-1

I'm trying to add the authentication for my One-Time Pad implementation.
I know that to provide Unconditionally Secure Authentication I need to use the One-Time MAC authentication.

But I don't understand why a solution as the following (that's a lot more easy to implement) doesn't provide the same security level :/

ciphertext = ((plaintext || H(plaintext)) XOR OTPKey)

With:
|| = concatenation
H = SHA-2
OTPKey is long enough to encrypt the plaintext and H(plaintext)

Mallory here can't brute force the ciphertext (because of the one-time pad), so he can't get the correct plaintext nor the digest...

Is this right? Can this provide unconditionally secure authentication?

I know that in practice it's vulnerable to known-plaintext attacks so please, don't consider it in this particular case. I'm interested in Unconditional Security in the sense that both the plaintext and the digest can benefit of the Information-theoretic security provided by One-Time Pad.
I'm interested in passive attacks and not in active ones.
Assume that Mallory here knows only the ciphertext ;-)

In other words: can I be sure that an attacker can't obtain the plaintext exploiting possible vulnerabilities introduced by the use of a hash function for the digest calculation?

Variant
How about this variant? Can I say that it provides Information-theoretic security for the plaintext AND it is vulnerable against active attacks with complexity of 2^256?
So in this case I can provide a certain level of security against known-plaintext attacks too (even if computational security).

ciphertext = (plaintext XOR OTPKey)
message = (ciphertext || H(ciphertext || K2))

With:
K2 = 32 bytes of random key, NOT correlated with OTPKey

Thank you to everyone :)

Community
  • 1
Riccardo Leschiutta
  • 199
  • 6
  • 1
    crossposted [from crypto](http://crypto.stackexchange.com/q/31063/991) without mentioning that on either site ​ ​ –  Dec 05 '15 at 19:31
  • @RickyDemer Is this not allowed? I am the same person who wrote in both forums, I hope you haven't down-vote my question for this reason :/ – Riccardo Leschiutta Dec 05 '15 at 19:42
  • Yes, 5 hours is much too soon. ​ If I wasn't fairly confident that the OPs were the same person, then I wouldn't have down-voted. ​ (Note that users can't down-vote the same question twice, so someone else also down-voted.) ​ ​ ​ ​ –  Dec 05 '15 at 19:59
  • You can _also_ say that "it is vulnerable against active attacks with complexity of" 2^1234. ​ (i.e., there are much faster active attacks.) ​ ​ ​ ​ –  Dec 06 '15 at 01:21
  • @RickyDemer "You can also say that "it is vulnerable against active attacks with complexity of" 2^1234. ​ (i.e., there are much faster active attacks.)" has ho sense to me because 2^1234 is not faster than a brute-force with complexity of 2^256. If you know to break it with lower complexity please explain. – Riccardo Leschiutta Dec 06 '15 at 07:18
  • It's "Let [m0,m1] be an internal collision [in H](https://en.wikipedia.org/wiki/Merkle–Damgård_construction), choose m arbitrarily, get the MAC for m0||m, then output [m1||m,MAC(m0||m)]." ​ ​ –  Dec 06 '15 at 07:36

1 Answers1

1

can I be sure that an attacker can't obtain the plaintext exploiting possible vulnerabilities introduced by the use of a hash function for the digest calculation?

I think you're safe. I think the only issue might be with the OTPKey implementation. You can't re-use the same key twice, it has to be truly random, and the key itself must be secure and known to both parties. Also, the contents of the message have to be completely unpredictable otherwise the key will be theoretically vulnerable to brute-force attack methods. Because of this, I would additionally implement a random value at the beginning of the message to be XORd with the rest of the message before anything. Other than that, I say all engines go.

Update

Regarding this method:

ciphertext = (plaintext XOR OTPKey)
message = (ciphertext || H(ciphertext || K2))

With:
K2 = 32 bytes of random key, NOT correlated with OTPKey

This should be effective as long as the attacker cannot get ahold of K2

Jonathan Gray
  • 1,036
  • 7
  • 11