Quiz Entry - updated: 2026.07.14
What are the three possible orderings of encryption and integrity protection, and what are they called?
The three options are MAC-then-Encrypt, MAC-and-Encrypt, and Encrypt-then-MAC — they differ in what gets MACed and what gets encrypted.
* Encrypt-then-MAC lets the receiver verify before decrypting — the safest ordering. *
Option A: MAC-then-Encrypt (MtE)
- Compute $\text{MAC}(m)$
- Encrypt both: $E(m \| \text{MAC}(m))$
- Used by: SSL/TLS (older versions)
- The MAC is hidden inside the ciphertext
Option B: MAC-and-Encrypt (M&E)
- Compute $\text{MAC}(m)$ and $E(m)$ independently
- Send both: $E(m) \| \text{MAC}(m)$
- Used by: SSH
- The MAC is computed on plaintext but sent alongside ciphertext
Option C: Encrypt-then-MAC (EtM)
- Encrypt: $c = E(m)$
- Compute MAC on ciphertext: $\text{MAC}(c)$
- Send: $c \| \text{MAC}(c)$
- Used by: IPsec, TLS 1.3 (via AEAD)
- Considered the safest approach
Why EtM is preferred:
- The receiver can verify integrity before decrypting — rejecting tampered ciphertexts without wasting computation on decryption
- Prevents padding oracle attacks (which exploit the decrypt-then-verify pattern in MtE)
- Provably secure under standard assumptions
Modern best practice: Use AEAD modes (e.g., AES-GCM, ChaCha20-Poly1305) which implement EtM internally as a single operation.
Go deeper:
Authenticated encryption — why Encrypt-then-MAC and AEAD are preferred.