2

I'm trying to add the authentication for my One-Time Pad implementation.
I know that to provide Unconditionally Secure Authentication I need to use the One-Time MAC authentication.

But I don't understand why a solution as the following (that's a lot more easy to implement) doesn't provide the same security level :/

ciphertext = ((plaintext || H(plaintext)) XOR OTPKey)

With:
|| = concatenation
H = SHA-2
OTPKey is long enough to encrypt the plaintext and H(plaintext)

Mallory here can't brute force the ciphertext (because of the one-time pad), so he can't get the correct plaintext nor the digest...

Is this right? Can this provide unconditionally secure authentication?

EDIT 1
I know that in practice it's vulnerable to known-plaintext attacks so please, don't consider it in this particular case. I'm interested in Unconditional Security in the sense that both the plaintext and the digest can benefit of the Information-theoretic security provided by One-Time Pad.
I'm interested in passive attacks and not in active ones.
Assume that Mallory here knows only the ciphertext ;-)

EDIT 2
In other words: can I be sure that an attacker can't obtain the plaintext exploiting possible vulnerabilities introduced by the use of a hash function for the digest calculation?

Variant
How about this variant? Can I say that it provides Information-theoretic security for the plaintext AND it is vulnerable against active attacks with complexity of 2^256?
So in this case I can provide a certain level of security against known-plaintext attacks too (even if computational security).

ciphertext = (plaintext XOR OTPKey)
message = (ciphertext || H(ciphertext || K2))

With:
K2 = 32 bytes of random key, NOT correlated with OTPKey

Thank you to everyone :)

Community
  • 1
Riccardo Leschiutta
  • 251
  • 1
  • 6

1 Answers1

3

You need to prove that there does not exist a way of finding $x$ and $y$ so that $plaintext \oplus x$ and $H(plaintext) \oplus y = H(plaintext \oplus x)$. The problem is that the attacker is unlimited in time, so the above may actually be possible. (It suffices to prove that there exist messages for which this can be done.)

In addition, in order for this to be secure, it has to behave as a secure MAC, even known the plaintext. So, saying that you don't care about known-plaintext attacks doesn't make sense. I'll explain. Assume that the distribution over the plaintext is that with probability $0.7$ the plaintext is "attack today" and with probability $0.3$ it is "don't attack". Then, an attacker can assume that the message is "attack today" and modify it to "don't attack" (by XORing in "attack today XOR don't attack" to the first part, and XORing in "H(attack today) XOR H(don't attack)" in the second part. The result will be that with probability $0.7$ the message will be changed to "don't attack" and with probability $0.3$ an invalid message will be received. This should not be allowed under any reasonable definition of security.

Yehuda Lindell
  • 28,270
  • 1
  • 69
  • 86