[wizeman]

Are there any modern crypto algorithms that are, by design, immune from an attack such as this? Would not having any key-dependent code paths be sufficient to prevent this attack?

If it is possible to be immune by design to power analysis, timing and tempest attacks, is there a list of such algorithms somewhere that I can look it up? My google-fu hasn't returned anything useful.

[5gaKanchAFD2]

No algorithm is secure by design against these DPA attacks. They exploit data-dependencies.

The only 'provably secure' (e.g., on paper (+)) countermeasure you can apply to these symmetric schemes is something typically called masking. You can view masking as using secret sharing techniques to split up all intermediate computation into independent operations. To defeat masking an attacker needs to be able to re-combine the data dependent information leakage associated with all the split components. This is always a possibility.

Thus it becomes a risk/cost tradeoff. The more you mask, the more secure you become, but at a cost of speed/area/power draw.

(+) It's decidedly non-trivial to implement a masking scheme such that you get the theoretical security. This is an active research area.

[simias]

How about a "security through obscurity" countermeasure for sensitive systems where we'd use a special compiler that adds a bunch of "noise" in the generated algorithm (useless instructions etc...)?

Or alternatively run the algorithm through an emulator that does the same thing.

[JoachimSchipper]

Modern tooling will look for correlations; (fixed) useless instructions per se don't help, since the signal can still be found in the original instructions.

However, the attacks all rely on reducing noise by combining measurements. Introducing sufficiently-long random delays or sufficiently-big variations in clock speed can make it harder to combine measurements, and can thus stop such attacks. Unfortunately, making trace alignment hard is not so much a provably-correct fix as a contest between the hardware designer's ability to be really annoying and the attacker's intuition (to find usable synchronization points) and sheer persistence.

(If you want to rely on such things, you really need to get a top-notch hardware attack lab such as Riscure to look at your countermeasures; you really want to test against an experienced attacker's intuition.)

[5gaKanchAFD2]

Yeah techniques like instruction re-ordering, messing with the clock, etc are legitimate options. However all they will effectively do is decrease the signal-to-noise ratio of the system; increasing the number of measurements the adversary will need to require.

The power of averaging is such that these extra security added by these types of countermeasure can rapidly drop to zero. Despite this there are some use cases and deployment environments in which this might still be worth doing.

Ultimately the game for people deploying SCA-resistant hardware is effectively to fix a period of time in which a single key is used, and add sufficient countermeasures to ensure that the attacker can't get the key within that period. 'Perfect' security isn't a strict requirement at all, nor is it possible to achieve.

[technion]

Chacha20 was designed to be immune to timing attacks. It's discussed on page three:

https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-chacha...

[JoachimSchipper]

Side-channel-resistance is a property of the algorithm, not of the implementation.

As technion says, ChaCha20 was designed such that the evident software implementation resists such attacks; however, Schwabe and Kasper also have a high-quality software implementation of AES.

Hardware implementations are a different beast altogether, and a lot of expertise has gone into making hardened AES implementations in hardware (as forg0t_username says, masking helps - but this is an entire field of study. Look at some CHES conference papers to get an idea.)

[SAI_Peregrinus]

Side channel resistance can be increased in the implementation. Some things like comparisons can be done in constant time or in variable time. If the algorithm includes comparisons it might be side-channel resistant only with certain implementations.

[oconnor663]

> Side-channel-resistance is a property of the algorithm, not of the implementation.

I don't think this part is true. There are constant time software implementations of AES: https://crypto.stackexchange.com/a/92/21442

[JoachimSchipper]

Oops, sorry, I absolutely meant it the other way round: "Side-channel-resistance is a property of the implementation, not of the algorithm."

(Designing easier-to-implement-securely algorithms does help.)

[marcosdumay]

ChaCha20 does not survive tempest attacks like this one. No algorithm does.

This attack is reading data directly from the bus between RAM and the CPU. You can not make an algorithm that survives that.

[JoachimSchipper]

To clarify: in one of the attacks discussed we mostly picked up a signal from the address lines - that is, we exploited the fact that AES' RAM access patterns correlate with the key.

ChaCha20 is sufficiently constant-everything (which includes not having any key-dependent RAM access patterns) that we'd probably need to pick up the data (not just address) lines. That turns out to be (mildly?) harder in this particular combination of attack target and measurement setup.

We do make appliances designed to survive (or at least strongly resist) such attacks, but admittedly we don't rely on naive software AES implementations operating on external RAM. ;-)

[alephnil]

The most vulnerable part of symmetric crypto algorithms is the S-box tables, (8 to 8 bits in AES) in most AES implementation realized as 8 to 32 bit T-tables. It is possible, but harder and slower to implement AES without, so it is usually not done.

Of software implementations, the Serpent algorithm, that was one of the candidates for AES, can be implemented without any lookup tables and fully key-independent memory access patters. That will make an attack like this very unlikely to succeed.

[forg0t_username]

The keyword you're looking for is masking. Masked implementations of AES resist this exact attack without problem. Higher-order attacks are then needed, and those require exponentially more computation.

[calculat0r]

Check out Leakage-Resilient cryptography, which aims to provide security against a bounded number of bits leaking. Here's a good survey paper from 2010: https://cseweb.ucsd.edu/~pmol/Documents/RE.pdf

[JoachimSchipper]

Leakage-resilient cryptography is cool, but it's very much a mathematics-first approach: the independence assumptions required for the mathematical proofs simply don't hold in the physical world, and it's not clear what an assumption about "may not leak more than lambda effective bits" means (the attacker has 10 GB of measurements, mostly noise; can we expect to remain secure?)

The leakage-resilient work with which I'm most familiar also looks more like "algorithmic countermeasures" (e.g. changing keys frequently) than like something which would protect an AES core per se; but that's also a function of the work I'm most familiar with (the work of my old advisor Pietrzak.)