Why Live Streams Need Provenance

Recorded video can be signed at the completion of production. The file exists, it can be hashed, and the hash can be signed. Live video presents a different challenge: the content does not exist as a complete file until the broadcast ends. Waiting until the end to sign means the entire broadcast period is undocumented.

Live news broadcasts are particularly sensitive to this gap. A breaking news broadcast with manipulated footage could be presented as authentic because no provenance record exists during the live period. The same applies to government proceedings, live court testimony, sports events with rights restrictions, and live music performances.

C2PA 2.3 Section 19 addresses this by defining a provenance model for streaming content where signing happens continuously during the broadcast, not just at the end.

Per-Segment Manifests and Backwards Linking

Streaming video is divided into segments - short chunks of video data typically 2-10 seconds long in HLS (HTTP Live Streaming) and DASH (Dynamic Adaptive Streaming over HTTP) formats. Each segment is a self-contained piece of video data that can be independently decoded.

C2PA 2.3 Section 19 assigns a signed manifest to each segment. The manifest for segment N includes:

• The segment's own content hash
• The signing timestamp for this segment
• The broadcaster's identity (verified certificate)
• A hash of the previous segment's manifest (backwards link)

The backwards link is the chain's integrity mechanism. Each segment's manifest includes a cryptographic commitment to the previous segment's manifest. This means any manipulation of an earlier segment also breaks the chain for all subsequent segments. A verifier examining the complete chain can identify the exact segment where the chain breaks, localizing any tampering to a specific time range in the broadcast.

The first segment in a stream (the genesis segment) has no backwards link - it begins the chain. All subsequent segments extend it. After the broadcast ends, the complete chain provides a tamper-evident record of the entire broadcast.

Real-Time Signing at Broadcast

Live stream signing operates with millisecond latency requirements. A signing operation that adds multiple seconds to segment delivery is not compatible with live streaming. The Encypher live stream signing service is designed for sub-100ms signing latency, compatible with typical segment delivery timelines.

Integration with existing broadcast infrastructure occurs at the segment packaging stage - after the segment is encoded but before it is delivered to the CDN or streaming origin. The signing service receives the encoded segment, computes the hash, assembles the manifest with the backwards link to the previous segment, signs it, and returns the segment with the embedded manifest.

For news broadcasters using standard broadcast infrastructure, integration typically occurs at the stream packager. For direct-to-consumer streaming operations, integration occurs at the streaming origin server. The Encypher SDK provides client libraries for common broadcast software.

Use Cases

Verification After Broadcast

After a broadcast ends, the complete segment chain can be archived as a provenance record. The archive contains each segment with its manifest, forming a complete cryptographic history of the broadcast.

Verification of a specific time range requires the segments for that range and the preceding chain back to the genesis segment. The Encypher API supports range verification: submit a time range and receive a verification report covering all segments in that range, including the chain integrity status.

For news organizations preserving broadcast archives, this means every archived broadcast can include a tamper-evident provenance chain alongside the video files. The chain is separate from the video and lightweight - it is a sequence of manifest signatures, not a copy of the video itself.