[Cryptography] The paranoid approach to crypto-plumbing

Dan McDonald danmcd at kebe.com
Tue Sep 17 19:39:58 EDT 2013

On Sep 17, 2013, at 7:18 PM, Jerry Leichter wrote:

> On Sep 17, 2013, at 6:21 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
>>> I confess I'm not sure what the current state of research is on MAC
>>> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
>> Encrypt then MAC has a couple of big advantages centering around the idea that you don't have to worry about reaction attacks, where I send you a possibly malformed ciphertext and your response (error message, acceptance, or even time differences in when you send an error message) tells me something about your secret internal state.  
> On a purely practical level, to reject a damaged message, with decrypt-then-MAC (ordering things on the receiver's side...) I have to pay the cost of a decryption plus a MAC computation; with MAC-then-decrypt, I only pay the cost of the MAC.  On top of this, decryption is often more expensive than MAC computation.  So decrypt-then-MAC makes DOS attacks easier.
> One could also imagine side-channel attacks triggered by chosen ciphertext.  Decrypt-then-MAC allows an attacker to trigger them; MAC-then-decrypt does not. (Attacks on MAC's seems somewhat less likely to be data dependent, but who knows for sure.  In any case, even if you had such an attack, it would get you the authentication key - and at that point you would be able to *start* your attack not the decryption key.

People have made these attacks mildly practical (and note how old this and the cited paper are).



More information about the cryptography mailing list