The Attack That Bypasses the Math
A cryptographic algorithm can be proven secure in the mathematical sense — unbreakable given the hardness of some well-studied problem — and still leak its secret key to an attacker who watches how the implementation runs. Side-channel attacks do not break the math. They exploit the physical behavior of the executing code: how long it takes, how much power it consumes, what electromagnetic signals it emits, which memory locations it accesses. The math stays intact; the implementation betrays the secret.
The Classic Timing Attack on String Comparison
The naive way to compare a user-supplied password against a stored value is to loop through characters and return false as soon as a mismatch is found. This returns faster when the first character is wrong than when the first twenty characters are right.
Constant-Time Comparison in Practice
The fix is to compare all characters regardless of whether a mismatch has been found, using bitwise operations to accumulate a difference flag. Python's hmac.compare_digest() and Go's subtle.ConstantTimeCompare() implement this correctly. The execution ti
Cache-Timing Attacks: Flush and Reload
The Flush+Reload attack works as follows. The attacker flushes a specific cache line using the clflush instruction. The victim process then runs and may or may not access memory backed by that cache line, depending on a secret value — for example, an AES
Spectre as a Cache Side Channel
Spectre combines speculative execution with the Flush+Reload technique. The attacker trains the branch predictor to predict a particular branch as taken, then causes a victim process to speculatively execute code that reads a secret value and uses it as a
Constant-Time Programming as a Discipline
Writing cryptographic code that does not leak timing information requires treating execution time as a security property of every code path. The rules are: no early returns based on secret values, no conditional branches whose direction depends on secret data, no memory accesses whose addresses depend on secret values (no table lookups with secret indices), no variable-time hardware instructions (some divisions are variable-time on certain CPUs). This discipline is difficult, non-obvious, and easy to violate with innocent-looking refactors. The entire AES-NI instruction set exists partly to provide constant-time AES in hardware.
Go Deeper: Hash Functions
Constant-time programming is the defense against timing attacks — but to apply it intelligently, you need to understand what the cryptographic operations are actually computing. Hash functions are the most fundamental primitive in cryptography. Understanding what makes a hash function secure, and what properties it is designed to protect, is the starting point for the rest of applied cryptography.
