[Cryptography] The paranoid approach to crypto-plumbing

John Kelsey crypto.jmk at gmail.com
Tue Sep 17 18:21:47 EDT 2013

On Sep 17, 2013, at 11:41 AM, "Perry E. Metzger" <perry at piermont.com> wrote:

> I confess I'm not sure what the current state of research is on MAC
> then Encrypt vs. Encrypt then MAC -- you may want to check on that.

Encrypt then MAC has a couple of big advantages centering around the idea that you don't have to worry about reaction attacks, where I send you a possibly malformed ciphertext and your response (error message, acceptance, or even time differences in when you send an error message) tells me something about your secret internal state.  

> Perry


More information about the cryptography mailing list