Like it or not they are technically correct. SHA-256 is a one way compression and furthermore the PoW for bitcoin doesn't require a match for the entire hash.
There's loads of examples of this in the bitcoin network whenever there's been a fork and eventually orphaned blocks.
The principles are the same — it's just harder to find collisions for larger digest sizes. (Although bugs in sha-1 add an interesting wrinkle to the discussion.)
In fact one could argue that encryption without requiring infinite bandwidth or computation requires finite difficulty in math puzzles.
So our current approach to encryption is fundamentally vulnerable to (vastly) more powerful adversary computers. Only things like quantum cryptography break free of that limitation, by changing the ground rules.
Algorithmic cryptography depends on a computation time approaching infinity for perfect security. Quantum cryptography depends on a data transmission rate approaching zero for perfect security. Either way, perfect security takes forever.
Unfortunately that is the one thing I can't really answer! I moved out of this space shortly after we published this work so I'm not currently up to date with the research in the area.
That said, if you like this sort of work, you should keep an eye out for papers coming out from Tromer/Genkin et al., they often present impressive results:
and stuff from the guys at NewAE is usually well written and worth the read (although they are a startup and probably less focused on papers these days):
Constant time only reduces the chance of 'simple power analysis' (SPA) which is predominantly what the authors perform ('simple' is misleading but it's just the name for it).
There are a number of works that perform 'differential power analysis' (DPA) attacks on mobile devices that target symmetric crypto. These are generally both constant time and constant execution path. In this instance, attackers can attack the data dependency in the EM emanations.
Simple example! A program that XORs two registers:
r1 = r1 XOR r2
If r2 has all the bits set to 1, then this will completely invert the contents of r1. This in turn consumes more energy (and hence emits more EM) in comparison to if r2 was all 0's. Hope that clarifies.
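To make the data-dependent leakage in the XOR example concrete, here is an added illustration (not code from the commenter or the paper) using a Hamming-distance leakage model: the energy of `r1 = r1 XOR r2` is modelled as the number of register bits that toggle, which equals HW(r2) regardless of r1. It also shows the standard countermeasure the thread alludes to, Boolean masking of the secret operand into random shares, and measures how strongly each version's leakage correlates with the secret; the 8-bit register width and the toy leakage model are assumptions.

```python
import random

WIDTH = 8  # assumed register width for the illustration

def hamming_weight(x: int) -> int:
    return bin(x).count("1")

def toggles(before: int, after: int) -> int:
    # Hamming-distance leakage model: energy ~ number of bits that flip
    return hamming_weight(before ^ after)

def xor_leak(r1: int, r2: int) -> int:
    """Leakage of the single instruction r1 = r1 XOR r2 (equals HW(r2))."""
    return toggles(r1, r1 ^ r2)

def masked_xor_leaks(r1: int, r2: int, rng: random.Random) -> tuple:
    """Same operation with the secret r2 split into two random Boolean shares.
    Executed as two instructions: r1 ^= s0 ; r1 ^= s1, where s0 ^ s1 == r2.
    Each instruction's toggle count is HW of a uniformly random share."""
    s0 = rng.getrandbits(WIDTH)
    s1 = r2 ^ s0
    t1 = r1 ^ s0
    return toggles(r1, t1), toggles(t1, t1 ^ s1)

def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def leak_correlation(masked: bool, trials: int = 5000, seed: int = 1) -> float:
    """Correlation between HW(secret r2) and the leakage of one instruction,
    over random r1/r2 pairs. Unmasked: 1.0. First-order masked: ~0."""
    rng = random.Random(seed)
    secrets, leaks = [], []
    for _ in range(trials):
        r1, r2 = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)
        secrets.append(hamming_weight(r2))
        leaks.append(masked_xor_leaks(r1, r2, rng)[0] if masked else xor_leak(r1, r2))
    return pearson(secrets, leaks)

if __name__ == "__main__":
    print(xor_leak(0x5A, 0xFF), xor_leak(0x5A, 0x00))  # 8 toggles vs 0
    print(round(leak_correlation(False), 3), round(leak_correlation(True), 3))
```

Note that masking only removes the first-order dependency: combining the two per-instruction leakages (a second-order attack) can still recover information, which is why the commenter stresses the cost-vs-benefit of such countermeasures.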
This isn't exactly a cryptography-related problem to begin with; it's an implementation issue, which inherently all side-channel attacks are.
This doesn't mean that you can't add some resistance against side channel attacks to your cryptographic algorithm but it will cost you quite a bit in terms of performance, and for the most part it's not where it should be.
Better silicon should solve some of these issues, for example adding some additional isolation between the power section and the logic; a small super-cap with decent in-band filtering might do the trick.
As far as radiating EM goes I'm not sure what can be done but some more additional shielding and EM noise reduction should add some degree of protection.
Most implementations will eventually be vulnerable to some type of side-channel attack; the complexity and cost-vs-benefit is important here.
Launching an evil USB attack on the off chance of getting a key is most likely not very scalable, but considering that NFC/wireless payments for phones will become more and more common, and that crypto-currencies might actually end up being in common day use, being able to extract keys during signing from EM leakage might just be the natural evolution of ATM/payment card skimmer attacks.
In the past 2-3 years we had various key extraction attacks using "strange" vectors like EM/audio extraction, temperature, CPU usage, cross-platform cache attacks; these attacks can threaten cloud computing and mobile computing quite severely unless we can root them out and begin to modify the devices and platforms to be much more resistant to them.
The Apple hardware perspective is mostly just a gimmick. The side-channel leaks are a direct result of the ARM IP core (also not Apple proprietary). This is arguably old news, people have been attacking ARM based mobile devices for years now.
It would be far more interesting to see if they could attack the Apple crypto hardware accelerators which AFAIK are hardened against these types of attack (as is the Apple CommonCrypto framework as of iOS 9). Apple seems to have ramped up their side-channel game in recent years.
The paper serves to demonstrate that electromagnetic side-channel attacks on mobile devices (even almighty Apple stuff) are feasible. ECDSA is just an example they chose. Also, Curve25519 is only side-channel resistant to timing side-channels, this does NOT protect it in any way against the EM side-channels exploited in this paper. You can't expect the authors to go over every possible curve out there.
I was not questioning the impact of their demonstration, which is really impressive.
However, being responsible academics, they should have done their related work research. And when doing related work research on side-channel attacks against elliptic curves, it is hardly possible to miss Curve25519 and the fact that it was designed with side-channel attacks in mind. The authors at least reference earlier work by DJB on attacking AES.
Also, Curve25519 is only side-channel resistant to timing side-channels, this does NOT protect it in any way against the EM side-channels exploited in this paper.
This only reinforces the point that performing an EM side-channel attack on Curve25519/NaCl/Sodium would have been a good contribution to the state of the art, with mentioning Curve25519 in the "Future work" section a viable second.
It's great to see this kind of work published. It is worth noting however that the US government is well aware of these kinds of attacks. The Snowden docs show that the CIA have been performing side-channel analysis since 2012 on the iPhone 4s and iPad 2: https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-...