Paper 2018/173

Benjamin Grégoire, Kostas Papagiannopoulos, Peter Schwabe, and Ko Stoffelen

Abstract

The cost of higher-order masking as a countermeasure against side-channel attacks is often considered too high for practical scenarios, as protected implementations become very slow. At Eurocrypt 2017, the bounded moment leakage model was proposed to study the (theoretical) security of parallel implementations of masking schemes. Work at CHES 2017 then brought this to practice by considering an implementation of AES with 32 shares, bitsliced inside 32-bit registers of ARM Cortex-M processors. In this paper we show how the NEON vector instructions of larger ARM Cortex-A processors can be exploited to build much faster masked implementations of AES. Specifically, we present AES with 4 and 8 shares, which in theory provide security against 3rd and 7th-order attacks, respectively. The software is publicly available and optimized for the ARM Cortex-A8. We use refreshing and multiplication algorithms that are proven to be secure in the bounded moment leakage model and to be strongly non-interfering. Additionally, we perform a concrete side-channel evaluation on a BeagleBone Black, using a combination of test vector leakage assessment (TVLA), leakage certification tools and information-theoretic bounds.

Available format(s)
Category
Implementation
Publication info
Keywords
Contact author(s)
k stoffelen @ cs ru nl
History
Short URL
https://ia.cr/2018/173

CC BY

BibTeX

@misc{cryptoeprint:2018/173,
author = {Benjamin Grégoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen},
howpublished = {Cryptology ePrint Archive, Paper 2018/173},
year = {2018},
note = {\url{https://eprint.iacr.org/2018/173}},
url = {https://eprint.iacr.org/2018/173}
}

Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.