
I am currently studying authenticated encryption and I was wondering if there was a difference between using a MAC and authenticated encryption. It seemed like authenticated encryption schemes use MACs in order to provide a level of integrity to the ciphertext.

However, I was unsure if there were specific modes of operation for different ciphers that inherently provided a level of authenticated encryption or if a MAC was always necessary to provide authenticated encryption?

Any examples would be of great help.

winsticknova

2 Answers


A MAC is basically applied after encryption is totally complete, where "authenticated encryption" usually refers to something like a mode of operation that builds an authentication tag as the process of encryption moves along. The goal of the "authenticated encryption" is basically doing the same job as a MAC in fewer passes/applications of crypto primitives.

Examples of "authenticated encryption" include GCM mode and the duplex mode offered by the sponge construction. Using either of these will produce an authentication tag with the ciphertext. If data was encrypted using either of these, then application of HMAC after encryption is not necessary.

Suppose a mode of operation like CBC was used instead. It does not produce an authentication tag, and in order to assure integrity and authentication we would require the application of HMAC. This must wait until after encryption is complete. Because this is essentially two totally separate operations, it is relatively slow compared to GCM mode.

Ella Rose

There is at least one authenticated mode of encryption that uses a "single pass" for both encryption and authentication. It's called OCB mode and was invented by Philip Rogaway, who patented it. Although the IP rights are waived for most applications, it is still not used much because of it.

Single pass means that the plaintext is only processed once by a symmetric cipher, and that no additional complex mathematical operations are required to authenticate each byte of plaintext or ciphertext (some pre-processing or post-processing is allowed).

There are also schemes where something more lightweight can be used to create an authentication tag. GCM uses GHASH which is basically just Galois field multiplication. The hash is then secured by encrypting it with the cipher stream generated by the block cipher. So in the end there is a not-so-complex mathematical operation over each block and a single block encrypt at the end. Because of this it is sometimes called a 1.5 pass authenticated mode of operation (where 1 pass is CTR mode, and the additional 0.5 pass is the Galois field multiplication).

To finish it off we can take a look at CCM and EAX modes of operation. Both simply use a MAC (AES-CMAC to be precise) to accomplish authentication. These modes are basically specific constructs of a cipher (again in CTR mode) and a MAC. There is even an RFC that (tries to) standardize the well-known CBC + HMAC mode of operation. The deterministic SIV mode is another. These are all two-pass modes of operation - and in general those simply use a MAC construction internally.


Of course all authenticated modes require something like an authentication tag. You need the ciphertext + authentication tag to be larger than the plaintext to provide authenticity / integrity (if you assume that the binary encoded plaintext messages may contain any value).

Maarten Bodewes