Skip to main content
Springer Nature Link
Log in

Higher-Order Masking in Practice: A Vector Implementation of Masked AES for ARM NEON

  • Conference paper
  • First Online:
Topics in Cryptology –- CT-RSA 2015 (CT-RSA 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9048))

Included in the following conference series:

Abstract

Real-world software implementations of cryptographic algorithms need to be able to resist various kinds of side-channel attacks, in particular Differential Power Analysis (DPA). Masking is a widely-used countermeasure to protect block ciphers like the Advanced Encryption Standard (AES) against DPA attacks. The basic principle is to split all sensitive intermediate variables manipulated by the algorithm into two shares and process these shares separately. However, this approach still succumbs to higher-order DPA attacks, which exploit the joint leakage of a number of intermediate variables. A viable solution is to generalize masking such that at least \(d+1\) shares are used to protect against \(d\)-th order attacks. Unfortunately, all current higher-order masking schemes introduce a significant computational overhead compared to unmasked implementations. To facilitate the deployment of higher-order masking for the AES in practice, we developed a vector implementation of Coron et al’s masking scheme (FSE 2012) for ARM NEON processors. After a comprehensive complexity analysis, we found that Coron et al’s scheme with \(n\) shares for each sensitive variable needs \(\mathcal {O}(n^2)\) multiplications in the field GF(\(2^8\)) and \(\mathcal {O}(n^2)\) random-number generations. Both of these performance-critical operations are executed with only 15 instructions in our software, which is possible thanks to the rich functionality of the NEON instruction set. Our experimental results demonstrate that the performance penalty caused by the integration of higher-order masking is significantly lower than in generally assumed and reported in previous papers. For example, our second-order DPA-protected AES (with three shares for each sensitive variable) is merely eight times slower than an unmasked baseline implementation that resists cache-timing attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. ARM Holdings plc. NEON Programmer’s Guide, Version 1.0. (2013). http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0018a/index.html

  2. Barrett, P.: Implementing the rivest shamir and adleman public key encryption algorithm on a standard digital signal processor. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 311–323. Springer, Heidelberg (1987)

    Chapter  Google Scholar 

  3. Bernstein, D.J., Schwabe, P.: NEON crypto. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 320–339. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  4. Caddy, T.: Differential power analysis. In: van Tilborg, H.C., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, pp. 336–338. Springer (2011)

    Google Scholar 

  5. Chari, S., Jutla, C., Rao, J.R., Rohatgi, P.: A cautionary note regarding evaluation of aes candidates on smart-cards. In: Second Advanced Encryption Standard Candidate Conference, pp. 133–147 (1999)

    Google Scholar 

  6. Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  7. Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  8. Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  9. Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)

    Google Scholar 

  10. Dhem, J.-F.: Efficient modular reduction algorithm in \(\mathbb{F}_q[x]\) and its application to “left to right” modular multiplication in \(\mathbb{F}_2[x]\). In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 203–213. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  11. Gladman, B.R.: AES and combined encryption/authentication modes, June 2006. http://gladman.plushost.co.uk/oldsite/AES/index.php

  12. Grosso, V., Standaert, F.-X., Faust, S.: Masking vs. multiparty computation: how large is the gap for AES? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 400–416. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  13. Grosso, V., Standaert, F., Faust, S.: Masking vs. multiparty computation: how large is the gap for AES? J. Cryptographic Engineering 4(1), 47–57 (2014)

    Article  Google Scholar 

  14. Guajardo, J., Paar, C.: Efficient algorithms for elliptic curve cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 342–356. Springer, Heidelberg (1997)

    Chapter  Google Scholar 

  15. Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  16. Kim, H.S., Hong, S., Lim, J.: A fast and provably secure higher-order masking of AES S-box. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 95–107. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  17. Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  18. Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31. Springer (2008)

    Google Scholar 

  19. Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Koç, Ç.K., Paar, C. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  20. Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). http://eprint.iacr.org/2010/441

    Chapter  Google Scholar 

  21. Rudra, A., Dubey, P.K., Jutla, C.S., Kumar, V., Rao, J.R., Rohatgi, P.: Efficient rijndael encryption implementation with composite field arithmetic. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 171–184. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  22. Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A Compact rijndael hardware architecture with S-box optimization. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 239–254. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  23. Waddle, J., Wagner, D.: Towards efficient second-order power analysis. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 1–15. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. School of Computer Science and Technology, Shandong University, Jinan, 250100, Shandong, China

    Junwei Wang & Qiuliang Xu

  2. Laboratory of Algorithmics, Cryptology and Security, University of Luxembourg, Walferdange, Luxembourg

    Junwei Wang, Praveen Kumar Vadnala & Johann Großschädl

Authors
  1. Junwei Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Praveen Kumar Vadnala
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Johann Großschädl
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Qiuliang Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Qiuliang Xu .

Editor information

Editors and Affiliations

  1. Aalto University School of Science, Espoo, Finland

    Kaisa Nyberg

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Wang, J., Vadnala, P.K., Großschädl, J., Xu, Q. (2015). Higher-Order Masking in Practice: A Vector Implementation of Masked AES for ARM NEON. In: Nyberg, K. (eds) Topics in Cryptology –- CT-RSA 2015. CT-RSA 2015. Lecture Notes in Computer Science(), vol 9048. Springer, Cham. https://doi.org/10.1007/978-3-319-16715-2_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-16715-2_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16714-5

  • Online ISBN: 978-3-319-16715-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation