Is there any cryptographic algorithm immune to side-channel attacks based on scan chains? From a VLSI point of view.
3 Answers
A cryptographic algorithm can't be immune or not immune to side channel attacks; this is because a side channel attack attacks the implementation and not the actual algorithm. Any algorithm that uses secret data can be implemented in a way that has side channel attacks, and any algorithm can be implemented in a way that may be resistant (the hard-core side channel attack guys will say that no implementation is totally immune) to side channel attacks.
That said, there are certainly algorithms that are easier to implement in a way that resists side channel attacks.
Often people build hardware that contains cryptographic algorithms, and they are worried about what happens if that hardware falls into the hands of an attacker.
Historically, there have been several approaches to making it harder for the attacker, often used in some combination:
- Hardware and cryptographic algorithms specifically chosen or designed to comply with Kerckhoffs's principle: "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." Then switch to a new, fresh key whenever an old key may have fallen into the hands of an attacker. (Perhaps also use zeroisation to make it less likely that an old key will fall into the hands of an attacker).
- Cryptographic algorithms specifically chosen or designed or re-implemented to be isochronous -- i.e., with data-independent runtime -- making them completely immune to timing attacks. (A good assembly-language programmer writing for a typical smartcard, which has no cache, can do this fairly easily. An FPGA designer can do this fairly easily. People writing code for processors that have a cache find that writing isochronous code is much more difficult, but often possible). (Unfortunately, this often makes such hardware slightly easier to attack with a differential power analysis side-channel attack).
  * Braun, Jana, Boneh. "Robust and Efficient Elimination of Cache and Timing Side Channels". arXiv:1506.00189; discussion: https://news.ycombinator.com/item?id=9679762
  * Torbjorn Granlund. "Defeating modexp side-channel attacks with data-independent execution traces". https://gmplib.org/~tege/modexp-silent.pdf
- A white-box algorithm is completely immune to side-channel attacks (white-box cryptography: http://www.whiteboxcrypto.com/). White-box cryptographic algorithms are designed such that, even if the attacker knows everything about the system, including the keys for the hardware he has in his hand, he still cannot break the rest of the system. This was widely believed to be impossible, until ephemeral encryption keys, public key encryption, and public key signature authentication were developed. There have been some promising breakthroughs in homomorphic encryption and host-proof algorithms that seem to show that algorithms with useful white-box cryptographic properties are possible, and a few have already been useful in practice: (Public-key authentication using some certificate authority's public key happens every time a web browser accesses a "https://" website). (Ephemeral encryption happens every time a laptop or smartphone communicates with a recent WiFi access point). Unfortunately, we do not yet have a practical white-box algorithm for lots of other things we would like to do.
- Various techniques such as shuffling, dummy operations, etc. to make timing and power side-channel attacks more expensive and less likely to succeed.
  * Stottinger, Malipatlolla, Tian. "Survey of Methods to Improve Side-Channel Resistance on Partial Reconfigurable Platforms." doi: 10.1007/978-3-642-16767-6_4
- Tamper resistance to make probing attacks more expensive and less likely to succeed.
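An added illustration of the isochronous point in the answer above (this is not code from the answerer or from the cited papers): the textbook square-and-multiply modular exponentiation, whose branch pattern follows the secret exponent bits, next to a Montgomery-ladder version that does the same multiply and square on every bit and selects operands with a mask. 64-bit operands via `__int128` and the sample modulus/exponent values are constructed assumptions for brevity.

```c
/* Added example: key-dependent control flow vs. data-independent control flow
 * in modular exponentiation. Values used with it are constructed, not from any
 * standard. Assumes a GCC/Clang target with unsigned __int128. */
#include <stdint.h>

typedef unsigned __int128 u128;

/* NOTE: the '%' here is itself not constant-time on most CPUs; a real
 * implementation replaces it with Montgomery multiplication. It is kept
 * only so the control-flow difference below stays the focus. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((u128)a * b) % m);
}

/* Square-and-multiply: the multiply happens only when the exponent bit is 1,
 * so the sequence of operations (timing/power trace) reveals the exponent. */
uint64_t modexp_leaky(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);  /* secret-dependent branch */
        base = mulmod(base, base, m);
        exp >>= 1;                             /* loop count leaks bit length */
    }
    return r;
}

/* Branch-free conditional swap: mask is all ones when bit == 1, else zero. */
static void ct_swap(uint64_t *a, uint64_t *b, uint64_t bit) {
    uint64_t mask = (uint64_t)0 - (bit & 1);
    uint64_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: exactly one multiply and one square per bit, always over
 * all 64 bit positions, so neither the operation sequence nor the loop length
 * depends on the exponent; only the masked operand selection does. */
uint64_t modexp_ladder(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r0 = 1 % m, r1 = base % m;
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (exp >> i) & 1;
        ct_swap(&r0, &r1, bit);      /* bit==1: work on (r1, r0) instead */
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        ct_swap(&r0, &r1, bit);      /* undo the swap */
    }
    return r0;
}
```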
As others mentioned, side-channel attacks are an issue of algorithm implementation.
djb implemented a full suite of cryptographic primitives specifically with side-channel resistance in mind.
The idea is to prevent information flow from your secrets (private keys, messages, etc.) to those pieces of hardware which can be easily attacked, like CPU branch predictors, caches, TLBs, etc. You can read in detail here.