ScholarGate

Message Authentication Codes

A message authentication code (MAC) uses a shared secret key to produce a short tag that lets a receiver verify a message's integrity and authenticity, detecting any tampering or forgery.


Definition

A message authentication code is a symmetric primitive that, given a secret key and a message, produces a fixed-length tag such that anyone without the key cannot forge a valid tag for any new message, even after seeing tags on chosen messages.

Scope

This topic covers symmetric authentication: the security goal of existential unforgeability under chosen-message attack, MAC constructions from hash functions (HMAC) and block ciphers (CMAC, GMAC), and their combination with encryption to form authenticated encryption (encrypt-then-MAC, AES-GCM). It addresses pitfalls such as length-extension and the need for constant-time tag comparison. It excludes digital signatures, which provide public verifiability and non-repudiation using public-key cryptography.

Core questions

  • How does a shared key let a receiver detect any modification to a message?
  • What does existential unforgeability under chosen-message attack require of a secure MAC?
  • How are secure MACs built from hash functions (HMAC) and from block ciphers (CMAC)?
  • How should encryption and authentication be combined to protect both secrecy and integrity?
  • Why must tag comparison be constant-time, and what attacks exploit timing leaks?

Key concepts

  • authentication tag
  • existential unforgeability
  • chosen-message attack
  • HMAC
  • CMAC and GMAC
  • authenticated encryption (AEAD)
  • encrypt-then-MAC
  • constant-time comparison
  • replay protection

Key theories

Existential unforgeability under chosen-message attack
The standard MAC security definition: an adversary who can request tags on messages of its choice still cannot produce a valid tag on any message it has not queried, making forgery infeasible.
HMAC and authenticated encryption
HMAC nests a keyed hash twice to yield a provably secure MAC from any standard hash; combining a MAC with encryption via encrypt-then-MAC (or using AES-GCM) yields authenticated encryption that protects confidentiality and integrity together.

Mechanisms

HMAC computes H((K xor opad) || H((K xor ipad) || message)), where H is a hash function and ipad/opad are fixed pads; the nested structure defeats length-extension and is provably secure if the compression function is a pseudorandom function. Block-cipher MACs such as CMAC chain encryptions of message blocks with a final keyed adjustment. Authenticated-encryption modes like AES-GCM compute a Galois-field MAC (GMAC) over the ciphertext to bind confidentiality and integrity in one pass.
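The HMAC construction described above, written out step by step so the two nested hashes and the key padding from RFC 2104 are visible. This is an added example, not code from the page; it uses only the Python standard library and checks itself against `hmac.new`, and the demo key and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # SHA-256 compression function takes 64-byte blocks; pads are block-sized
IPAD = 0x36       # fixed inner pad byte (RFC 2104)
OPAD = 0x5C       # fixed outer pad byte (RFC 2104)


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 as H((K xor opad) || H((K xor ipad) || message))."""
    # A key longer than one block is first hashed down to the digest size.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    # A shorter key is zero-padded on the right to exactly one block.
    key = key.ljust(BLOCK_SIZE, b"\x00")
    # Two key variants, one per pad.
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    # Inner hash binds the message under the ipad key...
    inner = hashlib.sha256(k_ipad + message).digest()
    # ...and the outer hash over that digest is what defeats length extension:
    # the tag reveals no internal hash state that appended data could continue.
    return hashlib.sha256(k_opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison: a byte-by-byte early exit would leak, through
    timing, how many leading tag bytes a guess got right."""
    expected = hmac_sha256(key, message)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-written construction against the standard library."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample key, not for real use
    msg = b"transfer 100 to account 42"      # constructed sample message
    tag = hmac_sha256(key, msg)
    print("tag:", tag.hex())
    print("matches hmac.new:", matches_stdlib(key, msg))
    print("genuine message verifies:", verify_tag(key, msg, tag))
    print("altered message verifies:", verify_tag(key, b"transfer 900 to account 42", tag))
```

The last two lines of the demo show the property the page defines: the same tag accepts the original message and rejects the altered one. The comparison goes through `hmac.compare_digest` rather than `==` so that verification time does not depend on where the first differing byte lies.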

Practical relevance

MACs authenticate nearly all secure network traffic: HMAC underpins TLS record integrity, IPsec, JSON Web Tokens, and AWS-style API request signing, while AES-GCM provides authenticated encryption in TLS 1.3 and disk encryption. Verifying a MAC is what stops an attacker from silently altering ciphertext or replaying captured messages.

Evidence & guidelines

HMAC is standardized in FIPS 198-1 and RFC 2104; CMAC in NIST SP 800-38B; GCM/GMAC in NIST SP 800-38D. Best practice favors authenticated-encryption (AEAD) constructions and the encrypt-then-MAC ordering; the MAC-then-encrypt ordering used in older TLS contributed to padding-oracle attacks.

History

Early MACs were built from DES in CBC-MAC mode. The discovery that naive keyed-hash MACs were vulnerable to length-extension motivated HMAC, introduced by Bellare, Canetti, and Krawczyk in 1996 and standardized soon after. The 2000s brought the formalization of authenticated encryption and dedicated AEAD modes such as GCM and CCM, now the default for protecting data in transit.

Key figures

  • Mihir Bellare
  • Ran Canetti
  • Hugo Krawczyk
  • Phillip Rogaway

Seminal works

  • bellare1996hmac: M. Bellare, R. Canetti and H. Krawczyk, "Keying Hash Functions for Message Authentication", CRYPTO 1996.
  • katz2020: J. Katz and Y. Lindell, Introduction to Modern Cryptography, 3rd edition, CRC Press, 2020.
  • menezes1996: A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.

Frequently asked questions

What is the difference between a MAC and a digital signature?
Both authenticate a message, but a MAC uses a shared secret key, so any party who can verify a tag could also have produced it — there is no non-repudiation. A digital signature uses a private key for signing and a public key for verification, so only the signer could have created it and anyone can check it.
Should I encrypt first or authenticate first?
The recommended order is encrypt-then-MAC: encrypt the plaintext, then compute the MAC over the ciphertext. This lets the receiver reject forged ciphertexts before decrypting them and avoids padding-oracle and other attacks that arise from MAC-then-encrypt orderings.
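The encrypt-then-MAC ordering from this answer, together with the replay protection listed under key concepts, as an added example that is not part of the original page. It assumes a message format of sequence number || nonce || ciphertext || tag, derives separate encryption and MAC keys from one master key, and, to stay within the standard library, uses an HMAC-based counter-mode keystream as a stand-in for AES-CTR (the cipher is not the point; the verify-before-decrypt logic is). Keys and messages are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

TAG_LEN = 32     # HMAC-SHA256 output
NONCE_LEN = 12   # per-message nonce
SEQ_LEN = 8      # 64-bit sequence number in the header


def derive_subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Independent keys for encryption and authentication; one key is never used for both."""
    k_enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def keystream_xor(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption of this example, not a standard mode):
    keystream block i = HMAC(k_enc, nonce || i), XORed with the data."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), TAG_LEN)):
        block = hmac.new(k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + TAG_LEN], block))
    return bytes(out)


def seal(master_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt, then MAC over everything the receiver will act on."""
    k_enc, k_mac = derive_subkeys(master_key)
    header = struct.pack(">Q", seq)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(k_enc, nonce, plaintext)
    body = header + nonce + ciphertext
    tag = hmac.new(k_mac, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Verifies the tag first, then rejects replays, and only then decrypts."""

    def __init__(self, master_key: bytes) -> None:
        self.k_enc, self.k_mac = derive_subkeys(master_key)
        self.highest_seq = -1   # simple strictly-increasing window

    def open(self, packet: bytes) -> Optional[bytes]:
        if len(packet) < SEQ_LEN + NONCE_LEN + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # 1. Authenticate before touching the ciphertext: a forged or modified
        #    packet is dropped here, so no decryption oracle is ever exposed.
        expected = hmac.new(self.k_mac, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        header = body[:SEQ_LEN]
        nonce = body[SEQ_LEN:SEQ_LEN + NONCE_LEN]
        ciphertext = body[SEQ_LEN + NONCE_LEN:]
        # 2. Replay check: a valid tag proves origin, not freshness, so a captured
        #    packet would verify again without the sequence-number state.
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.highest_seq:
            return None
        self.highest_seq = seq
        # 3. Only a fresh, authentic packet is decrypted.
        return keystream_xor(self.k_enc, nonce, ciphertext)


if __name__ == "__main__":
    key = b"constructed-master-key"          # constructed sample key
    rx = Receiver(key)
    pkt = seal(key, 1, b"transfer 100 to account 42")
    print("genuine:", rx.open(pkt))
    flipped = bytearray(pkt)
    flipped[SEQ_LEN + NONCE_LEN] ^= 0x01       # one bit of ciphertext changed in transit
    print("tampered:", Receiver(key).open(bytes(flipped)))
    print("replayed:", rx.open(pkt))
```

Because the tag covers the header and nonce as well as the ciphertext, an attacker cannot reorder, renumber or re-nonce a captured packet without invalidating it; the sequence-number check is what turns a valid-but-old packet into a rejected one.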
