# Questions tagged as ['side-channel-attack']

### The scenario

Using AES 256 with CBC mode. (Authentication is done separately. Ignored here.)

### The goal (explained more later)

To avoid sending an unencrypted IV.

But since this is being done using .NET whose function forces us to use an IV, we can't just prepend 16 random bytes and then toss away the first 16 bytes after decryption.

### The plan

Prepend 16 random bytes ("**IV1**"), and besides that use 16 b ...

In the paper **"Reaction Attacks against Several Public-Key Cryptosystems"** (CiteSeerX link), reaction attack is defined informally as

**"Obtaining information about the private key or plaintext by watching the reaction of someone decrypting a given ciphertext with the private key."**

Is reaction attack explicitly defined in literature? What is the difference between fault attack and reaction attack -as defin ...

I am studying finalist algorithms of NIST Post-Quantum Cryptography Standardization. I noticed that almost all third-party cryptanalysis papers consist of side-channel attacks. Why are classical cryptanalysis methods (algebraic, mathematical attacks, etc.) more effective on classical algorithms than on post-quantum algorithms?

In addition, I know that mathematical problems behind post-quantum algorit ...

What is the principle behind threshold implementation of block ciphers and how is this protecting against side channel attacks?

This is about the paper Protecting AES with Shamir's Secret Sharing Scheme by Louis Goubin and Ange Martinelli which describes how to use Shamir Secret Sharing to obtain masked implementations of AES.

The end of section 3.1 suggests that the $\text{GF}(2)$-affine transformation $A$ involved in the definition of the AES S-Box is compatible with SSS in the sense that if $(x_i,y_i)$ is an SSS sharing of

How should the adversary behave in order to perform a successful side channel attack against Argon2d?

I'm trying to understand the scenario that Argon2i tries to resist against.

While reading through the sections about decryption in PKCS#1 v2.2, I noticed that the decryption algorithms are required to output the failure symbol `decryption error` when the RSA maths subroutine reports `ciphertext representative out of range`.

While notes on security consideration says padding removal should be a "poker-face" process, it didn't say anything about ciphertext being out of the decipherabl ...

A large number of SCA papers that talk about ECDSA mention the need for blinding/randomisation of the signing process, typically with a single-sentence comment about replacing the projective coordinates $(X,Y,Z)$ with randomised ones $(\lambda^2 X, \lambda^3 Y, \lambda Z)$ and declaring the problem solved, but nothing really seems to provide any detail of what specific steps are required. In particular looking at ...

So suppose you are doing this locally (so no network noise), and know the exact specifics of your processor too. Is it feasible to figure out the private key (while having access to the public-key) generated by libsodium based on the time it takes to generate a key-pair?

What about other algorithms, how feasible is this in general?