Short description of encryption methods?


I can't seem to wrap my head around these encryption methods. I can't find a brief description for any of them.

  • Hash then encrypt
  • MAC then encrypt
  • Encrypt and MAC
  • Encrypt then MAC

I invite you to read the answers on this question. If you have another question or you want more information, don't hesitate to ask.
Patriot
Does this answer your question? "Should we MAC-then-encrypt or encrypt-then-MAC?"
Gilles 'SO- stop being evil'
@Patriot While there's a very informative answer there, I don't think it fits this question. It assumes the reader already knows what those terms mean, and takes it from there. It doesn't have the basic explanation. It's also somewhat dated in not mentioning that the correct answer is “none of the above”. It's also missing hash-then-encrypt.
Patriot
@Gilles'SO-stopbeingevil' That makes sense. Perhaps a moderator can step in and decide what to do.

If you're a user of cryptography: all of these are obsolete. There is no reason in this day and age to combine a MAC or hash with encryption. Use a standard AEAD algorithm, which combines confidentiality and authenticity protection in a way that's been vetted by cryptographers. It might use MAC-then-encrypt, encrypt-then-MAC or encrypt-and-MAC under the hood, or something that doesn't fit into any of those three frameworks, but you don't need to care.

If you're a designer of cryptographic primitives: all of these are potential ways to provide authenticated encryption. Authenticated encryption of a message guarantees two properties: confidentiality (only entities who have the secret key can recover the message from the ciphertext) and authenticity (only entities who have the secret key can craft a valid ciphertext).

A MAC guarantees authenticity. Encryption guarantees confidentiality under certain assumptions (encryption without authenticity can be vulnerable to oracle attacks, for example padding oracle attacks against the popular CBC mode). You can combine a MAC primitive M with an encryption primitive E on a message m in various ways (|| is concatenation):

  • E(m) || M(E(m)): encrypt-then-MAC. Encrypt the message, and append the MAC of the encryption.
  • E(m || M(m)): MAC-then-encrypt. Append the MAC of the message to the message, and encrypt the result.
  • E(m) || M(m): encrypt-and-MAC. Encrypt the message, and append the MAC of the original message.

It's possible to get each of them right. It's also possible to get each of them wrong. For a review of the upsides and downsides of each approach, read "Should we MAC-then-encrypt or encrypt-then-MAC?"

Hash-then-encrypt is the same thing as MAC-then-encrypt, except that it uses a hash function instead of a MAC: E(m || H(m)). This has a good chance of guaranteeing confidentiality since everything is encrypted. Authenticity is more fragile: it relies on the adversary not being able to craft the encryption of the hash. I'm not aware of a working construction that uses this framework, but it's possible that one exists.

Bonus question: why not encrypt-then-hash or encrypt-and-hash?

Those cannot possibly work. Encrypt-then-hash (E(m) || H(E(m))) allows anyone to forge arbitrary messages by just making up a ciphertext and appending its hash. (And the adversary may even be able to know the message content; for example, truncating a ciphertext often corresponds to truncating a message, so an adversary can freely truncate an existing message.) Encrypt-and-hash (E(m) || H(m)) reveals the hash of the message, so anyone can at least guess what the message might be and verify their guess.
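
The difference between E(m) || M(E(m)) and E(m) || H(E(m)) described above, as an added example that is not part of the original answer: the same receiver check accepts a truncated, re-hashed ciphertext but rejects it when the tag is a keyed MAC. The function names are hypothetical, and `E` is a stand-in XOR keystream built from HMAC-SHA256 so the script runs on the standard library alone (an assumption for illustration, not a vetted cipher).

```python
import hashlib
import hmac
import secrets

NONCE, TAG = 16, 32  # nonce length; SHA-256 / HMAC-SHA256 output length

def E(key, nonce, data):
    # Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream.
    # XOR means the same call also decrypts.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def M(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def H(data):
    return hashlib.sha256(data).digest()

def seal(ek, m, tag_fn):
    # E(m) || tag_fn(E(m)); tag_fn is a keyed MAC or the unkeyed hash.
    nonce = secrets.token_bytes(NONCE)
    c = nonce + E(ek, nonce, m)
    return c + tag_fn(c)

def unseal(ek, blob, tag_fn):
    # Check the tag over the ciphertext first; decrypt only if it matches.
    if len(blob) < NONCE + TAG:
        return None
    c, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, tag_fn(c)):
        return None
    return E(ek, c[:NONCE], c[NONCE:])

def cut_and_rehash(blob, keep):
    # Needs no key: keep `keep` ciphertext bytes and append their public hash.
    c = blob[:-TAG][:NONCE + keep]
    return c + H(c)

if __name__ == "__main__":
    ek, mk = secrets.token_bytes(32), secrets.token_bytes(32)
    mac = lambda c: M(mk, c)
    m = b"refund 10 only if the return is approved"  # constructed sample
    print(unseal(ek, cut_and_rehash(seal(ek, m, H), 9), H))      # b'refund 10'
    print(unseal(ek, cut_and_rehash(seal(ek, m, mac), 9), mac))  # None
```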

