We can obtain "absolutely perfect CONFIDENTIALITY" using the one-time pad. Is there such a thing as "absolutely perfect INTEGRITY"?

Question

The OTP (one-time pad) gives us perfect secrecy. This is the very best confidentiality available in this universe. (Although it does require large keys, which is beside the point of this question).

The problem is such encryption does not attain integrity. So my question is, is there such a thing as perfect integrity?

This has been asked a few times before: see http://crypto.stackexchange.com/q/15394/351, http://crypto.stackexchange.com/q/11228/351, http://crypto.stackexchange.com/q/31063/351, http://crypto.stackexchange.com/q/26960/351. — D.W., Jun 26 '16 at 21:52

J.D. · Answer 1 · 2016-06-27T01:44:26.323

Yes, there is the one-time MAC. This is a scheme which ensures that an adversary (even one with infinite computational resources) has a negligible chance of altering the message or forging a fake message without detection.

Edit to add: Mikero's comment and the other answer demonstrate that we need to be clear about what we mean by "perfect" integrity. "Perfection" is a rather nebulous term, so I will provide a rigorous definition as I understand it, and contrast it with a similar definition for "perfect" confidentiality. Hopefully, even if you disagree with my definitions you will be able to see why I think one-time MAC can provide "perfect" integrity (as I define it).

Perfect integrity and perfect confidentiality can both be defined in terms of games. Let's do the confidentiality game first:

Confidentiality Game:

You have a Challenger, an Adversary, and an encryption scheme (e.g. a block cipher using a Mode of Operation, or a stream cipher, or the OTP). The Challenger and Adversary agree upon a length limit $\ell$, which is the total length of all messages that will be encrypted by the Challenger during the game. The Challenger selects a key from the defined key-space of the encryption scheme uniformly at random (e.g. for AES-128 it would select a 128 bit string from all such strings, and for a OTP it would select a string of length $\ell$ from all such strings).

There are two phases to the game - first a query phase, and then a challenge phase. In the query phase, the Adversary can submit chosen plaintext queries to the Challenger, who encrypts them using the scheme and the selected key, and presents the resulting ciphertexts to the Adversary.

During the challenge phase, the Adversary selects two messages that are of equal length, $m_0$ and $m_1$, and submits them to the Challenger. Note that the total length of all the queries added to the length of $m_0$ must not exceed $\ell$. The Challenger selects a single bit $b$ uniformly at random, encrypts $m_b$, and presents the resulting ciphertext to the Adversary. The Adversary outputs a single bit $a$ which is its guess as to the value of $b$. If $a=b$ then the Adversary wins the game, otherwise it loses.

An encryption scheme provides $\ell$-wise perfect confidentiality if and only if there is no Adversary (not even a computationally unbounded Adversary) who can win this game with probability greater than 0.5. Note that a one-time pad provides perfect confidentiality in this sense.

Integrity Game:

You have a Challenger, an Adversary, and a MAC scheme. The Challenger and Adversary agree upon a total number of messages $n$ that the Challenger will authenticate during the game, as well as $\ell$ the total length of those messages, and a tag length $\tau$ (e.g. they can agree that the MAC tags will all be 64 bits long). The Challenger selects a key from the defined key-space of the MAC scheme uniformly at random.

As before, there is a query phase and a challenge phase. During the query phase, the Adversary can submit up to $n-1$ messages to be authenticated to the Challenger, who generates the corresponding MAC tags for those messages and presents them to the Adversary. During the challenge phase, the Adversary outputs a message $M$ (which cannot be the same as any message submitted during the query phase) and a tag $T$. The total length of the queries and $M$ cannot exceed $\ell$. The Challenger generates the MAC for $M$, and if that MAC is identical to $T$ then the Adversary wins the game, otherwise it loses.

A MAC scheme provides $(n,\ell,\tau)$-wise perfect integrity if and only if there is no Adversary (not even a computationally unbounded Adversary) who can win this game with probability greater than $1/2^{\tau}$. Note that a one-time MAC provides perfect integrity in this sense.

