A hybrid scheme for multicast authentication over lossy networks

Heba K. Aslan

The Electronics Research Institute, Cairo, Egypt

E-mail address: [email protected].

Received 30 January 2004; revised 14 June 2004; accepted 18 June 2004

Computers & Security (2004) 23, 705–713. doi:10.1016/j.cose.2004.06.010. www.elsevier.com/locate/cose. 0167-4048/$ - see front matter © 2004 Elsevier Ltd. All rights reserved.

KEYWORDS: Group key distribution protocols; Authentication protocols; Multicast communication; Digital signature amortization; Efficient signature schemes

Abstract

For multicast communication, authentication is a challenging problem, since it requires that a large number of recipients verify the data originator. Many multicast applications run over IP networks, in which several packet losses could occur. Therefore, multicast authentication protocols must resist packet loss. Other requirements of multicast authentication protocols are: to perform authentication in real-time and to have low communication and computation overheads. In the present paper, a hybrid scheme for authenticating real-time data applications, in which low delay at the sender is acceptable, is proposed. In order to provide authentication, the proposed scheme uses both public key signature and hash functions. It is based on the idea of dividing the stream into blocks of $m$ packets. Then a chain of hashes is used to link each packet to the one preceding it. In order to resist packet loss, the hash of each packet is appended to another place in the stream. Finally, the first packet is signed. The proposed scheme resists packet loss and is joinable at any point. The proposed scheme is compared to other multicast authentication protocols. The comparison shows that the proposed scheme has the following advantages: first, it has low computation and communication overheads. Second, it has reasonable buffer requirements. Third, the proposed scheme has a low delay at the sender side and no delay at the receiver side, assuming no loss occurs. Finally, its latency equals zero, assuming no loss occurs. © 2004 Elsevier Ltd. All rights reserved.


Introduction

In recent years, applications that are of a multicast nature (such as teleconference, pay per view, financial stock quote distribution, etc.) have increased considerably. A paramount requirement for multicast communication is to provide confidentiality and authenticity. Confidentiality means that only the group members can obtain group messages. In the literature, many solutions have been proposed to solve the confidentiality problem (Ateniese et al., 2000; Mittra, 1997; Perrig et al., 2001a). Authenticity means that the recipient can verify the identity of the sender and ensure that the received message comes from the supposed originator. For multicast communication, authentication is a challenging problem, since it requires that a large number of recipients verify the data originator. Assume a group containing $n$ members. A naïve solution is to use a shared symmetric key between the sender and each recipient to calculate different Message Authentication Codes (MACs). Then, the sender appends the calculated MACs to the group message. Upon receiving the message, each recipient ensures the authenticity of the message using the MAC calculated with the key shared between it and the sender. This solution has a high communication overhead, since in order to ensure the authenticity of a message $n$ MACs must be appended to it. Another solution is to use the private key of the sender to sign a hash of the entire message. This solution suffers from high computation and communication overheads, since signature algorithms require large computation and produce large output signatures. The abovementioned solutions do not resist packet loss, since the loss of any packet of the message makes it impossible to authenticate the received packets. This is because the MAC or the signature is calculated over the whole message. In order to resist packet loss, one solution is to calculate a MAC or signature for every packet. This solution suffers from a huge amount of communication and computation overhead.

Two solutions for providing multicast authentication are proposed: the first is to design more efficient signature schemes (Rohatgi, 1999; Perrig, 2001; Reyzin and Reyzin, 2002; Wong and Lam, 1999). The second is to amortize the signature over several packets (Wong and Lam, 1999; Gennaro and Rohatgi, 1997; Golle and Modadugo, 2001). While designing more efficient signature schemes overcomes the computational overhead problem, it still suffers from the communication overhead problem. On the other hand, amortizing the signature over several packets overcomes the communication overhead problem.

In multicast communication, two types of communication exist: pre-recorded and real-time data. In pre-recorded data, the content is known in advance, such as films. On the other hand, for real-time data, the content is produced in real-time, such as financial stock quotes. In the present paper, a hybrid scheme for authenticating real-time data applications is proposed where a low delay at the sender is acceptable. In order to provide authentication, the proposed scheme uses both public key signature and hash functions. The proposed scheme has low computation and communication overheads. It is based on the work done by Gennaro and Rohatgi (1997) and the enhancement to their work proposed by Golle and Modadugo (2001). The proposed scheme resists packet loss and has the ability to authenticate each packet as soon as it arrives assuming no loss occurs, which is a basic requirement for real-time applications as will be stated in the next section. The paper is organized as follows: in the next section, requirements for multicast authentication protocols are stated. Then, related work is detailed. In the following section, a description of the proposed scheme is given. Then, a comparison of Gennaro–Rohatgi, Wong–Lam, Golle–Modadugu, TESLA and the proposed scheme is given. Finally, the paper is concluded in the last section.

Requirements for multicast authentication protocols

According to Wong and Lam (1999) and Pannetrat and Molva (2003), multicast authentication protocols have several requirements that are summarized below:

- Delay at sender and receiver: flows that are real-time in nature need fast processing at the sender as well as at the receiver.

- Buffering resources: the number of packets that have to be stored in both the sender and the receiver in order to carry out the authentication process.

- Robustness: the ability of the recipient to authenticate the received packet, even in case of losses in the network.

- Joinability: the ability of the recipient to start authentication at any arbitrary point in the flow.

- Latency: the maximum number of packets that need to be received before a packet can be authenticated.

- Computational cost: the computational cost of the protocol.

- Communication cost: the number of bytes per packet that need to be appended in order to provide multicast authentication.

An ideal protocol is one that has the lowest possible delay at both sender and receiver and whose required buffering resources are as low as possible. Further, it must be able to authenticate the received packet despite losses over the network and it must be joinable at any point. Other requirements of the multicast authentication protocol are: it has no latency and its communication and computation costs are as low as possible. It is difficult to design such an ideal protocol and a compromise must be made to obtain an efficient authentication protocol. In the next section, some multicast authentication protocols are given.

Related work

One solution to the multicast authentication problem is to use the private key of the sender to sign a hash of each packet of the message. This solution suffers from high computation and communication overheads, since signature algorithms require large computation and produce large output signatures of about 1024 bits (Pannetrat and Molva, 2003). To solve the multicast authentication problem, two approaches have been proposed: design more efficient signature schemes and amortize the cost of the signature over several packets. For the first approach, efficient digital signature schemes have been proposed by Rohatgi (1999) and Wong and Lam (1999). Although these schemes overcome the computational problem, they suffer from the communication overhead problem, which makes them impractical for real-time applications. Perrig (2001) proposed BIBA, a one-time signature and broadcast authentication protocol. BIBA has a low verification overhead and a relatively small signature size. Although BIBA enhances the computation overhead, its communication overhead is slightly smaller than a traditional public key signature. Reyzin and Reyzin (2002) proposed a one-time signature scheme, which is faster than BIBA and has a slightly lower communication overhead. This scheme has the same disadvantage, which is the impractical communication overhead for real-time applications.

Another solution is to amortize the signature over several packets as proposed in Wong and Lam (1999), Gennaro and Rohatgi (1997), and Golle and Modadugo (2001). Early work was done by Gennaro and Rohatgi (1997). The stream is divided into blocks of $m$ packets ($P_1, P_2, P_3, \ldots, P_{m-2}, P_{m-1}, P_m$) and a chain of hashes is used to link each packet to the one preceding it. The hash of $P'_m$ ($H(P'_m)$) is appended to $P_{m-1}$ to form a new packet ($P'_{m-1}$) containing both $P_{m-1}$ and $H(P'_m)$. Then, the hash of $P'_{m-1}$ ($H(P'_{m-1})$) is appended to $P_{m-2}$ to form a new packet ($P'_{m-2}$), which contains both $P_{m-2}$ and $H(P'_{m-1})$. The abovementioned procedure is repeated until forming $P'_1$, which contains $P_1$ and $H(P'_2)$ as depicted in Fig. 1. Finally, the hash of $P'_1$ ($H(P'_1)$) is signed. Then, the stream sent to the receivers contains: the signature on $H(P'_1)$, $P'_1, P'_2, \ldots, P'_{m-1}, P'_m$. Upon receiving the stream, each receiver checks the signature of the sender and uses the chain of hashes to authenticate subsequent packets.

Although this approach solves the computation and communication overheads problem, it has a major drawback: in case of any packet loss, the authentication chain is broken and subsequent packets cannot be authenticated. Many multicast applications run over IP networks where several packet losses could occur. Therefore, multicast authentication protocols must resist packet loss. Golle and Modadugo (2001) solve this problem by appending the hash of a packet in two places: the first is in the next packet and the second is in the packet succeeding it by $a$ places, and only the final packet $P'_m$ is signed using the private key of the sender. Fig. 2 illustrates the basic scheme designed by Golle and Modadugu. Their solution is based on the property that loss over the Internet occurs in bursts as stated in Paxon (1999) and can resist several bursts of a certain number of packets. Other enhancements to the basic scheme were proposed in order to resist a larger burst. Although they solve the problem of loss over networks, their solution suffers from the fact that the communication overhead for some packets equals five hashes (Golle and Modadugo, 2001). For an SHA hash, the hash output is 20 bytes; therefore, the communication overhead will be equal to 100 bytes, which is comparable to a signature length.

Figure 1 Gennaro and Rohatgi multicast authentication scheme.

Figure 2 Golle–Modadugu basic multicast authentication scheme.

Wong and Lam (1999) proposed another solution to solve the problem of packet loss. In their proposal, the stream is divided into blocks of $m$ packets ($P_1, P_2, P_3, \ldots, P_{m-2}, P_{m-1}, P_m$) and a tree of hashes of degree 2 is constructed. The hashes of the $m$ packets correspond to the leaves of the tree and only the root of the tree needs to be signed. Each parent corresponds to the hash of its children. For example, $H_{1-2}$ = hash of ($H_1$ and $H_2$). Fig. 3 shows the tree construction for a block containing eight packets. In order to authenticate any packet, the siblings of each node along its path to the root and the packet signature must be appended. For example, to authenticate $P_5$, the following sequence must be received: $P_5$, $H_6$, $H_{7-8}$, $H_{1-4}$, $H_{1-8}$, and the signature on $H_{1-8}$. The receiver calculates $H'_{5-6}$ using $H_5$ and $H_6$. Then, it calculates $H'_{5-8}$ using $H'_{5-6}$ and $H_{7-8}$. Finally, it calculates $H'_{1-8}$ using $H'_{5-8}$ and $H_{1-4}$ and checks that $H'_{1-8}$ equals $H_{1-8}$ using the received signature. If the check is correct, the received packet is authenticated. Since each packet carries the information required for its authentication, any packet loss will not affect the ability of the receiver to authenticate packets that arrive after the loss. On the other hand, this solution suffers from a high communication overhead, since it requires the appending of $\log_2(m) + 1$ hashes to each packet.
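The tree check described above, worked for the same case (P5 in a block of eight), as an added example that is not code from the paper or from Wong and Lam. Assumptions: SHA-256 as the hash, 0x00/0x01 prefixes separating leaf and inner-node hashes (not part of the paper's description), illustrative function names, and a `signed_root` whose signature has already been checked.

```python
import hashlib
import hmac
from typing import List


def _leaf(packet: bytes) -> bytes:
    # H_i: hash of one packet. The 0x00 prefix is an added hardening step.
    return hashlib.sha256(b"\x00" + packet).digest()


def _node(left: bytes, right: bytes) -> bytes:
    # Parent = hash of its two children, e.g. H_{1-2} from H_1 and H_2.
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(packets: List[bytes]) -> List[List[bytes]]:
    """Return the tree bottom-up: levels[0] = leaves, levels[-1] = [root]."""
    m = len(packets)
    if m < 2 or m & (m - 1):
        raise ValueError("block size m must be a power of two")
    levels = [[_leaf(p) for p in packets]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([_node(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def auth_path(levels: List[List[bytes]], number: int) -> List[bytes]:
    """Sibling hashes, leaf to root, that the sender appends to packet P_number."""
    pos = number - 1                      # packets are numbered from 1
    path = []
    for level in levels[:-1]:
        path.append(level[pos ^ 1])       # the sibling at this level
        pos //= 2
    return path


def root_from_packet(packet: bytes, number: int, path: List[bytes]) -> bytes:
    """Recompute the root (H'_{1-m}) from one packet and its sibling hashes."""
    pos = number - 1
    node = _leaf(packet)
    for sibling in path:
        # Even position: this node is the left child; odd: the right child.
        node = _node(node, sibling) if pos % 2 == 0 else _node(sibling, node)
        pos //= 2
    return node


def verify_packet(packet: bytes, number: int, path: List[bytes],
                  signed_root: bytes) -> bool:
    """Accept the packet only if the recomputed root equals the signed root."""
    return hmac.compare_digest(root_from_packet(packet, number, path), signed_root)


if __name__ == "__main__":
    block = [f"packet-{i}".encode() for i in range(1, 9)]   # constructed sample data
    tree = build_levels(block)
    p5_path = auth_path(tree, 5)                            # H_6, H_{7-8}, H_{1-4}
    print("P5 verifies alone:", verify_packet(block[4], 5, p5_path, tree[-1][0]))
    print("hashes carried with P5:", len(p5_path) + 1)      # path plus the root
```
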

Figure 3 Tree chaining of the Wong and Lam scheme.

Finally, Perrig et al. (2000, 2001b, 2002) proposed efficient solutions for the authentication problem named Timed for Efficient Stream Loss-tolerant Authentication (TESLA) and Efficient Multi-chained Stream Signature (EMSS). TESLA is based on authenticating packets using MACs and revealing the MAC keys after a certain time interval. First, the stream is divided into blocks of $m$ packets. Then, the sender picks a random key $K_m$ and calculates $m$ keys by applying a pseudo random function ($F$) $m$ times. For example, $K_{m-1} = F(K_m)$ and $K_{m-2} = F(K_{m-1})$ and so on. These keys are used to calculate MACs to authenticate the received stream. The transmitted packet $P'_{i-1}$ consists of the packet $P_{i-1}$ itself, the calculated key $K_{i-2}$, and a MAC calculated over $P_{i-1}$ and $K_{i-2}$ using $K_{i-1}$. Packet $P'_{i-1}$ is authenticated after receiving $P'_i$, where $K_{i-1}$ is revealed. Fig. 4 illustrates the TESLA multicast authentication scheme.

EMSS, the second solution proposed by Perrig et al. (2000), is based on the chain of hashes. The stream is divided into $m$ packets. To achieve robustness against packet loss, each packet contains multiple hashes of previous packets. Only the final packet of the block is signed. Although these solutions have low communication and computational overhead, they have a major drawback: they require that the sender and the receivers maintain the synchronization of their clocks. In the next section, the hybrid scheme proposed for multicast authentication over lossy channels is described.

Figure 4 TESLA multicast authentication scheme (Perrig et al., 2000).

Description of the hybrid scheme for multicast authentication over lossy networks

In this section, a description of a scheme designed to solve the problem of authentication in multicast communication is detailed. The proposed scheme, which uses a hybrid of public key signature and hash functions, is used for authenticating real-time data applications where low delay at the sender is acceptable. It is based on the work done by Gennaro and Rohatgi (1997) and the enhancement to their work proposed by Golle and Modadugo (2001). As mentioned in section "Requirements for multicast authentication protocols", the major drawback of the Gennaro–Rohatgi scheme is that it is not tolerant to packet loss. The Golle–Modadugu scheme uses the fact that loss over the Internet occurs in bursts. Although they overcome the problem of packet loss, their solution suffers from the fact that the communication overhead for some packets equals five hashes, which is comparable to a signature length. Another disadvantage of the Golle–Modadugu scheme is that authentication at the receiver is not performed on a real-time basis. The aim of the proposed scheme is to achieve authentication with low computation and communication overheads and overcome the abovementioned problems of the Gennaro–Rohatgi and Golle–Modadugu schemes.

The stream is divided into blocks of $m$ packets ($P_1, P_2, P_3, \ldots, P_{m-2}, P_{m-1}, P_m$) and a chaining of hashes is used to link each packet to the one preceding it as in the Gennaro–Rohatgi scheme. In order to avoid the effect of packet loss, the hash of a packet is appended to two packets: the one preceding it and the packet preceding it by $a$ places. The procedure of authentication is given below for the sender and the receivers.

At the sender side. The process of authentication is as follows: the hash of $P'_m$ ($H(P'_m)$) is appended to two places: $P_{m-1}$ and $P_{m-a}$. Then, the hash of $P'_{m-1}$ ($H(P'_{m-1})$) is appended to $P_{m-2}$ and to $P_{m-1-a}$. The abovementioned procedure is repeated until forming $P'_1$, which contains: $P_1$, $H(P'_2)$ and $H(P'_{a+1})$ as depicted in Fig. 5. Finally, the hash of $P'_1$ ($H(P'_1)$) is signed. Then, the stream sent to the receivers contains: the signature on $H(P'_1)$, $P'_1, P'_2, \ldots, P'_{m-1}, P'_m$.

Using Fig. 5, the output stream $P'_i$ can be expressed as follows:

$$P'_m = P_m$$

$$P'_i = P_i + H(P'_{i+1}) \quad \text{for } i = m-1, m-2, \ldots, m-a+1$$

$$P'_i = P_i + H(P'_{i+1}) + H(P'_{i+a}) \quad \text{for } i = m-a, m-a-1, \ldots, 1$$

At the receiver side. The authentication process at the receiver contains two procedures: the first in case of no packet loss, and the second in case of packet loss. Upon receiving the stream, assuming no loss occurs, each receiver checks the signature on the first packet ($H(P'_1)$) and uses the chain of hashes, of the second row of Fig. 5, to authenticate subsequent packets. Loss over the Internet is characterized by the fact that it occurs in bursts as stated in Paxon (1999). A burst starts at any location and remains for a random number of packets. The proposed scheme resists bursts of length $L$, where $L$ must be less than $a$. In case of packet loss, the hashes in the third row of Fig. 5 are used to continue the process of authentication. The receiver uses the hashes of the packet immediately before the burst. Assume the burst begins at $P'_i$ and lasts to packet $P'_{i+L}$. The packet preceding $P'_i$ ($P'_{i-1}$) contains both $H(P'_i)$ and $H(P'_{i+a-1})$. Therefore, after receiving the packet ($P'_{i+a-1}$), the receiver can verify it and any received packet preceding it obtained after the burst, using the chain of hashes of the second row of Fig. 5. It has to be noted that in order to perform the proposed scheme, the receivers must obtain the first packet containing the signature. Consequently, this packet could be sent several times or upon request if one of the receivers does not get it.
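The sender and receiver procedures above, as an added example that is not code from the paper: the sender builds one block from the last packet backwards, and the receiver accepts a packet only when its hash was carried by a packet it has already authenticated. Assumptions: SHA-256 replaces the 20-byte SHA hash, an HMAC under a constructed key stands in for the sender's public-key signature so the block runs on the standard library alone, packets arrive in order, and all names (`AugPacket`, `build_block`, `authenticate`, `run_demo`) are illustrative.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AugPacket:
    """P'_i = P_i + H(P'_{i+1}) + H(P'_{i+a}); an absent hash is b""."""
    index: int
    payload: bytes
    h_next: bytes = b""
    h_skip: bytes = b""

    def digest(self) -> bytes:
        # Length-prefix the payload so the field boundaries are unambiguous.
        head = self.index.to_bytes(4, "big") + len(self.payload).to_bytes(4, "big")
        return hashlib.sha256(head + self.payload + self.h_next + self.h_skip).digest()


def build_block(payloads: List[bytes], a: int,
                sign: Callable[[bytes], bytes]) -> Tuple[bytes, List[AugPacket]]:
    """Sender: needs the whole block of m packets before sending (Send_Packet = m)."""
    m = len(payloads)
    if not 1 < a < m:
        raise ValueError("need 1 < a < m")
    digests: Dict[int, bytes] = {}
    packets: Dict[int, AugPacket] = {}
    for i in range(m, 0, -1):             # P'_m first, P'_1 last
        pkt = AugPacket(i, payloads[i - 1],
                        digests.get(i + 1, b""), digests.get(i + a, b""))
        packets[i] = pkt
        digests[i] = pkt.digest()
    return sign(digests[1]), [packets[i] for i in range(1, m + 1)]


def authenticate(signature: bytes, received: Iterable[AugPacket], a: int,
                 verify: Callable[[bytes, bytes], bool]) -> Set[int]:
    """Receiver: return the indices of the packets that could be authenticated."""
    trusted: Dict[int, bytes] = {}        # index -> hash vouched for by an accepted packet
    accepted: Set[int] = set()
    for pkt in received:                  # arrival order; lost packets are absent
        d = pkt.digest()
        if pkt.index == 1:
            ok = verify(d, signature)     # only P'_1 is covered by the signature
        else:
            expected = trusted.get(pkt.index)
            ok = expected is not None and hmac.compare_digest(expected, d)
        if not ok:
            continue                      # unverifiable packets never extend trust
        accepted.add(pkt.index)
        for k in [k for k in trusted if k <= pkt.index]:
            del trusted[k]                # keeps the hash buffer at about a entries
        if pkt.h_next:
            trusted.setdefault(pkt.index + 1, pkt.h_next)
        if pkt.h_skip:
            trusted.setdefault(pkt.index + a, pkt.h_skip)
    return accepted


DEMO_KEY = b"constructed-demo-key"        # stand-in only; the paper uses a public-key signature


def demo_sign(digest: bytes) -> bytes:
    return hmac.new(DEMO_KEY, digest, hashlib.sha256).digest()


def demo_verify(digest: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(digest), signature)


def run_demo(m: int = 12, a: int = 4, lost=frozenset(),
             tamper: Optional[int] = None) -> Set[int]:
    """Send one constructed block, drop `lost`, forge packet `tamper`, verify the rest."""
    payloads = [f"quote-{i}".encode() for i in range(1, m + 1)]
    signature, stream = build_block(payloads, a, demo_sign)
    arrived = []
    for pkt in stream:
        if pkt.index in lost:
            continue
        if pkt.index == tamper:
            pkt = AugPacket(pkt.index, b"forged", pkt.h_next, pkt.h_skip)
        arrived.append(pkt)
    return authenticate(signature, arrived, a, demo_verify)


if __name__ == "__main__":
    print("burst of 3 (< a):", sorted(run_demo(lost={5, 6, 7})))
    print("burst of 4 (= a):", sorted(run_demo(lost={5, 6, 7, 8})))
```

Under this acceptance rule a surviving packet whose two carriers were both lost stays unauthenticated: packet 4 when packets 2 and 3 are lost with a = 4, or everything after a burst of a packets.
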

Figure 5 The proposed multicast authentication scheme.

The following notations, for the buffer resources at the sender and the receivers, are used:

- Send_Packet: number of packets that need to be buffered at the sender before transmission.

- Send_Hash: number of hashes that need to be buffered at the sender before transmission.

- Rec_Packet: number of packets that need to be buffered at the receiver before authenticating the stream, in case of no loss.

- Rec_Packet_Loss: number of packets that need to be buffered at the receiver before authenticating the stream, in case of loss.

- Rec_Hash: number of hashes that need to be buffered at the receiver before authenticating the stream, in case of no loss.

- Rec_Hash_Loss: number of hashes that need to be buffered at the receiver before authenticating the stream, in case of loss.

According to Fig. 5, the following buffer resources are needed in order to accurately perform the proposed scheme: Send_Packet equals $m$, Send_Hash equals $a$, Rec_Packet equals one, the maximum value of Rec_Packet_Loss equals $a - 1$, Rec_Hash equals one, and Rec_Hash_Loss equals $a$. The maximum number of hashes appended to a given packet equals two. In order to resist packet loss, the burst of loss must be less than $a$. The value of $a$ must be chosen carefully: small values of $a$ raise the probability that $L$ is larger than $a$. In contrast, large values of $a$ require larger buffer resources. Studies made by Paxon (1999) show that the average packet loss over the Internet given certain conditions is about 5% (the reader could refer to Paxon (1999) for more details of the study). Therefore, choosing $a$ greater than $0.05m$, taking into consideration the buffering resources at the receivers, could be a reasonable selection. Network conditions must be examined periodically and, according to changes in network statistics, the value of $a$ must be adjusted dynamically. In case of a higher value of packet loss, the value of $a$ must be increased. On the contrary, a lower value of packet loss could lead to a decrease of $a$.

The proposed scheme is characterized by the following: first, in order to perform authentication, the proposed scheme has a delay equal to the processing of transmission of $m$ packets at the sender side and no delay at the receiver side assuming no loss occurs. Second, the required buffer resources at the sender equal $m$ packets and $a$ hashes. On the other hand, the required buffer resources at the receiver equal a maximum of $a - 1$ packets and $a$ hashes. Third, it is able to authenticate the received packet despite losses over the network and it is joinable at any point. Fourth, in case of no loss over the network, the scheme latency equals zero. On the other hand, the maximum value of latency in case of packet loss equals $a - 1$. Finally, the communication overhead of the proposed scheme equals two hashes. Its computation overhead equals the calculation of one signature over $m$ packets and the calculation of $m$ hashes. In the next section, a comparison of the hybrid scheme with the Gennaro–Rohatgi, Wong–Lam, Golle–Modadugu and TESLA schemes is detailed.

Comparison of the proposed scheme with Gennaro–Rohatgi, Wong–Lam, TESLA and Golle–Modadugu schemes

In order to conduct a comparison between the proposed scheme and the following schemes: Gennaro–Rohatgi, Wong–Lam, Golle–Modadugu and TESLA, the following general assumptions are considered:

- The stream to be authenticated is divided into blocks of $m$ packets.

- In order to provide authentication, one signature is needed for each block.

- All the compared schemes are based on the amortization of the signature over several packets. Therefore, in the following discussion, the signature will not be included in the calculation of both the computation and communication overheads.

- The calculations are specified for the authentication of one block.

- For the proposed scheme, the hash of each packet is appended to the previous packet and to the packet preceding it by $a$ places. On the other hand, for the Golle–Modadugu scheme, the hash of each packet is appended to the next packet and to the packet succeeding it by $a$ places. Finally, for the TESLA protocol, the key, which is used to examine authentication, is revealed after $a$ packets.

The comparison will be undertaken according to the following criteria:

- The computation overhead: the total number of packets to be hashed at the sender or at the receiver for $m$ packets.

- The communication overhead: the average number of hashes appended to each packet in order to achieve authentication.

- Buffering resources: the maximum expected number of packets or hashes to be stored in the following buffers: Send_Packet, Send_Hash, Rec_Packet, Rec_Packet_Loss, Rec_Hash, Rec_Hash_Loss. In order to compare with the TESLA scheme, two other buffers are added: the first is Send_Key, which represents the number of keys needed to perform MAC operations and to be stored at the sender. The second is Rec_Key, which represents the number of keys to be stored at the receiver.

- Delay at the sender and the receiver: delay at the sender (in number of hashes to be calculated) to set up the information required to achieve authentication and at the receiver (in number of hashes to be calculated) to authenticate a stream of packets assuming no loss occurs.

- Latency: the maximum number of packets that need to be received before a packet can be authenticated.

- Resistance to packet loss: the type of loss that the scheme resists.

Table 1 shows the comparison between the Gennaro–Rohatgi, Wong–Lam, Golle–Modadugu, TESLA and the proposed schemes. Since the Gennaro–Rohatgi scheme does not resist packet loss, the values of Rec_Packet_Loss, Rec_Hash_Loss, and the latency are not determined in the table. The following facts could be deduced from Table 1:

- The Wong–Lam scheme resists any type of packet loss, which is considered an essential requirement from the point of view of security. However, it has the following disadvantages compared to the other schemes:
  - It has the highest communication and computation overheads as shown in Fig. 6.
  - It requires the highest buffer resources at the sender.
  - It has the longest delay at the sender.

- The Gennaro–Rohatgi scheme has the lowest computation and communication overheads as shown in Fig. 6. Further, it requires the lowest buffer resources at both the sender and the receivers. However, it has a major drawback: it cannot resist any type of packet loss.

- Comparing the TESLA protocol with the proposed scheme, TESLA has a lower communication overhead and can resist a length of packet loss greater than the proposed scheme. On the other hand, the proposed scheme has the following advantages over TESLA:
  - It has a lower computation overhead as shown in Fig. 6. This is due to the fact that, for performing authentication in TESLA, the sender needs to calculate one MAC for every packet, as well as one key for every packet using one way functions.
  - It requires lower buffering resources as shown in Table 1.
  - It does not depend on time synchronization as TESLA does.

- Golle–Modadugu and the proposed scheme have requirements that are comparable to those of the Gennaro–Rohatgi scheme. They have the same computation overhead and their communication overhead is two hashes instead of one hash in the Gennaro–Rohatgi scheme. Furthermore, their buffer resources are almost the same as those of the Gennaro–Rohatgi scheme. On the other hand, they can resist a burst of packet loss given that the length of the burst is less than a certain length $a$.

- Comparing the proposed scheme with the Golle–Modadugu scheme, the Golle–Modadugu scheme has a delay at the sender which is less than that of the proposed scheme. On the other hand, the proposed scheme has the following advantages: first, its latency is less than that of the Golle–Modadugu scheme. Second, the delay at the receiver is less than that of the Golle–Modadugu scheme and authentication can be performed on a real-time basis. Third, for the Golle–Modadugu scheme as stated in Golle and Modadugo (2001), the communication overhead for some packets equals five hashes, which is comparable to a signature length. For the proposed scheme, the maximum number of hashes appended to any packet is two.

Table 1 Comparison between Gennaro–Rohatgi, Wong–Lam, Golle–Modadugu, TESLA and the proposed schemes

| | Gennaro–Rohatgi | Wong–Lam | Golle–Modadugu | TESLA | Proposed scheme |
|---|---|---|---|---|---|
| Computation overhead | $m$ | $2^{\log_2(m)+1} - 1$ | $m$ | $2m$ | $m$ |
| Communication overhead | 1 | $\log_2(m) + 1$ | 2 | 1 | 2 |
| Buffering resources | | | | | |
| Send_Packet | $m$ | $m$ | 1 | 1 | $m$ |
| Send_Hash | 1 | $2^{\log_2(m)+1} - 1$ | $a$ | 1 | $a$ |
| Rec_Packet | 1 | 1 | $m$ | $a$ | 1 |
| Rec_Packet_Loss | – | 0 | $m$ | $a - 1$ | $a - 1$ |
| Rec_Hash | 1 | $\log_2(m) + 1$ | 1 | $a$ | 1 |
| Rec_Hash_Loss | – | 0 | $a$ | $a$ | $a$ |
| Send_Key | 0 | 0 | 0 | $m$ | 0 |
| Rec_Key | 0 | 0 | 0 | 1 | 0 |
| Delay | | | | | |
| At the sender | $m$ | $2^{\log_2(m)+1} - 1$ | 0 | $m$ | $m$ |
| At the receiver (assume no packet is lost) | 0 | 0 | $m$ | 0 | 0 |
| Latency (in case of loss) | – | 0 | $m$ | $a - 1$ | $a - 1$ |
| Resistance to packet loss | No resistance to packet loss | Any | Burst of specified length = $a$ | Burst of specified length = $m$ | Burst of specified length = $a$ |

Figure 6 Comparison of the overheads of: Gennaro–Rohatgi, Wong–Lam, Golle–Modadugu, TESLA and the proposed schemes: (a) for the computation overhead; (b) for the communication overhead. [Plots of overhead (number of hashes) against number of packets per block. In (a), one curve covers Gennaro–Rohatgi, Golle–Modadugu and the proposed scheme and another covers the Wong–Lam and TESLA schemes; in (b), the curves are Golle–Modadugu and the proposed scheme, Wong–Lam, and Gennaro–Rohatgi and TESLA.]

Conclusions

In the present paper, the problem of securing multicast communication is discussed. Many solutions have been proposed to solve the multicast authentication problem. One solution is to design more efficient signature schemes. Although this solution overcomes the computational problem, it suffers from the communication overhead problem. In order to overcome the communication overhead problem, another solution is to amortize the signature over several packets, as proposed in the Gennaro-Rohatgi, Wong-Lam, and Golle-Modadugu schemes. Many multicast applications run over IP networks, where several packet losses could occur. Therefore, multicast authentication protocols must resist packet loss and must be joinable at any point. Other requirements of multicast authentication protocols are to perform authentication in real time and to have no latency. Furthermore, the required buffering resources must be as low as possible, and the communication and computation overheads must be low.

In the present paper, a hybrid scheme for authenticating real-time data applications where low delay is acceptable is proposed. It is based on work done by Gennaro-Rohatgi and Golle-Modadugu. In order to provide authentication, the proposed scheme uses both public key signature and hash functions. It is based on the idea of dividing the stream into blocks of m packets, and a chain of hashes is used to link each packet to the one preceding it, as proposed in Gennaro-Rohatgi. In order to resist packet loss, the hash of each packet is appended to another place in the stream, as in Golle-Modadugu. Finally, the first packet is signed. The proposed scheme is compared to the Gennaro-Rohatgi, Wong-Lam, Golle-Modadugu and TESLA schemes. Comparison of the proposed scheme with the Gennaro-Rohatgi scheme shows that the major advantage of the proposed scheme is that it resists packet loss and is joinable at any point. On the other hand, comparison of the proposed scheme with the Wong-Lam scheme shows that the proposed scheme has the following advantages: first, it has lower computation and communication overheads. Second, it has lower buffer requirements. Finally, the proposed scheme has a lower delay at the sender. Comparing TESLA with the proposed scheme, TESLA has a lower communication overhead and can resist a greater length of packet loss than the proposed scheme. On the other hand, the proposed scheme has the following advantages over TESLA: first, it has a lower computation overhead. Second, it requires lower buffering resources. Finally, it does not depend on time synchronization. Comparing the proposed scheme with the Golle-Modadugu scheme, the Golle-Modadugu scheme has a delay at the sender that is less than that of the proposed scheme. On the other hand, the proposed scheme has the following advantages: first, its latency is less than that of the Golle-Modadugu scheme. Second, the delay at the receiver is less than that of the Golle-Modadugu scheme and authentication can be performed on a real-time basis. Third, for the proposed scheme, the maximum number of hashes appended to any packet is two, while the communication overhead of the Golle-Modadugu scheme for some packets equals five hashes, which is comparable to a signature length. In conclusion, the proposed scheme achieves the goal of multicast authentication and overcomes the problems of previous schemes.
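The following Python example is an added illustration, not code from the paper. It models one block of the construction summarized above under an assumed layout that this section does not spell out: packet i carries H(packet i+1) and H(packet i+a), so no packet carries more than two hashes. The signature on the first packet is outside the example (packet 0 is treated as already verified), and the names `build_block` and `authenticate` are hypothetical.

```python
import hashlib

HASH_LEN = 32  # SHA-256 digest size in bytes


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_block(payloads, a):
    """Sender: build the wire packets for one block of m payloads.

    Assumed layout: packet i = payload || H(packet i+1) || H(packet i+a).
    A slot that would point past the end of the block is zero-filled.
    """
    m = len(payloads)
    packets = [b""] * m
    empty = bytes(HASH_LEN)
    # Built back to front, which is where the delay at the sender comes from.
    for i in range(m - 1, -1, -1):
        nxt = h(packets[i + 1]) if i + 1 < m else empty
        far = h(packets[i + a]) if i + a < m else empty
        packets[i] = payloads[i] + nxt + far
    return packets


def authenticate(received, a, m):
    """Receiver: return the indices of the packets that authenticate.

    `received` maps index -> packet bytes for the packets that arrived.
    Packet 0 is assumed to have passed its signature check already.
    """
    expected = {}  # index -> hash taken from an already authenticated packet
    ok = []
    for i in range(m):
        pkt = received.get(i)
        if pkt is None:
            continue  # lost in transit
        if i != 0 and expected.get(i) != h(pkt):
            continue  # no authenticated hash reaches it, or it was modified
        ok.append(i)
        expected.setdefault(i + 1, pkt[-2 * HASH_LEN:-HASH_LEN])
        expected.setdefault(i + a, pkt[-HASH_LEN:])
    return ok


# Constructed sample: a block of m = 10 packets with a = 3.
PACKETS = build_block([b"payload-%d" % i for i in range(10)], a=3)
burst2 = {i: p for i, p in enumerate(PACKETS) if i not in (4, 5)}
burst3 = {i: p for i, p in enumerate(PACKETS) if i not in (4, 5, 6)}
print(authenticate(burst2, 3, 10))  # burst shorter than a
print(authenticate(burst3, 3, 10))  # burst of length a
```

With a burst shorter than a, every surviving packet still authenticates; once the burst reaches length a, nothing after it in the block can be verified, and a modified packet is rejected without breaking the packets that follow it.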

References

Ateniese G, Steiner M, Tsudik G. New multi-party authentication services and key agreement protocols. IEEE Journal on Selected Areas in Communications April 2000:628-39.

Gennaro R, Rohatgi P. How to sign digital streams. In: Proceedings of CRYPTO’97. California, USA; August 1997. p. 180-97.

Golle P, Modadugo N. Streamed authentication in the presence of random packet loss. In: Proceedings of the ISOC network and distributed system security symposium. California, USA; February 2001. p. 13-22.

Mittra S. Iolus: a framework for scalable secure multicasting. In: Proceedings of the ACM SIGCOMM’97. France; September 1997. p. 277-88.

Pannetrat A, Molva R. Efficient multicast packet authentication. In: Proceedings of the ISOC network and distributed system security symposium. California, USA; February 2003. p. 251-62.

Paxon V. End-to-end internet packet dynamics. IEEE/ACM Transactions on Networking June 1999;7(3):277-92.

Perrig A. The BIBA one-time signature and broadcast authentication protocol. In: Proceedings of the 8th ACM conference on computer and communications security. Pennsylvania, USA; November 2001. p. 28-37.

Perrig A, Canetti R, Tygar JD, Song D. Efficient authentication and signing of multicast streams over lossy channels. Proceedings of IEEE Symposium on Security and Privacy May 2000:56-73.

Perrig A, Song D, Tygar JD. ELK, a new protocol for efficient large-group key distribution. Proceedings of IEEE Symposium on Security and Privacy May 2001a:247-62.

Perrig A, Canetti R, Song D, Tygar JD. Efficient and secure source authentication for multicast. In: Proceedings of the ISOC network and distributed system security symposium. California, USA; February 2001b. p. 35-46.

Perrig A, Canetti R, Tygar JD, Song D. The TESLA broadcast authentication protocol. RSA CryptoBytes 2002;5:2-13.

Reyzin L, Reyzin R. Better than BIBA: short one-time signatures with fast signing and verifying. In: Proceedings of the 7th Australian Conference on Information Security and Privacy. Melbourne, Australia; July 2002. p. 144-53.

Rohatgi R. A compact and fast hybrid signature scheme for multicast packet authentication. In: Proceedings of the 6th ACM Conference on Computer and Communications Security. Singapore; November 1999. p. 93-100.

Wong CK, Lam SS. Digital signatures for flows and multicasts. IEEE/ACM Transactions on Networking 1999;7(4):502-13.

Heba Aslan is an assistant professor at the Informatics Department in the Electronics Research Institute, Egypt. Her fields of interest include encryption protocols, key distribution protocols, group key distribution protocols and intrusion detection systems. She obtained a BSc, MSc and PhD from Electronics and Communications Department, Faculty of Engineering, Cairo University, Egypt, in 1990, 1994 and 1998, respectively.