[cryptography] "Combined" cipher modes

Jean-Philippe Aumasson jeanphilippe.aumasson at gmail.com
Mon Feb 20 11:07:10 EST 2012


hey Tor! ;)

Colin Percival also had interesting comments re encrypt-then-mac vs others:
http://www.daemonology.net/blog/2009-06.html



On Mon, Feb 20, 2012 at 4:54 PM,  <tor.bjorstad at accenture.com> wrote:
> [ianG, 2012-02-20]
>> A good plaintext packet design can push strong variation into the first
>> bytes. e.g., the MAC can go at the beginning not the end.  It used to be
>> customary to put the MAC at the end because hardware calculated it and
>> streamed it at the same time, but software doesn't work that way.
>>
>> (There was a paper suggesting that encrypt-then-mac was better than mac-
>> then-encrypt, but I vaguely recall this result only applies under some
>> circumstances.  Does anyone recall how important this issue was?)
>
> As I recall it:
>
> Either mode should be secure in practice if implemented using a secure cipher
> and a secure MAC and used correctly.  Using Encrypt-then-MAC yields better
> provable security properties, see the paper by Bellare and Namprempre for
> details ("Authenticated Encryption: Relations among notions and analysis of
> the generic composition paradigm",
> <http://cseweb.ucsd.edu/~mihir/papers/oem.html>).
>
> The main advantage of Encrypt-then-MAC (both in theory and in practice) is
> that EtM lets you reject all invalid ciphertexts without having to decrypt.
> This both makes the proof easier, and saves you some cycles whenever a bad
> packet comes along.
>
> Cheers, Tor

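An added example, not from the thread or any of its posters, of the point quoted above that Encrypt-then-MAC lets a receiver reject invalid ciphertexts without decrypting, with the tag placed at the front of the packet as ianG suggests. The SHA-256 counter-mode keystream is a stand-in cipher for illustration only, and the names `seal`, `open_packet` and `stats` are assumptions of this sketch.

```python
import hashlib
import hmac
import os

TAG_LEN = 32     # HMAC-SHA256 output size
NONCE_LEN = 16
stats = {"decrypt_calls": 0}  # how often the cipher runs on received data


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), illustration only.
    A real design would use a vetted cipher such as AES-CTR."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt first, then MAC nonce and ciphertext. Layout: tag || nonce || ct."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return tag + nonce + ct


def open_packet(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Return the plaintext, or None if the packet fails authentication."""
    if len(packet) < TAG_LEN + NONCE_LEN:
        return None
    tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None                             # rejected before any decryption
    stats["decrypt_calls"] += 1                 # only authentic packets get here
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return _keystream_xor(enc_key, nonce, ct)
```

With MAC-then-encrypt the receiver would have to run the cipher on every packet before it could check the tag; here `stats["decrypt_calls"]` only increases for packets whose tag verified.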

