Score:1

Is it undesirable for authentication to require decrypting a ciphertext?

nz flag

A couple years ago, I devised some primitives for block ciphers and block cipher modes of operation; I was partly inspired by CAESAR. What these designs all had in common is that the encryption/decryption process would produce a bit string $T_i$ for each block and all of these bit strings would be combined together to make the authentication tag $T$.

Today I remembered some of the reasons why encrypt-then-MAC is preferred over other authentication methods, so now I'd like to know if the authenticated encryption scheme described above is undesirable.

Score:1
mx flag

That sounds like OCB. OCB and similar schemes are fine. Security bounds are usually a little weaker than non-integrated Encrypt-then-MAC (EtM) constructions but not enough to matter.

But creating your own? OCB-like constructions are subtle and can break very very badly. OCB2 was shown to be completely insecure for example. EtM constructions are pretty easy to get right. If building your own EtM construction is like cutting down a tree, creating an OCB-like construction would be juggling running chainsaws.

Side channel attacks

If side channel attacks are a concern, then EtM constructions help in that decryption keys are never touched until the authentication tag is checked. If the attacker is mounting a side channel attack to recover the encryption keys that adds an additional inconvenience (need to recover the MAC key first).
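The ordering the answer describes (check the tag, and only then touch the decryption key) is easy to show in code. The following is an added illustration, not the asker's design or any standard library's implementation: the stream cipher is HMAC-SHA256 run in counter mode as a stand-in for a real cipher, the subkey labels `b"enc"`/`b"mac"` and the `STATS` counter are constructed for the demonstration, and the key and nonce are fixed so the run is reproducible.

```python
"""Encrypt-then-MAC with verify-before-decrypt (added example).

The cipher here is a PRF (HMAC-SHA256) in counter mode, used only so the
example runs with the standard library; it is not the question's design.
"""
import hashlib
import hmac

# Counts every use of the encryption key, so we can show that a message
# rejected by the tag check never reaches the decryption step.
STATS = {"keystream_calls": 0}


def derive_subkey(master_key: bytes, label: bytes) -> bytes:
    """Key separation: distinct subkeys for encryption and for the MAC (labels are constructed)."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 over nonce||counter (illustrative only)."""
    STATS["keystream_calls"] += 1
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def mac_tag(mac_key: bytes, nonce: bytes, ad: bytes, ciphertext: bytes) -> bytes:
    """Tag over nonce, associated data and ciphertext; lengths are encoded so fields cannot shift."""
    msg = (len(nonce).to_bytes(2, "big") + nonce
           + len(ad).to_bytes(8, "big") + ad
           + ciphertext)
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(master_key: bytes, nonce: bytes, plaintext: bytes, ad: bytes = b"") -> tuple:
    """Encrypt, then MAC the ciphertext (never the plaintext)."""
    enc_key = derive_subkey(master_key, b"enc")
    mac_key = derive_subkey(master_key, b"mac")
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ciphertext, mac_tag(mac_key, nonce, ad, ciphertext)


def unseal(master_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes, ad: bytes = b""):
    """Verify first with a constant-time compare; derive and use the encryption key only afterwards."""
    mac_key = derive_subkey(master_key, b"mac")
    if not hmac.compare_digest(mac_tag(mac_key, nonce, ad, ciphertext), tag):
        return None  # rejected: no plaintext is ever produced, enc_key is never used
    enc_key = derive_subkey(master_key, b"enc")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> tuple:
    """Seal one message, then feed the receiver three corrupted inputs and one good one."""
    key = bytes(range(32))       # constructed fixed key, for reproducibility
    nonce = b"\x00" * 12         # constructed; a real sender must never reuse a nonce per key
    ct, tag = seal(key, nonce, b"attack at dawn", b"hdr")
    before = STATS["keystream_calls"]
    tampered = bytes([ct[0] ^ 1]) + ct[1:]
    r_flip = unseal(key, nonce, tampered, tag, b"hdr")      # one ciphertext bit flipped
    r_ad = unseal(key, nonce, ct, tag, b"HDR")              # associated data altered
    r_key = unseal(bytes(32), nonce, ct, tag, b"hdr")       # a different key: tag does not verify
    rejected_without_decrypting = STATS["keystream_calls"] == before
    r_ok = unseal(key, nonce, ct, tag, b"hdr")
    return r_flip, r_ad, r_key, rejected_without_decrypting, r_ok


if __name__ == "__main__":
    print(demo())
```

The three rejections return before `keystream` is ever called with the encryption key, which is the side-channel argument in the answer made concrete: an attacker who only ever submits forgeries obtains traces of the MAC key path, not the decryption path. The wrong-key case also fails verification because the tag is an HMAC under a key derived from the master key, which is the key-commitment property raised in the comments; with a construction whose tag does not depend on the key in this way, the same ciphertext could verify under two different keys.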

samuel-lucas6
bs flag
Note that OCB and current standardised/popular schemes (e.g. AES-GCM, ChaCha20-Poly1305) have a design flaw in that they're [not committing](https://eprint.iacr.org/2022/1260). This causes [vulnerabilities](https://eprint.iacr.org/2020/1456) in [certain](https://eprint.iacr.org/2019/016) scenarios like for [messaging apps](https://breakingthe3ma.app/). Sponge-based constructions are a simple fix for this problem assuming they have a large enough tag, like [AEGIS](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-aegis-aead). Encrypt-then-MAC done properly also solves this problem.
Melab
nz flag
I don't know if it's OCB-like or not. I'm pretty sure it's more general than OCB. What I mean is is it undesirable for the same reasons MAC-then-encrypt or encrypt-and-MAC are? Like, how the decrypted data is vulnerable to handling without authentication.