Efficient One-time Signature Schemes for Stream Authentication *




JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 22, 611-624 (2006)

YONGSU PARK AND YOOKUN CHO+

College of Information and Communications, Hanyang University, Seoul, 133-791 Korea
E-mail: yspark@ssrnet.snu.ac.kr
+School of Computer Science and Engineering, Seoul National University, Seoul, 151-742 Korea
E-mail: cho@ssrnet.snu.ac.kr

When one-time signatures are used for stream authentication, one of the most serious drawbacks is that their large signature size yields high communication overhead. In this paper, we present two efficient one-time signature schemes for stream authentication. Compared with the previous schemes, these schemes have the smallest signature sizes. Moreover, their verification overheads are low. The signature size of Scheme 1 is smaller than that of Scheme 2, whereas Scheme 2 has a much smaller signing cost: it requires fewer than 2 hash operations on average in the majority of cases. Although the signing cost of Scheme 1 is relatively high, it can be parallelized without any additional risk because sharing the private key among distributed servers is not required.

Keywords: information theory, security, cryptography, authentication, digital signature, stream distribution

1. INTRODUCTION

Recently the Internet has become widely used for distributing streamed data. To enable widespread commercial broadcast services, it is important to provide data integrity and source authentication [11, 13]. For example, a listener may need to be assured that stock quotes or news streams have not been altered and were produced by the original broadcast station. One-time digital signature schemes are digital signature mechanisms that sign a message at most once. Because one-time signature schemes have a much lower signing cost than ordinary signature schemes, they can be used for signing each live stream chunk in order to support fast packet rates [9, 12]. One of the serious drawbacks in using these schemes, however, is that their large signature size yields high communication overhead. For example, if we use SHA-1 [6], the size of a Lamport signature [6] is 3200 bytes, which is much larger than the size of a single stream chunk, which usually does not exceed 512 bytes.¹

Received May 7, 2004; revised April 6, 2005; accepted November 2005. Communicated by Shiuhpyng Shieh.
* A preliminary version of this paper appeared in the technical/industrial track of ACNS 2004.
¹ On the Internet, streamed media is transmitted in units of IP packets. If a stream chunk (or its signature) is only partially delivered to the receivers because of IP packet loss, it will be unverifiable. The larger the size of each chunk, the more frequently partial delivery occurs and the more chunks will be unverifiable. Hence, the size of a chunk should be much smaller than that of an IP packet, which is usually 4096 bytes.

In [15] Rohatgi proposed a method for the efficient use of k-time signatures to reduce communication overhead. Recently, new one-time signature schemes that have small signature sizes have been proposed [9, 12, 14]. Although Powerball [9] is claimed to have the smallest signature size among them, its on-line signing cost is very high. HORS (Hash to Obtain Random Subset) [14] requires only a single hash operation for signature generation, but its signature size is larger than that of BiBa [12] or Powerball.

In this paper, we propose two efficient one-time signature schemes for stream authentication. The proposed schemes can be viewed as improvements of HORS obtained by using double hash preimages and by inserting a restricted condition on signature generation/verification. Compared with [9, 12, 14], under the same security level our schemes have the smallest signature sizes. Moreover, their verification costs are low. The signature size of Scheme 1 is smaller than that of Scheme 2, whereas Scheme 2 has a much smaller signing cost: it requires fewer than 2 hash operations on average in the majority of cases. Although the signing cost of Scheme 1 is relatively high, it can be parallelized without any additional risk because sharing the private key among distributed servers is not required.

This paper is organized as follows. In section 2 we give some preliminaries and definitions needed to understand our schemes. In section 3 we describe related work and in section 4 we propose our schemes. In section 5, we analyze the computation cost of our schemes, perform security analysis and show the comparison results between the previous schemes and the proposed schemes. Finally, conclusions are drawn in section 6.

2. PRELIMINARIES

In this section we briefly describe the definition of one-time/k-time signatures and then define some notation. One-time digital signature schemes are digital signature mechanisms that sign a message at most once; if a key pair is used more than once, signatures can be forged [6]. In k-time digital signature schemes, we can use the signing operation at most k times. We use the following notation in the rest of the paper.

Let $f: \{0,1\}^l \to \{0,1\}^l$ be a one-way function. Let $h: \{0,1\}^* \to \{0,1\}^{k \log t}$ and $g_h: \{0,1\}^* \to \{0,1\}^{\log n}$ be one-way hash functions ($l$, $k$, $t$ and $n$ are security parameters). Note that $f()$, $h()$ and $g_h()$ can be implemented using standard hash functions (SHA-1 or RIPEMD-160) [14]. $A \| B$ denotes the concatenation of strings $A$ and $B$. If an integer $f$ is divisible by an integer $e$, we write $e \mid f$. $|C|$ denotes the bit size of string $C$. The signer and the verifier are denoted as S and V, respectively.

3. RELATED WORK

Research on broadcast/multicast stream authentication can be classified into two categories: first, research on designing faster signature schemes and second, research on amortizing each signing operation by making use of a single signature to authenticate several packets [5]. For lack of space, we explain only the previous work of the first approach, which is related to this paper (for the latter approach, refer to [4, 5, 8, 10, 11, 13, 16, 17]).

In [17], Wong and Lam proposed some methods for speeding up the FFS (Feige-Fiat-Shamir) signature scheme [6] by using the CRT (Chinese Remainder Theorem) [6], reducing the verification key size and using precomputation with large memory. They showed that verification in the scheme was as fast as that of RSA with a small exponent and that the signing operation was much faster than those of other schemes (RSA, DSA, ElGamal and Rabin). Moreover, they extended FFS to allow adjustable and incremental verification, in which V can verify the signature at different levels: V can verify it at a lower security level with a small computation cost, and later increase the security level with longer computation time.

In [4], Gennaro and Rohatgi proposed an efficient broadcast authentication scheme using one-time signatures. Compared with ordinary signature schemes, one-time (or k-time) signature schemes show much faster signing/verification rates. However, the size of a one-time (or k-time) signature is much larger than that of RSA or ElGamal, e.g., the size of the Lamport one-time signature of an SHA-1 hashed message is 3200 bytes. In [15], Rohatgi used a TCR (Target Collision Resistant) function to reduce the signature size and the public key size of k-time signatures. Another method used in [15] is the optimization of the size of the certificate, which further reduced communication overhead. If these methods are combined, the size overhead per stream chunk is about 300 bytes when the on-line scheme of [4] is used.

Recently, Perrig et al. devised an efficient one-time signature scheme for broadcast authentication, BiBa (Bins and Balls) [12]. BiBa uses the Birthday Paradox as follows. Assume that there exists a family of hash functions $G = \{g_0, \ldots, g_{n-1}\}$. First, S generates random secret values $s_1, \ldots, s_t$ that are called balls. The public key consists of the outputs of a one-way function that takes each ball as an input: $v_i = f(s_i)$ ($1 \le i \le t$). Given a message $m$ to be signed, S computes $h = h(m)$ and selects $g_h$ from $G$. Then, by using $g_h$, each ball is mapped to one of $n$ bins as follows: $s_i$ is related to the bin having index $g_h(s_i)$. If there exists a bin that contains $k$ balls, these balls are the signature of $m$. The signature size of BiBa is much smaller and its verification cost is much lower than those of the previous one-time signature schemes. However, the signing cost is high and the public key size is large. In [12], Perrig also presented efficient broadcast authentication methods that permit the large public key size of one-time signatures.

Mitzenmacher and Perrig proposed the Powerball signature scheme [9], which is an improvement of BiBa. First, key generation in Powerball is as follows. For input parameters $n$, $t$ and $k$, S generates random $l$ (= $k \log n$)-bit strings $s_1, \ldots, s_t$ and then computes $p_i = f(s_i)$, $v_i = f(p_i)$ for $1 \le i \le t$. The private key and public key are SK = $(s_1, \ldots, s_t)$ and PK = $(v_1, \ldots, v_t)$, respectively. Second, signature generation is as follows. Given a message $m$ and SK, S computes $h = h(m \| c)$ to select $g_h$ from the family of hash functions $G$, where $c$ is a counter that S increments if it is unable to find a signature. Each ball $p_i$ ($1 \le i \le t$) is mapped to one of $n$ bins, namely the one with index $g_h(p_i)$. Then, each $s_i$ ($1 \le i \le t$) is interpreted as a sequence of $k$ bins, $b_{w_1} \| \cdots \| b_{w_j} \| \cdots \| b_{w_k}$ ($0 \le b_{w_j} < n$). If S finds an $s_i$ such that each corresponding bin $b_{w_j}$ ($1 \le j \le k$) has at least one ball $p_{i_j}$ mapped to it, the signature of $m$ is SIG = $(p_{i_1}, \ldots, p_{i_k}, s_i, c)$. Third, signature verification is as follows. Given $m$, SIG = $(p'_1, \ldots, p'_k, s', c')$ and PK, V computes $h' = h(m \| c')$ and selects $g_{h'}$ from $G$. If $f(p'_i)$ ($1 \le i \le k$) and $f(f(s'))$ are in PK and all the corresponding bins for $s'$ contain at least one ball, V accepts the signature. As will be shown in section 5.4, even though the key generation cost of Powerball is twice that of BiBa, its signature size and verification cost are smaller than those of BiBa.

Recently, Reyzin and Reyzin proposed an efficient one-time signature scheme, HORS [14]. First, key generation in HORS is as follows. For input parameters $l$, $k$ and $t$, S generates random $l$-bit strings $s_1, \ldots, s_t$ and computes $v_i = f(s_i)$ for $1 \le i \le t$. The private key and public key are SK = $(s_1, \ldots, s_t)$ and PK = $(v_1, \ldots, v_t)$, respectively. Second, signature generation is as follows. Given a message $m$ and SK, S splits $h(m)$ into $h_1, \ldots, h_k$, each of which is $\log t$ bits long. $h_j$ is interpreted as an integer $i_j$ ($1 \le i_j \le t$, $1 \le j \le k$). The signature of $m$ is SIG = $(s_{i_1}, \ldots, s_{i_k})$. Third, signature verification is as follows. Given $m$, SIG = $(s'_1, \ldots, s'_k)$ and PK, V splits $h(m)$ into $h_1, \ldots, h_k$ and interprets $h_j$ as an integer $i_j$ ($1 \le j \le k$). If $f(s'_j) = v_{i_j}$ for all $j$, V accepts the signature. HORS has a very low signing cost since it requires only 1 hash operation. However, the signature size of HORS is larger than those of Powerball and BiBa, as will be shown in section 5.4.

4. THE PROPOSED SCHEME

In HORS, assume that an attacker A has SIG = $(s_{i_1}, \ldots, s_{i_k})$ for $m$. Then, A can forge a signature for another message by changing the positions of elements in SIG, e.g., if A can find $m'$ or $m''$ ($m', m'' \ne m$) such that $h(m') = h_2 \| h_1 \| h_3 \| \cdots \| h_k$ or $h(m'') = h_3 \| h_2 \| h_1 \| \cdots \| h_k$, he can create a signature $(s_{i_2}, s_{i_1}, s_{i_3}, \ldots, s_{i_k})$ for $m'$ or $(s_{i_3}, s_{i_2}, s_{i_1}, \ldots, s_{i_k})$ for $m''$. We improved HORS by minimizing the success probability of this attack. Thus, under the same security level, our schemes have smaller signature sizes than HORS. More specifically, we use double hash preimages and insert a restricted condition on signature generation/verification to minimize the above attack. Our schemes have the constraint that $2 \mid k$.

4.1 Scheme 1

Like HORS, Scheme 1 consists of 3 parts: key generation, signature generation and signature verification. First, key generation is as follows. For input parameters $l$, $k$ and $t$, S generates random $l$-bit strings $s_1, \ldots, s_t$ and then computes $p_i = f(s_i)$, $v_i = f(p_i)$ for $1 \le i \le t$. In the proposed scheme, all $s_a$, $p_b$, $v_c$ ($1 \le a, b, c \le t$) should be different.² The private key and public key are SK = $((s_1, \ldots, s_t), (p_1, \ldots, p_t))$ and PK = $(v_1, \ldots, v_t)$, respectively.

Second, signature generation is as follows. Given a message $m$ and SK, S selects a random value $c$ and computes $h(m \| c) = h_1 \| \cdots \| h_k$. $h_j$ is interpreted as an integer $i_j$ ($1 \le j \le k$). The $i_j$ ($1 \le j \le k$) must meet the following conditions; if not, S repeats the above procedure for another $c$:

$$i_1 < \cdots < i_{k/2},\qquad i_{k/2+1} < \cdots < i_k,\qquad \{i_1, \ldots, i_{k/2}\} \cap \{i_{k/2+1}, \ldots, i_k\} = \emptyset. \tag{1}$$

The signature is SIG = $(c, (s_{i_1}, \ldots, s_{i_{k/2}}), (p_{i_{k/2+1}}, \ldots, p_{i_k}))$.

Third, signature verification is as follows. Given a message $m$, SIG = $(c', (u_1, \ldots, u_{k/2}), (u_{k/2+1}, \ldots, u_k))$ and PK, V computes $h(m \| c') = h'_1 \| \cdots \| h'_k$ and interprets $h'_j$ as an integer $i'_j$ ($1 \le j \le k$). The $i'_j$ ($1 \le j \le k$) must meet Eq. (1). If $f(f(u_j)) = v_{i'_j}$ and $f(u_{j+k/2}) = v_{i'_{j+k/2}}$ for $1 \le j \le k/2$, V accepts the signature.

² $s_a$, $p_b$, $v_c$ ($1 \le a, b, c \le t$) are $l$-bit strings, where usually $l \ge 80$. Considering that $t$ is on the order of 1000 (see section 5.4), the probability that all $s_a$, $p_b$, $v_c$ are different is extremely high.

Example 1: Assume that $l = 80$, $k = 4$ and $t = 8$. First, S generates SK = $((s_1, \ldots, s_8), (p_1, \ldots, p_8))$ where $s_i$ is an 80-bit string and $p_i = f(s_i)$ ($1 \le i \le 8$). Then, S computes PK = $(v_1, \ldots, v_8)$ where $v_i = f(p_i)$ ($1 \le i \le 8$). For a message $m$, S selects a random value $c$ and computes $h(m \| c) = h_1 \| h_2 \| h_3 \| h_4$. S interprets each $h_j$ as $i_j$ ($1 \le j \le 4$). If $i_1 = 2$, $i_2 = 7$, $i_3 = 4$, $i_4 = 8$ then $i_1 < i_2$, $i_3 < i_4$, and $\{i_1, i_2\} \cap \{i_3, i_4\} = \emptyset$. The signature of $m$ is SIG = $(c, (s_2, s_7), (p_4, p_8))$. Given $m$, SIG = $(c', (u_1 = s_2, u_2 = s_7), (u_3 = p_4, u_4 = p_8))$ and PK, V computes $h(m \| c') = h'_1 \| h'_2 \| h'_3 \| h'_4$ and interprets each $h'_j$ as $i'_j$ ($1 \le j \le 4$). If $m$ and SIG have not been modified, $i'_1 = 2$, $i'_2 = 7$, $i'_3 = 4$, $i'_4 = 8$, which meets Eq. (1). If $f(f(u_1)) = v_2$, $f(f(u_2)) = v_7$, $f(u_3) = v_4$ and $f(u_4) = v_8$, V accepts the signature.

Recall that in HORS, an attacker A can forge a signature for another message by changing the positions of elements in SIG = $(s_{i_1}, \ldots, s_{i_k})$. In Scheme 1, all such attacks are impossible, which results in a significant reduction of the probability of forgery. We will show this in sections 5.3 and 5.4. Note that we could prevent this forgery attack simply by modifying HORS so that, in generating a signature, all $i_1, \ldots, i_k$ must meet the condition $i_1 < \cdots < i_k$. However, this naive method requires a large number of $h(m)$ operations to find such $i_1, \ldots, i_k$. In our scheme, the signing cost is smaller than that of this naive method because we apply the hash function twice for each $s_i$, divide the signature into two parts, and use Eq. (1), which is less restrictive than the condition of the naive method. (For further dividing the signature into multiple parts, see the Appendix.)

4.2 Scheme 2

Although Scheme 1 has a small signature, its signing cost is quite large, as will be seen in section 5.4. In this section we present Scheme 2, which has a less restrictive condition in signature generation than Eq. (1) of Scheme 1. Thus, the signing cost of Scheme 2 is much smaller than that of Scheme 1.

Scheme 2 also consists of 3 parts: key generation, signature generation and signature verification. First, key generation is as follows. For input parameters $l$, $k$ ($2 \mid k$) and $t$, S generates random $l$-bit strings $s_1, \ldots, s_t$ and then computes $p_i = f(s_i)$, $v_i = f(p_i)$ for $1 \le i \le t$. In the proposed scheme, all $s_a$, $p_b$, $v_c$ ($1 \le a, b, c \le t$) should be different. The private key and public key are SK = $((s_1, \ldots, s_t), (p_1, \ldots, p_t))$ and PK = $(v_1, \ldots, v_t)$, respectively.

Second, signature generation is as follows. Given a message $m$ and SK, S selects a random value $c$ and computes $h(m \| c) = h_1 \| \cdots \| h_k$. $h_j$ is interpreted as an integer $i_j$ ($1 \le j \le k$, $1 \le i_j \le t$). The $i_j$ ($1 \le j \le k$) must meet the following condition: $i_1, \ldots, i_k$ should all be different. If not, S repeats the above procedure for another $c$. The signature is SIG = $(c, (s_{i_1}, \ldots, s_{i_{k/2}}), (p_{i_{k/2+1}}, \ldots, p_{i_k}))$.

Third, signature verification is as follows. Given a message $m$, SIG = $(c', (u_1, \ldots, u_{k/2}), (u_{k/2+1}, \ldots, u_k))$ and PK, V computes $h(m \| c') = h'_1 \| \cdots \| h'_k$. After V interprets $h'_j$ as an integer $i'_j$ ($1 \le j \le k$, $1 \le i'_j \le t$), he verifies that all $i'_j$ are different. If $f(f(u_j)) = v_{i'_j}$ and $f(u_{j+k/2}) = v_{i'_{j+k/2}}$ for $1 \le j \le k/2$, V accepts the signature.

Example 2: Assume that $l = 80$, $k = 4$ and $t = 8$. First, S generates SK = $((s_1, \ldots, s_8), (p_1, \ldots, p_8))$ where $s_i$ is an 80-bit string and $p_i = f(s_i)$ ($1 \le i \le 8$). Then, S computes PK = $(v_1, \ldots, v_8)$ where $v_i = f(p_i)$ ($1 \le i \le 8$). For a message $m$, S selects a random value $c$ and computes $h(m \| c) = h_1 \| h_2 \| h_3 \| h_4$. S interprets each $h_j$ as $i_j$ ($1 \le j \le 4$). If $i_1 = 4$, $i_2 = 2$, $i_3 = 3$, $i_4 = 5$, then the condition that all $i_j$ ($1 \le j \le 4$) are different is met. The signature of $m$ is SIG = $(c, (s_4, s_2), (p_3, p_5))$. Given $m$, SIG = $(c', (u_1 = s_4, u_2 = s_2), (u_3 = p_3, u_4 = p_5))$ and PK, V computes $h(m \| c') = h'_1 \| h'_2 \| h'_3 \| h'_4$ and interprets each $h'_j$ as $i'_j$ ($1 \le j \le 4$). If $m$ and SIG have not been modified, $i'_1 = 4$, $i'_2 = 2$, $i'_3 = 3$, $i'_4 = 5$, which meets the above condition. If $f(f(u_1)) = v_4$, $f(f(u_2)) = v_2$, $f(u_3) = v_3$ and $f(u_4) = v_5$, V accepts the signature.

Recall that in HORS, an attacker A can forge a signature for another message by changing the positions of elements in SIG = $(s_{i_1}, \ldots, s_{i_k})$. In Scheme 2, all the valid signatures that A can forge have the form SIG' = $(c', (\text{a permutation of } (s_{i_1}, \ldots, s_{i_{k/2}})), (\text{a permutation of } (p_{i_{k/2+1}}, \ldots, p_{i_k})))$, which results in a significant reduction of the probability of forgery. We will show this in sections 5.3 and 5.4.

5. ANALYSIS

We first calculate the computation cost of the proposed schemes in section 5.1. In section 5.2, we analyze the private key size, the public key size and the signature size. In section 5.3, we perform security analysis of our schemes. Finally, we explain the comparison results between the previous schemes and our schemes in section 5.4.

In this section, we assume that $f()$ and $h()$ are modelled as random oracles [1]. This simplifies the security analysis of the proposed schemes. Moreover, under this assumption, the output of $h()$ is uniformly distributed, which simplifies the analysis of the computation cost of our schemes. This assumption follows the convention of the previous schemes [9, 12, 14].
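The two schemes of section 4 (with HORS alongside for comparison) in runnable form, as an added example that is not the authors' code. It uses the parameters of Examples 1 and 2 ($l = 80$, $k = 4$, $t = 8$) and also carries out the forgery searches described in sections 4 and 5.3. Everything the paper leaves open is an assumption here: $f()$ and $h()$ are built from SHA-256 with domain-separating prefixes, indices are 0-based (the paper writes $1 \le i_j \le t$), $t$ is a power of two so that each $h_j$ is exactly $\log_2 t$ bits, and the counter $c$ is encoded as a 32-bit integer. The counter search is split off from the key-holding step on purpose: `find_counter` touches no key material, and `sign` recomputes $h(m \| c)$ and re-checks the condition before releasing any preimage, which is what makes the parallelization claim of section 5.4 safe against a misbehaving search worker.

```python
"""Added example, not the authors' code: toy HORS, Scheme 1 and Scheme 2 with the
parameters of Examples 1 and 2 (l = 80, k = 4, t = 8) and the forgery searches of
sections 4 and 5.3. Assumptions not fixed by the paper: f() and h() are built from
SHA-256 with domain separation, indices are 0-based (the paper uses 1..t), t is a
power of two so each h_j is log2(t) bits, and the counter c is a 32-bit integer."""
import hashlib
import os

L_BYTES = 10        # l = 80 bits
T, K = 8, 4         # t secrets, k indices per signature; 2 | k is required
C_BYTES = 4         # encoding width of the counter c (assumption)


def f(x: bytes) -> bytes:
    """One-way function f: {0,1}^l -> {0,1}^l (SHA-256 truncated to l bits)."""
    return hashlib.sha256(b"f|" + x).digest()[:L_BYTES]


def h(m: bytes, k: int = K, t: int = T) -> list:
    """h: {0,1}* -> {0,1}^(k log t), split into k integers in [0, t)."""
    bits = t.bit_length() - 1
    word = int.from_bytes(hashlib.sha256(b"h|" + m).digest(), "big") >> (256 - k * bits)
    return [(word >> (bits * (k - 1 - j))) & (t - 1) for j in range(k)]


def keygen(t: int = T):
    """SK = ((s_i), (p_i)), PK = (v_i) with p_i = f(s_i), v_i = f(p_i). HORS uses (s_i), (p_i)."""
    s = [os.urandom(L_BYTES) for _ in range(t)]
    p = [f(x) for x in s]
    v = [f(x) for x in p]
    if len(set(s) | set(p) | set(v)) != 3 * t:   # paper: all s_a, p_b, v_c must differ
        return keygen(t)
    return (s, p), v


def _increasing(q) -> bool:
    return all(x < y for x, y in zip(q, q[1:]))


def cond_scheme1(idx) -> bool:
    """Eq. (1): both halves strictly increasing, and disjoint."""
    a, b = idx[: len(idx) // 2], idx[len(idx) // 2 :]
    return _increasing(a) and _increasing(b) and not set(a) & set(b)


def cond_scheme2(idx) -> bool:
    """Scheme 2: all k indices distinct, in any order."""
    return len(set(idx)) == len(idx)


def find_counter(m: bytes, cond, start: int = 0) -> int:
    """Search c with cond(h(m||c)). Needs no key material, so untrusted workers may run it."""
    c = start
    while not cond(h(m + c.to_bytes(C_BYTES, "big"))):
        c += 1
    return c


def sign(sk, m: bytes, cond, c: int):
    """Key holder re-derives the indices itself before releasing any preimage."""
    s, p = sk
    idx = h(m + c.to_bytes(C_BYTES, "big"))
    if not cond(idx):
        raise ValueError("counter does not satisfy the signing condition")
    half = len(idx) // 2
    return c, [s[i] for i in idx[:half]], [p[i] for i in idx[half:]]


def verify(pk, m: bytes, sig, cond) -> bool:
    """Re-check cond, then f(f(u_j)) = v_{i_j} for the s-half and f(u_j) = v_{i_j} for the p-half."""
    c, us, up = sig
    idx = h(m + c.to_bytes(C_BYTES, "big"))
    half = len(idx) // 2
    if not cond(idx) or len(us) != half or len(up) != half:
        return False
    return (all(f(f(u)) == pk[i] for u, i in zip(us, idx[:half]))
            and all(f(u) == pk[i] for u, i in zip(up, idx[half:])))


def hors_sign(sk, m: bytes):
    return [sk[0][i] for i in h(m)]


def hors_verify(pk_p, m: bytes, sig) -> bool:
    return len(sig) == K and all(f(u) == pk_p[i] for u, i in zip(sig, h(m)))


def forge(m: bytes, sig, m2: bytes, scheme: str, limit: int = 1 << 20):
    """One-signature forgery for a message starting with m2 (section 5.3), varying a counter:
    hors    -> the target's indices must all be among the k released ones: (k/t)^k per try;
    scheme2 -> each half must be a permutation of the original half: ((k/2)!)^2 / t^k;
    scheme1 -> the indices must repeat exactly: 1 / t^k.  Returns (message, signature, tries)."""
    if scheme == "hors":
        have = dict(zip(h(m), sig))
        for n in range(limit):
            m2n = m2 + n.to_bytes(C_BYTES, "big")
            idx = h(m2n)
            if set(idx) <= set(have):
                return m2n, [have[i] for i in idx], n + 1
        return None
    c, us, up = sig
    idx = h(m + c.to_bytes(C_BYTES, "big"))
    half = len(idx) // 2
    have = dict(zip(idx, us + up))
    for c2 in range(limit):
        idx2 = h(m2 + c2.to_bytes(C_BYTES, "big"))
        if idx2 == idx or (scheme == "scheme2" and set(idx2[:half]) == set(idx[:half])
                           and set(idx2[half:]) == set(idx[half:])):
            return m2, (c2, [have[i] for i in idx2[:half]], [have[i] for i in idx2[half:]]), c2 + 1
    return None
```

At these toy parameters all three forgeries succeed, which is the point: the number of trials `forge` reports is what separates the schemes, roughly 16 for HORS ($(4/8)^4$), 1024 for Scheme 2 ($(2!)^2/8^4$) and 4096 for Scheme 1 ($1/8^4$), exactly the per-trial probabilities of Table 1. With the paper's production parameters ($t = 1024$) the same searches take $2^{80}$ or more trials.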
5.1 Computation Cost

We analyze the computation cost of our schemes in terms of the number of one-way (hash) function evaluations. In Scheme 1, key generation requires $2t$ evaluations of $f()$. For signature verification, V must compute $h()$ once and $f()$ $3k/2$ times. For signature generation, S evaluates $h()$
$$\frac{((k/2)!)^2\,(t-k)!\,t^k}{t!}$$
times on average by the following theorem. Note that the output of $h()$ is uniformly distributed over $[0, 2^{k \log t} - 1]$ since we assume that $h()$ is modelled as a random oracle [1]. Therefore, $i_1, \ldots, i_k$ are uniformly distributed over $[1, t]$.

Theorem 1. Assume that $i_1, \ldots, i_k$ are random variables uniformly distributed over $[1, t]$. In Scheme 1, the probability that Eq. (1) holds is
$$\frac{t!}{((k/2)!)^2\,(t-k)!\,t^k}.$$

Proof: First, the probability that $i_1 < \cdots < i_{k/2}$ is $\binom{t}{k/2} / t^{k/2}$. When $i_1, \ldots, i_{k/2}$ ($i_1 < \cdots < i_{k/2}$) have already been selected, the probability that $i_{k/2+1} < \cdots < i_k$ and $\{i_1, \ldots, i_{k/2}\} \cap \{i_{k/2+1}, \ldots, i_k\} = \emptyset$ is $\binom{t-k/2}{k/2} / t^{k/2}$. Hence, the probability that Eq. (1) holds is
$$\frac{\binom{t}{k/2}}{t^{k/2}} \cdot \frac{\binom{t-k/2}{k/2}}{t^{k/2}} = \frac{t!}{((k/2)!)^2\,(t-k)!\,t^k}. \qquad \square$$

As will be shown in section 5.4, the signing cost of Scheme 1 is relatively large. For example, if $t = 1024$ and $k = 8$, the probability that Eq. (1) holds is 0.00169. This means that S can obtain a valid signature after $1/0.00169 \approx 592$ trials of $h(m \| c)$ on average. However, the signature size is smaller than that of any other scheme, as will be shown in section 5.4.

In Scheme 2, key generation requires $2t$ evaluations of $f()$. For signature verification, V must compute $h()$ once and $f()$ $3k/2$ times. For signature generation, S evaluates $h()$
$$\frac{t^k}{t(t-1)\cdots(t-k+1)}$$
times on average by the following theorem.

Theorem 2. Assume that $i_1, \ldots, i_k$ are random variables uniformly distributed over $[1, t]$. In Scheme 2, the probability that all $i_1, \ldots, i_k$ are different is
$$\frac{t(t-1)\cdots(t-k+1)}{t^k}.$$

Proof: Let the sample space $\mathcal{S}$ be $\{(i_1, \ldots, i_k) : 1 \le i_j \le t,\ 1 \le j \le k\}$, where each member of $\mathcal{S}$ is a possible assignment of values to $i_1, \ldots, i_k$. Obviously, $|\mathcal{S}| = t^k$. Let us consider the event $E$ where all $i_j$ are different: $|E| = t(t-1)\cdots(t-k+1)$. Therefore, the probability that all $i_1, \ldots, i_k$ are different is $|E| / |\mathcal{S}| = t(t-1)\cdots(t-k+1)/t^k$. $\square$

If $k$ is much smaller than $t$, $t(t-1)\cdots(t-k+1)/t^k$ approaches 1. For example, if $t = 1024$ and $k = 10$ (the case mentioned in section 5.4), the probability that all $i_1, \ldots, i_k$ are different is 0.9569. This means that S can obtain a valid signature after $1/0.9569 \approx 1.045$ trials of $h(m \| c)$ on average. In all the cases described in [9, 12, 14], the average number of required hash operations in Scheme 2 is far less than 2.

Up till now, we have dealt with the average number of trials for the proposed schemes. Now, in Schemes 1 and 2, consider the number of trials $N$ such that S can find a valid signature with (overwhelming) rate $T$ ($0 < T < 1$). Let $P$ denote the probability that a valid signature is found in a single trial of $h()$. In Scheme 1, $P = t! / (((k/2)!)^2 (t-k)!\, t^k)$ and in Scheme 2, $P = t(t-1)\cdots(t-k+1)/t^k$. Since $T = 1 - (1-P)^N$, $N = \log_{1-P}(1-T)$. In the above examples, where $t = 1024$ ($k = 8$ for Scheme 1 and $k = 10$ for Scheme 2), for $T = 0.99$ the values of $N$ for Schemes 1 and 2 are 2723 and 1.46, respectively, and for $T = 0.5$ (a condition adopted from the BiBa and Powerball papers [9, 12]) the values of $N$ for Schemes 1 and 2 are 409.7 and 0.22, respectively.

5.2 Key Size and Signature Size

We calculate the key size and signature size of the two schemes. First, the size of PK is $tl$ bits, where $l$ denotes the bit size of a node and may be on the order of 96 ~ 128 [9]. Second, the size of SK is $2tl$ bits. However, $(p_1, \ldots, p_t)$ can be obtained from $(s_1, \ldots, s_t)$ by off-line computation, and the size of $(s_1, \ldots, s_t)$ is $tl$ bits. Third, the size of SIG is $kl + |c|$ bits, where $|c|$ is related to the average number of hash operations required in signature generation.

For example, if $t = 1024$ and $k = 8$ in Scheme 1, S can obtain a valid signature after 592 trials of $h(m \| c)$ on average, as mentioned in the previous section. In this case, $|c| = 10$ is sufficient. In Scheme 2, since the average number of $h(m \| c)$ operations is less than 2 in most cases, $|c| = 1$ ~ 2 is sufficient.

5.3 Security Analysis

Recall the assumption that $f()$ and $h()$ are modelled as random oracles [1]. Then, the output of $h()$ is uniformly distributed. Moreover, given $a$ and $b = h(a)$, the probability that anyone finds an $a'$ such that $b = h(a')$ in a single trial is $1/2^{|h()|} = 1/2^{k \log t} = 1/t^k$. Under this assumption, just like [12, 14] we analyze the security of the proposed schemes against the r-non-adaptive-message attack. In the r-non-adaptive-message attack, an adversary A is assumed to have $r$ messages of his choice and their signatures. Then, A selects a new message $m'$ and tries to forge a signature of $m'$. To simplify the analysis, just like [12, 14] we assume that A does not attempt to invert or find a collision of the one-way function $f()$. Since our schemes are one-time signature algorithms, we analyze only the case when $r = 1$.

5.3.1 Security analysis of Scheme 1

Assume that an adversary A has a valid signature SIG = $(c, (s_{i_1}, \ldots, s_{i_{k/2}}), (p_{i_{k/2+1}}, \ldots, p_{i_k}))$ for a message $m$. Because we assumed that A does not try to invert or find a collision of the one-way function $f()$, a valid forged signature SIG' for $m'$ must consist of the elements of SIG except for $c$, i.e., SIG' = $(c', S')$ such that $S'$ consists only of elements of the set $\{s_{i_1}, \ldots, s_{i_{k/2}}, p_{i_{k/2+1}}, \ldots, p_{i_k}\}$. (A can also compute $p_{i_j} = f(s_{i_j})$ from the first half, but such a $p_{i_j}$ carries an index already used in the first half and so cannot appear in the second half without violating Eq. (1).) Among all possible candidates for $S'$, $S' = ((s_{i_1}, \ldots, s_{i_{k/2}}), (p_{i_{k/2+1}}, \ldots, p_{i_k}))$ is the only one that meets Eq. (1) and is accepted by the verification procedure. Hence, SIG' = $(c', (s_{i_1}, \ldots, s_{i_{k/2}}), (p_{i_{k/2+1}}, \ldots, p_{i_k}))$. Moreover, in order to be accepted as a valid signature, $h(m' \| c') = i_1 \| \cdots \| i_k$. Because we assumed that the output of $h()$ is uniformly distributed, the probability that $h(m' \| c') = i_1 \| \cdots \| i_k$ is
$$\frac{1}{2^{|h()|}} = \frac{1}{2^{k \log t}} = \frac{1}{t^k}.$$
From the above observation, in Scheme 1 the probability that any attacker finds a valid signature after a single trial of $h()$ (we call this the probability of forgery) is $1/t^k$.

5.3.2 Security analysis of Scheme 2

Assume that an adversary A has a valid signature SIG = $(c, (s_{i_1}, \ldots, s_{i_{k/2}}), (p_{i_{k/2+1}}, \ldots, p_{i_k}))$ for a message $m$. Because we assumed that A does not try to invert or find a collision of the one-way function $f()$, a valid forged signature SIG' for $m'$ must consist of the elements of SIG except for $c$, i.e., SIG' = $(c', S')$ such that $S'$ consists only of elements of the set $\{s_{i_1}, \ldots, s_{i_{k/2}}, p_{i_{k/2+1}}, \ldots, p_{i_k}\}$ (as in Scheme 1, the $p_{i_j}$ that A can derive from the $s_{i_j}$ share indices with the first half and so cannot be used). Among all possible candidates for $S'$, $S'$ = (a permutation of $(s_{i_1}, \ldots, s_{i_{k/2}})$, a permutation of $(p_{i_{k/2+1}}, \ldots, p_{i_k})$) is the only form that meets the condition that all $i'_1, \ldots, i'_k$ be different and that can be accepted by the verification procedure. Hence, SIG' = $(c', (\text{a permutation of } (s_{i_1}, \ldots, s_{i_{k/2}})), (\text{a permutation of } (p_{i_{k/2+1}}, \ldots, p_{i_k})))$. Moreover, in order to be accepted as a valid signature, $(i'_1, \ldots, i'_{k/2})$ must be a permutation of $(i_1, \ldots, i_{k/2})$ and $(i'_{k/2+1}, \ldots, i'_k)$ a permutation of $(i_{k/2+1}, \ldots, i_k)$, where $h(m' \| c') = i'_1 \| \cdots \| i'_k$.

EFFICIENT ONE-TIME SIGNATURE SCHEMES FOR STREAM AUTHENTICATION 619 of (i 1,, i / ) and (i' /+1,, i' ) is a permuaion of (i /+1,, i ) where h(m' c') = i' 1 i'. Since we assumed ha h() is modelled as a random oracle, is oupu shows a uniform disribuion. Hence, for A s each rial of h' = h(m' c') for differen c', when h' = h' 1 h' is inerpreed as inegers i' 1,, i', all i' 1,, i' show uniform disribuions among [0, 1]. Le us consider he probabiliy ha (i' 1,, i' / ) is a permuaion of (i 1,, i / ) and (i' /+1,, i' ) is a permuaion of (i /+1,, i ) for a single rial of h(m' c'), where i 1,, i are given. Le a sample space S be {i' 1,, i' (1 i' j ), (1 j )}, where each member of S means he values of i' 1,, i'. Obviously, S =. Le us consider he even C where (i' 1,, i' / ) is a permuaion of (i 1,, i / ) and (i' /+1,, i' ) is a permuaion of (i /+1,, i ). C = ((/)!). Therefore, he probabiliy ha he even C occurs is C / S = (( / )!). Hence, in Scheme, he probabiliy for any aacer o find a valid signaure afer a single rial of h() (probabiliy of forgery) is 5.4 Comparison Resuls (( / )!). Compared schemes are BiBa [1], Powerball [9] and HORS [14]. Table 1 shows he comparison resuls under he condiion ha all schemes have he same signaure size (= l) and he same public ey size (= l), where l denoes he bi size of a node and i may be on he order of 96 ~ 18 [9]. Under his condiion, he probabiliy of forgery P f of Scheme 1 is he lowes. P f of Scheme is lower han hose of BiBa and HORS for all he possible values of (,, l) and P f of Powerball is higher han ha of Scheme (excep for he cases =, 4). Table 1. Comparison resuls where all schemes have he same SIG and PK. Scheme Signaure size (bis) Verificaion cos Key generaion cos Signing cos Public ey size (bis) BiBa [1] l + 1 l Powerball [9] l + 1 l Probabiliy of forgery! + ( 1)! + HORS [14] l + 1 1 l ( ) Scheme 1 Scheme l l 3 + 1 (( / )!) ( )!! 3 + 1 ( 1)...( + 1) l + The values are from Theorem 1 of [9] and secion 6 of [9] where P s = 1/. 
For all the schemes, if k becomes smaller (or larger), the probability of forgery increases (or decreases). Hence, when all the schemes have the same probability of forgery, Scheme 1 has the smallest signature size and the next is Scheme 2. The key generation costs of our schemes are higher than those of HORS or BiBa. However, this may not be significant, since key generation can be pre-processed and easily parallelized over multiple servers.

Table 2 shows the comparison results under the condition adopted from [9], where the probability of forgery, t and the message size are fixed as 2^-80, 1024 and 80 bits, respectively (k has a different value for each scheme). Under this condition, Scheme 1 has the smallest signature size; Scheme 2 and Powerball are the next (k = 10). Note that P_f of Scheme 2 is 2^-86, which is much lower than that of Powerball (= 2^-82). The signature size of HORS is larger than those of our schemes, Powerball and BiBa. Table 2 also shows that the signing cost of Scheme 2 is close to 1 and that the verification cost is low for Schemes 1 and 2.

Table 2. Comparison results where all schemes have the same security level.

Scheme | Signature size (bits) | Signing cost | Verification cost | Key generation cost | Public key size (bits)
Lamport+ [6] | 80l | 1 | 80 | 160 | 160l
Merkle-Winternitz+ [7] | 3l | 1 | 169 | 355 | 1l
Bleichenbacher-Maurer+ [2] | 45l | 1 | 7 | 18 | 1l
BiBa+ [12] | 11l† | 2048 | 23 | 1024 | 1024l
Powerball+ [9] | 10l† | 2048 | 21 | 2048 | 1024l
HORS [14] | 13l | 1 | 14 | 1024 | 1024l
Scheme 1 | 8l‡ | 592 | 13 | 2048 | 1024l
Scheme 2 | 10l‡ | 1.045 | 16 | 2048 | 1024l
+ The values are adopted from Table 6 of [9]. The value (= 0) described in Table 6 of [9] is erroneous.
† The value will be larger by 1~2 [9, 12].
‡ Because of c in SIG, the value will be larger by |c| (see section 5.2).

Although the on-line signing cost of Scheme 1 is higher than that of HORS, it is lower than those of Powerball and BiBa. The higher on-line signing cost compared with HORS may not be significant for the following reasons. (1) A hash operation is very cheap; e.g., for the MD5 algorithm, a Celeron 850 MHz can hash 805.7 Mb per second [3]. (2) Computing h(m || c) and verifying Eq. (1) do not require SK to be accessed. Hence, when the signing operation is parallelized over distributed servers, they need not share SK. Unlike our scheme, Powerball or BiBa requires SK to be shared among the servers; if one of these servers is compromised, SK would be exposed.
The parameterized algorithm in the Appendix enables a trade-off between key generation cost and signing cost. Table 3 in the Appendix shows that by increasing the value d, the signing cost can be reduced down to 16.4, whereas the key generation cost is increased up to 4078. For stream authentication, the signing operation is required only at the broadcast server, whereas there are lots of receivers which may have low computing power or low bandwidth. Hence, a small signature size and a low verification cost can be more important than a low signing cost.
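The trade-off in d described above can be reproduced with the following Python block, an added example that is not code from the paper. It implements the parameterized algorithm of the Appendix (Algorithms 1, 2 and 3: chains of d applications of f(), a retry loop on c until h(m || c) meets the ordering constraint, and verification by re-hashing each revealed node d − n times) together with the cost expressions behind Tables 1 and 3. Assumptions of this example: f() is SHA-256 truncated to l = 128 bits, h() is SHAKE-256, and t is a power of two so that each h_j maps to an index in [1, t]. The expected signing cost for d other than 2 is this example's generalization of the Scheme 1 formula t^k ((k/2)!)^2 (t − k)! / t! (probability that all k indices are distinct times the probability that every group is sorted); for t = 1024, k = 8 it reproduces the Table 3 values 592, 74 and 16.4 (the last within rounding).

```python
import hashlib
import os
from math import factorial, prod

L_BYTES = 16  # node size l = 128 bits (assumed; the paper quotes 96 ~ 128)


def f(x: bytes) -> bytes:
    """One-way function f(): SHA-256 truncated to l bits (an assumption of this example)."""
    return hashlib.sha256(x).digest()[:L_BYTES]


def groups(k: int, d: int) -> list:
    """Index groups of Algorithms 2 and 3 (1-based positions j).  With
    r = k/d - floor(k/d), the bound n*floor(k/d) + n*r of Algorithm 3 equals n*k/d,
    so group n = { j : n*k/d < j <= (n+1)*k/d }; for k = 8, d = 3 the sizes are 2, 3, 3."""
    return [[j for j in range(1, k + 1) if n * k / d < j <= (n + 1) * k / d] for n in range(d)]


def keygen(t: int, d: int) -> tuple:
    """Algorithm 1: t hash chains s^0_i -> s^1_i -> ... -> s^d_i.
    Returns (chains, PK); levels 0..d-1 of each chain are the private key, level d is PK."""
    chains = []
    for _ in range(t):
        chain = [os.urandom(L_BYTES)]        # s^0_i, a random l-bit string
        for _ in range(d):
            chain.append(f(chain[-1]))       # s^j_i = f(s^{j-1}_i)
        chains.append(chain)
    return chains, [chain[d] for chain in chains]


def hash_to_indices(m: bytes, c: bytes, t: int, k: int) -> list:
    """h(m || c) = h_1 || ... || h_k, each h_j read as an integer i_j in [1, t].
    h() is SHAKE-256 here (assumption); t must be a power of two."""
    bits = t.bit_length() - 1
    assert t == 1 << bits, "t must be a power of two"
    raw = int.from_bytes(hashlib.shake_256(m + c).digest((k * bits + 7) // 8), "big")
    return [((raw >> (bits * j)) & (t - 1)) + 1 for j in range(k)]


def meets_constraint(idx: list, k: int, d: int) -> bool:
    """Step 7 of Algorithm 2: strictly increasing inside each group, groups pairwise disjoint."""
    seen = set()
    for g in groups(k, d):
        vals = [idx[j - 1] for j in g]
        if any(vals[a] >= vals[a + 1] for a in range(len(vals) - 1)):
            return False
        if seen & set(vals):
            return False
        seen |= set(vals)
    return True


def sign(m: bytes, sk: list, t: int, k: int, d: int) -> tuple:
    """Algorithm 2: retry a random c until h(m || c) meets the constraint, then reveal
    the level-n node of chain i_j for every j in group n.  The retry loop needs only h(),
    not SK, which is why it can be spread over servers that do not hold the key."""
    while True:
        c = os.urandom(8)
        idx = hash_to_indices(m, c, t, k)
        if meets_constraint(idx, k, d):
            parts = [[sk[idx[j - 1] - 1][n] for j in g] for n, g in enumerate(groups(k, d))]
            return c, parts


def verify(m: bytes, sig: tuple, pk: list, t: int, k: int, d: int) -> bool:
    """Algorithm 3: recompute the indices from (m, c), re-check the constraint, and
    check f^(d-n)(s_j) == PK[i_j] for every j in group n."""
    c, parts = sig
    grp = groups(k, d)
    if len(parts) != d or any(len(p) != len(g) for p, g in zip(parts, grp)):
        return False
    idx = hash_to_indices(m, c, t, k)
    if not meets_constraint(idx, k, d):
        return False
    for n, g in enumerate(grp):
        for j, s in zip(g, parts[n]):
            v = s
            for _ in range(d - n):           # climb the chain back to the public level d
                v = f(v)
            if v != pk[idx[j - 1] - 1]:
                return False
    return True


def expected_signing_trials(t: int, k: int, d: int) -> float:
    """Expected number of h() computations in sign(): one trial succeeds when all k
    indices are distinct (t(t-1)...(t-k+1)/t^k) and every group is sorted (1/prod |g|!).
    For d = 2 this is the paper's t^k ((k/2)!)^2 (t-k)!/t!; other d is this example's generalization."""
    p_distinct = prod(t - i for i in range(k)) / t ** k
    p_sorted = 1 / prod(factorial(len(g)) for g in groups(k, d))
    return 1 / (p_distinct * p_sorted)


def verification_cost(k: int, d: int) -> int:
    """One h() plus (d - n) applications of f() for each element of group n."""
    return 1 + sum(len(g) * (d - n) for n, g in enumerate(groups(k, d)))


def key_generation_cost(t: int, d: int) -> int:
    """t chains of d applications of f()."""
    return t * d
```

Calling `expected_signing_trials(1024, 8, d)` for d = 2, 3, 4 and `verification_cost(8, d)` gives the signing and verification columns of Table 3; `keygen(64, 2)`, `sign(...)` and `verify(...)` with t = 64, k = 4 run a full round trip in well under a second.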

The condition that the probability of forgery equals 2^-80 is very strict, because [12, 14] assumed the probability to be 2^-58 or 2^-43. If the probability of forgery is higher, t and k could be smaller, which in turn would significantly reduce the on-line signing cost of Scheme 1.

6. CONCLUSIONS

In this paper, we proposed two efficient one-time signature schemes for stream authentication. Compared with BiBa, Powerball and HORS, the proposed schemes have the smallest signature sizes. Moreover, our schemes have low verification overheads. The signature size of Scheme 1 is smaller than that of Scheme 2, whereas Scheme 2 has a much smaller signing cost: it requires only 2 hash operations in the majority of cases. In Scheme 1, the relatively high signing cost can be parallelized without any additional risk because sharing the private key among distributed servers is not required.

REFERENCES

1. M. Bellare and P. Rogaway, "Random oracles are practical: a paradigm for designing efficient protocols," in Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993, pp. 62-73.
2. D. Bleichenbacher and U. Maurer, "Optimal tree-based one-time digital signature schemes," in Proceedings of the 13th Symposium on Theoretical Aspects of Computer Science, LNCS 1046, Springer-Verlag, 1996, pp. 363-374.
3. W. Dai, Crypto++ benchmarks, http://www.eskimo.com/~weidai/benchmarks.html.
4. R. Gennaro and P. Rohatgi, "How to sign digital streams," in Proceedings of CRYPTO '97, LNCS 1294, Springer-Verlag, 1997, pp. 180-197.
5. P. Golle and N. Modadugu, "Authenticating streamed data in the presence of random packet loss," in Proceedings of the Symposium on Network and Distributed Systems Security, 2001, pp. 13-22.
6. A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997.
7. R. C. Merkle, "A digital signature based on a conventional encryption function," in Proceedings of CRYPTO '87, LNCS 293, Springer-Verlag, 1987, pp. 369-378.
8. S. Miner and J. Staddon, "Graph-based authentication of digital streams," in Proceedings of the IEEE Security and Privacy Symposium, 2001, pp. 232-246.
9. M. Mitzenmacher and A. Perrig, "Bounds and improvements for BiBa signature schemes," No. TR-02-02, Computer Science Group, Harvard University, U.S.A., 2002.
10. J. M. Park, E. K. P. Chong, and H. J. Siegel, "Efficient multicast packet authentication using signature amortization," in Proceedings of the IEEE Security and Privacy Symposium, 2002, pp. 227-240.
11. Y. Park, T. Chung, and Y. Cho, "An efficient stream authentication scheme using tree chaining," Information Processing Letters, Vol. 86, 2003, pp. 1-8.
12. A. Perrig, "The BiBa one-time signature and broadcast authentication protocol," in

Proceedings of the 8th ACM Conference on Computer and Communications Security, 2001, pp. 28-37.
13. A. Perrig, R. Canetti, D. Song, and J. D. Tygar, "Efficient authentication and signing of multicast streams over lossy channels," in Proceedings of the IEEE Security and Privacy Symposium, 2000, pp. 56-73.
14. L. Reyzin and N. Reyzin, "Better than BiBa: Short one-time signatures with fast signing and verifying," in Proceedings of the Australian Conference on Information Security and Privacy, 2002, pp. 114-153.
15. P. Rohatgi, "A compact and fast hybrid signature scheme for multicast packet authentication," in Proceedings of the 6th ACM Conference on Computer and Communications Security, 1999, pp. 93-100.
16. D. Song, D. Zuckerman, and J. D. Tygar, "Expander graphs for digital stream authentication and robust overlay networks," in Proceedings of the IEEE Security and Privacy Symposium, 2002, pp. 258-270.
17. C. K. Wong and S. S. Lam, "Digital signatures for flows and multicasts," IEEE/ACM Transactions on Networking, Vol. 7, 1999, pp. 502-513.

APPENDIX

The on-line computation cost of Scheme 1 is larger than that of HORS, where HORS requires that the h() computation be conducted only once for the signing operation, whereas our algorithm requires t^k ((k/2)!)^2 (t − k)! / t! h() computations by Theorem 1 described in section 5. We propose a parameterized algorithm in which a trade-off between key generation cost and signing cost is possible by selecting a value d. Scheme 1 described in section 4.1 is identical to this algorithm with d = 2.

First, key generation is as follows. For the input parameters l, t, k and d, S generates t random l-bit strings s^0_1, …, s^0_t. Then S computes s^j_i = f(s^{j−1}_i) for 1 ≤ i ≤ t and 1 ≤ j ≤ d. All s^b_a (1 ≤ a ≤ t, 0 ≤ b ≤ d) should be different. The private key and the public key are SK = ((s^0_1, …, s^0_t), …, (s^{d−1}_1, …, s^{d−1}_t)) and PK = (s^d_1, …, s^d_t), respectively.

Second, signature generation is as follows. Given a message m and SK, S selects a random value c and computes h(m || c) = h_1 || … || h_k. h_j is interpreted as an integer i_j (1 ≤ j ≤ k). i_j (1 ≤ j ≤ k) must meet the following equations. If not, S repeats the above procedure for another c.

i_1 < … < i_{k/d}, i_{k/d+1} < … < i_{2k/d}, …, i_{(d−1)k/d+1} < … < i_k,
{i_1, …, i_{k/d}}, {i_{k/d+1}, …, i_{2k/d}}, …, {i_{(d−1)k/d+1}, …, i_k} are pairwise disjoint.   (2)

The signature is SIG = (c, (s^0_{i_1}, …, s^0_{i_{k/d}}), …, (s^{d−1}_{i_{(d−1)k/d+1}}, …, s^{d−1}_{i_k})).

Third, signature verification is as follows. Given a message m, SIG = (c, (s_1, …, s_{k/d}), …, (s_{(d−1)k/d+1}, …, s_k)) and PK, V computes h(m || c) = h'_1 || … || h'_k. V interprets h'_j as an integer i'_j (1 ≤ j ≤ k). i'_j (1 ≤ j ≤ k) must meet Eq. (2). If f^{d−n}(s_j) = s^d_{i'_j} for nk/d < j ≤ (n + 1)k/d and 0 ≤ n ≤ d − 1 (where f^1() = f() and f^n() = f(f^{n−1}())), V accepts the signature. The above algorithm has the constraint that d | k. A full description of the general

algorithm that does not have this constraint is given in Algorithm 1, Algorithm 2 and Algorithm 3. The computation cost can be calculated by using the methods described in section 5.1. Table 3 shows the comparison results of the computation cost under the condition described in section 5.4.

Table 3. The parameterized algorithm vs. the algorithm described in section 4.1.

Scheme | Signature size (bits) | Verification cost | Key generation cost | Signing cost | Public key size (bits)
Scheme 1 in Section 4.1 | 8l | 13 | 2048 | 592 | 1024l
Parameterized algorithm (d = 2) | 8l | 13 | 2048 | 592 | 1024l
Parameterized algorithm (d = 3) | 8l | 16 | 3072 | 74 | 1024l
Parameterized algorithm (d = 4) | 8l | 21 | 4096 | 16.5 | 1024l

Because the parameterized algorithm with d = 2 is identical to Scheme 1 described in section 4.1, each value of the second row is the same as that of the third row in Table 3. As d becomes larger, the key generation cost and the verification cost become larger, whereas the on-line signing cost becomes smaller.

Algorithm 1 Key generation module
1. Input: l, t, k and d.
2. Output: SK and PK.
3. S generates t random l-bit strings s^0_1, …, s^0_t.
4. S computes s^j_i = f(s^{j−1}_i) for 1 ≤ i ≤ t and 1 ≤ j ≤ d.
5. SK = ((s^0_1, …, s^0_t), …, (s^{d−1}_1, …, s^{d−1}_t)) and PK = (s^d_1, …, s^d_t), where all s^b_a (1 ≤ a ≤ t, 0 ≤ b ≤ d) should be different.

Algorithm 2 Signature generation module
1. Input: l, t, k, d, m and SK.
2. Output: SIG.
3. r = k/d − ⌊k/d⌋ (so that n⌊k/d⌋ + nr = nk/d).
4. repeat
5.   Select a random value c and compute h(m || c) = h_1 || … || h_k.
6.   h_j is interpreted as an integer i_j (1 ≤ j ≤ k).
7. until i_j (1 ≤ j ≤ k) meet the following equations:
   i_{⌊nk/d⌋+1} < … < i_{⌊(n+1)k/d⌋} for every 0 ≤ n ≤ d − 1, i.e., i_1 < … < i_{⌊k/d⌋}, i_{⌊k/d⌋+1} < … < i_{⌊2k/d⌋}, …, i_{⌊(d−1)k/d⌋+1} < … < i_k,
   and the d index sets {i_1, …, i_{⌊k/d⌋}}, {i_{⌊k/d⌋+1}, …, i_{⌊2k/d⌋}}, …, {i_{⌊(d−1)k/d⌋+1}, …, i_k} are pairwise disjoint.
8. SIG = (c, (s^0_{i_1}, …, s^0_{i_{⌊k/d⌋}}), …, (s^{d−1}_{i_{⌊(d−1)k/d⌋+1}}, …, s^{d−1}_{i_k})).

Algorithm 3 Signature verification module
1. Input: l, t, k, d, m, PK and SIG = (c, (s_1, …, s_{⌊k/d⌋}), …, (s_{⌊(d−1)k/d⌋+1}, …, s_k)), where r = k/d − ⌊k/d⌋.
2. Output: success or failure.
3. Take the value c from SIG and compute h(m || c) = h'_1 || … || h'_k.
4. Interpret h'_j as an integer i'_j (1 ≤ j ≤ k).
5. if i'_j (1 ≤ j ≤ k) do not meet the equations in step 7 of Algorithm 2 then
6.   Output failure.
7. end if
8. if f^{d−n}(s_j) = s^d_{i'_j} for n⌊k/d⌋ + nr < j ≤ (n + 1)⌊k/d⌋ + (n + 1)r and 0 ≤ n ≤ d − 1 then
9.   Output success.
10. else
11.   Output failure.
12. end if

Yongsu Park received the B.E. degree in Computer Science from the Korea Advanced Institute of Science and Technology (KAIST), South Korea, in 1996. He received the M.E. degree and the Ph.D. degree in Computer Engineering from Seoul National University in 1998 and 2003, respectively. He is currently an assistant professor in the College of Information and Communications at Hanyang University, Seoul, Korea. His main research interests include computer system security, network security, and cryptography.

Yookun Cho received the B.E. degree from Seoul National University, Seoul, Korea, in 1971, and the Ph.D. degree in Computer Science from the University of Minnesota at Minneapolis, Minnesota, U.S.A., in 1978. He has been with the School of Computer Science and Engineering, Seoul National University since 1979, where he is currently a professor. He was a visiting assistant professor at the University of Minnesota during 1985, and a director of the Educational and Research Computing Center at Seoul National University from 1993 to 1995. He was a member of the program committee of IPPS/SPDP '98 in 1997, and of the International Conference on High Performance Computing from 1995 to 1997. He was the president of the Korea Information Science Society from 2001 to 2002. He is a member of the National Academy of Engineering of Korea. His research interests include operating systems, algorithms, system security, and fault-tolerant computing systems.