up:: Classical Cryptography MOC
Side-Channel Analysis
Side-channel analysis is a family of attacks that recovers a secret key by measuring the physical behavior of a cryptographic implementation, how long it takes, how much power it draws, what it radiates electromagnetically, or how it uses the processor cache, rather than by solving the mathematics the algorithm rests on. The math can be provably strong and the key the right size, and the system still falls because the running code leaks the secret through a physical channel the designer never meant to expose. This is why a mathematically quantum-safe algorithm like ML-KEM or ML-DSA can still hand over its key if it is implemented carelessly, and why the post-quantum transition is a hardware and software engineering problem as much as a math problem.
The short version:
- Side-channel analysis attacks the implementation, not the algorithm. It reads a secret from a physical measurement of the running device, so the strength of the cipher on paper is beside the point.
- The four channels that matter most are timing, power consumption, electromagnetic emissions, and cache behavior. Each leaks because the physical work a chip does depends on the secret data it is processing.
- The attacks split into simple analysis (read the key from one or a few clean measurements) and statistical analysis like differential power analysis (pull a key out of thousands of noisy measurements with statistics).
- The defenses are constant-time code, masking, blinding, and hardware shielding. They cost performance and complexity, which is exactly why implementations skip them and get broken.
- Post-quantum algorithms have their own side-channel pitfalls. NIST evaluated side-channel resistance during standardization, and FIPS 203 requires implementers to destroy intermediate values precisely because those values can leak the key.
Picture a bank vault with a flawless combination lock, mathematically no easier to guess than any other lock its size. A patient safecracker ignores the combination entirely and instead presses an ear to the door, listens for the faint clicks of the tumblers, and feels the tiny changes in resistance as the dial turns. The lock is perfect; the physical machine that runs it is chatty. Side-channel analysis is that safecracker, translated into oscilloscopes, current probes, and antennas, and pointed at the chip doing the encryption instead of at the numbers inside it.
What is side-channel analysis?
Side-channel analysis is the recovery of secret information, usually a cryptographic key, from the measurable physical side effects of a computation rather than from its mathematical inputs and outputs. A “side channel” is any observable byproduct of running the algorithm that the designer treated as invisible: the wall-clock time an operation takes, the current the processor pulls from its power supply, the electromagnetic field it radiates, the sound it makes, or the state it leaves in shared microarchitectural resources like the cache. When any of those byproducts depends on the secret, measuring it leaks the secret.
The idea reframes what “breaking” a cipher means. Classical cryptanalysis treats an algorithm as a black box and tries to defeat the math, so RSA is “secure” if factoring its modulus is infeasible. Side-channel analysis opens the box and watches the machine work. It belongs to the broader field of implementation attacks, alongside its active cousin fault injection, which deliberately induces errors (voltage glitches, clock glitches, laser pulses) to make a device reveal or mis-handle a secret. Side-channel analysis is the passive half: it only observes.
Two properties make this class of attack dangerous in practice:
- It sidesteps the security proof. A proof of an algorithm’s strength says nothing about the device running it. The key can be the correct size and the algorithm a NIST standard, and a leaky implementation still gives it away.
- It can be cheap and non-invasive. Many side channels are readable without opening or damaging the target. A power trace needs a resistor in the power line; an electromagnetic trace needs an antenna near the chip; a cache attack needs nothing but ordinary code running on the same hardware as the victim.
Source: P. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Advances in Cryptology, CRYPTO ‘96, LNCS 1109, pp. 104-113, IACR CryptoDB.
How does a side-channel attack actually work?
A side-channel attack works by finding a physical measurement that correlates with a secret-dependent step in the algorithm, collecting that measurement, and then reasoning backward from the physics to the key. The chip does more work, or different work, depending on the bits of the key, and that difference shows up in time, power, or radiation. The attack runs in a consistent sequence:
- Find the leaky operation. The attacker identifies a step whose physical cost depends on the secret. In a naive RSA exponentiation, the algorithm squares for a
0bit and squares-and-multiplies for a1bit, so the two bit values take visibly different amounts of work. - Collect measurements (traces). The attacker records the channel while the device runs the operation, once for a simple attack or many thousands of times for a statistical one. Each recording is a trace.
- Recover the secret. With a clean enough measurement, the key falls out directly. When the leak is buried in noise, statistics dig it out.
That last step divides the field into two techniques:
- Simple analysis (simple power analysis, simple electromagnetic analysis) reads the secret from the shape of a single trace, or a handful, where the secret-dependent operations are directly distinguishable. Watching the square-versus-multiply pattern in an unprotected RSA trace and reading off the exponent bit by bit is the classic example.
