up:: Security Basics MOC
Integrity
Integrity is the guarantee that information has not been altered, by accident or by an attacker, without the change being detectable, so that what a recipient reads is byte-for-byte what the sender produced. It is the I in the CIA triad, and FIPS 199 defines it for all US federal information as “guarding against improper information modification or destruction,” including ensuring non-repudiation and authenticity. Cryptography delivers integrity with three tools that build on each other: a hash function fingerprints the data so a single changed bit shows, a MAC binds that fingerprint to a shared secret, and a digital signature binds it to a private key so the check also proves who produced it. The quantum threat leaves the hashes standing but breaks the signatures, because the public-key math that ties integrity to an identity is exactly what Shor’s algorithm dissolves.
The short version:
- Integrity means data hasn’t been changed without detection. It answers “is this exactly what was sent?”, a separate question from confidentiality (“who can read it?”) and authentication (“who are you?”).
- FIPS 199 codifies it as one of the three core security goals, and folds authenticity and non-repudiation into the same definition.
- Cryptography provides it in layers: a hash gives tamper-evidence, a MAC adds a shared secret, and a digital signature adds proof of origin that holds up as evidence.
- Hashes survive the quantum era with room to spare. SHA-256 loses only a manageable margin to Grover’s algorithm, so the tamper-evidence layer stays strong.
- The signatures that bind integrity to an identity do not survive. Shor’s algorithm recovers a private key from its public key, so a forged signature lets altered data look authentic. That is a real-time forgery risk, not a harvesting one.
Think about a tamper-evident seal on a bottle of medicine. The seal doesn’t hide what’s inside, and it doesn’t tell you who filled the bottle. It does one thing: it shows whether anyone opened and meddled with the contents between the factory and your hand. A cryptographic hash is the digital version of that seal, a fingerprint so sensitive that changing one character of the contents produces a completely different mark.
A signature goes one step further, pressing a seal that only the genuine manufacturer’s private stamp can make, so it proves both that nothing changed and that the real manufacturer sealed it. The quantum problem is that a forger who recovers that stamp can re-seal a tampered bottle so it looks factory-fresh.
What is data integrity?
Data integrity is the property that information stays complete and unaltered from the moment it’s created or sent to the moment it’s read, and that any unauthorized change is detectable. It is one of the three core goals of information security, alongside confidentiality and availability, and the US government defines all three in FIPS 199, drawing the wording straight from federal law (44 U.S.C. 3542). The FIPS 199 definition is worth reading in the original, because every downstream integrity control inherits it:
“Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”
Two things in that definition catch people off guard:
- Integrity covers destruction as well as modification. Deleting or corrupting a record is an integrity failure just as much as editing one, which is why ransomware that wipes data attacks integrity directly.
- NIST folds authenticity and non-repudiation into integrity. The data really came from who it claims, and the producer can’t deny making it, so the cryptographic tools that protect integrity heavily overlap with the tools that prove identity.
A clean way to hold the three core goals apart: confidentiality is about who can read, integrity is about who can change, and availability is about whether it works at all. A tampered software update, a silently edited bank balance, and a forged certificate are all integrity failures.
Source: NIST, “Standards for Security Categorization of Federal Information and Information Systems,” FIPS 199, February 2004, FIPS 199.
How does cryptography guarantee integrity?
Cryptography guarantees integrity by computing a value over the data that changes completely if the data changes at all, then giving a verifier a way to recompute and compare it. Three primitives do the work, and they stack: each one adds a guarantee the one before it lacks.
- Cryptographic hash functions give tamper-evidence. A hash function like SHA-256 takes an input of any size and produces a fixed-length fingerprint (a digest). A good hash has the avalanche property, so flipping a single bit of input changes about half the output bits, and it’s computationally infeasible to find two inputs with the same digest (collision resistance) or to reverse a digest back to an input (preimage resistance). Publish the digest of a file and anyone can recompute it after download to confirm nothing changed. A bare hash detects accidental corruption and tampering by anyone who can’t also replace the published digest.
