Paper 2022/327

Provable Secure Software Masking in the Real-World

Arthur Beckers, Lennert Wouters, Benedikt Gierlichs, Bart Preneel, and Ingrid Verbauwhede


We evaluate eight implementations of provable secure side-channel masking schemes that were published in top-tier academic venues such as Eurocrypt, Asiacrypt, CHES and SAC. Specifically, we evaluate the side-channel attack resistance of eight open-source and first-order side-channel protected AES-128 software implementations on the Cortex-M4 platform. Using a T-test based leakage assessment we demonstrate that all implementations produce first-order leakage with as little as 10,000 traces. Additionally, we demonstrate that all except for two Inner Product Masking based implementations are vulnerable to a straightforward correlation power analysis attack. We provide an assembly level analysis showing potential sources of leakage for two implementations. Some of the studied implementations were provided for benchmarking purposes. We demonstrate several flaws in the benchmarking procedures and question the usefulness of the reported performance numbers in the face of the implementations’ poor side-channel resistance. This work serves as a reminder that practical evaluations cannot be omitted in the context of side-channel analysis.

Available format(s)
Publication info
Published elsewhere. Minor revision. Workshop on Constructive Side-Channel Analysis and Secure Design 2022
Side-Channel AnalysisLeakage AssessmentMasking in Software
Contact author(s)
lennert wouters @ esat kuleuven be
benedikt gierlichs @ esat kuleuven be
2022-03-14: received
Short URL
Creative Commons Attribution


      author = {Arthur Beckers and Lennert Wouters and Benedikt Gierlichs and Bart Preneel and Ingrid Verbauwhede},
      title = {Provable Secure Software Masking in the Real-World},
      howpublished = {Cryptology ePrint Archive, Paper 2022/327},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.