Paper 2018/173

Vectorizing Higher-Order Masking

Benjamin Grégoire, Kostas Papagiannopoulos, Peter Schwabe, and Ko Stoffelen


The cost of higher-order masking as a countermeasure against side-channel attacks is often considered too high for practical scenarios, as protected implementations become very slow. At Eurocrypt 2017, the bounded moment leakage model was proposed to study the (theoretical) security of parallel implementations of masking schemes. Work at CHES 2017 then brought this to practice by considering an implementation of AES with 32 shares, bitsliced inside 32-bit registers of ARM Cortex-M processors. In this paper we show how the NEON vector instructions of larger ARM Cortex-A processors can be exploited to build much faster masked implementations of AES. Specifically, we present AES with 4 and 8 shares, which in theory provide security against 3rd and 7th-order attacks, respectively. The software is publicly available and optimized for the ARM Cortex-A8. We use refreshing and multiplication algorithms that are proven to be secure in the bounded moment leakage model and to be strongly non-interfering. Additionally, we perform a concrete side-channel evaluation on a BeagleBone Black, using a combination of test vector leakage assessment (TVLA), leakage certification tools and information-theoretic bounds.

Available format(s)
Publication info
Published elsewhere. COSADE 2018
Higher-order maskingside-channel analysisAESARM Cortex-A8
Contact author(s)
k stoffelen @ cs ru nl
2018-02-14: received
Short URL
Creative Commons Attribution


      author = {Benjamin Grégoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen},
      title = {Vectorizing Higher-Order Masking},
      howpublished = {Cryptology ePrint Archive, Paper 2018/173},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.