We introduce the idea of signature amortization in section 2.1 and describe current research in this area. In section 2.2, we define the problem of pollution attack, which plagues the aforementioned signature amortization schemes. We also present schemes that combat pollution attack and discuss their weaknesses.
2.1. Signature Amortization
Due to the considerable computation and communication overhead in digital signature based multicast authentication, signature amortization is utilized to allay these expenses by generating a single digital signature over many packets instead of each packet individually. Signature amortization schemes differ in their implementation and can be classified into several categories: hash graphs, Merkle hash trees, and erasure codes.
2.1.1. Hash Graphs
Approaches that use hash graphs [6][12][14][15] construct a directed acyclic graph where each vertex corresponds to a packet and edges indicate hash direction.
In addition, each vertex contains the hash value of the neighbors on its incoming edges. Terminating the hash graph by endorsing it with a digital signature allows a receiver to authenticate a packet in the hash graph by validating the hashes along the path to the signature packet. Unfortunately, signature flooding attacks render hash graphs vulnerable by overwhelming receivers’ computational and storage resources.
Furthermore, hash graphs suffer from deliberate signature packet loss, which prevents the authentication of any packets.
2.1.2. Merkle Hash Trees
A Merkle hash tree [20] is a binary tree whose leaves consist of the hashes of its data blocks. Each node further up the tree consists of the hash of the concatenation of its children. This family of schemes [16] constructs a Merkle hash tree over a block of packets and utilizes a digital signature to sign the root of the tree.
For each packet, the sender appends the verification information, which comprises the signed root and the packet's authentication path, that is, the nodes in the Merkle hash tree necessary to recreate the root. By including the signed root, the receiver can immediately authenticate the packet. Unfortunately, these schemes also suffer from signature flooding. Moreover, each packet’s verification information grows logarithmically as the number of leaf nodes increases.
2.1.3. Erasure Codes
Schemes based on erasure codes [13][17][18][21] encode a message of length n blocks into a set of blocks greater than n. If the receiver obtains a sufficient number of symbols, it can accurately reconstruct the message. The rate r is the fraction of symbols required to rebuild the message. Thus, erasure codes can tolerate a maximum loss of n− symbols per message. Despite its low overhead and ability r to tolerate random packet loss, schemes utilizing erasure codes [4][5][8] are susceptible to deliberate corruption of symbols.
2.2. Pollution Attack
A pollution attack is a type of denial of service attack in which an adversary injects forged symbols into the data stream. When a receiver attempts to reconstruct the message, it expends considerable buffer space and computation power. Two schemes have been proposed to tackle pollution attack in a signature amortization scheme: PRABS utilizes distillation codes, while PARM employs one-way hash chains.
2.2.1. Distillation Codes
Proposed by Karlof et al. [2], PRABS employs distillation codes to resist pollution attacks by distilling the valid symbols of an erasure encoding from the invalid ones. To achieve this task, the distillation encoder accumulates a set of valid symbols and appends a witness to each symbol. Because distillation codes utilize Merkle hash trees as one-way accumulators, the size of the witness increases logarithmically with the size of the accumulated set. To recover a valid message, the distillation decoder uses a symbol’s witness to partition the received symbols such that valid symbols are separate from invalid ones. When a partition collects enough symbols, it can use an erasure decoder to attempt a reconstruction of the message.
Unfortunately, the receiver requires a large amount of storage to temporarily buffer received symbols. Since the receiver has no knowledge of the root of the Merkle hash tree in advance, it must retain valid and invalid symbols alike.
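The following added example (not code from the paper or from PRABS) illustrates the Merkle authentication path of section 2.1.2 and the witness-based partitioning described above: each received symbol is grouped by the root its witness recomputes to. SHA-256, the function names, the power-of-two block size and the sample symbols are assumptions made for the illustration; the erasure decoding and signature steps are omitted.

```python
import hashlib
from collections import defaultdict

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(symbols):
    """Return the tree levels, leaves first. Assumes a power-of-two symbol count."""
    levels = [[H(s) for s in symbols]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def witness(levels, index):
    """Authentication path: the sibling hash at every level below the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def recompute_root(symbol, index, path):
    """Fold the path into the leaf hash; the index parity gives left/right order."""
    node = H(symbol)
    for sibling in path:
        node = H(node + sibling) if index % 2 == 0 else H(sibling + node)
        index //= 2
    return node

def partition(received):
    """Group (symbol, index, path) tuples by the root their witness yields."""
    parts = defaultdict(list)
    for symbol, index, path in received:
        parts[recompute_root(symbol, index, path)].append((index, symbol))
    return parts

def demo():
    # Constructed sample data: 8 genuine symbols and a forged set of 8.
    good = [b"symbol-%d" % i for i in range(8)]
    evil = [b"forged-%d" % i for i in range(8)]
    g, e = build_tree(good), build_tree(evil)
    stream = [(good[i], i, witness(g, i)) for i in (0, 2, 3, 5, 7)]
    stream += [(evil[i], i, witness(e, i)) for i in (1, 4, 6)]
    # A forged symbol attached to a genuine witness lands in its own partition.
    stream.append((b"forged-x", 1, witness(g, 1)))
    return g[-1][0], e[-1][0], partition(stream)
```

The receiver ends up holding three partitions and cannot discard any of them on sight, because nothing in the stream tells it which root is the genuine one; this is the buffering cost noted above.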
2.2.2. One-Way Hash Chains
A one-way hash function [19] is a cryptographic mechanism that can quickly and easily calculate a hash value; however, it is infeasible to compute the original message using the hash value. Given a message M of variable length, its fixed-length hash value is generated by a hash function H of the form h=H(M). A secure hash function must satisfy three critical properties:
• One-way. For any given hash value y, it is computationally infeasible to find x such that h(x)= y.
• Weak collision resistance. For any given value x, it is computationally infeasible to find y ≠ x with h(x)=h(y).
• Strong collision resistance. It is computationally infeasible to find any pair (x,y) such that h(x)=h(y).
To create a one-way hash chain, the output of a hash function is repeatedly hashed until achieving the desired length of the chain. Based on a set of one-way hash chains, Lin et al. [1] designed a signature amortization scheme, PARM, which augments each packet with a set of hash values as its verification information.
Unlike PRABS, this scheme consumes constant communication overhead by assuming time synchronization between sender and receiver. A lack of synchronization, however, reduces the ability of PARM to instantly validate a received packet or even prevents its recovery to normal operations. For long hash chains, moreover, PARM expends significant computation power during validation as it recursively hashes the verification information.
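The following added example (a generic hash chain check, not PARM's actual packet format or the authors' code) shows how a one-way hash chain is built and how the validation cost grows with the distance between a received value and the trusted end of the chain. SHA-256, the function names, the `max_hops` work bound and the sample values are assumptions made for the illustration.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_chain(seed: bytes, length: int):
    """chain[0] = H(seed), chain[i] = H(chain[i-1]); chain[-1] is the public anchor."""
    chain = [H(seed)]
    for _ in range(length - 1):
        chain.append(H(chain[-1]))
    return chain

def verify(value: bytes, anchor: bytes, max_hops: int):
    """Hash `value` forward until it meets the trusted anchor.

    Returns (accepted, hashes_computed). The max_hops bound (an assumption of
    this example) caps the work a receiver spends on any single value.
    """
    node, hashes = value, 0
    while node != anchor:
        if hashes == max_hops:
            return False, hashes
        node = H(node)
        hashes += 1
    return True, hashes

def demo():
    # Constructed sample chain of 1000 values; the receiver trusts only the last one.
    chain = make_chain(b"constructed-seed", 1000)
    anchor = chain[-1]
    near = verify(chain[990], anchor, 999)        # close to the anchor: cheap
    far = verify(chain[0], anchor, 999)           # start of the chain: expensive
    forged = verify(b"\x00" * 32, anchor, 999)    # forged value: full cost, then rejected
    return near, far, forged
```

A forged value costs the receiver the full bound before it is rejected, which is why validation against a long chain is expensive.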