And only if verification succeeds, will then go ahead and
decrypt the ciphertext component to recover the message m.
What can we say about security here?
Well, it turns out that it's possible to prove that if the underlying encryption
scheme is CPA-secure and the underlying message authentication code is secure,
that is, it ensures integrity, then the combination of the two in this encrypt and
authenticate approach is CPA-secure.
That is, it does give us the secrecy that we desire for the combination of the two
when the sender uses this mechanism to send messages to the receiver.
In addition, the combination is also a secure MAC.
Now here, this is not quite true because the construction on
the previous slide doesn't quite fit into the syntactic definition of
a message authentication code.
Nevertheless, the idea should be clear and
that is that the combination does guarantee the integrity property that we
desire, essentially that the attacker cannot trick
the receiver into outputting any message that was not sent by the sender.