Reference : Higher-Order Masking in Practice: A Vector Implementation of Masked AES for ARM NEON
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/25942
Higher-Order Masking in Practice: A Vector Implementation of Masked AES for ARM NEON
English
Wang, Junwei [Shandong University > School of Computer Science and Technology]
Vadnala, Praveen Kumar [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
Groszschädl, Johann mailto [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
Xu, Qiuliang [Shandong University > School of Computer Science and Technology]
Apr-2015
Topics in Cryptology - CT-RSA 2015, The Cryptographer's Track at the RSA Conference 2015, San Francisco, CA, USA, April 20-24, 2015. Proceedings
Nyberg, Kaisa
Springer Verlag
Lecture Notes in Computer Science, volume 9048
181-198
Yes
International
978-3-319-16714-5
Cryptographers' Track of the 24th RSA Conference (CT-RSA 2015)
from 20-04-2015 to 24-04-2015
San Francisco
CA
[en] Advanced Encryption Standard ; Differential Power Analysis (DPA) ; DPA Countermeasures ; Higher-Order Masking ; Vector SIMD Instructions
[en] Real-world software implementations of cryptographic algorithms need to be able to resist various kinds of side-channel attacks, in particular Differential Power Analysis (DPA). Masking is a widely-used countermeasure to protect block ciphers like the Advanced Encryption Standard (AES) against DPA attacks. The basic principle is to split all sensitive intermediate variables manipulated by the algorithm into two shares and process these shares separately. However, this approach still succumbs to higher-order DPA attacks, which exploit the joint leakage of a number of intermediate variables. A viable solution is to generalize masking such that at least d+1 shares are used to protect against d-th order attacks. Unfortunately, all current higher-order masking schemes introduce a significant computational overhead compared to unmasked implementations. To facilitate the deployment of higher-order masking for the AES in practice, we developed a vector implementation of Coron et al's masking scheme (FSE 2012) for ARM NEON processors. After a comprehensive complexity analysis, we found that Coron et al's scheme with n shares for each sensitive variable needs O(n^2) multiplications in the field GF(2^8) and O(n^2) random-number generations. Both of these performance-critical operations are executed with only 15 instructions in our software, which is possible thanks to the rich functionality of the NEON instruction set. Our experimental results demonstrate that the performance penalty caused by the integration of higher-order masking is significantly lower than in generally assumed and reported in previous papers. For example, our second-order DPA-protected AES (with three shares for each sensitive variable) is merely eight times slower than an unmasked baseline implementation that resists cache-timing attacks.
http://hdl.handle.net/10993/25942
10.1007/978-3-319-16715-2_10
http://link.springer.com/chapter/10.1007/978-3-319-16715-2_10

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Limited access
CTRSA2015.pdfPublisher postprint425.68 kBRequest a copy

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.