[Cryptography] Side channel nomenclature
phill at hallambaker.com
Tue Jun 23 10:07:29 EDT 2020
On Tue, Jun 23, 2020 at 2:58 AM John Gilmore <gnu at toad.com> wrote:
> Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> > The first, I am calling 'leakage' where an unintended side channel leaks
> > information to an attacker. Timing attacks, power etc come under this
> > heading.
> > The second I am calling 'exfiltration' in which the system designer
> > intentionally leaks information. For example, Dual EC RNG, or Moti
> > Yung's smuggling the RSA seed in the top bits of an RSA modulus.
> > In between there are induced side channel attacks such as hitting a chip
> > with radiation while it is operating, smartcard in microwave, etc.
> NSA's job is to do the second while convincing you that it's the first.
That is one of their jobs.
In the wake of the Snowden breach coming out, I was at a meeting of
governmenty types where it was being discussed and the general opinion was
Alexander should not resign because PRISM etc was doing his job. I pointed
out that the NSA was responsible for protecting the nation's secrets and
had just suffered a catastrophic breach. It was shameful Alexander hadn't
resigned already. Shocked faces all round. Two weeks later he was gone and
that was now seen as inevitable.
Another major change in the NSA mission is going to come from the outcome
of the 2016 election. The policy of disrupting attempts to deploy strong
crypto has to end. It was the lack of end-to-end encryption that allowed
Putin to hack the DNC and collude with a traitor to install him in the
> They approached Sun in the 1990s to subvert their network encryption
> system, suggesting that rather than using a product of two large primes,
> they should use a product of three primes (one small enough to factor
> out). I don't know what Sun would have done in other circumstances, but
> they turned down that offer on the grounds that once the back door was
> later discovered, it would be obvious from external examination that it
> was "exfiltration" and not mere "poor design". In other words, it
> lacked deniability.
It also violates the NOBUS principle. Anyone who reverse engineers the code
can use the backdoor. Dual-EC-RNG only allows the party that knows the
private key to work out the sequence.
> Since the only difference between first and second is the motivation
> of the designer, which is unknown and unknowable, is there really a
> worthwhile distinction?
I think it is very useful because even if you control the entire process
and still do things in a trusted fab etc., the laws of physics still mean
you face risks from leakage.
Threshold allows for separation of duties which can in turn address some of
the exfiltration attacks. And some algorithms are much more vulnerable to
exfiltration than others. RSA has the huge modulus with 1000 bits that can
be used as a side channel. ECC doesn't offer anything remotely similar.
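As an added example that is not part of this thread, the check below is the kind of defender-side probe that would expose the three-prime design Gilmore describes: an honest modulus passes trial division and a budgeted Pollard rho, while a modulus with a third prime "small enough to factor out" gives up that factor. The sample keys are constructed here from known Mersenne primes (2^127-1, 2^107-1 as the honest factors, 2^31-1 as the planted small prime); the trial-division bound and rho budget are arbitrary choices.

```python
import math
import random

# Constructed sample keys (not from the thread): known Mersenne primes stand in
# for the two honest factors, and 2^31-1 plays the third prime that is
# "small enough to factor out".
P = (1 << 127) - 1
Q = (1 << 107) - 1
R = (1 << 31) - 1
HONEST_N = P * Q           # product of two large primes
THREE_PRIME_N = P * Q * R  # same key with a small third prime folded in


def trial_division(n, bound=1 << 20):
    """Return a factor of n up to bound, or None. Catches very small third primes."""
    if n % 2 == 0:
        return 2
    f = 3
    while f <= bound and f * f <= n:
        if n % f == 0:
            return f
        f += 2
    return None


def pollard_rho(n, budget=300_000, seed=0):
    """Pollard's rho with Floyd cycle detection. Work is roughly sqrt(r) steps
    for the smallest factor r, so a modest third prime falls out quickly,
    while an honest two-prime modulus just exhausts the budget and yields None."""
    rng = random.Random(seed)
    while budget > 0:
        c = rng.randrange(1, n - 1)
        x = y = rng.randrange(2, n - 1)
        d = 1
        while d == 1 and budget > 0:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
            budget -= 1
        if 1 < d < n:
            return d
        # d == n means both cycles collided at once; retry with a new c
    return None


def suspicious_factor(n):
    """Return a nontrivial factor reachable by a cheap probe, else None."""
    return trial_division(n) or pollard_rho(n)


if __name__ == "__main__":
    for label, n in (("honest", HONEST_N), ("three-prime", THREE_PRIME_N)):
        print(label, suspicious_factor(n))
```

A key-validation step like this does not prove a modulus honest (a third prime of 500 bits is out of reach), which is exactly the deniability point Gilmore raises; it only rules out the crude version.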