Each key in the one-way key chain corresponds to a time interval. Every time a sender broadcasts a message, it appends a MAC to the message, using the key corresponding to the current time interval. The key remains secret for the next intervals, so messages sent in interval effectively disclose key . We call the key disclosure delay.
Figure 3: At the top of the figure is the one-way key chain (using the one-way function ), and the derived MAC keys (using the one-way function ). Time advances left-to-right, and the time is split into time intervals of uniform duration. At the bottom of the figure, we can see the packets that the sender sends in each time interval. For each packet, the sender uses the key that corresponds to the time interval to compute the MAC of the packet. For example for packet , the sender computes a MAC of the data using key . Assuming a key disclosure delay of two time intervals (), packet would also carry key .
As a general rule, using the same key multiple times in different cryptographic operations is ill-advised -- it may lead to cryptographic weaknesses. So we do not want to use key both to derive key and to compute MACs. Using a pseudo-random function family , we construct the one-way function : . We use to derive the key to compute the MAC of messages: . Figure 3 depicts the one-way key chain construction and MAC key derivation. To broadcast message in interval the sender constructs packet .
Figure 3 depicts the one-way key chain derivation, the MAC key derivation, the time intervals, and some sample packets that the sender broadcasts.
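The construction above, as an added Python example that is not code from the original page: a sender-side key chain with separate MAC key derivation, and a receiver that buffers packets until the matching key is disclosed. HMAC-SHA256 as the pseudo-random function, the constant inputs `0x00` and `0x01`, the dictionary packet layout and all function and parameter names are assumptions of this example, as is `sender_interval_bound`, the receiver's upper bound on the interval the sender is currently in.

```python
import hashlib
import hmac

def prf(key, data):                      # PRF: HMAC-SHA256 (assumed choice)
    return hmac.new(key, data, hashlib.sha256).digest()

def chain_step(key):                     # one-way function for the key chain
    return prf(key, b"\x00")

def mac_key(key):                        # separate one-way function for MAC keys
    return prf(key, b"\x01")

def make_chain(seed, n):
    keys = [seed]
    for _ in range(n):
        keys.append(chain_step(keys[-1]))
    return keys[::-1]                    # keys[0] = commitment, keys[n] = seed

def walk_back(key, steps):               # derive an earlier chain key
    for _ in range(steps):
        key = chain_step(key)
    return key

def make_packet(keys, i, delay, msg):
    disclosed = (i - delay, keys[i - delay]) if i > delay else None
    tag = prf(mac_key(keys[i]), msg)     # MAC under the interval's derived key
    return {"i": i, "msg": msg, "mac": tag, "disclosed": disclosed}

class Receiver:
    def __init__(self, commitment, delay):
        self.delay, self.known = delay, (0, commitment)
        self.pending, self.accepted = [], []

    def receive(self, pkt, sender_interval_bound):
        # Buffer only while the sender cannot yet have disclosed this packet's key.
        if sender_interval_bound < pkt["i"] + self.delay:
            self.pending.append(pkt)
        if pkt["disclosed"] and pkt["disclosed"][0] > self.known[0]:
            j, key = pkt["disclosed"]
            # A disclosed key is genuine if it hashes back to the last trusted key.
            if hmac.compare_digest(walk_back(key, j - self.known[0]), self.known[1]):
                self.known = (j, key)
        j, key = self.known
        for p in [p for p in self.pending if p["i"] <= j]:
            expected = prf(mac_key(walk_back(key, j - p["i"])), p["msg"])
            if hmac.compare_digest(expected, p["mac"]):
                self.accepted.append(p["msg"])
        self.pending = [p for p in self.pending if p["i"] > j]
```

Because any later chain key hashes back to every earlier one, a receiver that misses the packet disclosing one interval's key can still authenticate that interval's buffered packets from the next disclosure it sees.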