You mentioned that adding a MAC would reduce security. I'd like to understand the mechanism behind this.
In standard cryptography, authentication (MAC) and confidentiality (encryption) are orthogonal properties — an HMAC over the output reveals nothing about the plaintext; it only allows the recipient to verify the output wasn't tampered with. The standard argument is that not having authentication is strictly worse, because an attacker can modify the output and the recipient has no way to detect it.
Is there a property specific to ZOSCII where integrity verification would leak information? For example, does "weaponised ambiguity" (the property that any output could plausibly decode to multiple messages) depend on the absence of authentication — because a MAC would pin the output to exactly one valid decoding?
If that's the reasoning, it would be worth stating explicitly, because it's a novel trade-off that most reviewers wouldn't expect.
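As an added illustration of the question above (example code written for this discussion, not ZOSCII's own code or anything from the thread), the following uses a one-time pad as a stand-in for a scheme with the "any output decodes to many messages" property: for a fixed output, a different pad makes it decode to any other equal-length message. It then shows the two ways a MAC can be bolted on. With an independent MAC key over the output, tampering is detected but the tag is equally consistent with every claimed decoding. With a MAC key derived from the same secret that selects the decoding (the hypothetical `mac_key_from_pad` design, an assumption for the sake of the demo), the tag verifies under exactly one pad, which is the "pins the output to one valid decoding" effect. All function names and the sample messages are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Toy stand-in for an "ambiguous" scheme: a one-time pad.  For a fixed output,
# every equal-length message is reachable by choosing a different pad, so the
# output alone never pins down which message was sent.

def otp_xor(pad: bytes, data: bytes) -> bytes:
    """XOR data with a pad of at least the same length (encrypt and decrypt)."""
    if len(pad) < len(data):
        raise ValueError("pad too short")
    return bytes(p ^ d for p, d in zip(pad, data))

def alternative_pad(output: bytes, claimed_msg: bytes) -> bytes:
    """The pad under which `output` decodes to `claimed_msg` (the deniability move)."""
    if len(claimed_msg) != len(output):
        raise ValueError("claimed message must match output length")
    return bytes(c ^ m for c, m in zip(output, claimed_msg))

def tag_output(mac_key: bytes, output: bytes) -> bytes:
    """HMAC-SHA256 over the output only (encrypt-then-MAC)."""
    return hmac.new(mac_key, output, hashlib.sha256).digest()

def verify_tag(mac_key: bytes, output: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a recomputed tag against the received one."""
    return hmac.compare_digest(tag_output(mac_key, output), tag)

def mac_key_from_pad(pad: bytes) -> bytes:
    """Hypothetical design choice (assumed here): derive the MAC key from the decoding secret."""
    return hashlib.sha256(b"mac-key|" + pad).digest()

def flip_last_bit(data: bytes) -> bytes:
    """Minimal tampering: flip one bit of the output."""
    return data[:-1] + bytes([data[-1] ^ 0x01])

REAL_MSG = b"attack at dawn!!"   # constructed sample plaintexts, 16 bytes each
ALT_MSG = b"retreat at noon!"

def independent_mac_key_case() -> dict:
    """MAC key unrelated to the pad: integrity is added, ambiguity is untouched."""
    pad = secrets.token_bytes(len(REAL_MSG))
    mac_key = secrets.token_bytes(32)
    output = otp_xor(pad, REAL_MSG)
    tag = tag_output(mac_key, output)
    alt = alternative_pad(output, ALT_MSG)
    return {
        # the alternative pad really does decode the same output to the other message
        "alt_pad_decodes_to_alt_msg": otp_xor(alt, output) == ALT_MSG,
        # the tag covers the output, not the pad, so it is equally valid for both stories
        "tag_valid_for_either_story": verify_tag(mac_key, output, tag),
        # ... while a modified output is rejected
        "tampering_detected": not verify_tag(mac_key, flip_last_bit(output), tag),
    }

def pad_derived_mac_key_case() -> dict:
    """MAC key derived from the pad: the tag now acts as a check on the decoding secret."""
    pad = secrets.token_bytes(len(REAL_MSG))
    output = otp_xor(pad, REAL_MSG)
    tag = tag_output(mac_key_from_pad(pad), output)
    alt = alternative_pad(output, ALT_MSG)
    return {
        "alt_pad_decodes_to_alt_msg": otp_xor(alt, output) == ALT_MSG,
        "tag_valid_under_real_pad": verify_tag(mac_key_from_pad(pad), output, tag),
        # the alternative story fails verification: only one decoding is now "valid"
        "tag_valid_under_alt_pad": verify_tag(mac_key_from_pad(alt), output, tag),
    }

if __name__ == "__main__":
    print("independent MAC key:", independent_mac_key_case())
    print("pad-derived MAC key:", pad_derived_mac_key_case())
```

The difference between the two cases is the whole trade-off in miniature: an HMAC over the output under an independent key only attests that the output is untouched, so the standard orthogonality argument holds and the multiple-decoding property survives. The property is lost only when whoever verifies the tag can derive the MAC key from the decoding secret, because then the tag doubles as a confirmation of which decoding is the intended one. If that is the design constraint behind the "MAC reduces security" remark, it is worth writing down in exactly those terms.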