Side-channel attack
==Examples==
A '''{{visible anchor|cache side-channel attack}}''' works by monitoring security-critical operations such as [[Advanced Encryption Standard|AES]] T-table entry lookups<ref>{{cite book | chapter=Highly Efficient Algorithms for AES Key Retrieval in Cache Access Attacks | year=2016 | author1=Ashokkumar C. | title=2016 IEEE European Symposium on Security and Privacy (EuroS&P) | pages=261–275 | author2=Ravi Prakash Giri | author3=Bernard Menezes| doi=10.1109/EuroSP.2016.29 | isbn=978-1-5090-1751-5 | s2cid=11251391 }}</ref><ref>{{citation |url=http://eprint.iacr.org/2014/435.pdf |title=Wait a minute! A fast, Cross-VM attack on AES |author1=Gorka Irazoqui |author2=Mehmet Sinan Inci |author3=Thomas Eisenbarth |author4=Berk Sunar |access-date=2018-01-07 |archive-date=2017-08-11 |archive-url=https://web.archive.org/web/20170811001129/https://eprint.iacr.org/2014/435.pdf |url-status=live }}</ref><ref>{{citation |url=http://eprint.iacr.org/2013/448.pdf |title=Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack |author1=Yuval Yarom |author2=Katrina Falkner |access-date=2018-01-07 |archive-date=2017-07-05 |archive-url=https://web.archive.org/web/20170705164835/http://eprint.iacr.org/2013/448.pdf |url-status=live }}</ref> or modular exponentiation, multiplication, or other memory accesses.<ref>{{citation |url=http://eprint.iacr.org/2016/596.pdf |title=Cache Attacks Enable Bulk Key Recovery on the Cloud |author1=Mehmet S. Inci |author2=Berk Gulmezoglu |author3=Gorka Irazoqui |author4=Thomas Eisenbarth |author5=Berk Sunar |access-date=2018-01-07 |archive-date=2016-07-17 |archive-url=https://web.archive.org/web/20160717084327/http://eprint.iacr.org/2016/596.pdf |url-status=live }}</ref> The attacker then deduces the secret key from the accesses made (or not made) by the victim.

Also, unlike some other side-channel attacks, this method does not create a fault in the ongoing cryptographic operation and is invisible to the victim. In 2017, two [[Central processing unit|CPU]] vulnerabilities (dubbed [[Meltdown (security vulnerability)|Meltdown]] and [[Spectre (security vulnerability)|Spectre]]) were discovered, which can use a cache-based side channel to allow an attacker to leak memory contents of other processes and the operating system itself.

A '''[[timing attack]]''' watches data movement into and out of the [[Central processing unit|CPU]] or memory on the hardware running the cryptosystem or algorithm. Simply by observing variations in how long it takes to perform cryptographic operations, it might be possible to determine the entire secret key. Such attacks involve statistical analysis of timing measurements and have been demonstrated across networks.<ref>{{cite web|url=http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf|title=Remote timing attacks are practical|author1=David Brumley|author2=Dan Boneh|year=2003|access-date=2010-11-05|archive-date=2011-07-28|archive-url=https://web.archive.org/web/20110728122336/http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf|url-status=live}}</ref>

A '''[[Power analysis|power-analysis]]''' attack can provide even more detailed information by observing the power consumption of a hardware device such as a CPU or cryptographic circuit. These attacks are roughly categorized into simple power analysis (SPA) and differential power analysis (DPA). One example is Collide+Power, which affects nearly all CPUs.<ref>{{Cite web |last=Kovacs |first=Eduard |date=2023-08-01 |title=Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack |url=https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collidepower-side-channel-attack/ |access-date=2023-08-02 |website=SecurityWeek |language=en-US |archive-date=2024-07-11 |archive-url=https://web.archive.org/web/20240711072553/https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collidepower-side-channel-attack/ |url-status=live }}</ref><ref name=":3">{{Cite web |last=Claburn |first=Thomas |title=Another CPU data-leak flaw found. Luckily, it's impractical |url=https://www.theregister.com/2023/08/01/collide_power_cpu_attack/ |access-date=2023-08-02 |website=www.theregister.com |language=en}}</ref><ref>{{Citation |title=Collide+Power |date=2023-08-01 |url=https://github.com/IAIK/CollidePower |access-date=2023-08-02 |publisher=Institute of Applied Information Processing and Communications (IAIK) |archive-date=2023-08-01 |archive-url=https://web.archive.org/web/20230801200906/https://github.com/iaik/CollidePower |url-status=live }}</ref> Other examples use [[machine learning]] approaches.<ref>{{cite journal |last1=Lerman |first1=Liran |last2=Bontempi |first2=Gianluca |last3=Markowitch |first3=Olivier |title=Power analysis attack: an approach based on machine learning |journal=International Journal of Applied Cryptography |date=1 January 2014 |volume=3 |issue=2 |pages=97–115 |doi=10.1504/IJACT.2014.062722 |url=https://www.inderscienceonline.com/doi/abs/10.1504/IJACT.2014.062722 |issn=1753-0563 |access-date=25 September 2020 |archive-date=25 January 2021 |archive-url=https://web.archive.org/web/20210125184717/https://www.inderscienceonline.com/doi/abs/10.1504/IJACT.2014.062722 |url-status=live |url-access=subscription }}</ref>

Fluctuations in current also generate [[electromagnetic radiation|radio waves]], enabling attacks that analyze measurements of electromagnetic (EM) emanations. These attacks typically involve statistical techniques similar to those of power-analysis attacks.

A '''deep-learning-based side-channel attack''',<ref>{{cite journal |last1=Timon |first1=Benjamin |date=2019-02-28 |title=Non-Profiled Deep Learning-based Side-Channel attacks with Sensitivity Analysis |url=https://tches.iacr.org/index.php/TCHES/article/view/7387 |journal=IACR Transactions on Cryptographic Hardware and Embedded Systems |volume= |issn=2569-2925 |pages=107–131 |doi=10.13154/tches.v2019.i2.107-131 |s2cid=4052139 |access-date=2021-11-19 |archive-date=2021-11-12 |archive-url=https://web.archive.org/web/20211112113503/https://tches.iacr.org/index.php/TCHES/article/view/7387 |url-status=live }}</ref><ref>[https://ieeexplore.ieee.org/document/8806883 "X-DeepSCA: Cross-Device Deep Learning Side Channel Attack"] {{Webarchive|url=https://web.archive.org/web/20200222044307/https://ieeexplore.ieee.org/document/8806883 |date=2020-02-22 }} by D. Das, A. Golder, J. Danial, S. Ghosh, A. Raychowdhury and S. Sen, in 56th ACM/IEEE Design Automation Conference (DAC) 2019.</ref><ref>[https://ieeexplore.ieee.org/abstract/document/8777157 "Practical Approaches Toward Deep-Learning-Based Cross-Device Power Side-Channel Attack"] {{Webarchive|url=https://web.archive.org/web/20240711072555/https://ieeexplore.ieee.org/abstract/document/8777157 |date=2024-07-11 }} by A. Golder, D. Das, J. Danial, S. Ghosh, A. Raychowdhury and S. Sen, in IEEE Transactions on Very Large Scale Integration (VLSI) Systems, Vol. 27, Issue 12, 2019.</ref> using power and EM measurements from multiple devices, has been demonstrated with the potential to recover the secret key of a different but identical device from as little as a single trace.

Historical analogues to modern side-channel attacks are known. A recently declassified [[National Security Agency|NSA]] document reveals that as far back as 1943, an engineer with [[Bell Telephone Company|Bell telephone]] observed decipherable spikes on an oscilloscope associated with the decrypted output of a certain encrypting teletype.<ref>{{cite magazine|url=https://www.wired.com/2008/04/nsa-releases-se/|title=Declassified NSA document reveals the secret history of TEMPEST|magazine=Wired|publisher=Wired.com|date=April 29, 2008|access-date=May 2, 2008|archive-date=May 1, 2008|archive-url=https://web.archive.org/web/20080501092403/http://blog.wired.com/27bstroke6/2008/04/nsa-releases-se.html|url-status=live}}</ref> According to former [[MI5]] officer [[Peter Wright (MI5 officer)|Peter Wright]], the British Security Service analyzed emissions from French cipher equipment in the 1960s.<ref>{{Cite web|url=https://www.sans.org/reading-room/whitepapers/privacy/introduction-tempest-981|title=An Introduction to TEMPEST | SANS Institute|access-date=2015-10-06|archive-date=2017-09-05|archive-url=https://web.archive.org/web/20170905172700/https://www.sans.org/reading-room/whitepapers/privacy/introduction-tempest-981|url-status=live}}</ref> In the 1980s, [[KGB|Soviet]] eavesdroppers were suspected of having planted [[Surveillance bug|bugs]] inside IBM [[Selectric]] typewriters to monitor the electrical noise generated as the type ball rotated and pitched to strike the paper; the characteristics of those signals could determine which key was pressed.<ref>{{cite magazine|url=http://www.time.com/time/magazine/article/0,9171,964052-2,00.html|archive-url=https://web.archive.org/web/20110604062749/http://www.time.com/time/magazine/article/0,9171,964052-2,00.html|archive-date=June 4, 2011|title=The Art of High-Tech Snooping|magazine=Time| last= Church |first= George|date=April 20, 1987|access-date=January 21, 2010}}</ref>

Power consumption of devices causes heating, which is offset by cooling effects. Temperature changes create thermally induced mechanical stress. This stress can create low-level [[acoustics|acoustic]] emissions from operating CPUs (about 10 kHz in some cases). Recent research by [[Adi Shamir|Shamir]] et al. has suggested that information about the operation of cryptosystems and algorithms can be obtained in this way as well. This is an '''acoustic cryptanalysis attack'''.

If the surface of the CPU chip, or in some cases the CPU package, can be observed, [[infrared]] images can also provide information about the code being executed on the CPU, known as a '''thermal-imaging attack'''.{{citation needed|date=July 2016}}

Examples of an '''optical side-channel attack''' range from gleaning information from the hard disk activity indicator<ref>{{citation |url=http://www.securityweek.com/hard-drive-led-allows-data-theft-air-gapped-pcs |title=Hard Drive LED Allows Data Theft From Air-Gapped PCs |author=Eduard Kovacs |date=February 23, 2017 |access-date=2018-03-18 |work=Security Week |archive-date=2017-10-07 |archive-url=https://web.archive.org/web/20171007112737/http://www.securityweek.com/hard-drive-led-allows-data-theft-air-gapped-pcs |url-status=live }}</ref> to reading the small number of photons emitted by transistors as they change state.<ref>{{citation |url=http://digital-library.theiet.org/content/journals/10.1049/iet-ifs_20080038 |title=When AES blinks: introducing optical side channel |author1=J. Ferrigno |author2=M. Hlaváč |journal=IET Information Security |volume=2 |issue=3 |date=September 2008 |pages=94–98 |doi=10.1049/iet-ifs:20080038 |access-date=2017-03-16 |archive-date=2018-01-11 |archive-url=https://web.archive.org/web/20180111224141/http://digital-library.theiet.org/content/journals/10.1049/iet-ifs_20080038 |url-status=live |url-access=subscription }}</ref>

'''Allocation-based side channels''' also exist and refer to the information that leaks from the allocation (as opposed to the use) of a resource such as network bandwidth to clients that are concurrently requesting the contended resource.<ref>{{citation |url=https://eprint.iacr.org/2020/287.pdf |title=Private resource allocators and their Applications |author1=S. Angel |author2=S. Kannan |author3=Z. Ratliff |journal=Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2020. |access-date=2020-06-23 |archive-date=2020-06-24 |archive-url=https://web.archive.org/web/20200624113142/https://eprint.iacr.org/2020/287.pdf |url-status=live }}</ref>
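The two leak sources behind the cache side-channel and timing-attack paragraphs above are a table lookup indexed by secret data (the T-table access pattern a cache attack observes) and a secret-dependent early exit (the running-time variation a timing attack measures). The following C program is an added illustration, not code from the article or from any of the cited papers: it places each leaky pattern next to a constant-time rewrite and, instead of measuring time or probing the cache, reports the secret-dependent work each function did (bytes examined, cache lines touched), which is exactly what those channels expose. The key bytes, the table contents, and the 64-byte cache-line size used to count lines are constructed sample values.

```c
/* Added illustration (not from the Wikipedia article or the cited papers):
 * two secret-dependent code patterns that leak through the cache and timing
 * side channels, each next to a constant-time rewrite. Each function reports
 * the secret-dependent work it did rather than measuring it. Keys, table
 * contents and the 64-byte line size are constructed sample values. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ---- 1. Timing channel: early exit on the first differing byte ---------- */

/* Leaky: returns as soon as a byte differs, so the running time (here, the
 * number of bytes examined) reveals the length of the matching prefix. */
static int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n,
                         size_t *bytes_examined)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *bytes_examined = i + 1;
            return 0;
        }
    }
    *bytes_examined = n;
    return 1;
}

/* Constant-time: always examines every byte and never branches on the data.
 * The OR-accumulated difference is reduced to 0/1 arithmetically. */
static int ct_compare(const uint8_t *a, const uint8_t *b, size_t n,
                      size_t *bytes_examined)
{
    unsigned diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    *bytes_examined = n;
    /* (diff - 1) >> 8 has its low bit set only when diff == 0 */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* ---- 2. Cache channel: table lookup indexed by secret data --------------- */

#define TABLE_ENTRIES 256
#define LINE_BYTES 64                                     /* assumed line size */
#define ENTRIES_PER_LINE (LINE_BYTES / sizeof(uint32_t))  /* 16 entries/line  */
#define TABLE_LINES (TABLE_ENTRIES / ENTRIES_PER_LINE)    /* 16 lines in all  */

static uint32_t table[TABLE_ENTRIES];   /* stands in for one AES T-table */

/* Fill the table with constructed values; the contents do not matter here. */
static void init_table(void)
{
    unsigned i;
    for (i = 0; i < TABLE_ENTRIES; i++)
        table[i] = (uint32_t)i * 0x9E3779B1u;
}

/* Leaky: a single load, so the one cache line that becomes resident is a
 * function of idx (in AES, plaintext byte XOR key byte). *lines_touched
 * receives a bitmask with one bit per cache line of the table. */
static uint32_t leaky_lookup(uint8_t idx, uint32_t *lines_touched)
{
    *lines_touched = 1u << (idx / ENTRIES_PER_LINE);
    return table[idx];
}

/* Constant-time: reads every entry and keeps the wanted one with a mask, so
 * all TABLE_LINES lines are touched whatever idx is. Slower, but the cache
 * state no longer depends on the secret. */
static uint32_t ct_lookup(uint8_t idx, uint32_t *lines_touched)
{
    uint32_t result = 0;
    uint32_t i;
    for (i = 0; i < TABLE_ENTRIES; i++) {
        /* mask is all ones exactly when i == idx, computed without a branch */
        uint32_t x = i ^ (uint32_t)idx;
        uint32_t mask = 0u - ((x - 1u) >> 31);
        result |= table[i] & mask;
    }
    *lines_touched = (1u << TABLE_LINES) - 1u;
    return result;
}

int main(void)
{
    /* constructed sample key and two guesses differing at byte 0 and byte 2 */
    const uint8_t key[4]    = { 0x1a, 0x2b, 0x3c, 0x4d };
    const uint8_t guess1[4] = { 0xff, 0x2b, 0x3c, 0x4d };
    const uint8_t guess2[4] = { 0x1a, 0x2b, 0xff, 0x4d };
    size_t n1, n2, c1, c2;
    uint32_t leaky_lines, ct_lines;

    init_table();
    leaky_compare(key, guess1, 4, &n1);
    leaky_compare(key, guess2, 4, &n2);
    ct_compare(key, guess1, 4, &c1);
    ct_compare(key, guess2, 4, &c2);
    printf("leaky compare examined %zu vs %zu bytes; constant-time %zu vs %zu\n",
           n1, n2, c1, c2);                           /* 1 vs 3; 4 vs 4 */
    leaky_lookup(0x37, &leaky_lines);
    ct_lookup(0x37, &ct_lines);
    printf("leaky lookup line mask 0x%04x; constant-time line mask 0x%04x\n",
           (unsigned)leaky_lines, (unsigned)ct_lines); /* 0x0008; 0xffff */
    return 0;
}
```

The counters make the point that the cited cache and timing papers measure for real: the leaky comparison's work grows with the matching prefix, and the leaky lookup leaves a different cache line resident for each group of sixteen indices, while the constant-time versions do the same work and touch the same lines for every input. The full-table scan is the simplest such mitigation; production implementations more often avoid secret-indexed tables altogether (bitsliced or hardware AES).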