Encrypt-then-MAC does provide ciphertext integrity, but no plaintext integrity. With MAC-then-Encrypt it’s the other way around: Plaintext integrity but no ciphertext integrity.

What comes to mind is that it could make sense to use both to fix that “partially missing integrity” issue:

Trying to research if this would introduce more problems instead of solving them, I wasn’t able to find any useful papers that provide a security analysis of this approach. Also, I wasn’t able to find any papers discussing related schemes.

Ignoring potential speed impacts and focusing strictly on the security aspects… is there any obvious reason I’m not seeing why such a scheme should not be considered in the first place? Or do related references/papers exist and I was simply too inapt to find them? (If so, what should I be looking for?)

As some confusion was expressed in the comment area – please note that the above LaTeX merely represents a readable hint at what I’m talking about. It is not meant to describe a whole formula (which I assumed to be clear due to the prepended “$…$” and the fact that there is no $key$ in the above LaTeX either). The reason to prefer posting a hint instead of a complete formula was simple: the complete formula renders/formats much less readable and could have confused some people – which I wanted to prevent. Obviously, “what is less confusing to some, is more confusing to others”. That’s something I honestly hadn’t anticipated… my bad.

$$CypherText = IV || Encrypt(PlainText || MAC_1(PlainText, MacKey_1), IV, CipherKey) || \\ MAC_2(IV || Encrypt(PlainText || MAC_1(PlainText, MacKey_1), IV, CipherKey), MacKey_2)$$

Don’t even ask how this would look if I wouldn’t be using a tag… yet, it may help understand why I opted-in to posting a hint.
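The MAC-then-Encrypt-then-MAC layout from the formula in the question, written out as an added example that is not part of the original post. HMAC-SHA256 for both MACs, the 16-byte IV, the function names and the keystream stand-in for `Encrypt` are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size (assumed MAC for both layers)
IV_LEN = 16   # assumed IV size


def _keystream_xor(data: bytes, iv: bytes, cipher_key: bytes) -> bytes:
    """Stand-in for Encrypt/Decrypt: XOR with an HMAC-SHA256 counter keystream.
    Illustration only; a real deployment would use a vetted cipher mode."""
    out = bytearray()
    for offset in range(0, len(data), TAG_LEN):
        counter = (offset // TAG_LEN).to_bytes(8, "big")
        pad = hmac.new(cipher_key, iv + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + TAG_LEN], pad))
    return bytes(out)


def seal(plaintext, mac_key_1, mac_key_2, cipher_key, iv=None):
    """IV || Encrypt(PlainText || MAC_1(PlainText)) || MAC_2(IV || ciphertext)."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    inner = hmac.new(mac_key_1, plaintext, hashlib.sha256).digest()
    body = iv + _keystream_xor(plaintext + inner, iv, cipher_key)
    outer = hmac.new(mac_key_2, body, hashlib.sha256).digest()
    return body + outer


def open_sealed(blob, mac_key_1, mac_key_2, cipher_key):
    """Check the outer tag before touching the ciphertext, the inner tag after."""
    if len(blob) < IV_LEN + 2 * TAG_LEN:
        raise ValueError("ciphertext too short")
    body, outer = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected_outer = hmac.new(mac_key_2, body, hashlib.sha256).digest()
    if not hmac.compare_digest(outer, expected_outer):
        raise ValueError("outer MAC mismatch")  # ciphertext integrity failed
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    padded = _keystream_xor(ciphertext, iv, cipher_key)
    plaintext, inner = padded[:-TAG_LEN], padded[-TAG_LEN:]
    expected_inner = hmac.new(mac_key_1, plaintext, hashlib.sha256).digest()
    if not hmac.compare_digest(inner, expected_inner):
        raise ValueError("inner MAC mismatch")  # plaintext integrity failed
    return plaintext
```

Decrypting with the wrong `cipher_key` passes the outer check and fails the inner one, which is the case the second tag is meant to cover.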