
Bitsliced Masking and ARM: Friends or Foes?

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10098))

Abstract

Software-based cryptographic implementations can be vulnerable to side-channel analysis. Masking countermeasures rank among the most prevalent techniques against it, formally ensuring protection against value-based leakages. However, their applicability is hindered by two factors. First, a masking countermeasure involves a computational overhead that can render implementations inefficient. Second, physical effects such as glitches and distance-based leakages can reduce the security order in practice, making the masking protection less effective. This paper attempts to address both factors. In order to reduce the computational cost, we implement a high-throughput, bitsliced, 2nd-order masked implementation of the PRESENT cipher, using assembly on the ARM Cortex-M4. The implementation outperforms the current state of the art and is capable of encrypting a 64-bit block of plaintext in 6,532 cycles (excluding RNG), using 1,644 bytes of data RAM and 1,552 bytes of code memory. Second, we experimentally analyze the effectiveness of masking in ARM devices, i.e. we examine the effects of distance-based leakages on the security order of our implementation. We confirm the theoretical model behind distance leakages for the first time in ARM-based architectures.
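As an added illustration, not code from the paper, the following C shows the core gadget such a bitsliced 2nd-order masked implementation is built from: a three-share ISW AND over 32-bit bitsliced words, with a functional check, plus a helper showing why a Hamming-distance sample between two share registers collapses the security order. The `shares3` type, the xorshift PRNG standing in for the device RNG, and all function names are assumptions.

```c
#include <stdint.h>

/* A 32-bit bitsliced word x held as three Boolean shares: x = s[0] ^ s[1] ^ s[2]. */
typedef struct { uint32_t s[3]; } shares3;

/* Constructed xorshift32 generator standing in for the device RNG; not a CSPRNG. */
static uint32_t prng_state = 0x2545F491u;
static uint32_t rng32(void) {
    uint32_t x = prng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return prng_state = x;
}

/* Split x into three shares using two fresh random masks. */
static shares3 mask3(uint32_t x) {
    shares3 r;
    r.s[1] = rng32();
    r.s[2] = rng32();
    r.s[0] = x ^ r.s[1] ^ r.s[2];
    return r;
}

static uint32_t unmask3(shares3 a) { return a.s[0] ^ a.s[1] ^ a.s[2]; }

/* Second-order ISW AND on bitsliced words: one 32-bit AND gate of the S-box
 * circuit costs 9 ANDs, 12 XORs and 3 fresh random words. */
static shares3 and3(shares3 a, shares3 b) {
    shares3 c;
    uint32_t r01 = rng32(), r02 = rng32(), r12 = rng32();
    /* r_ji = (r_ij ^ a_i b_j) ^ a_j b_i: the mask is XORed in before the
     * second cross term, so no intermediate equals a_i b_j ^ a_j b_i. */
    uint32_t r10 = (r01 ^ (a.s[0] & b.s[1])) ^ (a.s[1] & b.s[0]);
    uint32_t r20 = (r02 ^ (a.s[0] & b.s[2])) ^ (a.s[2] & b.s[0]);
    uint32_t r21 = (r12 ^ (a.s[1] & b.s[2])) ^ (a.s[2] & b.s[1]);
    c.s[0] = (a.s[0] & b.s[0]) ^ r01 ^ r02;
    c.s[1] = (a.s[1] & b.s[1]) ^ r10 ^ r12;
    c.s[2] = (a.s[2] & b.s[2]) ^ r20 ^ r21;
    return c;
}

/* Functional check: the shared AND recombines to the plain AND. */
static int masked_and_ok(uint32_t a, uint32_t b) {
    return unmask3(and3(mask3(a), mask3(b))) == (a & b);
}

/* Distance-based leakage: if s[1] overwrites s[0] in one register or bus, a
 * Hamming-distance sample sees HW(s[0] ^ s[1]) = HW(x ^ s[2]). One sample now
 * depends on two shares, so a 2nd-order scheme behaves like a 1st-order one. */
static int hd_two_shares(shares3 a) { return __builtin_popcount(a.s[0] ^ a.s[1]); }
```

The XOR ordering inside `and3` is only guaranteed in hand-written assembly such as the paper's; a C compiler is free to reassociate it, which is one reason the authors work at the assembly level.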

The work described in this paper has been supported by the Netherlands Organization for Scientific Research NWO under project ProFIL (628.001.007).


Notes

  1. In particular, we used an STM32F417IG SoC by ST clocked at 168 MHz with 1,024 Kbytes of Flash and 196 Kbytes of RAM.
  2. http://tinyurl.com/zw7zlkv (Accessed 24 June 2016).
  3. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56552 (Accessed 24 June 2016).
  4. Bit-banding allows individual bits to be addressed as though they were bytes in RAM.
  5. Note that implementations based on lookup tables can be prone to timing side-channel attacks in the presence of memory caches.
  6. https://www.riscure.com/security-tools/hardware/pinata (Accessed 24 June 2016).
  7. Knowledge about the device can often be limited in the context of black-box evaluations.
  8. https://www.riscure.com/security-tools/hardware/current-probe (Accessed 24 June 2016).
  9. Note that side-channel analysis usually employs two-tailed tests.


Acknowledgments

We would like to thank Rafael Boix–Carpi from Riscure BV for his advice and help.

Author information

Correspondence to Kostas Papagiannopoulos.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

de Groot, W., Papagiannopoulos, K., de La Piedra, A., Schneider, E., Batina, L. (2017). Bitsliced Masking and ARM: Friends or Foes? In: Bogdanov, A. (ed.) Lightweight Cryptography for Security and Privacy. LightSec 2016. Lecture Notes in Computer Science, vol 10098. Springer, Cham. https://doi.org/10.1007/978-3-319-55714-4_7


  • DOI: https://doi.org/10.1007/978-3-319-55714-4_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-55713-7

  • Online ISBN: 978-3-319-55714-4
