Broadcast Authentication in Group Communication

Rei Safavi-Naini¹ and Huaxiong Wang²

¹ School of IT and CS, University of Wollongong, Australia
rei@uow.edu.au
² Department of Computer Science, National University of Singapore, Singapore
wanghx@comp.nus.edu.sg

Abstract. Traditional point-to-point message authentication systems have been extensively studied in the literature. In this paper we consider authentication for group communication. The basic primitive is a multireceiver authentication system with dynamic sender (DMRA-code). In a DMRA-code any member of a group can broadcast an authenticated message such that all other group members can individually verify its authenticity. In this paper first we give a new and flexible ‘synthesis’ construction for DMRA-codes by combining an authentication code (A-code) and a key distribution pattern. Next we extend DMRA-codes to tDMRA-codes in which t senders are allowed. We give two constructions for tDMRA-codes, one algebraic and one by ‘synthesis’ of an A-code and a perfect hash family. To demonstrate the usefulness of DMRA systems, we modify a secure dynamic conference key distribution system to construct a key-efficient secure dynamic conference system that provides secrecy and authenticity for communication among conferencees. The system is key-efficient because the key requirement is essentially the same as the original conference key distribution system and so authentication is effectively obtained without any extra cost. We show universality of ‘synthesis’ constructions for unconditional and computational security models, which suggests direct application of our results to real-life multicasting scenarios in computer networks. We discuss possible extensions to this work.

1 Introduction

Collaborative and multi-user applications, such as teleconferences and electronic commerce applications, require secure communication among members of a group.
Compared to providing confidentiality, ensuring integrity and authenticity of information is much more difficult, because in the latter case subgroups of participants can participate in a coordinated attack against other group members, while in the former they are passive. It is also worth emphasizing that the two goals of confidentiality and authenticity in group communications are independent and achieving one goal does not give assurance about the other goal.

We consider the following scenario. There is a group of users and a Trusted Authority (TA). During the initialization of the system, TA generates keys for

K. Y. Lam, E. Okamoto and C. Xing (Eds.): ASIACRYPT’99, LNCS 1716, pp. 399–412, 1999. © Springer-Verlag Berlin Heidelberg 1999