Anonymous Credit

[David Wagner]

Ben Laurie  wrote:
>Interesting ... this reminds me of a protocol Angelos Keromytis and I
>were discussing recently (during IETF, in fact) to allow the efficient
>authentication of a stream of data without having to wait for the end.
>We feel sure this must have already been invented, but neither of us is
>aware of any previous publication. Here it is:
>
>At the head of the stream, present a signature for X_0. X_0 is the hash
>of the concenation of the first block of data and X_1. X_1 is the hash
>of the concatenation of the second block and X_2, and so forth.
>[...]
>Note that this is only applicable to a stream whose contents were known
>to the sender in advance, of course - the situation we were envisaging
>was downloading and unpacking packages on the fly, and wanting to be
>sure they haven't been subverted.

This sounds like the scheme proposed by Rosario Gennaro and Pankaj Rohatgi
at CRYPTO'97.  See <http://citeseer.nj.nec.com/gennaro97how.html> for more.