The TESLA Broadcast Authentication Protocol
J. D. Tygar
One of the main challenges of securing broadcast
, or enabling
receivers of broadcast data to verify that the received
data really originates from the claimed source and was
not modified en route.
This problem is complicated
by mutually untrusted receivers and unreliable com-
munication environments where the sender does not
retransmit lost packets.
This article presents the TESLA (Timed Efficient
Stream Loss-tolerant Authentication) broadcast au-
thentication protocol, an efficient protocol with low
scales to large numbers of receivers, and tolerates
packet loss. TESLA is based on loose time synchro-
nization between the sender and the receivers.
functions (MAC functions), TESLA achieves asym-
metric properties. We discuss a PKI application based
purely on TESLA, assuming that all network nodes
are loosely time synchronized.
Broadcast communication is gaining popularity for
efficient and large-scale data dissemination.
ples of broadcast distribution networks are satellite
Most of this work was done at UC Berkeley and IBM Re-
search. The authors can be reached at
broadcasts, wireless radio broadcast, or IP multicast.
While many broadcast networks can efficiently dis-
tribute data to multiple receivers, they often also allow
a malicious user to impersonate the sender and inject
broadcast packets — we call this a
packet injection at-
. (Source-Specific Multicast (SSM, EXPRESS) is
a notable exception, and attempts to prevent this at-
tack [17, 40].)
Because malicious packet injection is easy in many
broadcast networks, the receivers want to ensure that
the broadcast packets they receive really originate
from the claimed source. A
enables the receivers to verify that a received
packet was really sent by the claimed sender.
Simply deploying the standard point-to-point au-
thentication mechanism (i.e., appending a message au-
thentication code (MAC) to each packet, computed us-
ing a shared secret key) does not provide secure broad-
cast authentication. The problem is that any receiver
with the secret key can forge data and impersonate the
sender. Consequently, it is natural to look for solutions
based on asymmetric cryptography to prevent this at-
tack; a digital signature scheme is an example of an
asymmetric cryptographic protocol.
each data packet provides secure broadcast authenti-
cation; however, it has high overhead, both in terms of
the time required to sign and verify, and in terms of
Several schemes were proposed that
mitigate this overhead by amortizing a single signa-
ture over several packets, e.g., [14, 25, 28, 33, 38, 39].
However, none of these schemes is fully satisfactory in