## How to Sign Digital Streams (1997)

### Cached

### Download Links

- [www.research.ibm.com]
- [theory.lcs.mit.edu]
- DBLP

### Other Repositories/Bibliography

Citations: | 148 - 0 self |

### BibTeX

@INPROCEEDINGS{Gennaro97howto,

author = {Rosario Gennaro and Pankaj Rohatgi},

title = {How to Sign Digital Streams},

booktitle = {},

year = {1997},

pages = {180--197},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

We present a new efficient paradigm for signing digital streams. The problem of signing digital streams to prove their authenticity is substantially different from the problem of signing regular messages. Traditional signature schemes are message oriented and require the receiver to process the entire message before being able to authenticate its signature. However, a stream is a potentially very long (or infinite) sequence of bits that the sender sends to thereceiver and the receiver is required to consumes the received bits at more or less the input rate and without excessive delay. Therefore it is infeasible for the receiver to obtain the entire stream before authenticating and consuming it. Examples of streams include digitized video and audio files, data feeds and applets. We present two solutions to the problem of authenticating digital streams. The first one is for the case of a finite stream which is entirely known to the sender (say a movie). We use this constraint to devise an extremely efficient solution. The second case is for a (potentially infinite) stream which is not known in advance to the sender (for example a live broadcast). We present proofs of security of our constructions. Our techniques also have applications in other areas, for example, efficient authentication of long files when communication is at a cost and signature based filtering at a proxy server.

### Citations

2912 | L.: A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...pplications in other areas, for example, efficient authentication of long files when communication is at a cost and signature based filtering at a proxy server. 1 Introduction Digital Signatures (see =-=[6, 18]-=-) are the cryptographic answer to the problem of information authenticity. When a recipient receives digitally signed information and she is able to verify the digital signature then she can be certai... |

2714 | New directions in cryptography, in
- Diffie, Hellman
(Show Context)
Citation Context ...pplications in other areas, for example, efficient authentication of long files when communication is at a cost and signature based filtering at a proxy server. 1 Introduction Digital Signatures (see =-=[6, 18]-=-) are the cryptographic answer to the problem of information authenticity. When a recipient receives digitally signed information and she is able to verify the digital signature then she can be certai... |

1113 | A public key cryptosystem and a signature scheme based on discrete logarithms - ElGamal - 1985 |

833 | A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...orithm. On input a message M and the secret key SK, it outputs a signature oe. ffl V is the verification algorithm. For every (PK; SK) = G(1 n ) and oe = S(SK; M ), it holds that V (PK; oe; M)= 1. In =-=[9] security -=-for signature schemes is defined in several variants. The strongest variant is called "existential unforgeability against adaptively chosen message attack". That is, we require that no effic... |

327 |
A certified digital signature
- Merkle
- 1990
(Show Context)
Citation Context ... The above solution can be further modified by using an authentication tree: the blocks are placed as the leaves of a binary tree and each internal node takes as a value the hash of its children (see =-=[13]-=-.) This way the sender needs to sign and send only the root of this tree. However in order to authenticate each following block the sender has to send the whole authentication path (i.e. the nodes on ... |

313 | Universal one-way hash functions and their cryptographic applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ...erified) only once with a 1-time key. We also use the idea to of using old keys in order to authenticate new keys. This has appeared in several places but always for long-lived keys. Examples include =-=[1, 16, 19]-=- where this technique is used to build provably secure signature schemes. We stress that the results in [1, 16, 19] are mostly of theoretical interest and do not yield practical schemes. Our on-line s... |

288 |
A Design Principle for Hash Functions
- Damg˚ard
- 1989
(Show Context)
Citation Context ...ique of embedding the hash of the following block in the current block can be seen as a variation of the Merkle-Damgard meta-method to construct hash functions based on a simpler compression function =-=[14, 5]-=-. The novelty here is that we exploit the structure of the construction to allow fast authentication of single blocks in sequential order. It can also be seen as a weak construction of accumulators as... |

214 |
A digital signature based on a conventional encryption function
- Merkle
- 1987
(Show Context)
Citation Context ...can be amortized over the length of the block). The size of the embedded authentication information is also an issue in this case. The idea here is to use fast 1-time signature schemes (introduced in =-=[11, 12]-=-) to authenticate the internal blocks. So block i will contain a 1time public key and also the 1-time signature of itself with respect to the key contained in block i \Gamma 1. This signature authenti... |

196 | One-Way Functions Are Necessary and Sufficient for Digital Signatures
- Rompel
- 1990
(Show Context)
Citation Context ...erified) only once with a 1-time key. We also use the idea to of using old keys in order to authenticate new keys. This has appeared in several places but always for long-lived keys. Examples include =-=[1, 16, 19]-=- where this technique is used to build provably secure signature schemes. We stress that the results in [1, 16, 19] are mostly of theoretical interest and do not yield practical schemes. Our on-line s... |

