Vectorizing Higher-Order Masking

  title={Vectorizing Higher-Order Masking},
  author={Benjamin Gr{\'e}goire and Kostas Papagiannopoulos and Peter Schwabe and Ko Stoffelen},
  journal={IACR Cryptol. ePrint Arch.},
The cost of higher-order masking as a countermeasure against side-channel attacks is often considered too high for practical scenarios, as protected implementations become very slow. At Eurocrypt 2017, the bounded moment leakage model was proposed to study the (theoretical) security of parallel implementations of masking schemes [5]. Work at CHES 2017 then brought this to practice by considering an implementation of AES with 32 shares [26], bitsliced inside 32-bit registers of ARM Cortex-M… 
Breaking Masked Implementations with Many Shares on 32-bit Software Platforms or When the Security Order Does Not Matter
The concrete side-channel security provided by state-of-the-art higher-order masked software implementations of the AES and Clyde on ARM Cortex-M0 and M3 devices is explored, and the evolution of the proposed attack complexities in the presence of additional countermeasures is extrapolated using the local random probing model proposed at CHES 2020.
Fast Verification of Masking Schemes in Characteristic Two
The matrix model for non-interference (NI) probing security of masking gadgets is revisited and the theorems on which this model is based are generalised, so as to be able to apply them to masking schemes over any finite field and to analyse the strong non-interference (SNI) security notion.
SME: Scalable Masking Extensions
This work presents SME, an instruction set extension for enabling secure and efficient software masking of cryptographic code at higher security orders, and is the first example of enabling flexible side-channel secure implementations of the official RISC-V lightweight cryptography instructions.
Side-Channel Countermeasures’ Dissection
We take advantage of a recently published open source implementation of the AES protected with a mix of countermeasures against side-channel attacks to discuss both the challenges in protecting COTS
SKIVA: Flexible and Modular Side-channel and Fault Countermeasures
SKIVA is described, a customized 32-bit processor enabling the design of software countermeasures for a broad range of implementation attacks, covering fault injection and side-channel analysis of timing-based and power-based leakage, all as variants of bitslice programming.
Side-Channel Countermeasures' Dissection and the Limits of Closed Source Security Evaluations
We take advantage of a recently published open source implementation of the AES protected with a mix of countermeasures against side-channel attacks to discuss both the challenges in protecting COTS
Custom Instruction Support for Modular Defense against Side-channel and Fault Attacks
This is the first validated end-to-end implementation of a modular bitslice-oriented countermeasure and demonstrates and analyzes multiple versions of AES from a side-channel analysis and a fault-injection perspective.
On the Performance Gap of a Generic C Optimized Assembler and Wide Vector Extensions for Masked Software with an Ascon-p test case
This manuscript presents several fully generic masked implementations for any order, multiple highly optimized (inline-)assembler instances which remain quite generic (for a wide spectrum of ISAs), and very specific implementations targeting specific extensions.
Authenticated Encryption with Nonce Misuse and Physical Leakages: Definitions, Separation Results, and Leveled Constructions
These new definitions offer various insights on the effect of leakages in the security landscape and aim at modes that support “leveled implementations” such that the encryption and decryption operations require the use of a small constant number of evaluations of an expensive and heavily protected component, while the bulk of the computations can be performed by cheap and weakly protected block cipher implementations.
Real-time Detection and Adaptive Mitigation of Power-based Side-Channel Leakage in SoC
A real-time leakage detection and mitigation system which enables the system to monitor the side-channel leakage effects of the hardware and protect any algorithm running on it.


How Fast Can Higher-Order Masking Be in Software?
This paper investigates efficient higher-order masking techniques through a case study on ARM architectures, examining the implementation of the base field multiplication at the assembly level and an alternative to these methods based on bitslicing at the S-box level.
Higher-Order Masking in Practice: A Vector Implementation of Masked AES for ARM NEON
A vector implementation of Coron et al.'s masking scheme (FSE 2012) for ARM NEON processors is developed, demonstrating that the performance penalty caused by the integration of higher-order masking is significantly lower than is generally assumed and reported in previous papers.
Bitsliced Masking and ARM: Friends or Foes?
A high-throughput, bitsliced, 2nd-order masked implementation of the PRESENT cipher is implemented, using assembly in ARM Cortex-M4, and the theoretical model behind distance leakages is confirmed for the first time in ARM-based architectures.
Very High Order Masking: Efficient Implementation and Security Evaluation
This paper proposes a new "multi-model" evaluation methodology which takes advantage of different (more or less abstract) security models introduced in the literature and concludes that these implementations withstand worst-case adversaries with more than 2^64 measurements under falsifiable assumptions.
Higher-Order Side Channel Security and Mask Refreshing
This paper shows that the method proposed at CHES 2010 to do mask refreshing introduces a security flaw in the overall masking scheme, and proposes a new solution which avoids the use of mask refreshing, and proves its security.
Provably Secure Higher-Order Masking of AES
This paper presents the first generic dth-order masking scheme for AES with a provable security and a reasonable software implementation overhead and can be efficiently implemented in software on any general-purpose processor.
Mind the Gap: Towards Secure 1st-Order Masking in Software
An in-depth investigation of the device-specific effects that invalidate ILA in the AVR microcontroller ATMega163 is performed, an automated tool capable of detecting ILA violations in AVR assembly code is provided, and the first "hardened" 1st-order ISW-based masked S-box implementation is crafted, which is capable of resisting first-order, univariate side-channel attacks.
Masking against Side-Channel Attacks: A Formal Security Proof
It is proved that the information gained by observing the leakage from one execution can be made negligible (in the masking order) and a formal security proof for masked implementations of block ciphers is provided.
The World is Not Enough: Another Look on Second-Order DPA
It is shown that under certain assumptions, the (so-called) standard univariate side-channel attacks using a distance-of-means test, correlation analysis and Gaussian templates are essentially equivalent, and that in the context of multivariate attacks against masked implementations, this conclusion does not hold anymore.
A Fast and Provably Secure Higher-Order Masking of AES S-Box
This paper proposes an efficient and secure higher-order masking algorithm for the AES S-box, which consumes most of the computation time of the higher-order masked AES. During the past few years, much of the