Does an information theoretically secure hash function exist? (By exist I mean is discovered/invented and implemented, not whether it could exist.)
1 Answer
The Gilbert-MacWilliams-Sloane MAC referred to by @SqueamishOssifrage in the comments is information theoretically secure "for single use", at the cost of having hashes that have length $2\ell$ for fixed length messages of length $\ell.$
Poly1305 is not information theoretically secure.
It is much more flexible, can take essentially arbitrary length inputs, and has a low probability $p$ of being spoofed, which depends on four factors, $\delta, C, D, L$, and which is essentially $\delta$ plus a tiny correction factor, so $$p\leq \delta+f(L,D)2^{-106}.$$ See the original paper by Bernstein (Springer LNCS vol. 3557, also available at his site https://cr.yp.to/mac/poly1305-20050329.pdf):
- One can have up to $C\leq 2^{64}$ authenticated messages
- Messages are of maximum length $L.$
- One can attempt up to $D$ forgeries
- $\delta$ is the probability of distinguishing AES output from a random permutation
To start with, we don't know what $\delta$ is. AES could be replaced if it was found to be weak, but the big issue is that there is no way of handling arbitrary input length messages with a probability distribution, which would enable one to define information theoretic security, which depends on entropy, a well-defined functional of a probability distribution.
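A toy version of the single-use affine MAC the answer attributes to Gilbert, MacWilliams and Sloane, added here as an example (not code from the original post): the tag is $a\cdot m+b$ over a prime field, so a fixed-length message of $\ell$ bits carries a $2\ell$-bit one-time key, a forger who has seen no tag succeeds with probability exactly $1/p$, and using the same key for two messages hands the key to anyone holding both tags, which is why the answer says "for single use". The prime $2^{61}-1$ and the sample values are my own choices.

```python
import secrets
from fractions import Fraction

# Constructed choice of field: the Mersenne prime 2^61 - 1, so a message is a
# 61-bit integer and the one-time key (a, b) is 2 * 61 bits, matching the
# "hash of length 2*ell for messages of length ell" remark in the answer.
P = (1 << 61) - 1
ELL = 61


def keygen() -> tuple[int, int]:
    """One-time key: two independent, uniformly random field elements."""
    return secrets.randbelow(P), secrets.randbelow(P)


def tag(key: tuple[int, int], m: int) -> int:
    """Affine one-time MAC: t = a*m + b (mod P)."""
    a, b = key
    if not 0 <= m < P:
        raise ValueError("message must be a field element")
    return (a * m + b) % P


def verify(key: tuple[int, int], m: int, t: int) -> bool:
    return tag(key, m) == t


def forgery_bound() -> Fraction:
    """With a fresh key and no tag seen, every tag value is equally likely,
    so a guess succeeds with probability exactly 1/P regardless of the
    adversary's computing power (this is the information-theoretic part)."""
    return Fraction(1, P)


def recover_key_from_reuse(m1: int, t1: int, m2: int, t2: int) -> tuple[int, int]:
    """Why 'single use': two tags under one key give two linear equations in
    (a, b), so a = (t1 - t2) / (m1 - m2) and b = t1 - a*m1 over GF(P)."""
    if m1 == m2:
        raise ValueError("need two distinct messages")
    a = (t1 - t2) * pow(m1 - m2, -1, P) % P
    b = (t1 - a * m1) % P
    return a, b


if __name__ == "__main__":
    key = keygen()
    m = secrets.randbelow(P)
    t = tag(key, m)
    print("verifies:", verify(key, m, t), "forgery bound:", float(forgery_bound()))
    m2 = (m + 1) % P
    print("key recovered from reuse:", recover_key_from_reuse(m, t, m2, tag(key, m2)) == key)
```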