114 | One-way accumulators: a decentralized alternative to digital signatures
- Benaloh, Mare
- 1993
(Show Context)
Citation Context ...ere is that we exploit the structure of the construction to allow fast authentication of single blocks in sequential order. It can also be seen as a weak construction of accumulators as introduced in =-=[2]-=-. An accumulator for k blocks B 1 ; : : : ; B k is a single value ACC that allows a signer to quickly authenticate any of the blocks in any particular order. Accumulators based on the RSA assumption w... |

103 |
Constructing digital signatures from a one-way function
- Lamport
- 1979
(Show Context)
Citation Context ...can be amortized over the length of the block). The size of the embedded authentication information is also an issue in this case. The idea here is to use fast 1-time signature schemes (introduced in =-=[11, 12]-=-) to authenticate the internal blocks. So block i will contain a 1time public key and also the 1-time signature of itself with respect to the key contained in block i \Gamma 1. This signature authenti... |

60 |
On-line/off-fine digital signatures
- Even, Goldreich, et al.
(Show Context)
Citation Context ...s, since we exploit the property that the blocks must be authenticated in a specific order. Mixing "regular" signatures with 1-time signatures, for the purpose of improving efficiency is dis=-=cussed in [8]-=-. However in that paper the focus is in making the signing operation of a message M efficient by dividing it in two parts. An off-line part in which the signer signs a 1-time public key with his long-... |

35 |
The MD5 Message Digest Algorithm,” Internet RFC 131
- Rivest
- 1992
(Show Context)
Citation Context ...orithm who is given as input the values H(x i ) on several adaptively chosen values x i , finds a collision, i.e. a pair (x; y) such that x 6= y and H(x) = H(y), only with negligible probability. MD5 =-=[17]-=- and SHA-1 [15] are conjectured collision-resistant hash functions. Signature Schemes. A signature scheme is a triplet (G; S; V ) of probabilistic polynomialtime algorithms satisfying the following pr... |

33 | How to sign given any trapdoor permutation
- Bellare, Micali
- 1992
(Show Context)
Citation Context ...erified) only once with a 1-time key. We also use the idea to of using old keys in order to authenticate new keys. This has appeared in several places but always for long-lived keys. Examples include =-=[1, 16, 19]-=- where this technique is used to build provably secure signature schemes. We stress that the results in [1, 16, 19] are mostly of theoretical interest and do not yield practical schemes. Our on-line s... |

25 | On the efficiency of one-time digital signatures
- Bleichenbacher, Maurer
(Show Context)
Citation Context ...apdoor functions as RSA. However these schemes cannot be used to sign an arbitrary number of messages but only a prefixed number of them (usually one). Several other 1-time schemes have been proposed =-=[8, 3, 4]-=-; in Section 6 we discuss possible instantiations for our purpose. In this case also the stream is split into blocks. Initially the sender sends a signed public key for a 1-time signature scheme. Then... |

19 | Optimal tree-based one-time digital signature schemes
- Bleichenbacher, Maurer
- 1996
(Show Context)
Citation Context ...apdoor functions as RSA. However these schemes cannot be used to sign an arbitrary number of messages but only a prefixed number of them (usually one). Several other 1-time schemes have been proposed =-=[8, 3, 4]-=-; in Section 6 we discuss possible instantiations for our purpose. In this case also the stream is split into blocks. Initially the sender sends a signed public key for a 1-time signature scheme. Then... |

17 |
One-way hash functions and DES
- Merkle
- 1990
(Show Context)
Citation Context ...ique of embedding the hash of the following block in the current block can be seen as a variation of the Merkle-Damgard meta-method to construct hash functions based on a simpler compression function =-=[14, 5]-=-. The novelty here is that we exploit the structure of the construction to allow fast authentication of single blocks in sequential order. It can also be seen as a weak construction of accumulators as... |

3 |
communication
- Personal
- 1971
(Show Context)
Citation Context ...eme is based on a 1-way function F in a domain D. It also uses a collision resistant hash function H . The scheme allows signing of a single m-bit message. It is based on a combinations of ideas from =-=[11, 20]-=-. Here are the details of the scheme. Key Generation. Choose m+ log m elements in D, let them be a 1 ; : : : ; am+logm . This is the secret key. The public key is pk = H(F (a 1 ); : : : ; F (a m+logm ... |

1 |
Asymmetric MACs. Rump talk at Crypto'96
- Itkis
(Show Context)
Citation Context ... the first such signature they encounter to start their authentication chain. A different method to authenticate broadcasted streams, with weaker non-repudiation properties than ours, was proposed in =-=[10]-=-. Long Files when Communication is at Cost. Our solution can be used also to authenticate long files in a way to reduce communication cost in case of tampering. Suppose that a receiver is downloading ... |