Protecting AES-128 Against First-Order Side-Channel Analysis in Micro-Architectures by Enforcing Threshold Implementation Principles
摘要
As embedded systems become increasingly pervasive, ensuring cryptographic security against side-channel attacks has emerged as a critical challenge. While masking schemes are a well-established countermeasure, micro-architectural features inherent to modern processors can introduce unintended leakages that fall outside the scope of classical leakage models. This work presents a first-order masked software implementation of AES-128, including the key schedule, targeting the ARM Cortex-M4 platform. The design adheres to software-specific threshold implementation principles, enforcing horizontal and vertical non-completeness as well as register-uniform masking. A bitsliced representation is adopted, with each share computed at a distinct index and cross-products evaluated independently to preserve security guarantees. The AES S-box is decomposed using a tower field representation, limiting the need to secure only 2- and 4-bit multiplications. Secure Toffoli gate constructions are employed to ensure that cross-domain multiplications adhere to TI constraints. The “changing of the guards” principle is applied to enable randomness reuse, thereby reducing the demand for fresh randomness. In contrast to prior work that prioritizes performance, this research emphasizes real-world side-channel security, validated through extensive practical evaluation using a Test Vector Leakage Assessment. The results demonstrate that secure software implementations are feasible without hardware changes, though this comes with associated performance trade-offs.