- Statistical analysis (differential power analysis and correlation power analysis) extracts a key even when no single trace shows anything obvious. The attacker guesses a small piece of the key, predicts an intermediate value under that guess, and then tests the prediction against thousands of traces statistically. The correct guess correlates with the measured power; the wrong guesses do not. Because the attacker attacks one small chunk of the key at a time, the total effort stays small even for a long key.
The reason statistical analysis is so powerful is that it defeats noise by averaging. A leak far too faint to see in one trace becomes unmistakable across ten thousand, which is why simply making a device “look” constant on a scope is not enough to stop a determined attacker.
Source: P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis,” Advances in Cryptology, CRYPTO ‘99, LNCS 1666, pp. 388-397, Springer.
What are the main types of side channels?
The main side channels are timing, power consumption, electromagnetic emissions, and cache behavior, and each one leaks because a different physical quantity tracks the secret the chip is handling. The table below is the field’s core map: the channel, what the attacker measures, why it carries the secret, and the seminal work that established it.
| Channel | What the attacker measures | Why it leaks the secret | Seminal work |
|---|---|---|---|
| Timing | How long an operation takes to complete | Execution time varies with secret-dependent branches, table lookups, and early-exit comparisons | Kocher 1996 |
| Power | The chip’s instantaneous power draw | The power a circuit burns depends on the data and operations it processes (roughly, the number of bits flipping) | Kocher, Jaffe, and Jun 1999 |
| Electromagnetic | The EM field the chip radiates | Switching current radiates, and the field can be captured without touching the device and localized to one region of the die | Quisquater and Samyde 2001 |
| Cache | The timing of the attacker’s own memory accesses on shared hardware | Secret-dependent table lookups load and evict cache lines that a co-resident attacker can probe for timing differences | Yarom and Falkner 2014 |
A few things sharpen how these behave in the real world:
- Timing attacks scale over networks. Because time is measurable remotely, a timing leak can sometimes be exploited across a network, reaching well beyond a probe on the bench. Kocher’s original work showed measured timing could recover Diffie-Hellman exponents and factor RSA keys.
- Power and electromagnetic attacks are close cousins. Both track the same underlying switching activity, so the statistical machinery of differential power analysis applies almost unchanged to electromagnetic traces. Electromagnetic analysis adds the ability to work without a wire in the power line and to aim at a specific area of the chip.
- Cache attacks need no physical access at all. They are software-only microarchitectural attacks that exploit shared hardware, which makes them the acute worry in cloud and multi-tenant settings. The Flush+Reload technique recovered roughly 96.7% of the bits of a secret key by watching a single decryption or signing round from another process on the same machine.
Sources: Y. Yarom, K. Falkner, “FLUSH+RELOAD, A High Resolution, Low Noise, L3 Cache Side-Channel Attack,” USENIX Security 2014, pp. 719-732, USENIX.
J.-J. Quisquater, D. Samyde, “ElectroMagnetic Analysis (EMA), Measures and Counter-Measures for Smart Cards,” E-smart 2001, LNCS 2140, Springer.
Why does side-channel analysis matter if the math is unbreakable?
Side-channel analysis matters because security lives in the running system, and an attacker takes the cheapest path to the key, which is almost never the math. The strength of AES-256 or RSA on paper describes an idealized algorithm. The thing an attacker actually faces is a smart card, a phone, a hardware security module, a TLS server, or a firmware chip, and that physical device leaks. When the implementation is unprotected, recovering the key from a power trace can be faster and more reliable than any mathematical attack will ever be.
The consequence is that a broken implementation of a strong algorithm gives the same result as a broken algorithm: the secret walks out the door. This is a recurring pattern across cryptographic history, where systems fall on how the cipher was built and operated rather than on the cipher itself. It reshapes where defensive effort belongs, because buying a bigger key or a newer algorithm does nothing for a device that leaks, and the real fixes are in how the code and the hardware are written.
The stakes are highest exactly where physical or co-located access is realistic:
- Smart cards, payment chips, and hardware tokens, which an attacker can hold, power, and probe on a bench for as long as they like.
- Hardware security modules and secure elements, whose entire job is to protect keys that must never leave, making a side channel the crack in the vault wall.
- Cloud and multi-tenant infrastructure, where a cache side channel needs no physical access at all, only code running on the same host as the victim.
- Firmware and embedded devices, which sign updates or hold long-lived keys and are often shipped with performance-optimized, unprotected crypto.
Does post-quantum cryptography have side-channel risks?
