Integrity and MAC games should require safety in the presence of a verification oracle

[cryslith]

Protocols which use integrity protection often additionally require that an attacker cannot, for instance, gain information about the key by learning whether some (message, tag) combination is valid. The MAC game should additionally allow the adversary to make arbitrary queries of the form "is tag T valid for message M?" in order to capture this requirement.

[lgarron]

Sounds plausible, but we'd have to figure out how to convey multiple versions of the game.(also see #7).

Do you have a reference for when this is part of the game?

[cryslith]

There is a discussion of the issue in The Power of Verification Queries in Message Authentication and Authenticated Encryption (Bellare, Goldreich, Mityagin)

[lgarron]

Thanks for the reference. I don't really know how to pick the right definition, but I think good rule of thumb is probably to do something that matches up with Wikipedia.

I don't have time for that myself, but am happy to accept contributions.