[cryptography] "Combined" cipher modes

tor.bjorstad at accenture.com
Mon Feb 20 10:54:49 EST 2012

[ianG, 2012-02-20]
> A good plaintext packet design can push strong variation into the first
> bytes. e.g., the MAC can go at the beginning not the end.  It used to be
> customary to put the MAC at the end because hardware calculated it and
> streamed it at the same time, but software doesn't work that way.
> (There was a paper suggesting that encrypt-then-mac was better than mac-
> then-encrypt, but I vaguely recall this result only applies under some
> circumstances.  Does anyone recall how important this issue was?)

As I recall it:

Either mode should be secure in practice if implemented using a secure cipher
and a secure MAC and used correctly.  Using Encrypt-then-MAC yields better
provable security properties, see the paper by Bellare and Namprempre for
details (<http://cseweb.ucsd.edu/~mihir/papers/oem.html>) "Authenticated
Encryption: Relations among notions and analysis of the generic composition

The main advantage of Encrypt-then-MAC (both in theory and in practice) is
that EtM lets you reject all invalid ciphertexts without having to decrypt.
This both makes the proof easier, and saves you some cycles whenever a bad
packet comes along.

Cheers, Tor
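
The two points made in this thread, putting the MAC at the front of the packet and Encrypt-then-MAC rejecting invalid ciphertexts without decrypting, shown as an added example (not code from either poster). The HMAC-SHA256 counter-mode keystream is a stand-in cipher chosen as an assumption because the Python standard library has no block cipher; `EtMChannel`, `seal`, `unseal` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import os

TAG_LEN = 32    # HMAC-SHA256 output size
NONCE_LEN = 16

def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 as a PRF in counter mode,
    # used only because the standard library ships no block cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(enc_key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class EtMChannel:
    """Encrypt-then-MAC with independent keys; packet = tag || nonce || ciphertext."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.decrypt_calls = 0  # instrumentation: how often the cipher ran on receive

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        body = nonce + _keystream_xor(self.enc_key, nonce, plaintext)
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return tag + body  # MAC goes first and covers nonce and ciphertext

    def unseal(self, packet: bytes):
        if len(packet) < TAG_LEN + NONCE_LEN:
            return None  # too short to hold a tag and nonce
        tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None  # rejected before any decryption work
        self.decrypt_calls += 1
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        return _keystream_xor(self.enc_key, nonce, ciphertext)

def demo():
    ch = EtMChannel(os.urandom(32), os.urandom(32))
    packet = ch.seal(b"constructed sample payload")
    tampered = bytearray(packet)
    tampered[-1] ^= 0x01  # flip one ciphertext bit
    results = (ch.unseal(packet), ch.unseal(bytes(tampered)), ch.unseal(packet[:10]))
    return results, ch.decrypt_calls

if __name__ == "__main__":
    print(demo())
```

The `decrypt_calls` counter stays at 1 across the three packets in `demo()`: only the authentic packet ever reaches the cipher.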