Yes. Post-quantum algorithms are quantum-safe in their mathematics, and that quantum-safety says nothing about whether a given implementation leaks. A post-quantum scheme that resists Shor’s algorithm perfectly can still surrender its key to a power or cache attack if it is coded without side-channel defenses, so migrating to ML-KEM or ML-DSA does not by itself close this exposure. NIST treated this as a first-class concern rather than an afterthought.
NIST broke with decades of precedent on this point. Historically, dating to the AES standardization process, most side-channel analysis happened in the years after a standard shipped. For the post-quantum process, NIST asked the community to contribute side-channel analyses early in the standardization cycle, and researchers responded with a large body of work on the lattice-based candidates in particular. After extended study, NIST concluded that the differences in the difficulty of protecting the finalist algorithms against side channels “appear to be small,” so no single finalist won or lost on side-channel grounds alone.
The concern is written into the standards themselves. FIPS 203 states plainly that conforming to the standard does not by itself ensure a secure implementation, which remains the implementer’s responsibility, and its Requirements for ML-KEM Implementations section includes a “Destruction of intermediate values” rule: “Data used in intermediate computation steps of KEM algorithms could be used by an adversary to compromise security,” so intermediate data must be destroyed the moment the algorithm is finished with it. That is a side-channel and memory-disclosure requirement sitting in the middle of a math standard.
The specific pitfalls in the post-quantum schemes are real and well studied:
- Lattice KEMs and signatures (ML-KEM, ML-DSA) contain secret-dependent steps, including the decryption comparison inside their Fujisaki-Okamoto transform, polynomial arithmetic, and rejection sampling, that have been targeted by power, electromagnetic, and chosen-ciphertext side-channel attacks. This has driven an active research line on masking ML-KEM and ML-DSA implementations.
- The compact lattice signature FN-DSA (FALCON) relies on floating-point Gaussian sampling that is notably hard to make constant-time, which NIST flagged as a practical implementation hazard, especially on constrained devices where side-channel protection matters most.
- The hash-based signature SLH-DSA (SPHINCS+) largely reduces its side-channel exposure to the problem of protecting a keyed hash implementation, which is comparatively well understood.
Sources: NIST IR 8413-upd1, “Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process,” 2022, csrc.nist.gov.
NIST FIPS 203, “Module-Lattice-Based Key-Encapsulation Mechanism Standard,” Section 3.3, August 2024, FIPS 203.
How do you defend against side-channel attacks?
Defending against side-channel analysis means removing the correlation between the secret and the physical measurement, and it is done at both the software and the hardware level. The goal is a device whose timing, power, and emissions look the same no matter what key it holds. These are the established techniques the field uses:
- Constant-time implementation. The code is written so that its execution time carries no dependence on secret data: no secret-dependent branches, no secret-indexed table lookups, and comparisons that always run to completion instead of returning early. This is the baseline defense against timing and cache attacks, because both feed on secret-dependent timing.
- Masking. Every secret intermediate value is split into several random shares that are processed separately and only recombined at the end, so any single measured value is randomized and uncorrelated with the real secret. Higher-order masking uses more shares to resist stronger statistical attacks, at a real performance cost. Masking is the primary countermeasure researchers are building for lattice schemes like ML-KEM and ML-DSA.
- Blinding. The inputs to an operation are randomized before it runs and corrected afterward, so an attacker never sees the operation applied to a known, fixed value. RSA blinding, which randomizes the message before exponentiation, is the classic example and defeats many timing and power attacks on RSA.
- Shuffling and hiding. The order of independent operations is randomized, or noise is added, so the attacker cannot line up traces cleanly for averaging. This raises the number of measurements an attack needs rather than closing the leak outright.
- Hardware countermeasures. Physical shielding, filtering, balanced (dual-rail) logic that draws constant power, and on-chip noise generators attack the leak at its source. This lineage runs straight back to the shielding and filtering developed under the TEMPEST program.
No single measure is a complete answer, and real high-assurance implementations layer several. The honest tradeoff is that every one of these costs performance, memory, or design complexity, which is the structural reason unprotected implementations keep shipping and keep getting broken.
Has this happened before?
The oldest documented cryptographic side channel is TEMPEST, and it was discovered by accident in 1943. Engineers at Bell Telephone Laboratories, working on the Army’s 131-B2 mixer that encrypted teleprinter traffic with a one-time tape, noticed that a freestanding oscilloscope across the lab spiked every time the machine enciphered a character. On a closer look, those electromagnetic spikes could be read back as the plaintext the “secure” machine was processing. The cipher was a one-time tape, the one provably unbreakable scheme in all of cryptography, and the equipment running it was broadcasting the message in the clear through an unintended physical emission.
