14 November 2014

Quote from “Principles of Computer System Design: An Introduction”:

For both confidentiality and authentication, Alice first encrypts and then signs the encrypted message (i.e., SIGN(ENCRYPT(M , K_encrypt ), K_sign )), or, the other way around. (If good implementations of SIGN and VERIFY are used, it doesn’t matter for correctness in which order the operations are applied.)

A recent paper on the topic on the order of authentication and encrypting suggests that first encrypting and then computing an authentication tag may cover up certain weaknesses in some implementations of the encrypting primitives. Also, cryptographic transformations have been proposed that perform the transformation for encrypting and computing an authentication tag in a single pass over the message, saving time compared to first encrypting and then computing an authentication tag.