Anonymous Credit
Ben Laurie
ben at algroup.co.uk
Sun, 02 Sep 2001 14:37:40 +0100
Richard Clayton wrote:
> People interested in schemes for publishing a sequence of messages in
> such a way as to show linkage between them might consider the "Guy
> Fawkes Protocol" [a suitable scheme for Guy Fawkes to claim
> responsibility for his group's actions without risking people forging
> claims in his name]. It's described in this (PDF) paper:
Interesting ... this reminds me of a protocol Angelos Keromytis and I
were discussing recently (during IETF, in fact) to allow the efficient
authentication of a stream of data without having to wait for the end.
We feel sure this must have already been invented, but neither of us is
aware of any previous publication. Here it is:
At the head of the stream, present a signature for X_0. X_0 is the hash
of the concatenation of the first block of data and X_1. X_1 is the hash
of the concatenation of the second block and X_2, and so forth.
The final hash could either be the hash of the final block alone, or
possibly there's some value in appending a random number instead of
H_{n+1}, but I can't really imagine what.
Note that this is only applicable to a stream whose contents were known
to the sender in advance, of course - the situation we were envisaging
was downloading and unpacking packages on the fly, and wanting to be
sure they haven't been subverted.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
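
The chained construction described in the message above, as an added example (not code from the original post or its authors): the sender builds the hashes back to front, and the receiver releases each block as soon as it checks out. SHA-256, the (block, next-hash) packet layout and the all-zero end marker chained to the last block in place of a further hash are assumptions of this example; the signature on X_0 is taken as already verified by the receiver.

```python
import hashlib
import hmac

HASH_LEN = 32
END = bytes(HASH_LEN)  # assumption: fixed end-of-stream marker chained to the last block

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # assumption: the post names no hash function

def build_stream(blocks):
    """Sender: compute X_i = H(block_i || X_{i+1}) back to front.

    Returns (x0, packets); x0 is the value the sender signs, and each packet
    carries a block together with the hash that authenticates the next one.
    """
    if not blocks:
        raise ValueError("need at least one block")
    packets = []
    nxt = END
    for block in reversed(blocks):
        packets.append((block, nxt))
        nxt = h(block + nxt)
    packets.reverse()
    return nxt, packets

def verify_stream(x0, packets):
    """Receiver: yield each block as soon as it is authenticated.

    x0 must already have been checked against the sender's signature.
    Raises ValueError on a modified block or a stream that ends early.
    """
    expected = x0
    for index, (block, nxt) in enumerate(packets):
        if len(nxt) != HASH_LEN or not hmac.compare_digest(h(block + nxt), expected):
            raise ValueError(f"block {index} failed authentication")
        yield block
        expected = nxt
    if expected != END:
        raise ValueError("stream truncated before the end marker")

# Constructed sample input: a small "package" split into three blocks.
SAMPLE_BLOCKS = [b"header v1\n", b"payload part A\n", b"payload part B\n"]

def demo():
    x0, packets = build_stream(SAMPLE_BLOCKS)
    return b"".join(verify_stream(x0, packets))

if __name__ == "__main__":
    print(demo())
```

A consumer that unpacks on the fly has already acted on the earlier blocks when a later one fails, so it should discard its partial output whenever `verify_stream` raises.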