Paper 2016/946

Bitsliced Masking and ARM: Friends or Foes?

Wouter de Groot, Kostas Papagiannopoulos, Antonio de La Piedra, Erik Schneider, and Lejla Batina


Software-based cryptographic implementations can be vulnerable to side-channel analysis. Masking countermeasures rank among the most prevalent techniques against it, ensuring formally the protection vs. value-based leakages. However, its applicability is halted by two factors. First, a masking countermeasure involves a computational overhead that can render implementations inefficient. Second, physical effects such as glitches and distance-based leakages can cause the reduction of the security order in practice, rendering the masking protection less effective. This paper, attempts to address both factors. In order to reduce the computational cost, we implement a high-throughput, bitsliced, 2nd-order masked implementation of the PRESENT cipher, using assembly in ARM Cortex-M4. The implementation outperforms the current state of the art and is capable of encrypting a 64-bit block of plaintext in 6,532 cycles (excluding RNG), using 1,644 bytes of data RAM and 1,552 bytes of code memory. Second, we analyze experimentally the effectiveness of masking in ARM devices, i.e. we examine the effects of distance-based leakages on the security order of our implementation. We confirm the theoretical model behind distance leakages for the first time in ARM-based architectures.

Available format(s)
Publication info
Published elsewhere. Lightsec 2016
Contact author(s)
kostaspap88 @ gmail com
2016-10-01: received
Short URL
Creative Commons Attribution


      author = {Wouter de Groot and Kostas Papagiannopoulos and Antonio de La Piedra and Erik Schneider and Lejla Batina},
      title = {Bitsliced Masking and ARM: Friends or Foes?},
      howpublished = {Cryptology ePrint Archive, Paper 2016/946},
      year = {2016},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.