1

I have seen other answers here on Stack Exchange regarding MAC-Then-Encrypt vs. Encrypt-Then-MAC (and this article regarding MAC-Then-Encrypt padding oracle attacks on SSL) as well as generic Hash-Then-Encrypt vs. Encrypt-Then-Hash, but in this case I am seeking insights on the security aspects of a specific authentication protocol employing a keyed hash function:

$$Alice \xrightarrow{m||h_k(m)} Bob$$

In this setup, where $m$ denotes the transmitted message from Alice to Bob and $k$ represents the shared secret key, the message travels over a public channel susceptible to modification and message insertion by attackers.

Assume we utilize the encryption function $E_k$ of a one-key cipher and a hash function $h$. The cipher is deemed secure, and $h$ possesses the weak collision resistance property and is one-way.

Given that $m$ is public and the hash function $h$ satisfies weak collision resistance, which of the following keyed hash functions provides greater security?

  1. $$h_k(m) = h(E_k(m))$$
  2. $$h_k(m) = E_k(h(m))$$

My understanding is that Hash-Then-Encrypt might offer similar security to Encrypt-Then-Hash due to the computational infeasibility of an attacker finding another $m'$ such that $h(m) = h(m')$. Can someone confirm or provide additional insights on this?

Hero

2 Answers

0

After talking to some professors at my university, I have come to the following answer, which I'd like to share:

First of all, what is called "weak collision resistance" here is also what's often referred to as the 2nd pre-image resistance property.

Now, while the 2nd pre-image resistance / weak collision resistance property is usually defined as "computationally infeasible" to compute another $m'$ such that $h(m') = h(m)$, it is still (although very unlikely) mathematically possible to find such an $m'$. It's like winning the lottery - not very likely, but still technically possible.

And since this question simply asks "which is more secure", then Encrypt-Then-Hash (1) is the more secure implementation out of the two. But if this was in a practical setting, one could argue that they both provide the same level of security.

Hero
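
The difference between the two constructions in the question can be checked with a small Python sketch, added here as an illustration and not part of either answer: it replays Alice's tag on keyless second preimages of $h$ and counts how many Bob accepts under each construction. Assumptions: $h$ is SHA-256 deliberately truncated to 16 bits so that second preimages are findable, $E_k$ is a toy deterministic HMAC-keystream stand-in, and all function names, keys and messages are constructed for the demo.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # Constructed weak hash: SHA-256 truncated to 16 bits so that second
    # preimages can be found by brute force (a real h would not be truncated).
    return hashlib.sha256(data).digest()[:2]

def E(k: bytes, data: bytes) -> bytes:
    # Toy deterministic stand-in for the cipher E_k: XOR with an
    # HMAC-SHA256 keystream. Assumption for this demo, not a recommendation.
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(k, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def tag_encrypt_then_hash(k, m):   # construction 1: h(E_k(m))
    return h(E(k, m))

def tag_hash_then_encrypt(k, m):   # construction 2: E_k(h(m))
    return E(k, h(m))

def second_preimages(m, count):
    # Keyless search: uses only the public m and the public function h.
    target, found, i = h(m), [], 0
    while len(found) < count:
        cand = b"constructed message #%d" % i
        if cand != m and h(cand) == target:
            found.append(cand)
        i += 1
    return found

def accepted_forgeries(tag_fn, k, m, forgeries):
    # Bob recomputes the tag with k; the attacker replays Alice's tag for m.
    observed = tag_fn(k, m)
    return sum(hmac.compare_digest(tag_fn(k, f), observed) for f in forgeries)

def demo():
    k = b"constructed demo key"
    m = b"constructed original message"
    forged = second_preimages(m, 4)
    return (accepted_forgeries(tag_encrypt_then_hash, k, m, forged),
            accepted_forgeries(tag_hash_then_encrypt, k, m, forged))

if __name__ == "__main__":
    print("accepted (h(E_k(m)), E_k(h(m))):", demo())
```

With construction 2 every second preimage of $h$ on the public $m$ carries Alice's tag unchanged; with construction 1 a matching tag needs $h(E_k(m')) = h(E_k(m))$, which cannot be searched for without $k$.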
0

I'm thinking that in the case where $h$ is not well designed (i.e., $h$ does not have the weak collision resistance property), MAC-Then-Encrypt may still be secure because $E_k$ is safe. However, Encrypt-Then-MAC is not safe, because any collision pair of $h$ must be a collision pair of $h_k$.

Bruce Z.