[Cryptography] Power analysis hardening of AES through choice of mode and IV construction

Natanael natanael.l at gmail.com
Fri Aug 12 03:37:01 EDT 2022


On Fri 12 Aug 2022 02:43 Phillip Hallam-Baker <hallam at gmail.com> wrote:

> Was at Jasper Van Woudenberg’s BlackHat talk on side channels. Had some
> thunks.
>
> According to the traditional threat model, the IV used to initialize a
> block cipher mode is not sensitive and is passed in clear text.
>
> I don’t do this in the Mesh, I generate the IV and the Key from a KDF
> using different tags. This was not done for a security reason, it just
> avoided an additional set of data. The reason for doing this was to prevent
> reuse of the IV. Every data sequence that is encrypted is encrypted using
> parameters derived from the primary key by means of a unique salt.
>
> But now consider the effect of using KDF generation of the IV and OCB mode
> so that the plaintext data being encrypted is tweaked before going into the
> block cipher. This has the effect of masking the plaintext before it is
> input to the block, provided that the IV is secret.
>
> This would limit the scope for side channel exploits but not eliminate
> them. An attacker could still work on the key derivation schedule, but that
> is kinda hard because it is a one-off. Another possibility would be to work
> back from the output.
>
> Perhaps if we designed a mode with integrated masking???
>

Encryption modes hiding the nonce have already been proposed.

https://dl.acm.org/doi/abs/10.1007/978-3-030-26948-7_9
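The derivation Phillip describes above (key and IV pulled from one primary key through a KDF with different tags, with a unique salt per data sequence so the IV never repeats and never has to travel in clear text) as an added illustration; this is not the Mesh's own code. It assumes HKDF-SHA256 (RFC 5869) as the KDF and uses hypothetical tag labels; the salt is the only per-sequence value that would be sent alongside the ciphertext.

```python
import hashlib
import hmac
import os


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key_and_iv(primary_key: bytes, salt: bytes,
                      key_len: int = 32, iv_len: int = 12) -> tuple:
    """Derive a cipher key and a secret IV from one primary key.

    Distinct info tags (hypothetical labels) keep the two outputs
    independent; the per-sequence salt makes every (key, IV) pair unique,
    so the IV is never reused. The salt is public, but the IV stays secret
    because it depends on primary_key, which an observer does not hold.
    """
    prk = hkdf_extract(salt, primary_key)
    key = hkdf_expand(prk, b"example/key", key_len)
    iv = hkdf_expand(prk, b"example/iv", iv_len)
    return key, iv


def new_sequence_salt() -> bytes:
    """Fresh random salt for each encrypted data sequence (constructed here)."""
    return os.urandom(16)


if __name__ == "__main__":
    master = os.urandom(32)  # constructed primary key for the demo
    k1, iv1 = derive_key_and_iv(master, new_sequence_salt())
    k2, iv2 = derive_key_and_iv(master, new_sequence_salt())
    print("key/IV differ per sequence:", iv1 != iv2 and k1 != k2)
```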