Cryptology ePrint Archive: Report 2018/173

Vectorizing Higher-Order Masking

Benjamin Grégoire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen

Abstract: The cost of higher-order masking as a countermeasure against side-channel attacks is often considered too high for practical scenarios, as protected implementations become very slow. At Eurocrypt 2017, the bounded moment leakage model was proposed to study the (theoretical) security of parallel implementations of masking schemes. Work at CHES 2017 then brought this to practice by considering an implementation of AES with 32 shares, bitsliced inside 32-bit registers of ARM Cortex-M processors. In this paper we show how the NEON vector instructions of larger ARM Cortex-A processors can be exploited to build much faster masked implementations of AES. Specifically, we present AES with 4 and 8 shares, which in theory provide security against 3rd and 7th-order attacks, respectively. The software is publicly available and optimized for the ARM Cortex-A8. We use refreshing and multiplication algorithms that are proven to be secure in the bounded moment leakage model and to be strongly non-interfering. Additionally, we perform a concrete side-channel evaluation on a BeagleBone Black, using a combination of test vector leakage assessment (TVLA), leakage certification tools and information-theoretic bounds.

Category / Keywords: implementation / Higher-order masking, side-channel analysis, AES, ARM Cortex-A8

Original Publication (in the same form): COSADE 2018

Date: received 9 Feb 2018

Contact author: k stoffelen at cs ru nl

Available format(s): PDF | BibTeX Citation

Version: 20180214:124600 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]