I only understand assurance of integrity using a hash function. How to use cryptography to assure data integrity?
1 Answer
If I want to ask a potentially compromised server to remember a file that I don't have room to store myself, I can pick and remember a 256-bit secret uniformly at random, and compute a short—say, 128-bit—authenticator (or MAC, message authentication code) for the file under the secret key. I keep the key on my person; I affix the authenticator to the file.
- Standard MAC algorithms include Poly1305, which is very fast but can handle only one file per secret key, and HMAC-SHA256, which is much slower but can handle many files per secret key.
If, when I ask the server to retrieve my file, the server tries to fool me into accepting a file that is different from the one I stored, I can recompute the authenticator using the secret key, and compare it to the one that was stored alongside the file. If they match, then it is almost certainly the file I stored. If they don't match, then the file was modified.
- The technical property that a MAC has is existential unforgeability under chosen-message attack: we conjecture, or prove in the case of one-time authenticators like Poly1305, that an adversary who can learn the authenticator for one or many messages of their choice has only negligible probability of finding the true authenticator themselves for any other message. That is, we consider a game where the adversary can query you, the bearer of the secret key, for the authenticator for one or many messages of their choice; then the adversary wins if they can find, without asking you, the correct authenticator on any other message.
What if I want someone else to be able to verify integrity, without their being able to forge the messages? For example, I want to make a promise in a contract, and publish the contract so that anyone can read it, but I don't want to let anyone else alter the contract. I first share a public key with everyone, and then use the corresponding private key to digitally sign the contract. Anyone can use the public key to verify the signature. Only I, with secret knowledge of the private key, can make a signature that will pass verification. So anyone can verify, but only I can sign.
Standard signature algorithms include RSASSA-PSS, which is based on the mathematical magic of the RSA trapdoor permutation $m \mapsto m^3 \bmod n$ for $n = pq$ a product of large randomly chosen primes, and Ed25519, which is based on arithmetic in the scalar ring of the twisted Edwards elliptic curve $-x^2 + y^2 = 1 - \frac{121665}{121666} x^2 y^2$ over the finite field $\mathbb Z/(2^{255} - 19)\mathbb Z$.
The technical property that a digital signature scheme has is also called existential unforgeability under chosen-message attack, but in the public-key setting where the adversary also has access to the public key in addition to being able to query you for the signature on any message of their choice.
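The two scenarios in the answer above, the untrusted file server checked with a MAC and the publicly verifiable signed contract, as an added example that is not part of the original answer or the asker's code. It uses only the Go standard library: HMAC-SHA256 truncated to a 128-bit tag for the MAC case (Poly1305 is not in the standard library, so it is not shown) and Ed25519 for the signature case. The `untrustedServer` type, its one-bit-flip tampering, and the sample file and contract strings are constructed here purely for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TagLen is the authenticator length in bytes: the "short, say 128-bit" tag
// from the answer. Truncating HMAC output is a standard construction (RFC 2104, s. 5).
const TagLen = 16

// NewMACKey draws the 256-bit secret that stays with the owner, never with the server.
func NewMACKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Tag computes HMAC-SHA256 over file under key and truncates it to TagLen bytes.
// This is what gets stored next to the file on the server.
func Tag(key, file []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(file)
	return m.Sum(nil)[:TagLen]
}

// VerifyTag recomputes the authenticator for whatever the server returned and
// compares it to the stored tag in constant time. hmac.Equal rather than
// bytes.Equal matters: an early-exit comparison leaks how many leading bytes of
// a guessed tag are right, which lets an attacker forge a tag byte by byte.
func VerifyTag(key, file, tag []byte) bool {
	if len(tag) != TagLen {
		return false
	}
	return hmac.Equal(Tag(key, file), tag)
}

// untrustedServer is a constructed stand-in for the "potentially compromised"
// storage: it keeps the file and tag, and on retrieval may return anything.
type untrustedServer struct {
	file, tag []byte
}

func (s *untrustedServer) store(file, tag []byte) { s.file, s.tag = file, tag }

// retrieveTampered simulates a malicious server altering one bit of the file
// while returning the tag unchanged.
func (s *untrustedServer) retrieveTampered() ([]byte, []byte) {
	evil := append([]byte{}, s.file...)
	evil[0] ^= 0x01
	return evil, s.tag
}

// SignContract: only the holder of priv can produce a signature that verifies.
func SignContract(priv ed25519.PrivateKey, contract []byte) []byte {
	return ed25519.Sign(priv, contract)
}

// VerifyContract: anyone holding pub can check the signature, but cannot forge one.
func VerifyContract(pub ed25519.PublicKey, contract, sig []byte) bool {
	return ed25519.Verify(pub, contract, sig)
}

func main() {
	// Constructed sample data.
	file := []byte("constructed sample: quarterly backup, lots of boring bytes")
	key, err := NewMACKey()
	if err != nil {
		panic(err)
	}
	srv := &untrustedServer{}
	srv.store(file, Tag(key, file))

	fmt.Println("honest file verifies:   ", VerifyTag(key, srv.file, srv.tag))
	badFile, badTag := srv.retrieveTampered()
	fmt.Println("tampered file verifies: ", VerifyTag(key, badFile, badTag))

	// Public verifiability: publish pub, keep priv, sign the contract.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	contract := []byte("constructed sample: I promise to deliver 10 widgets by Friday.")
	sig := SignContract(priv, contract)
	fmt.Println("contract verifies:      ", VerifyContract(pub, contract, sig))
	altered := []byte("constructed sample: I promise to deliver 1 widget by Friday.")
	fmt.Println("altered contract:       ", VerifyContract(pub, altered, sig))

	// A signature made under someone else's private key does not pass under pub.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other key's signature:  ", VerifyContract(pub, altered, SignContract(otherPriv, altered)))
}
```

The MAC half relies on the key never leaving the owner; the server holds only the file and the tag, so it can neither recompute a tag for a modified file nor tell a right guess from a wrong one if the comparison is constant-time. The signature half shows the asymmetry the answer describes: `VerifyContract` needs only the public key, while a valid `sig` requires the private key, and a signature from a different private key fails verification under the published public key.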