Reserve University in 1994 and the PhD degree in electrical engineering from Boston University in 1997. May 2004. B. May 1995. Triandopoulos. [56] V. M. Security and Privacy (SP ’04). “Short Signatures from the Weil Pairing. pp. China. IEEE Int’l Conf. S. pp. and PhD degrees from the School of Telecommunications Engineering at Xidian University. 1592-1593. and N. Desmedt. Shamir. 2006. Tygar. Seventh Int’l Conf. He has been actively participating in professional conference organizations such as serving as the steering committee cochair for QShine (20042008). [35] M.” Proc. 28-37. IEEE GLOBECOM. vol. B. 257-258. Boneh. Security (CCS ’01). pp. 1. “Attacking and Repairing Batch Verification Schemes. 1980. 2. G. [39] T. the technical program vice-chair for IEEE INFOCOM 2005. 1978. Digital Signature Standard (DSS). He has published more than 250 papers in refereed professional journals and conferences. IT-31. “DSA-Type Secure Interactive Batch Verification Protocols.ZHOU ET AL. 1219-1220. ISOC Symp. Apr. pp.” IEE Electronic Letters. Rabin. He is also active in professional activities. 12. Kim.” Proc. Sept. “Individual SingleSource Authentication on The Mbone. [50] A. in 2007. Theory and Application of Cryptology and Information Security Advances in Cryptology (ASIACRYPT ’01). and L. 21. 190-204.A. [32] A. “Batch Verifying Multiple DSA-Type Digital Signatures.M.2010 at 01:51:59 UTC from IEEE Xplore. wireless communications and networking. She is now a visiting research scholar in the Department of Electrical and Computer Engineering at the University Florida.L. 708-716. Information Theory. 1994. and M.” IEE Electronic Letters.” ACM Computing Surveys. and is the recipient of the Best Paper Award from the IEEE International Conference on Network Protocols (ICNP) in 2006 and the IEEE TCGN Best Paper Award from the IEEE High-Speed Networks Symposium.” Math. Gainesville. P. Lynn.” Proc. Gunter. 1992. signal processing. and H. [40] D. Multimedia and Expo (ICME ’00). pp. “A Survey of Key Management for Secure Group Communication. and M. in 2000. Workshop Theory and Application of Cryptographic Techniques Advances in Cryptology (EUROCRYPT ’94). Vaudenay. pp.” IEEE Trans. vol.

- CS0128Uploaded byvidyasagaruppu
- IJAIEM-2013-05-25-059Uploaded byAnonymous vQrJlEN
- Code Signing Best PracticesUploaded byEder Souza
- MABS Multicast Authentication Based on Batch SignatureUploaded byMerlin James
- pkivsidpkc.docUploaded byToby Lau
- Public Key CryptographyUploaded byMajid Khan
- Cryptography and Network SecurityUploaded byrejinr007
- Security on the E-Commerce SiteUploaded byJoel Brown
- HYBRID MODEL FOR DETECTING VIRUSES IN MOBILE NETWORKSUploaded byeditor3854
- 10.1.1.10Uploaded byMohamed Adel
- e BankbookUploaded byGentha Wijaya
- A Review on Implementation of RSA Cryptosystem Using Ancient Indian Vedic MathematicsUploaded byEditor IJRITCC
- Constructing Fair-Exchange Protocols for E-commerce Via Distributed Computation of RSA SignaturesUploaded byliardiary
- 489-493Uploaded byIjarcet Journal
- CryptographUploaded byRavijosan
- A Review of Fair Exchange ProtocolsUploaded byAIRCC - IJCNC
- Recommendation for Key ManagementUploaded byThierry Falissard
- Tbw Ad-pki Guide Us MjUploaded bygchani
- Securing Your Private Keys as Best Practice for Code Signing Certificates.originalUploaded bypraepruw
- Security Review1Uploaded byaksh_sat89
- Formal_Models.pdfUploaded byJulio C. Jordán A
- Energy-aware Security in M-Commerce and the Internet of Things _Fadi Hamad, Leonid Smalov, Anne James, IETE Technical Review.pdfUploaded bykid4888
- Website 1Uploaded byRavijosan
- E-Voting Protocol Based On Public-Key CryptographyUploaded byAIRCC - IJNSA
- Cloud Seeding Research Legislation 2012 - Full Day Hansard Transcript (Legislative Council, 17 October 2012, Corrected Copy) - NSW ParliamentUploaded byCarl Cord
- ref4Uploaded byvidhyaadhiyaman
- Acp120Uploaded byapi-3731349
- The Political Science of the InternetUploaded byapi-26020996
- Chapter 1 Intro and BackgroundUploaded by2eaa889c
- sdfsdfdsfUploaded byCindy