Paper 2021/1110

Secure and Efficient Software Masking on Superscalar Pipelined Processors

Barbara Gigerl, Robert Primas, and Stefan Mangard


Physical side-channel attacks like power analysis pose a serious threat to cryptographic devices in real-world applications. Consequently, devices implement algorithmic countermeasures like masking. In the past, works on the design and verification of masked software implementations have mostly focused on simple microprocessors that find usage on smart cards. However, many other applications such as in the automotive industry require side-channel protected cryptographic computations on much more powerful CPUs. In such situations, the security loss due to complex architectural side-effects, the corresponding performance degradation, as well as discussions of suitable probing models and verification techniques are still vastly unexplored research questions. We answer these questions and perform a comprehensive analysis of more complex processor architectures in the context of masking-related side effects. First, we analyze the RISC-V SweRV core — featuring a 9-stage pipeline, two execution units, and load/store buffers — and point out a significant gap between security in a simple software probing model and practical security on such CPUs. More concretely, we show that architectural side effects of complex CPU architectures can significantly reduce the protection order of masked software, both via formal analysis in the hardware probing model, as well as empirically via gate-level timing simulations. We then discuss the options of fixing these problems in hardware or leaving them as constraints to software. Based on these software constraints, we formulate general rules for the design of masked software on more complex CPUs. Finally, we compare several implementation strategies for masking schemes and present in a case study that designing secure masked software for complex CPUs is still possible with overhead as low as 13%.

Available format(s)
Publication info
Published by the IACR in ASIACRYPT 2021
maskingverificationside-channel analysisswervglitchesapplication-level processorscocoprobing model
Contact author(s)
barbara gigerl @ iaik tugraz at
robert primas @ iaik tugraz at
stefan mangard @ iaik tugraz at
2021-08-31: received
Short URL
Creative Commons Attribution


      author = {Barbara Gigerl and Robert Primas and Stefan Mangard},
      title = {Secure and Efficient Software Masking on Superscalar Pipelined Processors},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1110},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.