Higher-Order Masking in Practice: A Vector Implementation of Masked AES for ARM NEON

  • Junwei Wang
  • Praveen Kumar Vadnala
  • Johann Großschädl
  • Qiuliang XuEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9048)


Real-world software implementations of cryptographic algorithms need to be able to resist various kinds of side-channel attacks, in particular Differential Power Analysis (DPA). Masking is a widely-used countermeasure to protect block ciphers like the Advanced Encryption Standard (AES) against DPA attacks. The basic principle is to split all sensitive intermediate variables manipulated by the algorithm into two shares and process these shares separately. However, this approach still succumbs to higher-order DPA attacks, which exploit the joint leakage of a number of intermediate variables. A viable solution is to generalize masking such that at least \(d+1\) shares are used to protect against \(d\)-th order attacks. Unfortunately, all current higher-order masking schemes introduce a significant computational overhead compared to unmasked implementations. To facilitate the deployment of higher-order masking for the AES in practice, we developed a vector implementation of Coron et al’s masking scheme (FSE 2012) for ARM NEON processors. After a comprehensive complexity analysis, we found that Coron et al’s scheme with \(n\) shares for each sensitive variable needs \(\mathcal {O}(n^2)\) multiplications in the field GF(\(2^8\)) and \(\mathcal {O}(n^2)\) random-number generations. Both of these performance-critical operations are executed with only 15 instructions in our software, which is possible thanks to the rich functionality of the NEON instruction set. Our experimental results demonstrate that the performance penalty caused by the integration of higher-order masking is significantly lower than in generally assumed and reported in previous papers. For example, our second-order DPA-protected AES (with three shares for each sensitive variable) is merely eight times slower than an unmasked baseline implementation that resists cache-timing attacks.


Smart Card Advance Encryption Standard Linear Feedback Shift Register Modular Reduction True Random Number Generator 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    ARM Holdings plc. NEON Programmer’s Guide, Version 1.0. (2013).
  2. 2.
    Barrett, P.: Implementing the rivest shamir and adleman public key encryption algorithm on a standard digital signal processor. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 311–323. Springer, Heidelberg (1987) CrossRefGoogle Scholar
  3. 3.
    Bernstein, D.J., Schwabe, P.: NEON crypto. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 320–339. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  4. 4.
    Caddy, T.: Differential power analysis. In: van Tilborg, H.C., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, pp. 336–338. Springer (2011)Google Scholar
  5. 5.
    Chari, S., Jutla, C., Rao, J.R., Rohatgi, P.: A cautionary note regarding evaluation of aes candidates on smart-cards. In: Second Advanced Encryption Standard Candidate Conference, pp. 133–147 (1999)Google Scholar
  6. 6.
    Chari, S., Jutla, C.S., Rao, J.R., Rohatgi, P.: Towards sound approaches to counteract power-analysis attacks. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 398–412. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  7. 7.
    Coron, J.-S.: Higher order masking of look-up tables. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 441–458. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  8. 8.
    Coron, J.-S., Prouff, E., Rivain, M., Roche, T.: Higher-order side channel security and mask refreshing. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 410–424. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  9. 9.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer (2002)Google Scholar
  10. 10.
    Dhem, J.-F.: Efficient modular reduction algorithm in \(\mathbb{F}_q[x]\) and its application to “left to right” modular multiplication in \(\mathbb{F}_2[x]\). In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 203–213. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  11. 11.
    Gladman, B.R.: AES and combined encryption/authentication modes, June 2006.
  12. 12.
    Grosso, V., Standaert, F.-X., Faust, S.: Masking vs. multiparty computation: how large is the gap for AES? In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 400–416. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  13. 13.
    Grosso, V., Standaert, F., Faust, S.: Masking vs. multiparty computation: how large is the gap for AES? J. Cryptographic Engineering 4(1), 47–57 (2014)CrossRefGoogle Scholar
  14. 14.
    Guajardo, J., Paar, C.: Efficient algorithms for elliptic curve cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 342–356. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  15. 15.
    Ishai, Y., Sahai, A., Wagner, D.: Private circuits: securing hardware against probing attacks. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 463–481. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  16. 16.
    Kim, H.S., Hong, S., Lim, J.: A fast and provably secure higher-order masking of AES S-box. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 95–107. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  17. 17.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999) CrossRefGoogle Scholar
  18. 18.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31. Springer (2008)Google Scholar
  19. 19.
    Messerges, T.S.: Using second-order power analysis to attack DPA resistant software. In: Koç, Ç.K., Paar, C. (eds.) CHES 2000. LNCS, vol. 1965, pp. 238–251. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  20. 20.
    Rivain, M., Prouff, E.: Provably secure higher-order masking of AES. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 413–427. Springer, Heidelberg (2010). CrossRefGoogle Scholar
  21. 21.
    Rudra, A., Dubey, P.K., Jutla, C.S., Kumar, V., Rao, J.R., Rohatgi, P.: Efficient rijndael encryption implementation with composite field arithmetic. In: Koç, Ç.K., Naccache, D., Paar, C. (eds.) CHES 2001. LNCS, vol. 2162, pp. 171–184. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  22. 22.
    Satoh, A., Morioka, S., Takano, K., Munetoh, S.: A Compact rijndael hardware architecture with S-box optimization. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 239–254. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  23. 23.
    Waddle, J., Wagner, D.: Towards efficient second-order power analysis. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 1–15. Springer, Heidelberg (2004) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Junwei Wang
    • 1
    • 2
  • Praveen Kumar Vadnala
    • 2
  • Johann Großschädl
    • 2
  • Qiuliang Xu
    • 1
    Email author
  1. 1.School of Computer Science and TechnologyShandong UniversityJinanChina
  2. 2.Laboratory of Algorithmics, Cryptology and SecurityUniversity of LuxembourgWalferdangeLuxembourg

Personalised recommendations