Skip to Main Content
Recently, Zhou et al. proposed a multicast authentication protocol named MABS which employs an efficient cryptographic primitive called batch verification to authenticate an arbitrary number of data packets simultaneously. Three implementations were presented: MABS-RSA, MABS-BLS, and MABS-DSA. In this comment, we are concerned with the last implementation, which is claimed to be much more efficient than the others. Our particular interest also lies in the fact that MABS-DSA was designed to thwart a known attack against its underlying batch DSA primitive and is claimed to be with increased security. After a careful revisit of the involved arithmetic, however, we find that the real issue lies in protocol correctness rather than security; the algorithm of MABS-DSA actually does not hold as one would expect. More specifically, even if each of the data packets was signed by an honest sender and securely delivered to the receiver, verification of the batch of signatures will still almost always fail.