AES cache timing attack

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jun 21 22:09:07 EDT 2005


Ian Grigg <iang at systemics.com> writes:

>Alternatively, if one is in the unfortunate position of being an oracle for a
>single block encryption then the packet could be augmented with a cleartext
>random block to be xor'd with the key each request.

Moves you from being an encryption oracle to a related-key oracle, and makes
the protocol non-idempotent.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
