0Pricing
Cryptology Academy · Lesson

Why Encrypt-Then-MAC Beats MAC-Then-Encrypt

Understand the cryptographic argument for combining encryption and authentication in the correct order.

Three Composition Orders

When combining encryption and a MAC, three orderings exist: Encrypt-then-MAC (EtM), MAC-then-Encrypt (MtE), and Encrypt-and-MAC (E&M). Each has fundamentally different security properties, and only one is provably secure in all settings.

Encrypt-then-MAC Defined

In Encrypt-then-MAC, the plaintext is first encrypted to produce ciphertext, and then the MAC is computed over that ciphertext. The receiver can verify the MAC before ever attempting decryption, which means a tampered message is rejected immediately without revealing information.

All lessons in this course

  1. Why Encrypt-Then-MAC Beats MAC-Then-Encrypt
  2. SIV Mode: Nonce-Misuse Resistant AEAD
  3. AEGIS: High-Speed Authenticated Encryption
  4. Selecting AEAD for Production Systems
← Back to Cryptology Academy