Cryptology ePrint Archive: Report 2016/946

Bitsliced Masking and ARM: Friends or Foes?

Wouter de Groot and Kostas Papagiannopoulos and Antonio de La Piedra and Erik Schneider and Lejla Batina

Abstract: Software-based cryptographic implementations can be vulnerable to side-channel analysis. Masking countermeasures rank among the most prevalent techniques against it, ensuring formally the protection vs. value-based leakages. However, its applicability is halted by two factors. First, a masking countermeasure involves a computational overhead that can render implementations inefficient. Second, physical effects such as glitches and distance-based leakages can cause the reduction of the security order in practice, rendering the masking protection less effective. This paper, attempts to address both factors. In order to reduce the computational cost, we implement a high-throughput, bitsliced, 2nd-order masked implementation of the PRESENT cipher, using assembly in ARM Cortex-M4. The implementation outperforms the current state of the art and is capable of encrypting a 64-bit block of plaintext in 6,532 cycles (excluding RNG), using 1,644 bytes of data RAM and 1,552 bytes of code memory. Second, we analyze experimentally the effectiveness of masking in ARM devices, i.e. we examine the effects of distance-based leakages on the security order of our implementation. We confirm the theoretical model behind distance leakages for the first time in ARM-based architectures.

Category / Keywords: implementation / PRESENT, ARM, masking, bitslicing

Original Publication (in the same form): Lightsec 2016

Date: received 30 Sep 2016

Contact author: kostaspap88 at gmail com

Available format(s): PDF | BibTeX Citation

Version: 20161001:184353 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]