[Cryptography] Perfect Integrity?

Peter Fairbrother peter at tsto.co.uk
Wed Aug 8 13:14:27 EDT 2018 

On 05/08/18 14:56, Kristian Gjøsteen wrote:
> 4. aug. 2018 kl. 21:44 skrev Peter Fairbrother <peter at tsto.co.uk>:
[...]
>> A one-bit W-C MAC will give an attacker no advantage in guessing the bit - but he will still have a 50% chance of guessing right.
> 
> For ciphers, «information theoretic security» has a specific meaning that roughly translates into «an adversary with unlimited computing power does not learn anything from the ciphertext».

Ouch. I'd prefer: "information theoretic security" means that without 
information an adversary doesn't have access to he can learn nothing 
about a plaintext from its ciphertext."

The OP was talking about Perfect Integrity, not Information Theoretic 
Integrity, and while I suppose there are differences, I am not entirely 
sure what they are.

To stay with security for a moment, an OTP is said to be perfectly 
secure; an attacker can learn nothing about the plaintext from the 
ciphertext - except maybe it's length. Chtsghjydsor might possibly 
decrypt as "attack at dawn" or "retreat at dusk", but it doesn't decrypt 
as "watch it, Hannibal is crossing the Alps with elephants", as it isn't 
long enough.

Could be important if eg the General habitually sends long messages when 
about to retreat, and short ones when about to attack. Or vice-versa.

Of course you can add padding, but exactly how much padding is needed to 
make a message information-theoretic secure?

So. is a "perfect" OTP information theoretic secure? Is anything? An OTP 
hotline discloses nothing ... but it's existence.

And a "perfect" OTP is basically a stream cipher, with the disadvantages 
of stream ciphers, eg plaintext manipulation etc.


> This definition does not make sense for integrity, so information theoretic has to get a new meaning with respect to integrity.
> 
> First, the context. We have a function f that takes a key and a message and outputs a tag. There are n distinct tags. Alice sends (m,t) to Bob, where t = f(k,m) and k is a shared key. Bob receives (m’, t’) and checks if f(k,m’) == t’.
> 
> Note (as has been said, already) that - regardless of what f is - Eve has a 1/n chance of creating a valid tag by choosing t’ at random. (At this point, some people say that information theoretic security is impossible and stop. Even though we haven’t defined what information theoretic security means yet…)
> 
> There are now two possible ways to define security: (a) no adversary should have greater than 1/n chance of creating a forgeryand (b) no adversary should have greater than eps chance of creating a 
forgery, for some small eps.

There is at least a third way - c) no adversary should have greater than 
1/|m| chance of creating a forgery, where |m| is the number of possible 
messages.

> (b) is the most convenient content of «information theoretic integrity»,and we may reserve the prefix «perfect» to denote (a)

I do not understand that.

[..]
> 
> Next, an example that works: k = (a,b), f(k,m) = a*m + b. First, since b is random, Eve learns nothing about a from t. Next, suppose Eve sets m’ = m + Delta and t’ = t + Delta’. If Eve wins, then Delta’ = a*Delta. Since Delta is non-zero, the odds of that is exactly 1/n.

This is trivially insecure as written, even for a one-off-tag - unless 
the calculations are done mod a large prime p, when it becomes secure.

(one-off-tag attack scenario: Alice calculates tag t from message m, Eve 
intercepts message, prevents it's delivery, wants to forge a different 
message for Bob)

Now the maximum message size is p-1 - if larger messages are allowed it 
is trivial to create a message which equals m modulo p. Also, a and b 
should be chosen at random from 1 to p-1.

So |a| = |b| = |t| = |m|, = |p| roughly.

I may have been a bit loose in nomenclature here, using |x| both for the 
size of x and the number of possible x's, hope you follow me.

We could truncate t without giving anything away about a and b, except 
the chance of forgery would increase - so using the working example, 
there is a natural size to a MAC tag which is the same as the size of 
the message.

I think there is something more fundamental [1] going on as well; so if 
I may I will call a MAC tag like that, calculated in a (loosely, 
~information theoretic~) secure way with size equal to the message, a 
"perfect" tag.


-- Peter Fairbrother

[1] working on it..

More information about the cryptography mailing list