[Cryptography] Side channel nomenclature

John Gilmore gnu at toad.com
Tue Jun 23 02:58:14 EDT 2020

Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> The first, I am calling 'leakage' where an unintended side channel leaks
> information to an attacker. Timing attacks, power, etc. come under this
> heading.
> The second I am calling 'exfiltration' in which the system designer
> intentionally leaks information. For example, Dual EC RNG, or Moti
> Yung's smuggling the RSA seed in the top bits of an RSA modulus.
> In between there are induced side channel attacks such as hitting a chip
> with radiation while it is operating, smartcard in microwave, etc.

NSA's job is to do the second while convincing you that it's the first.

They approached Sun in the 1990s to subvert their network encryption
system, suggesting that rather than using a product of two large primes,
they should use a product of three primes (one small enough to factor
out).  I don't know what Sun would have done in other circumstances, but
they turned down that offer on the grounds that once the back door was
later discovered, it would be obvious from external examination that it
was "exfiltration" and not mere "poor design".  In other words, it
lacked deniability.

Since the only difference between first and second is the motivation
of the designer, which is unknown and unknowable, is there really a
worthwhile distinction?
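
Added example, not part of the original message: a sketch of the "external examination" point above, auditing a public modulus for a factor that falls to a bounded amount of factoring work. The primes, the function names and the work budget are constructed toy assumptions; a real audit would need a far larger budget.

```python
import math

# Constructed toy values (assumptions, not from the message); real key primes are far larger.
P1 = 2**61 - 1          # Mersenne prime
P2 = 2**89 - 1          # Mersenne prime
P_SMALL = 1_000_003     # prime standing in for the factor "small enough to factor out"

def pollard_rho(n, c, max_steps):
    """Floyd-cycle Pollard rho: a nontrivial factor of n within max_steps, else None."""
    if n % 2 == 0:
        return 2
    x = y = 2
    for _ in range(max_steps):
        x = (x * x + c) % n          # tortoise: one step of x -> x^2 + c
        y = (y * y + c) % n          # hare: two steps
        y = (y * y + c) % n
        d = math.gcd(x - y, n)
        if d == n:                   # sequences collided modulo every factor at once
            return None
        if d > 1:
            return d
    return None

def audit_modulus(n, max_steps=50_000):
    """Return a factor found within the work budget, or None if the modulus survives."""
    for c in (1, 3, 5):              # retry with other polynomials if one degenerates
        d = pollard_rho(n, c, max_steps)
        if d is not None:
            return d
    return None

if __name__ == "__main__":
    for label, n in (("two primes", P1 * P2), ("three primes", P1 * P2 * P_SMALL)):
        d = audit_modulus(n)
        print(label, "-> no factor within budget" if d is None else f"-> factor {d}")
```

The cost of finding a factor grows with the size of the smallest prime, not the size of the modulus, so the three-prime modulus is flagged by the same budget that the two-prime modulus survives.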
