# Questions tagged as ['side-channel-attack']

Attacks using information leaked by implementations of cryptographic algorithms to obtain information about keys or (plaintext) data, instead of (or in addition to) exploiting cryptographic weaknesses.
Score: 1
Is it okay to avoid a plaintext IV in AES?

### The scenario

Using AES 256 with CBC mode. (Authentication is done separately. Ignored here.)

### The goal (explained more later)

To avoid sending an unencrypted IV.

But since this is being done using .NET whose function forces us to use an IV, we can't just prepend 16 random bytes and then toss away the first 16 bytes after decryption.

### The plan

Prepend 16 random bytes ("IV1"), and besides that use 16 b ...

Score: 2
What is reaction attack?

In the paper "Reaction Attacks against Several Public-Key Cryptosystems" (CiteSeerX link), a reaction attack is defined informally as "Obtaining information about the private key or plaintext by watching the reaction of someone decrypting a given ciphertext with the private key."

Is the reaction attack explicitly defined in the literature? What is the difference between a fault attack and a reaction attack (as defin ...

Score: 5
Post-quantum algorithms and side channel attacks

I am studying finalist algorithms of NIST Post-Quantum Cryptography Standardization. I noticed that almost all third-party cryptanalysis papers consist of side-channel attacks. Why are classical cryptanalysis methods (algebraic, mathematical attacks, etc.) more effective on classical algorithms than post-quantum algorithms?

In addition, I know that mathematical problems behind post-quantum algorit ...

Score: 2
Threshold implementation of ciphers

What is the principle behind threshold implementation of block ciphers and how is this protecting against side channel attacks?

Score: 3
Protecting AES via Shamir Secret Sharing

This is about the paper Protecting AES with Shamir's Secret Sharing Scheme by Louis Goubin and Ange Martinelli which describes how to use Shamir Secret Sharing to obtain masked implementations of AES.

The end of section 3.1 suggests that the $$\text{GF}(2)$$-affine transformation $$A$$ involved in the definition of the AES S-Box is compatible with SSS in the sense that if $$(x_i,y_i)$$ is an SSS sharing of

Score: 1
How is the Argon2d side channel attack performed?

How should the adversary behave in order to perform a successful side channel attack against Argon2d?

I'm trying to understand the scenario that Argon2i tries to resist against.

Score: 1
What are the security implications of RSA decryption of ciphertext >= modulus?

While reading through the sections about decryption in PKCS#1 v2.2, I noticed that the decryption algorithms are required to output the failure symbol "decryption error" when the RSA maths subroutine reports "ciphertext representative out of range".

While the notes on security considerations say padding removal should be a "poker-face" process, they don't say anything about the ciphertext being out of the decipherabl ...

Score: 2
Randomization of ECDSA signing operations to prevent SCA

A large number of SCA papers that talk about ECDSA mention the need for blinding/randomisation of the signing process, typically with a single-sentence comment about replacing the projective coordinates (X,Y,Z) with randomised ones (lambda^2 X, lambda^3 Y, lambda Z) and declaring the problem solved, but nothing really seems to provide any detail of what specific steps are required. In particular, looking at ...

Score: 1
How feasible is it to guess the private key of libsodium by taking into account generation time?

So suppose you are doing this locally (so no network noise), and know the exact specifics of your processor too. Is it feasible to figure out the private key (while having access to the public-key) generated by libsodium based on the time it takes to generate a key-pair?

What about other algorithms, how feasible is this in general?