We review previous art which deals with the problem of continuous authentication and signature of streams.
Gennaro and Rohatgi introduced techniques for signing digital streams [13]. They present two different schemes, one for the off-line case (the entire stream content is known in advance) and the other for the on-line case (the stream content is generated in real-time). For the off-line case, they suggest signing the first packet and embeding in each packet the hash of the next packet (including the hash stored in ). While this method is elegant and provides for a stream signature, it does not tolerate packet loss. The biggest disadvantage, however, is that the entire stream of packets needs to be known in advance. The on-line scheme solves this problem through a regular signature of the initial packet and embedding the public key of a one-time signature in each packet, which is used to sign the subsequent packet. The limitation is again that this scheme is not robust against packet loss. In addition, the one-time signature communication overhead is substantial.
Wong and Lam address the problem of data authenticity and integrity for delay-sensitive and lossy multicast flows [31]. They propose to use Merkle's signature trees to sign streams. Their idea to make asymmetric digital signatures more efficient is to amortize one signature generation and verification over multiple messages. Merkle describes how to construct a hash tree over all messages where the signer only digitally signs the root [20, 21]. However, to make this scheme robust against packet loss, every packet needs to contain the signature along with all the nodes necessary to compute the root, which requires large space overhead. In practice, this scheme adds around 200 bytes to each packet (assuming a 1024 bit RSA signature and a signature tree over 16 packets). Another shortcoming is that all messages need to be known to compute the signature tree. This causes delays on the sender side. Furthermore, after the signature computation, all packets are sent at the same time, causing bursty traffic patterns. This burstiness may increase the packet drop rate in the network. Although the computational overhead is amortized over multiple packets, there is still a substantial amount of computation necessary for signature verification, which can consume a substantial amount of resources on low-end receivers (for example battery power). A subtle point is that the per-packet computation increases with the packet loss rate. Since mobile receivers also have less computational power and higher packet loss, the benefit of the amortization is lost. The schemes which we propose in this paper solve these shortcomings.
Rohatgi presents a new scheme which reduces the sender delay for a packet, and which reduces the communication overhead of one-time signatures over previously proposed schemes [28]. He introduces a -time signature scheme, which is more space efficient than the one-time signatures. Despite all advantages, the scheme still uses 90 bytes for a 6-time public key (which does not include the certificate of the public key) and 300 bytes for each signature. Also, the server requires 350 off-line hash function applications and the client needs 184 hashes on average to verify the signature.
Canetti et al.construct a sender authentication scheme for multicast [7]. Their solution is to use different keys to authenticate every message with different MAC's. Every receiver knows keys and can hence verify MAC's. The keys are distributed in such a way that no coalition of receivers can forge a packet for a specific receiver. The communication overhead for this scheme is considerable, since every message carries MAC's. The server must also compute MACs before a packet is sent, which makes it more expensive than the scheme we present in this paper. Furthermore, the security of their scheme depends on the assumption that at most a bounded number (which is on the order of ) of receivers collude.
Syverson, Stubblebine, and Goldschlag propose a system which provides asymmetric and unlinkable authentication [30]. In their system, a client proves its right to access the vendor's service through a blinded signature token, which is renewed on each transaction. Through the vendor's blind signature, they achieve unlinkability of transactions. This scheme would not work for stream authentication, because the communication and computation overhead is substantial. Furthermore, the scheme provides unlinkability, which is not needed for authenticating multicast streams.
Anderson et al.[1] present a scheme which provides stream
authentication between two parties. Their Guy Fawkes protocol has the following
packet format:
, where denotes message , stands for a random
number, and is a hash function. Assuming that the receiver received an
authentication packet , it can immediately authenticate the following
packet , since contains the commitment to . Similarly, comes with a commitment for
. A drawback of this protocol is that to send message , the
following message needs to be known. Furthermore, this scheme cannot
tolerate any packet loss. They propose two methods to guarantee that the keys
are not revealed too soon. The first method is that the sender and receiver are
in lockstep, i.e. the receiver acknowledges every packet before the sender can
send the next packet. This severely limits the transfer time and does not scale
to a large number of receivers. The second method to secure their scheme is to
time-stamp each packet at a time-stamping service, which introduces additional
complexity. The Basic authentication scheme I we propose in this paper is
similar to the Guy Fawkes protocol. We improve on Guy Fawkes and construct an
efficient stream authentication scheme without these limitations.
We understand that unpublished work by Bob Briscoe at BT research, and Dan Boneh and Philippe Golle, has been proceeding along some similar lines. To the best of our knowledge, all of these groups have been working independently.