by JoachimSchipper 3282 days ago
Side-channel-resistance is a property of the algorithm, not of the implementation.

As technion says, ChaCha20 was designed such that the evident software implementation resists such attacks; however, Schwabe and Kasper also have a high-quality software implementation of AES.

Hardware implementations are a different beast altogether, and a lot of expertise has gone into making hardened AES implementations in hardware (as forg0t_username says, masking helps - but this is an entire field of study. Look at some CHES conference papers to get an idea.)


Side channel resistance can be increased in the implementation. Some things like comparisons can be done in constant time or in variable time. If the algorithm includes comparisons it might be side-channel resistant only with certain implementations.
> Side-channel-resistance is a property of the algorithm, not of the implementation.

I don't think this part is true. There are constant time software implementations of AES: https://crypto.stackexchange.com/a/92/21442

Oops, sorry, I absolutely meant it the other way round: "Side-channel-resistance is a property of the implementation, not of the algorithm."

(Designing easier-to-implement-securely algorithms does help.)

ChaCha20 does not survive tempest attacks like this one. No algorithm does.

This attack is reading data directly from the bus between RAM and the CPU. You cannot make an algorithm that survives that.

To clarify: in one of the attacks discussed we mostly picked up a signal from the address lines - that is, we exploited the fact that AES' RAM access patterns correlate with the key.

ChaCha20 is sufficiently constant-everything (which includes not having any key-dependent RAM access patterns) that we'd probably need to pick up the data (not just address) lines. That turns out to be (mildly?) harder in this particular combination of attack target and measurement setup.

We do make appliances designed to survive (or at least strongly resist) such attacks, but admittedly we don't rely on naive software AES implementations operating on external RAM. ;-)
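The two implementation-level points raised in this thread, comparisons that run in constant versus variable time and table lookups whose RAM address depends on a secret (the AES access-pattern leak described in the last comment), as an added C example that is not code from the thread; the table contents and the helper names are constructed for illustration:

```c
#include <stddef.h>
#include <stdint.h>

/* Variable-time comparison: returns at the first mismatching byte, so the
 * number of loop iterations (and the timing) depends on secret contents. */
int vt_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i])
            return 0;
    return 1;
}

/* Constant-time comparison: always touches all n bytes and ORs the
 * differences together; control flow does not depend on the data. */
int ct_memeq(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    /* diff == 0 -> 1, diff != 0 -> 0, computed without a branch */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Constant-time lookup: a plain table[secret_idx] reads an address that
 * depends on the secret; here every entry is read in a fixed order and the
 * wanted one is kept with a mask, so the access pattern never changes. */
uint8_t ct_lookup(const uint8_t table[256], uint8_t secret_idx)
{
    uint8_t result = 0;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t x = i ^ (uint32_t)secret_idx;
        uint32_t eq = ((x - 1u) >> 31) & 1u;  /* 1 iff i == secret_idx */
        uint8_t mask = (uint8_t)(0u - eq);    /* 0xFF or 0x00 */
        result |= table[i] & mask;
    }
    return result;
}

/* Self-check: ct_lookup must agree with naive table[idx] for every index
 * (the table contents are constructed test data). */
int ct_lookup_matches_naive(void)
{
    uint8_t table[256];
    for (int i = 0; i < 256; i++)
        table[i] = (uint8_t)(i * 7 + 3);
    for (int i = 0; i < 256; i++)
        if (ct_lookup(table, (uint8_t)i) != table[i])
            return 0;
    return 1;
}
```

An optimizing compiler may turn the masked loop back into a branch or an indexed load, so the emitted assembly still has to be inspected before relying on this in practice.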