In cryptography, an all-or-nothing transform (AONT), also known as an all-or-nothing protocol, is an encryption mode which allows the data to be understood only if all of it is known. AONTs are not encryption, but frequently make use of symmetric ciphers and may be applied before encryption. In exact terms, "an AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known." 
The original AONT, the package transform, was described by Ronald L. Rivest in his 1997 paper "All-Or-Nothing Encryption and The Package Transform". Simply put, Rivest proposed encrypting each plaintext block with a random key to form the pseudomessage, then hashing each encrypted block and XORing all the hashes together with the random key to generate the last block of the pseudomessage. The blocks are also XOR'd with an incrementing counter to prevent duplicate blocks encrypting identically. This results in a "package" that cannot be partially decoded.
Apparently at about the same time, D. R. Stinson proposed a different implementation of AONT, without any cryptographic assumptions. This implementation is a linear transform, perhaps highlighting some security weakness of the original definition.
AONTs can be used to increase the strength of encryption without increasing the key size. This may be useful to, for example, secure secrets while complying with government cryptography export regulations. AONTs help prevent several attacks.
One of the ways AONTs improve the strength of encryption is by preventing attacks which reveal only part of the information from revealing anything, as the partial information is not enough to recover any of the original message.
Another application, suggested in the original papers is to reduce the cost of security: for example, a file can be processed by AONT, and then only a small portion of it can be encrypted (e.g., on a smart-card). AONT will assure that as a result the whole file is protected. It is important to use the stronger version of the transform (such as the one by Boyko above).
Other uses of AONT can be found in optimal asymmetric encryption padding (OAEP).
- Boyko, Victor (1999). On the Security Properties of OAEP as an All-or-nothing Transform. CRYPTO Proceedings. Lecture Notes in Computer Science. 1666. pp. 503–518. doi:10.1007/3-540-48405-1_32. ISBN 978-3-540-66347-8.
- Rivest, Ronald (1997). All-or-nothing encryption and the package transform. FAST SOFTWARE ENCRYPTION Proceedings. Lecture Notes in Computer Science. 1267. pp. 210–218. doi:10.1007/BFb0052348. ISBN 978-3-540-63247-4.
- Stinson, D. R. (1 January 2001). "Something About All or Nothing (Transforms)". Designs, Codes and Cryptography. 22 (2): 133–138. doi:10.1023/A:1008304703074.
- Resch, Jason; Plank, James (February 15, 2011). AONT-RS: Blending Security and Performance in Dispersed Storage Systems (PDF). Usenix FAST'11.
- Staple, an open-source prototype All-or-nothing transform implementation.