I think this answer is conflating perfect security (zero probability of failure) with information-theoretic security (security against computationally unbounded adversaries). You cannot have perfectly secure integrity, since integrity refers to the adversary's probability of guessing some data. That probability must always be nonzero. I guess, given this fact, you can redefine "perfect" to mean "best possible" in this case, but generally "perfect" security means zero-error. — Mikero, Jun 26 '16 at 15:45
@Mikero - you are correct - I was conflating "perfect" and "information theoretic". Even with a one time MAC there is always a non-zero chance that the adversary can get lucky and forge a fake message. However, this is also the case for confidentiality - even with a OTP a lucky adversary might correctly guess the message. No scheme is immune to luck. All you can do is ensure that an adversary has the same chances (of guessing the message or forging another message) both before and after seeing the ciphertext. That is how I interpret "perfect" security. — J.D., Jun 26 '16 at 16:57
@J.D. the difference is that with a lucky guess on the message contents the attacker gains nothing - there is no way to confirm they are right and there is no reason to think their guess is any likelier than other possible messages. In contrast, by correctly guessing the MAC an attacker an get a message accepted, confirming the guess. — otus, Jun 27 '16 at 08:04
@otus - you are assuming that information about whether the forged message was accepted or not will get back to the integrity attacker in some way (e.g. by seeing the receiver behave as if they have believed the forged message). By why assume that for integrity attacks but not assume that the confidentiality attacker also has some way of confirming that they correctly guessed the contents of the message? E.g. you guess the message means "attack at dawn", and the attack is at dawn. Or you guess the message is "open sesame" and saying that lets you into Ali Baba's cave. — J.D., Jun 27 '16 at 11:17
@J.D. if the attacker guesses a MAC value and it verifies, then that MAC passed off as valid and was accepted. If the attacker guesses a message without getting any information from the ciphertext, they cannot make any more use of that guess than they would have just acting randomly or by observing other channels of information. — otus, Jun 27 '16 at 12:18
@otus - and this distinction leads you to conclude that the OTP gives "perfect" confidentiality but the OTM does not give "perfect" integrity, (or otherwise that "perfect" integrity is impossible)? How are you defining "perfect" integrity (perhaps we can chat elsewhere)? — J.D., Jun 27 '16 at 12:30
@J.D. all I'm saying is that the best possible confidentiality is in a sense stronger than the best possible (finite) MAC. That's why I would not call it "perfect" MAC security, but information theoretic or unconditional. A longer MAC is always theoretically "better". — otus, Jun 28 '16 at 05:44
@otus - that's a good point about longer MACs being "better", and thus any finite MAC being not "perfect". But, the OTP leaks the length of the messages (less than or equal to the ciphertexts), and also leaks the fact that messages were sent (traffic analysis). Arguably that is not "perfect" confidentiality. Both can be fixed by sending a constant stream of ciphertext forever (with blank plaintext when no messages are being sent), but that requires an infinitely long key. So perhaps "perfection" in both cases requires infinity. — J.D., Jun 28 '16 at 11:20

ispiro · Answer 2 · 2016-06-27T11:25:13.983

1

I'm not an expert, but as far as I understand that would be impossible. My reasoning follows.

In the case of encryption - even if an attacker guesses correctly - he doesn't know that. So secrecy can be perfect.

With integrity, on the other hand, even if an attacker doesn't know he guessed correctly, the attacked will be fooled into believing the integrity of the message.

I've answered according to the wording of your question which is asking

is there such a thing as perfect integrity?

edited Jun 27 '16 at 11:25

answered Jun 26 '16 at 21:56

ispiro

2,005
2
18
29

But multiple candidate keys would appear to authenticate the message—the attacker cannot know that the key he has chosen is the correct one, and so cannot be certain that the recipient will be fooled: this is the analog of the attacker against perfect confidentiality identifying a key that produces valid plaintext without knowing its correctness. Indeed, the probability of the chosen key being correct is the same in both cases—and in both cases the attacked will only discover that their communication has been compromised by the attacker actively acting upon their knowledge. – eggyal Jun 27 '16 at 04:17
@eggyal Yes, but the key is not what the attacker is after. Integrity is about being able to verify if the integrity / authenticity of messages. If a different message gets accepted than the one that was sent then obviously the scheme is not perfect. What you are talking about is key confirmation, but even HMAC can offer that, and that scheme is obviously not perfectly secure. – Maarten Bodewes Mar 14 '24 at 22:27

We can obtain "absolutely perfect CONFIDENTIALITY" using the one-time pad. Is there such a thing as "absolutely perfect INTEGRITY"?

2 Answers2