
Suppose we have an $n$-bit ciphertext $c$ protected by a $k$-bit MAC, with $k < n$. Generally, we expect collisions after $O(2^{k/2})$ ciphertext/MAC pairs are seen.

Consider the following modification:

  1. Adversary chooses $m \in \{0, 1\}^n$ and sends to oracle.
  2. Oracle sends back $\sigma((c) || MAC(c))$, where $c=E(m)$ is a randomized encryption, and $\sigma$ is a permutation on $n+k$ bits. $\sigma$ remains unknown to the adversary.

Suppose $\sigma$ stays constant. It seems that we either attack the MAC/Encryption, or figure out the permutation. If the MAC and Encryption are perfect, then I don't see how we can find the MAC bits: any $k$-element subset of the $n+k$ bits will have the same birthday paradox probability of collisions. In fact, if we take $2^k + 1$ messages, the pigeonhole principle gives collisions to all subsets.

It seems our only help is if the MAC/Encryption has statistical biases that we can detect among the $O(2^{k/2})$ messages, but this seems to require analyzing all $k$-bit projections of the messages, which may be huge. Can we do better?

If we can't do better, what is the drawback of such a scheme? Is it impractical to have the hidden permutation be a shared secret? What about a set of such permutations?

Thanks

andy
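The construction in the question, modeled as a toy simulation. This is an added example, not code from the original post: it assumes small constructed parameters ($n=24$, $k=8$), models the "perfect" randomized encryption as a fresh uniform $n$-bit string, uses HMAC-SHA256 truncated to $k$ bits as the MAC, and applies a secret bit permutation $\sigma$ to $c \,\|\, \mathrm{MAC}(c)$. It then projects many oracle outputs onto the true MAC positions and onto random $k$-position subsets and counts birthday collisions on each, so the claim that the MAC positions are not distinguishable by collision rate alone can be checked numerically. It also includes the receiver-side check, which makes explicit that verification needs both $\sigma$ and the MAC key.

```python
"""Toy model of the construction in the question: the oracle returns
sigma(c || MAC(c)) for a secret bit permutation sigma on n+k bits, and the
birthday-collision claim is checked by projecting outputs onto k-bit subsets."""
from collections import Counter
import hashlib
import hmac
import random

N = 24  # ciphertext length n in bits (constructed toy value, assumption)
K = 8   # MAC length k in bits (constructed toy value, assumption)


def int_to_bits(x, width):
    """Little-endian list of `width` bits of the integer x."""
    return [(x >> i) & 1 for i in range(width)]


def bits_to_int(bits):
    return sum(b << i for i, b in enumerate(bits))


class Oracle:
    """Step 2 of the question: answer a query with sigma(c || MAC(c))."""

    def __init__(self, seed):
        self.rng = random.Random(seed)
        self.mac_key = self.rng.getrandbits(128).to_bytes(16, "big")
        # Secret permutation sigma on n+k positions: output[j] = input[sigma[j]].
        self.sigma = list(range(N + K))
        self.rng.shuffle(self.sigma)
        self.inverse = [0] * (N + K)
        for j, i in enumerate(self.sigma):
            self.inverse[i] = j

    def mac(self, c_bits):
        # Assumption: the k-bit MAC is HMAC-SHA256 over c, truncated to K bits.
        c_bytes = bits_to_int(c_bits).to_bytes((N + 7) // 8, "big")
        digest = hmac.new(self.mac_key, c_bytes, hashlib.sha256).digest()
        return int_to_bits(int.from_bytes(digest[:4], "big"), K)

    def query(self, m):
        # "Perfect" randomized encryption is modeled as a fresh uniform n-bit c
        # independent of m, matching the question's idealized assumption.
        c = int_to_bits(self.rng.getrandbits(N), N)
        inp = c + self.mac(c)
        return [inp[self.sigma[j]] for j in range(N + K)]

    def unpermute(self, out):
        """Invert sigma; returns (c_bits, tag_bits)."""
        inp = [out[self.inverse[i]] for i in range(N + K)]
        return inp[:N], inp[N:]

    def verify(self, out):
        """Receiver side: needs both sigma and the MAC key, i.e. both are secrets."""
        c, t = self.unpermute(out)
        return hmac.compare_digest(bytes(t), bytes(self.mac(c)))

    def mac_positions(self):
        # Output positions holding the k tag bits (known only to whoever holds sigma).
        return [j for j in range(N + K) if self.sigma[j] >= N]


def project(out, positions):
    """Integer formed by the output bits at the given positions."""
    return bits_to_int([out[j] for j in positions])


def colliding_pairs(values):
    """Number of unordered pairs of equal values (the birthday-collision count)."""
    return sum(c * (c - 1) // 2 for c in Counter(values).values())


def expected_pairs(q, k):
    """Birthday estimate: q(q-1)/2 pairs, each colliding with probability 2^-k."""
    return q * (q - 1) / 2 / 2 ** k


def compare_subsets(oracle, queries, trials, seed):
    """Collision count on the true MAC positions vs. on random k-position subsets."""
    outs = [oracle.query(0) for _ in range(queries)]
    on_mac = colliding_pairs([project(o, oracle.mac_positions()) for o in outs])
    rng = random.Random(seed)
    on_random = []
    for _ in range(trials):
        pos = sorted(rng.sample(range(N + K), K))
        on_random.append(colliding_pairs([project(o, pos) for o in outs]))
    return on_mac, on_random


if __name__ == "__main__":
    oracle = Oracle(seed=1)
    q = 4 * 2 ** (K // 2)  # a few birthday bounds' worth of queries
    on_mac, on_random = compare_subsets(oracle, q, trials=20, seed=2)
    print(f"queries={q}, expected pairs per k-bit projection ~ {expected_pairs(q, K):.1f}")
    print(f"colliding pairs on the MAC positions: {on_mac}")
    print(f"colliding pairs on 20 random {K}-position subsets: {on_random}")
```

Running the script prints the collision count on the true MAC positions next to the counts on random subsets; with an unbiased MAC and uniform ciphertext, all of them scatter around the same birthday estimate, which is the observation the question makes. Note that `verify` has to undo $\sigma$ before checking the tag, so a receiver must hold the permutation as well as the MAC key; a tampered tag bit (flip any position in `mac_positions()`) fails verification as with an ordinary MAC.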

1 Answer


If the permutation is a shared secret, I don't see how that's different from normal HMAC; in the sense that you can't find a collision unless you know the key, the amount of permutations would be too many to calculate; but HMAC has those same cryptographic properties, even for a less-than-ideal hashing algorithm.

Update:

Here I explain the details of the number of possible permutations of the input bits (fun fact: this calculation actually comes into play when designing block ciphers). The issue is, while the number of ways you could permute the bits is extraordinarily high, the number of possible states will be upper-bounded at $2^n$ for $n$ bits. For an $m P n$ case (you select $n$ bits from set of bits $M$) you will be bounded by the number of possible $M$, as well as the possible $N$, making $2^n$ still your upper limit.

You cannot exceed the security provided by a normal $2^n$ bit hash, you can only match it with more permutation. Since any decent hashing algorithm already does this (and more), you end up with no change in your level of security. We're comparing internal states with input/output possibilities, and the input/output possibilities will always cap your security level. For this reason, I fail to see how it is different from a normal cryptographic hash.

Serpent27