The military reaction was disbelief followed by decades of countermeasures. The vulnerability was rediscovered by the CIA around 1951, when analysts recovered plaintext from the emissions of U.S. cipher equipment at a distance, and it grew into the NSA’s TEMPEST program of shielding, filtering, and emission-masking standards that still govern how classified equipment is built. That 1943 oscilloscope is the direct ancestor of the modern electromagnetic and power attacks in this note. The lesson has held for more than eighty years: the mathematics can be perfect, and the physical machine that runs it still leaks, which is the entire premise of side-channel analysis.
Source: NSA, “TEMPEST, A Signal Problem” (declassified 2007), Cryptologic Spectrum, nsa.gov FOIA reading room.
Common misconceptions
- “A strong algorithm means a secure system.” The proof covers the algorithm, and the attacker faces the device. A NIST-standard cipher with a full-size key still leaks if the implementation running it is not side-channel protected.
- “Side-channel attacks need a lab and physical access to the chip.” Some do, but cache attacks are software-only and work from another process on the same machine, and timing attacks can reach across a network. Co-location, not a bench probe, is often all that is required.
- “A bigger key stops side-channel analysis.” Key size defends against mathematical attacks. A side channel reads the key from a physical measurement, so enlarging it changes almost nothing; a longer key just leaks over slightly more of a trace.
- “Post-quantum algorithms are safe from this because they are new and quantum-resistant.” Quantum-resistance is a property of the math. Lattice schemes like ML-KEM and ML-DSA have secret-dependent operations that have been broken in unprotected implementations, which is why NIST studied their side-channel resistance and FIPS 203 mandates destroying intermediate values.
- “Constant-time code is enough.” Constant-time coding closes timing and cache leaks, and it does nothing about power and electromagnetic emissions, which need masking and hardware measures. Full protection layers several countermeasures.
- “Making the leak invisible on an oscilloscope solves it.” Statistical attacks like differential power analysis average away noise across thousands of traces and recover secrets no human could see in a single trace. Defeating the eye is not defeating the statistics.
Questions people ask
Is side-channel analysis a real-world threat or a lab curiosity? It is a real and repeatedly demonstrated threat. Power and electromagnetic attacks have pulled keys from smart cards, payment chips, and hardware tokens, and cache attacks like Flush+Reload have recovered cryptographic keys across processes on shared servers. Any device an attacker can hold, co-locate with, or measure remotely is in scope.
What is the difference between a side-channel attack and fault injection? Side-channel analysis is passive: it only observes the device’s timing, power, or emissions while it runs normally. Fault injection is active: it deliberately disturbs the device with voltage or clock glitches or laser pulses to force an error that reveals a secret. They are cousins in the broader field of implementation attacks and are often used together.
Does end-to-end encryption or a longer key protect me from side channels? No. Side-channel analysis targets the endpoint that performs the cryptography, not the encrypted data in transit, and it reads the key from a physical measurement rather than by breaking the math. A longer key does almost nothing against it; the fix is a side-channel-resistant implementation.
Are post-quantum algorithms more or less vulnerable to side channels than classical ones? Neither category is inherently safe. Post-quantum schemes have their own secret-dependent operations, and lattice-based ML-KEM and ML-DSA have been attacked in unprotected implementations. NIST evaluated side-channel resistance during standardization and found the difficulty of protecting the finalists to be broadly similar.
What is masking and why does it come up so much with post-quantum crypto? Masking splits each secret value into random shares that are processed separately, so no single measured value correlates with the real secret. It comes up constantly for lattice schemes because their arithmetic has many secret-dependent intermediate steps, and masking is the leading software countermeasure researchers are developing for ML-KEM and ML-DSA.
Who discovered side-channel attacks? Paul Kocher published the first modern timing attack in 1996 and, with Joshua Jaffe and Benjamin Jun, differential power analysis in 1999. The physical principle is older still: the NSA’s TEMPEST work traces to a 1943 discovery that cipher equipment leaks plaintext through electromagnetic emissions.
Can I tell whether a product is side-channel resistant? Not from the algorithm name alone, because two products using the same standard can differ enormously in implementation quality. Meaningful assurance comes from independent evaluation and certification of the physical implementation, such as testing under FIPS 140-3 and related lab programs, rather than from the cipher on the datasheet.
Everything here is the map, given freely. When your team needs to know whether the implementations behind its post-quantum migration actually hold up against attacks like these, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.