Title: CSC 774 Network Security
CSC 774 In-Class Presentation
The BiBa One-Time Signature Broadcast
Authentication Protocol
CSC 774 Network Security
Rott Adsadawuttijaroen
Outline
- BiBa Broadcast Authentication Protocol
- Conclusion and possible future work
CSC 774 Network Security
The BiBa One-Time Signature and Broadcast
Authentication Protocol
Introduction
- source authentication in broadcast communication
- Goal: how to achieve an efficient broadcast authentication protocol
- based on a chain of keys (hash chain) and timed release of keys by the sender
- similar to PayWord
- cannot achieve instant authentication without sender-side buffering
Introduction
- BiBa: a new way to build a one-time digital signature
- uses one-way functions without trapdoors (trapdoor: it is easy to invert this with k)
- similar to MicroMint (by Rivest and Shamir), which relies on the difficulty of finding k-way collisions for a one-way function
- difference: the broker (MicroMint) must have much more computational resources than an attacker, while the signer (BiBa) needs only modest resources
Introduction
- BiBa compared to other signature schemes based on one-way functions
  - smaller signature size
  - faster verification
  - public keys are larger
  - signature generation overhead is higher, so the time to generate a signature is higher
- fast verification is a desired property for a broadcast protocol
Introduction
- The BiBa signature scheme is extended to yield a new broadcast authentication protocol
- Goal: verify the data origin
- Desired properties for an efficient broadcast authentication protocol
  - efficient generation and verification
  - real-time/instant authentication
  - individual message authentication
  - robustness to packet loss
  - scalability
  - small size of authentication information
- BiBa satisfies all of the above except for the high generation overhead
BiBa Signature Scheme
- , represent pseudo-random functions (PRF), where s is the seed and x is the argument
- H() represents a hash function
- represents an instance in the hash function family G (i.e., a set of hash functions), selected with an indicator h
BiBa Signature Scheme
- MicroMint: the broker throws a large number of balls (i.e., random inputs) into bins; BiBa uses SEALs as its balls
- SEALs stands for SElf-Authenticating vaLues
- randomly generated in a way that receivers can authenticate with the BiBa public key
- Two approaches for generating SEALs
Goal: efficient; infeasible to find from the public key
1. using PRF F: given SEAL s, the public key is
receivers authenticate s by verifying
2. using a Merkle hash tree
1 BiBa signature has multiple SEALs; a public key has multiple commitments (f_s)
BiBa Signature Scheme
- a collision of balls (SEALs) under a hash function in bins forms the signature; BiBa stands for Bins and Balls
- exploits the birthday paradox: attackers have a low probability of forging a signature because they have few balls
- how to generate a signature with k = 2 (k-way collision)
Goal: signature on message m
[Figure: m → Hash → h (= H(m)) → select G_h from G; signature <s3, s4>]
BiBa Signature Scheme
- receiver receives a message m and signature <s_i, s_j>
- assume that the receiver has an efficient method to authenticate the SEALs s_i, s_j
1. check s_i ≠ s_j
2. authenticate the SEALs s_i, s_j (e.g. check
and )
3. compute h = H(m)
4. check G_h(s_i) = G_h(s_j)
verification is very lightweight
BiBa Signature Scheme
- Security of the scheme (k = 2)
- the probability of at least one collision, where t is the number of SEALs and n is the number of possible outputs of G_h
A: 1200 balls, 762460 bins, P_c = .61
B: 10 balls (learned from 5 sig), P_c = 2^-13.9
BiBa Signature Scheme
Goal: increase security
1. increase the number of SEALs and bins; the size of the public key increases
2. use multiple 2-way collision signatures
3. use multi-way collision signatures
4. use a multi-round scheme, but it is as secure as one-round
3 is better than 2
BiBa Signature Scheme
- Implementation (only a few changes)
- for message m, the signer computes h = H(m|c), where c is a counter that increases if a signature cannot be found
- use k-way collision of SEALs
- BiBa signature consists of
BiBa Signature Scheme
- the probability of the attacker forging a signature after a single trial, where r is the number of SEALs that the attacker knows
- the probability that the signer can find a signature after a single trial is P_S; the paper uses P_S = 0.5, and k = 11 is sufficient
- the ways to attack BiBa
1. collect SEALs disclosed in signatures (k SEALs per sig)
2. invert the PRF F to find SEALs, which is impractical
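The signing and verification steps from the BiBa Signature Scheme slides as a runnable sketch. This is an added example, not code from the presentation or the BiBa authors; HMAC-SHA256 as F, SHA-256 for H and G_h, the commitment form f_s = F_s(0), and all function names are assumptions.

```python
import hashlib, hmac, os

def F(s: bytes, x: bytes) -> bytes:
    """PRF F_s(x); HMAC-SHA256 is this example's choice, not the page's."""
    return hmac.new(s, x, hashlib.sha256).digest()

def G(h: bytes, s: bytes, n: int) -> int:
    """G_h(s): family member selected by h, mapping a SEAL to one of n bins."""
    return int.from_bytes(hashlib.sha256(h + s).digest(), "big") % n

def H(m: bytes, c: int) -> bytes:
    """h = H(m|c), with the counter c encoded as 4 bytes."""
    return hashlib.sha256(m + c.to_bytes(4, "big")).digest()

def keygen(t: int):
    seals = [os.urandom(16) for _ in range(t)]       # private key: t SEALs
    commitments = {F(s, b"\x00") for s in seals}     # assumed form f_s = F_s(0)
    return seals, commitments

def sign(m: bytes, seals, n: int, k: int, max_tries: int = 1000):
    for c in range(max_tries):                       # bump c until a collision exists
        h, bins = H(m, c), {}
        for s in seals:
            balls = bins.setdefault(G(h, s, n), [])
            balls.append(s)
            if len(balls) == k:                      # k SEALs landed in one bin
                return balls, c
    raise RuntimeError("no k-way collision within max_tries")

def verify(m: bytes, sig, commitments, n: int, k: int) -> bool:
    seals, c = sig
    if len(seals) != k or len(set(seals)) != k:      # all SEALs must differ
        return False
    if any(F(s, b"\x00") not in commitments for s in seals):
        return False                                 # SEAL not committed in public key
    h = H(m, c)
    return len({G(h, s, n) for s in seals}) == 1     # k-way collision under G_h

if __name__ == "__main__":
    T, N, K = 1024, 222, 12                          # parameters from the slides
    sk, pk = keygen(T)
    sig = sign(b"packet 1", sk, N, K)
    print(verify(b"packet 1", sig, pk, N, K), verify(b"packet 2", sig, pk, N, K))
```

Each signature discloses k SEALs, so every message signed with the same key adds to the number r of SEALs an attacker holds.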
BiBa Broadcast Authentication Protocol
Goal: support a potentially infinite stream of messages
- Approach I (using basic BiBa signature)
- a public key which commits to a fixed number of SEALs
- sender can disclose a small number of SEALs
- sender can sign a small number of messages
- need a way to replenish the SEALs disclosed with each signature
- add new commitments (public key) for each SEAL it discloses; include all new commitments in the signature
- increases the size of the signature and is not robust to packet loss
BiBa Broadcast Authentication Protocol
- One-way SEAL Chains (a better approach)
- SEALs can be instantly authenticated upon receipt
- SEALs are automatically replenished
- same idea as S/Key and PayWord
- this approach implements 2 types of one-way hash chains
1. 1 one-way salt chain of length l ( )
- use PRF F as a hash function
- randomly select K_l (initial salt)
2. a set of one-way SEAL chains ( )
- use PRF F as a hash function
- randomly select (initial set of SEALs)
- for each value of i,
BiBa Broadcast Authentication Protocol
- in each time period i, the SEALs S<-,i> and the salt K_i are active
- as time advances, an entire row of SEALs expires and a new row becomes active
- sender publishes each salt at the beginning of the time period
BiBa Broadcast Authentication Protocol
- Authentication of a message
- assume the receiver knows the authentic salt K_i of time period i
1. check that
2. make sure that all the SEALs in the signature are different
3. authenticate SEALs by following the one-way SEAL chain back to a SEAL that it knows is authentic
4. authenticate the signature by testing the k-way collision
- for a new receiver, assume the sender sends it all the SEALs and the salt of a previous time period over an authenticated channel
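The receiver-side salt check and SEAL authentication (step 3) described above, as an added example that is not from the presentation or the BiBa authors. The chain equations in the comments, HMAC-SHA256 as F, the assumption that each packet names the chain index x of a SEAL, and all function and class names are assumptions of this sketch.

```python
import hashlib, hmac, os

def F(key: bytes, x: bytes) -> bytes:      # PRF F; truncated HMAC-SHA256 is this example's choice
    return hmac.new(key, x, hashlib.sha256).digest()[:16]

def make_chains(t: int, l: int):
    """Sender: salt chain K[0..l] and t SEAL chains S[x][0..l], built from period l down."""
    K = [os.urandom(16)]                         # K_l, the initial salt
    for _ in range(l):
        K.append(F(K[-1], b"\x00"))              # assumed: K_(i-1) = F_{K_i}(0)
    K.reverse()
    S = []
    for _ in range(t):
        chain = [os.urandom(16)]                 # S<x,l>, an initial SEAL
        for i in range(l, 0, -1):
            chain.append(F(chain[-1], K[i]))     # assumed: S<x,i-1> = F_{S<x,i>}(K_i)
        S.append(chain[::-1])
    return K, S

class Receiver:
    def __init__(self, period: int, salt: bytes, seals):
        # Bootstrap over an authenticated channel: one period's salt and all its SEALs.
        self.salts = {period: salt}
        self.known = {x: (period, s) for x, s in enumerate(seals)}

    def accept_salt(self, period: int, salt: bytes) -> bool:
        """Hash a disclosed salt back to the newest salt already known to be authentic."""
        latest = max(self.salts)
        if period <= latest:
            return self.salts.get(period) == salt
        derived, v = {period: salt}, salt
        for p in range(period - 1, latest - 1, -1):
            v = derived[p] = F(v, b"\x00")
        if v == self.salts[latest]:
            self.salts.update(derived)
        return v == self.salts[latest]

    def authenticate_seal(self, x: int, period: int, seal: bytes) -> bool:
        """Follow chain x back from `period` to the last SEAL known to be authentic."""
        known_period, known = self.known.get(x, (period + 1, b""))
        if period not in self.salts or period < known_period:
            return False
        v = seal
        for p in range(period, known_period, -1):
            v = F(v, self.salts[p])
        if v == known:
            self.known[x] = (period, seal)       # cache to shorten later walks
        return v == known
```

The number of hash operations grows with the gap between the claimed period and the last authentic value, so a deployed receiver would first bound the claimed period against its own clock.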
BiBa Broadcast Authentication Protocol
Goal: ensure that the attacker knows few active SEALs
- r: max number of SEALs that the attacker can know
- k: number of SEALs revealed in a signature because of the k-way collision
sender is limited to sign messages for one time period
- max time synchronization error between sender and receivers
- after signing the above number of messages, the sender has to wait for time before disclosing the SEALs of the next time period
- to send continuously, use multiple BiBa instances in a round-robin fashion
BiBa Broadcast Authentication Protocol
- BiBa Broadcast Protocol Extension
Goal: achieve an optimal protocol
- an optimal protocol would satisfy
1. low receiver computation overhead (as low as the BiBa signature protocol)
2. low communication overhead (only disclosed SEALs in packets)
3. perfect robustness to packet loss
- the standard one cannot satisfy 1 since it needs a lot of hash operations to verify SEALs
- so far, no protocol satisfies all three properties
BiBa Broadcast Authentication Protocol
- BiBa Broadcast Protocol Extension A
- provides 1 and 2, but does not tolerate packet loss
- reduces the number of hash operations of SEAL authentication by using every SEAL of each one-way SEAL chain
- uses the concept of a SEAL boundary
BiBa Broadcast Authentication Protocol
- BiBa Broadcast Protocol Extension A (cont.)
- SEALs above the boundary are disclosed (commitments for the SEALs below)
- only SEALs adjacent to (below) the boundary are used
- assume sender and receivers always know the SEAL boundary
Attack
- not secure if the attacker can slow down the traffic to collect enough SEALs (below the boundary at the receivers)
Countermeasure
- time synchronization: receivers know the sending schedule of packets
- sender signs SEALs directly above the current boundary
BiBa Broadcast Authentication Protocol
- BiBa Broadcast Protocol Extension B
- also uses the SEAL boundary
- tolerates packet loss but adds more communication overhead
- adds SEAL boundary information to packets
Method to encode SEAL boundary info
1. absolute encoding (S<0,j>, …, S<t,j>), e.g. (0,2,3,0,1,2)
2. relative encoding: the changes of the SEAL boundary with respect to a previous boundary
Attack
- attacker collects SEALs during a long period of packet loss, then forges a packet with a bogus SEAL boundary
Countermeasure
- receiver needs to receive at least one packet every packets
Practical Considerations
- Selection of BiBa Parameters
- sender has t = 1024 SEALs
- P_f = Prob[attacker finds a signature in one trial, knowing at most r SEALs]
- min number of hash operations for the attacker is
- P_S = Prob[sender finds a signature in one trial] = 0.5
- if sender needs to send > packets per time period , of BiBa instances , packet sending rate
Practical Considerations
- Selection of BiBa Parameters (cont.)
- throwing 1024 balls with P_S = 0.5 and k = 12: n = 222 bins
Practical Considerations
- Selection of BiBa Parameters (cont.)
- use n = 222, k = 12; pick the number of SEALs the attacker knows → P_f
- if P_f is too high, increase k
Practical Considerations
- T_F, T_G, and T_H denote the time to compute the functions F, G, H
- salts are m_1 bits long, SEALs are m_2 bits long
Practical Considerations
- Efficient Public-Key Distribution
- sending the public key to all receivers is a bottleneck since the public key size is large
- a more efficient approach requires a longer time for new receivers to be able to authenticate SEALs
- periodically broadcast a signed (RSA) message containing the hash of all SEALs and the salt of one time period
- once a receiver collects all SEAL chains, it can authenticate SEALs (using the digital signature and a series of hash functions)
- receiver needs to collect about
SEALs before it has one SEAL of each SEAL chain with high probability
Conclusion and possible future work
- The BiBa signature is based on a k-way collision of a hash function
- BiBa broadcast authentication is built from the BiBa signature
- satisfies all the properties of an efficient broadcast authentication protocol, except for high sender overhead
- improved mechanism to reduce the sender overhead in generating authentication information