kfogel / OneTime

An open source encryption program that uses the "one-time pad" method.
http://red-bean.com/onetime

information-theoretically secure authentication #23

Open aaannndddyyy opened 7 years ago

aaannndddyyy commented 7 years ago

Since one-time pads offer information-theoretically secure encryption, what do you think about adding an option to offer information-theoretically secure authentication too? It will be crazy on pad use, and yes, another option makes code more complex. But I think it could be done with only a few additional lines of code. A message of length L can be authed using pad of length 2L log(1/epsilon) ... using logarithm to base two. The user would by default use the current authentication method, but by specifying an epsilon in the options, onetime would use the secure method.

kfogel commented 7 years ago

Can you explain what is being authenticated?

Right now, the sender is implicitly authenticated because the sender has the pad -- if the receiver receives a message that can be decrypted with a specific pad, then the sender has been authenticated by that pad. But maybe I'm not understanding what you mean?

aaannndddyyy commented 7 years ago

Just a successful decryption is no guarantee for an authentic message. In the case of the known plaintext attack, the adversary can insert any message he likes, and the receiver will successfully decrypt it. To prevent this there are MACs. You already use that. But you use standard MACs, not information-theoretically secure ones, just like AES is a standard encryption and not information-theoretically secure. So I thought along the lines: If you already have information-theoretically secure encryption, why not use the best authentication possible, too? But from your comments in the other issues, I think I can already predict your answer: Not worth the complexity.
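
The gap discussed in this thread, as an added example (not OneTime's code and not written by either commenter): plain XOR decryption accepts a substituted message, while a one-time MAC keyed from fresh pad bytes rejects it. The polynomial MAC over the prime 2^127 - 1 is a swapped-in Wegman-Carter-style construction, not the 2L log(1/epsilon) scheme mentioned above; all function names, the 32-byte key layout and the sample messages are assumptions made for the illustration.

```python
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime: the field the tag is computed in
BLOCK = 15       # 15-byte blocks always encode to integers below P
KEYLEN = 32      # pad bytes spent on the MAC key (r, s) for each message

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def one_time_tag(data: bytes, key: bytes) -> bytes:
    """tag = s + sum(m_i * r**i) mod P, with the length as the last block."""
    # Reducing 16 pad bytes mod P leaves a negligible bias (assumed acceptable here).
    r = int.from_bytes(key[:16], "big") % P
    s = int.from_bytes(key[16:32], "big") % P
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    blocks.append(len(data).to_bytes(BLOCK, "big"))
    acc = 0
    for block in reversed(blocks):      # Horner's rule
        acc = (acc + int.from_bytes(block, "big")) * r % P
    return ((acc + s) % P).to_bytes(16, "big")

def seal(msg: bytes, pad: bytes) -> tuple[bytes, bytes]:
    """Encrypt with pad[KEYLEN:], then tag the ciphertext with pad[:KEYLEN]."""
    if len(pad) < KEYLEN + len(msg):
        raise ValueError("not enough pad")
    ct = xor(msg, pad[KEYLEN:KEYLEN + len(msg)])
    return ct, one_time_tag(ct, pad[:KEYLEN])

def unseal(ct: bytes, tag: bytes, pad: bytes) -> bytes:
    """Verify first; only decrypt ciphertext whose tag checks out."""
    if not hmac.compare_digest(tag, one_time_tag(ct, pad[:KEYLEN])):
        raise ValueError("authentication failed")
    return xor(ct, pad[KEYLEN:KEYLEN + len(ct)])

def demo() -> tuple[bytes, bool]:
    pad = secrets.token_bytes(64)       # constructed stand-in for a real pad
    known, wanted = b"PAY 0100 TO BOB", b"PAY 9999 TO EVE"  # constructed sample
    ct, tag = seal(known, pad)
    altered = xor(ct, xor(known, wanted))   # the substitution the thread describes
    unchecked = xor(altered, pad[KEYLEN:KEYLEN + len(altered)])  # decrypts cleanly
    try:
        unseal(altered, tag, pad)
        rejected = False
    except ValueError:
        rejected = True
    return unchecked, rejected
```

The key bytes, like the encryption bytes, must never be reused: a second tag under the same (r, s) lets an observer solve for the key. For a message of n blocks the chance that a substituted message passes is at most n/P.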