Cryptography Reference
In-Depth Information
m
=
m
0
,m
1
,...,m
k
). The basic idea is to include in every block
m
i
the
hash value of the subsequent block
m
i
+1
(in addition to
m
i
) and to prepend a
block
m
0
that includes a digital signature for the hash value of
m
1
. The sender
then computes
m
as follows:
m
k
=
m
k
]
m
i
=
m
i
,h
(
m
i
+1
)] for
i
=
k
−
1
,...,
1
m
0
=
h
(
m
1
)
,s
]
Consequently,
m
k
contains
m
k
,
m
i
contains
m
i
and the hash value of
the subsequent block
m
i
+1
1
,...,
1,and
m
0
contains the hash
value of
h
(
m
1
) and a digital signature
s
for this hash value. If
k
−
1
refers to the
sender's signing key, then
s
refers to
Sign
(
k
−
1
,h
(
m
1
)). Note that all blocks
of
m
may be padded to meet a specific block length of
m
(this is particularly
true for
m
0
and
m
k
). Also note that digitally signing a stream with the off-
line solution requires a backward pass on the stream (this is why we must
make the assumption that the stream is finitely long and known in advance
to the sender). The structure of a signed digital stream is illustrated in Figure
15.4. In either case, the digital stream
m
for
i
=
k
−
is the one that is transmitted to the
recipient.
.I/
=3
.I/
=
=
I
I
=
Figure 15.4
A signed digital stream according to the offline solution of Gennaro and Rohatgi.
On receiving
m
0
, the recipient must verify that
s
is a valid signature
for
h
(
m
1
) with respect to the verification key
k
of the sender—that is,
he or she must verify that
Verify
(
k, h
(
m
1
)
,s
) retuns
valid
. Afterwards,
on receiving
m
i
=
m
i
,h
(
m
i
+1
)] for
i
=1
,...,k
1, the recipient
must accept block
m
i
as valid if and only if it hashes to the same value
that was transmitted in the preceding block
m
i−
1
−
(note that
m
i−
1
includes