- MACs add a shared secret, so an attacker can’t forge the fingerprint. A MAC, such as HMAC, mixes a secret key into the hash, producing a tag only holders of that key can compute or check. This closes the gap a bare hash leaves: an attacker who alters the data can’t produce a matching tag without the key. A MAC proves the data is unaltered and came from someone holding the shared key, but because both parties hold the same secret, it can’t prove which one produced it.
- Digital signatures add proof of origin that holds up as evidence. A digital signature computes the integrity value with a private key that only the signer holds, and anyone verifies it with the matching public key. Because only one party can produce it, a signature proves integrity plus authenticity plus non-repudiation, the full FIPS 199 bundle. This is the layer behind TLS certificates, code signing, and signed documents.
The through-line is that integrity always reduces to a hash. A signature or a MAC doesn’t sign the whole document directly; it signs the document’s hash, because public-key and keyed operations are slow and work on fixed-size inputs. That’s why the strength of an integrity guarantee depends on the strength of the hash underneath it, and why a broken hash function (as SHA-1 eventually became) is an integrity emergency.
| Mechanism | What it proves | Key model | Catches a malicious editor? | Proves who produced it? |
|---|---|---|---|---|
| Hash (e.g. SHA-256) | Data is unchanged since the digest was taken | No key | Only if the attacker can’t also replace the published digest | No |
| MAC (e.g. HMAC) | Data is unchanged and came from a key holder | Symmetric (one shared secret) | Yes | No, either key holder could have made it |
| Digital signature | Data is unchanged and came from one specific signer | Asymmetric (private signs, public verifies) | Yes | Yes, only the private-key holder could sign |
Sources: NIST, “Secure Hash Standard (SHS),” FIPS 180-4, August 2015, FIPS 180-4.
NIST, “The Keyed-Hash Message Authentication Code (HMAC),” FIPS 198-1, July 2008, FIPS 198-1.
NIST, “Digital Signature Standard (DSS),” FIPS 186-5, February 2023, FIPS 186-5.
How is integrity different from confidentiality and authentication?
Integrity, confidentiality, and authentication are three separate promises, and conflating them is a common source of security bugs. Integrity asks whether the data changed. Confidentiality asks whether an unauthorized party could read it. Authentication asks whether a party is who it claims to be. A message can satisfy any one without the others: a plaintext file with a published hash has integrity and no confidentiality, while an encrypted file with no integrity check can be corrupted or bit-flipped in transit without the reader knowing.
The reason these blur is that a digital signature delivers integrity and authentication at once, which makes them feel like one thing. They aren’t. Integrity is the guarantee about the data; authentication is the guarantee about the identity behind it. The relationship runs one direction: strong authentication of a producer is only meaningful if you can also trust the data wasn’t altered after they produced it, so integrity underwrites authentication rather than the reverse.
- Integrity without confidentiality: a signed but unencrypted press release. Everyone can read it, and everyone can verify it wasn’t edited.
- Confidentiality without integrity: raw encryption with no authentication tag. The data is unreadable to an eavesdropper, yet an attacker can still flip ciphertext bits and corrupt the decrypted result undetected, which is why modern schemes use authenticated encryption that bundles an integrity check in.
- Integrity plus authentication: a code-signed software update. The signature proves the binary wasn’t tampered with and that the real vendor produced it.
How does the quantum threat break integrity?
The quantum threat splits integrity down the middle: the hash layer survives, and the signature layer breaks. That split is the whole reason the post-quantum transition concentrates where it does.
The hashes hold up. Grover’s algorithm is the best known quantum attack on a hash function, and it gives only a quadratic speedup on brute-force search, which effectively halves a hash’s preimage-resistance strength. SHA-256 keeps roughly 128 bits of preimage resistance even against Grover, comfortably out of reach, so tamper-evidence built on strong hashes stays strong. NIST’s post-quantum assessment says exactly this: symmetric and hash-based primitives are not significantly threatened and larger output sizes restore any lost margin, unlike the public-key algorithms, which are broken outright.
