[Cryptography] Power analysis hardening of AES through choice of mode and IV construction

Phillip Hallam-Baker hallam at gmail.com
Thu Aug 11 14:26:38 EDT 2022


Was at Jasper Van Woudenberg’s BlackHat talk on side channels. Had some thunks.


According to the traditional threat model, the IV used to initialize a block cipher mode is not sensitive and is passed in clear text.

I don’t do this in the Mesh; I generate the IV and the Key from a KDF using different tags. This was not done for a security reason, it just avoided an additional set of data. The reason for doing this was to prevent reuse of the IV. Every data sequence that is encrypted is encrypted using parameters derived from the primary key by means of a unique salt.


But now consider the effect of using KDF generation of the IV and OCB mode so that the plaintext data being encrypted is tweaked before going into the block cipher. This has the effect of masking the plaintext before it is input to the block, provided that the IV is secret.

This would limit the scope for side channel exploits but not eliminate them. An attacker could still work on the key derivation schedule, but that is kinda hard because it is a one-off. Another possibility would be to work back from the output.
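The derivation scheme sketched above (key and IV pulled from one KDF under different tags, with a fresh salt per data sequence so the IV is never reused and never has to be transmitted), as an added example that is not the Mesh's own code: it uses HKDF (RFC 5869) over HMAC-SHA256 as the KDF, and the tag strings, key/IV lengths and the 12-byte nonce size are assumptions chosen for illustration, not values from the post. The IV stays secret as long as the primary key does, which is the precondition the masking argument above relies on; the salt itself can travel in the clear.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i), i = 1, 2, ..."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Hypothetical tag labels (assumption; the Mesh's real labels are not given in the post).
# Distinct "info" values make the key and the IV independent outputs of the same PRK.
KEY_TAG = b"example/aes-key"
IV_TAG = b"example/aes-iv"


def derive_params(primary_key: bytes, sequence_salt: bytes,
                  key_len: int = 32, iv_len: int = 12) -> tuple[bytes, bytes]:
    """Derive (key, iv) for one data sequence from the long-term primary key.

    Only `sequence_salt` needs to accompany the ciphertext; the IV is never sent,
    so a party without `primary_key` never learns it (assumed 96-bit nonce size).
    """
    prk = hkdf_extract(sequence_salt, primary_key)
    key = hkdf_expand(prk, KEY_TAG, key_len)
    iv = hkdf_expand(prk, IV_TAG, iv_len)
    return key, iv


def count_distinct_ivs(primary_key: bytes, sequences: int) -> int:
    """Simulate `sequences` encryptions, each with a fresh random salt, and
    count how many distinct IVs result (should equal `sequences`)."""
    seen = set()
    for _ in range(sequences):
        salt = os.urandom(16)          # unique per data sequence
        _key, iv = derive_params(primary_key, salt)
        seen.add(iv)
    return len(seen)


if __name__ == "__main__":
    # Constructed demo values, not real key material.
    primary = os.urandom(32)
    salt = os.urandom(16)
    key, iv = derive_params(primary, salt)
    print("salt (public):", salt.hex())
    print("key  (secret):", key.hex())
    print("iv   (secret):", iv.hex())
    print("distinct IVs over 1000 sequences:", count_distinct_ivs(primary, 1000))
```

The receiver recomputes `derive_params(primary_key, salt)` from the salt carried with the message, so decryption needs nothing beyond what the classical scheme already sends, minus the IV itself.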

Perhaps if we designed a mode with integrated masking???

