Message Confidentiality and Integrity - Prepend Hash versus Append Hash

Hi All,

Given a message m, are the two below equivalent (prepending a hash
versus appending a hash):

E_k( h(m) || m ) and E_k( m || h(m) )

Handbook of Applied Cryptography tells me to use E_k( m || h(m) ) to
achieve confidentiality and integrity [1].

In practice, appending the hash is more difficult (in terms of
programming logic) if the message is not on a BLOCKSIZE boundary,
since we have to deal with 'tail bytes' before padding.

Things become much simpler if I can perform E_k( h(m) || m ) since
h(m) is always on a BLOCKSIZE boundary.


[1] Online book:, p. 365.

Relevant Pages