The signatures do not hold up. A digital signature ties integrity to an identity through public-key math, RSA, ECDSA, and Ed25519, all resting on integer factorization or the discrete logarithm problem. A cryptographically relevant quantum computer running Shor’s algorithm solves both problems efficiently, so it recovers the private key from the public key that’s already sitting inside every certificate. Once an attacker holds the private key, they can forge a valid signature over altered data, and the alteration passes every integrity check that trusts that key. This is a Non-HNDL threat, and the way it fails is worth holding onto:
- It targets trust, not secrecy. Unlike Harvest Now, Decrypt Later, which records encrypted data now to decrypt later, signature forgery has nothing to record. The attack is real-time impersonation and tampering once the machine exists.
- The forgery is undetectable. A signature’s entire job is to certify integrity. When the signing key is forged, altered data carries a valid-looking seal, so the mechanism that was supposed to catch tampering now vouches for it. There’s no clean after-the-fact recovery.
- The worst case is PKI collapse. Breaking a single root Certificate Authority signing key makes every certificate beneath it forgeable at once, so an attacker can vouch for the integrity of anything across a whole trust domain.
The reason this is a present-day problem, even though the machine is years out, is the trust-forgery clock. NIST IR 8547 puts classical signature algorithms on a deprecation-then-disallowance schedule (deprecated in 2030, disallowed for federal use in 2035), and rebuilding certificate hierarchies and trust stores takes years, so the migration has to finish before a quantum computer arrives. Anything signed today that still needs to be trusted afterward is already living on borrowed time.
| Integrity layer | Quantum attack | Effect | Status |
|---|---|---|---|
| Hashes (SHA-256) | Grover’s algorithm | Halves brute-force strength; SHA-256 keeps ~128-bit preimage resistance | Survives, larger output sizes restore any margin |
| MACs (HMAC) | Grover’s algorithm on the key | Manageable margin loss, mitigated by key size | Survives |
| Signatures (RSA, ECDSA, Ed25519) | Shor’s algorithm | Private key recovered from public key, arbitrary forgery | Broken, must move to ML-DSA / SLH-DSA |
Sources: L. Chen et al., NIST, “Report on Post-Quantum Cryptography,” NIST IR 8105, April 2016, NIST IR 8105.
P. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM J. Computing, 1997, quant-ph/9508027.
What replaces the broken integrity mechanisms?
The hashes mostly stay, and the signatures get replaced by post-quantum standards. Because the hash layer survives, integrity built on SHA-256 or SHA-3 needs no wholesale swap; the migration work lands on the signature layer that ties integrity to an identity. NIST finalized two post-quantum signature standards in August 2024, with a third in draft, and the choice depends on the role:
- ML-DSA is the general-purpose default for TLS certificates, code signing, and tokens.
- SLH-DSA is the conservative choice for long-lived roots of trust, resting on plain hash functions rather than lattice math.
- FIPS 206 (FN-DSA) is the compact choice for size-sensitive roles, still in draft as of NIST’s late-2024 signature work.
These are not drop-in swaps. Post-quantum signatures and keys are much larger than elliptic-curve ones (the smallest ML-DSA signature runs over 2,400 bytes versus roughly 64 bytes for ECDSA P-256), so the cost lands on certificates, parsers, and trust stores. The common transitional pattern carries both a classical and a post-quantum signature (dual signatures or composite certificates) so verifiers upgrade at their own pace, and designing for that flexibility is crypto-agility.
Sources: NIST, “Module-Lattice-Based Digital Signature Standard,” FIPS 204, August 2024, FIPS 204.
NIST, “Stateless Hash-Based Digital Signature Standard,” FIPS 205, August 2024, FIPS 205.
