[Cryptography] Power analysis hardening of AES through choice of mode and IV construction

Phillip Hallam-Baker hallam at gmail.com
Tue Aug 16 12:01:23 EDT 2022


On Fri, Aug 12, 2022 at 3:37 AM Natanael <natanael.l at gmail.com> wrote:

>
>
> Den fre 12 aug. 2022 02:43Phillip Hallam-Baker <hallam at gmail.com> skrev:
>
>> Was at Jasper Van Woudenberg’s BlackHat talk on side channels. Had some
>> thunks.
>>
>>
>>
>> According to the traditional threat model, the IV used to initialize a
>> block cipher mode is not sensitive and is passed in clear text.
>>
>> I don’t do this in the Mesh, I generate the IV and the Key from a KDF
>> using different tags. This was not done for a security reason, it just
>> avoided an additional set of data. The reason for doing this was to prevent
>> reuse of the IV. Every data sequence that is encrypted is encrypted using
>> parameters derived from the primary key by means of a unique salt.
>>
>>
>> But now consider the effect of using KDF generation of the IV and OCB
>> mode so that the plaintext data being encrypted is tweaked before going
>> into the block cipher. This has the effect of masking the plaintext before
>> it is input to the block, provided that the IV is secret.
>>
>> This would limit the scope for side channel exploits but not eliminate
>> them. An attacker could still work on the key derivation schedule, but that
>> is kinda hard because it is a one-off. Another possibility would be to work
>> back from the output.
>>
>> Perhaps if we designed a mode with integrated masking???
>>
>
> Encryption modes hiding the nonce have already been proposed.
>
> https://dl.acm.org/doi/abs/10.1007/978-3-030-26948-7_9
>

I published specifications with running code using the construction hiding
the nonce before that. I am pretty sure I raised the KDF construct here
before I used it. I usually do. It certainly seems to me that the
construction is better. The paper looks at the question in a bit more
detail.

But that is not the part of the problem that was interesting me. The bit
that I think we should take a look at is whether the OCB tweakage on the
input does make side channel cryptanalysis harder and if so whether we
should develop a version using it on the output as well.

One way to do that today would be to double encrypt in OCB mode under
separate keys and IVs.


I don't think this is going to be a sufficient concern for many
applications but it certainly will be for some.
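As an added illustration of the KDF construction described in the thread (this is my example, not code from the Mesh specifications or from anyone in the thread): the key and the IV are both derived from a primary key and a per-sequence salt, under different info tags, using HKDF-SHA256 as specified in RFC 5869. The tag strings, the output lengths (a 32-byte AES-256 key and a 12-byte nonce of the size RFC 7253 recommends for OCB), and the salt-reuse check are assumptions for illustration; the thread does not say which KDF or tags the Mesh actually uses. The point the code makes is that the IV is never transmitted, is unique per data sequence as long as the salt is, and that salt reuse is therefore the one failure the implementation has to watch for.

```python
import hashlib
import hmac
from typing import Dict, Tuple

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC default when no salt is given
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-Expand")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: extract a PRK from the primary key and salt, then expand under a tag."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Tags and lengths are assumptions for this example; the thread only says
# "different tags" and does not name them.
KEY_TAG = b"key"
IV_TAG = b"iv"
KEY_LEN = 32   # AES-256 key
IV_LEN = 12    # 96-bit nonce, the size RFC 7253 recommends for OCB


def derive_params(primary_key: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive (key, iv) for one data sequence from the primary key and that sequence's salt.

    Because the IV comes out of the KDF rather than being sent in the clear,
    it is as secret as the key; because the salt is unique per sequence,
    the IV is unique per sequence.
    """
    key = hkdf(primary_key, salt, KEY_TAG, KEY_LEN)
    iv = hkdf(primary_key, salt, IV_TAG, IV_LEN)
    return key, iv


def derive_for_sequences(primary_key: bytes, salts: list) -> Dict[bytes, Tuple[bytes, bytes]]:
    """Derive parameters for a batch of sequences, refusing any salt that repeats.

    A repeated salt under the same primary key would reproduce the same
    (key, iv) pair, which is exactly the nonce reuse the construction exists
    to prevent, so it is treated as an error rather than silently allowed.
    """
    seen: Dict[bytes, Tuple[bytes, bytes]] = {}
    for salt in salts:
        if salt in seen:
            raise ValueError("salt reused under the same primary key: %s" % salt.hex())
        seen[salt] = derive_params(primary_key, salt)
    return seen


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    primary = bytes(range(32))
    salts = [b"seq-0001".ljust(16, b"\0"), b"seq-0002".ljust(16, b"\0")]
    for salt, (key, iv) in derive_for_sequences(primary, salts).items():
        print(salt.rstrip(b"\0").decode(), "key=" + key.hex()[:16] + "...", "iv=" + iv.hex())
```

The `hkdf` function can be checked against the first test vector in RFC 5869 Appendix A, which is what the test below does; the rest of the test exercises the properties the thread relies on (different tags give unrelated outputs, different salts give different IVs, a repeated salt is rejected).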