RE: MABS: Multicast Authentication Based on Batch Signature

MABS: Multicast Authentication Based on Batch Signature
Multicast Authentication.pdf (Size: 2.03 MB / Downloads: 35)
Abstract
Conventional blockbased multicast authentication schemes overlook the heterogeneity of receivers by letting the sender
choose the block size, divide a multicast stream into blocks, associate each block with a signature, and spread the effect of the
signature across all the packets in the block through hash graphs or coding algorithms. The correlation among packets makes them
vulnerable to packet loss, which is inherent in the Internet and wireless networks. Moreover, the lack of Denial of Service (DoS)
resilience renders most of them vulnerable to packet injection in hostile environments. In this paper, we propose a novel multicast
authentication protocol, namely MABS, including two schemes. The basic scheme (MABSB) eliminates the correlation among packets
and thus provides the perfect resilience to packet loss, and it is also efficient in terms of latency, computation, and communication
overhead due to an efficient cryptographic primitive called batch signature, which supports the authentication of any number of packets
simultaneously. We also present an enhanced scheme MABSE, which combines the basic scheme with a packet filtering mechanism
to alleviate the DoS impact while preserving the perfect resilience to packet loss.
INTRODUCTION
[1] is an efficient method to deliver multi
media content from a sender to a group of receivers
and is gaining popular applications such as realtime stock
quotes, interactive games, video conference, live video
broadcast, or video on demand. Authentication is one of
the critical topics in securing multicast [2], [3], [4], [5], [6],
[7] in an environment attractive to malicious attacks.
Basically.
RELATED WORK
Schemes in [8], [9] follow the ideal approach of signing and
verifying each packet individually, but reduce the compu
tation overhead at the sender by using onetime signatures
[8] or ktime signatures [9]. They are suitable for RSA [33],
which is expensive on signing while cheap on verifying. For
each packet, however, each receiver needs to perform one
more verification on its onetime or ktime signature plus
one ordinary signature verification. Moreover, the length of
onetime signature is too long (on the order of 1,000 bytes).
Tree chaining was proposed in [10], [11] by constructing
a tree for a block of packets. The root of the tree is signed by
the sender. Each packet carries the signed root and multiple
hashes. When each receiver receives one packet in the block,
it uses the authentication information in the packet to
authenticate it. The buffered authentication information is
further used to authenticate other packets in the same block.
Without the buffered authentication information, each
packet is independently verifiable at a cost of perpacket
signature verification.
BASIC SCHEME
Our target is to authenticate multicast streams from a sender
to multiple receivers. Generally, the sender is a powerful
multicast server managed by a central authority and can be
trustful. The sender signs each packet with a signature and
transmits it to multiple receivers through a multicast routing
protocol. Each receiver is a less powerful device with resource
constraints and may be managed by a nontrustworthy
person. Each receiver needs to assure that the received
packets are really from the sender (authenticity) and the
sender cannot deny the signing operation (nonrepudiation)
by verifying the corresponding signatures.
Requirements to the Sender
In most RSA implementations, the public key e is usually
small (e 1⁄4 3 for instance) while the private key d is large.
Therefore, the RSA signature verification is efficient while
the signature generation is expensive. This poses a
challenge to the computation capability of the sender
because the sender needs to sign each packet. Choosing a
small private key d can improve the computation efficiency
but compromise the security. If the sender does not have
enough resource, a pair of fe; dg with comparable sizes can
achieve a certain level of tradeoff between computation
efficiency and security at the sender part. If the sender is a
powerful server, then signing each packet can be affordable
in this scenario. Next, we propose two efficient batch
signature schemes based on BLS [36] and DSA [38], which
can reduce the computation complexity at the sender.
Batch DSA Signature
DSA [38] is another popular digital signature algorithm.
Unlike RSA, which is based on the hardness of factoring
two large primes, DSA is deemed secure based on the
difficulty of solving DLP [39]. A batch DSA signature
scheme was proposed in [40], but later was found insecure
[41]. Harn improved the security of [40] in [42], [43].
Unfortunately, Boyd and Pavlovski pointed out in [44] that
Harn’s work is still vulnerable to malicious attacks. Here,
we propose a batch DSA scheme based on Harn’s work and
counteract the attack described in [44].
Comparisons of Signature Schemes
We compare the computation overhead of three batch
signature schemes in Table 4. RSA [33] and BLS [36] require
one modular exponentiation at the sender and DSA [38]
requires two modular multiplications when r value is
computed offline. Therefore, we can estimate that
the computation overhead of one 1,024bit RSA signing
operation is roughly equivalent to that of 768 DSA signing
operations (1,536 modular multiplications) and that of
6 BLS signing operations (each one is corresponding to
255 modular multiplications).
CONCLUSIONS
To reduce the signature verification overheads in the secure
multimedia multicasting, blockbased authentication
schemes have been proposed. Unfortunately, most previous
schemes have many problems such as vulnerability to
packet loss and lack of resilience to denial of service (DoS)
attack. To overcome these problems, we develop a novel
authentication scheme MABS. We have demonstrated that
MABS is perfectly resilient to packet loss due to the
elimination of the correlation among packets and can
effectively deal with DoS attack. Moreover, we also show
that the use of batch signature can achieve the efficiency less
than or comparable with the conventional schemes. Finally,
we further develop two new batch signature schemes based
on BLS and DSA, which are more efficient than the batch
RSA signature scheme. 