Common misconceptions
- “Integrity means the data is secret.” It doesn’t. Integrity proves data wasn’t altered while leaving it fully readable. Secrecy is confidentiality, a separate goal handled by encryption, and a signed press release has integrity with no confidentiality at all.
- “Encryption gives you integrity for free.” Plain encryption protects confidentiality, and an attacker can still flip ciphertext bits to corrupt the decrypted result undetectably. Integrity needs its own mechanism, which is why modern systems use authenticated encryption that bundles a MAC or tag alongside the ciphertext.
- “A hash by itself stops a determined attacker.” A bare hash catches accidental corruption and casual tampering, but an attacker who alters the data can also replace the published digest. Stopping a malicious editor needs a keyed mechanism, a MAC or a signature.
- “Quantum computing breaks data integrity.” It breaks the signature layer that binds integrity to an identity, through forgery. The hash layer that provides tamper-evidence survives, because SHA-256 only loses a manageable margin to Grover’s algorithm.
- “Integrity is only about editing data.” FIPS 199 covers improper destruction too, so deleting or corrupting records is an integrity failure, which is why ransomware that encrypts or wipes data attacks integrity as well as availability.
- “If the signature checks out, the data must be trustworthy.” A valid signature proves the data wasn’t changed and came from a specific key holder. It says nothing about whether that key was stolen or whether the signer is honest, so integrity is necessary for trust but not sufficient on its own.
Questions people ask
What’s the difference between integrity and confidentiality? Integrity guarantees data wasn’t altered without detection; confidentiality guarantees only authorized parties can read it. They’re independent, so a plaintext file with a published hash has integrity and no confidentiality, and a raw-encrypted file can have confidentiality with no integrity.
How does a hash provide integrity? A hash function produces a fixed-size fingerprint of the data where changing one bit changes the whole fingerprint. Publish the fingerprint, and anyone can recompute it later to confirm the data is unchanged. A bare hash catches accidental corruption and casual tampering, but stopping a malicious editor who can also swap the fingerprint needs a MAC or a signature.
What’s the difference between integrity and authentication? Integrity is a guarantee about the data (it wasn’t changed); authentication is a guarantee about the identity behind it (they’re really who they claim). A digital signature delivers both at once, which is why they blur, but they answer different questions.
Does the quantum threat break hashes? Not in a way that matters for strong ones. Grover’s algorithm roughly halves a hash’s brute-force strength, so SHA-256 keeps about 128 bits of preimage resistance, well out of reach. NIST assesses hash and symmetric primitives as not significantly threatened, with larger sizes restoring any lost margin.
Then how does quantum computing threaten integrity at all? Through the signatures that bind integrity to an identity. Shor’s algorithm recovers a signing private key from its public key, so an attacker can forge a valid signature over altered data, and the tampering passes every check that trusts that key.
Is the integrity threat a harvest-now problem like encrypted data? No. Signature forgery is a Non-HNDL threat with nothing to record in advance. It’s real-time forgery and impersonation once a quantum computer exists, unlike Harvest Now, Decrypt Later, where harvested traffic waits for the machine.
What do I replace to protect integrity in the quantum era? Keep strong hashes like SHA-256, and move the signature layer to post-quantum standards: ML-DSA for general-purpose signing and SLH-DSA for long-lived roots of trust.
Is integrity part of the CIA triad? Yes. It’s the I in confidentiality, integrity, and availability, the three core security goals defined in FIPS 199, which also folds authenticity and non-repudiation into its integrity definition.
Go deeper
The other core goals: Confidentiality · Availability · Authentication · Non-repudiation
The cryptography that delivers integrity: hashing · SHA-256 · MACs · digital signatures
What the quantum threat does to it: Shor’s algorithm · Grover’s algorithm · Non-HNDL · PKI Collapse. This note sits under Security Basics.
Everything here is the map, given freely. When your team needs the signatures and certificates behind its own data integrity found, sized, and moved onto a post-quantum footing, that’s the work I do. Request an alignment briefing.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.