Cryptography Reference
In-Depth Information
Fig. 5.6
AONT as a DPA and
fault countermeasure
m
c
m
encryption
AONT
PET
c
r
k
k
0
5.5.1 All-or-Nothing Transforms
In [278], all-or-nothing transforms (AONTs) were introduced as a DPA countermea-
sure. The basic idea is depicted in Fig.
5.6
. The AONT takes the input message
m
and
uses the value
r
to generate the randomized message
m
.Thevalue
r
is random and
unknown to the adversary. Nor is it actually needed to reconstruct
m
from
m
.After
applying the AONT, an ordinary encryption of
m
takes place. This would be already
sufficient to counter fault attacks. However, DPA attacks can also be performed on
the ciphertext and therefore a post-encryption transformation (PET) is necessary.
The PET takes the value
c
and uses another pre-shared key
k
0
to generate
c
.
A possible realization of an AONT is optimal asymmetric encryption padding
(OAEP) [30].
5.5.2 The Message Modifying Approach
Probably the most efficient approach to protect block ciphers against fault attacks is
described in [171]. It encrypts
m
=
r
instead of
m
. Here,
r
is random but made
public together with the ciphertext. As a result, an adversary has no control over
the message to encrypt. However,
m
is known to the attacker and thus DPA attacks
are possible.
m
⊕
5.5.3 Fresh Re-keying
The third protocol-level countermeasure we look at is fresh re-keying [282]. As the
name already suggests, fault attacks are prevented by randomizing the key before
every encryption. The idea, as illustrated in Fig.
5.7
,istouseafunction
g
to derive a
session key
k
=
. Afterwards
k
is used to encrypt
m
.Thevalue
r
is random,
but made public together with the ciphertext. The scheme is more expensive than
the previous one because
g
must be more complex than a simple XOR in order to
provide DPA security. However, in contrast to the AONT approach this scheme does
not need an additional pre-shared key.
g
(
k
,
r
)
