As embedded systems become increasingly pervasive, ensuring cryptographic security against side-channel attacks has emerged as a critical challenge. While masking schemes are a well-established countermeasure, micro-architectural features inherent to modern processors can introduce unintended leakages that fall outside the scope of classical leakage models. This work presents a first-order masked software implementation of AES-128, including the key schedule, targeting the ARM Cortex-M4 platform. The design adheres to software-specific threshold implementation principles, enforcing horizontal and vertical non-completeness as well as register-uniform masking. A bitsliced representation is adopted, with each share computed at a distinct index and cross-products evaluated independently to preserve security guarantees. The AES S-box is decomposed using a tower field representation, limiting the need to secure only 2- and 4-bit multiplications. Secure Toffoli gate constructions are employed to ensure that cross-domain multiplications adhere to TI constraints. The “changing of the guards” principle is applied to enable randomness reuse, thereby reducing the demand for fresh randomness. In contrast to prior work that prioritizes performance, this research emphasizes real-world side-channel security, validated through extensive practical evaluation using a Test Vector Leakage Assessment. The results demonstrate that secure software implementations are feasible without hardware changes, though this comes with associated performance trade-offs.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Protecting AES-128 Against First-Order Side-Channel Analysis in Micro-Architectures by Enforcing Threshold Implementation Principles

  • Charles-Antoine De Paepe,
  • John Gaspoz,
  • Dilara Toprakhisar,
  • Svetla Nikova

摘要

As embedded systems become increasingly pervasive, ensuring cryptographic security against side-channel attacks has emerged as a critical challenge. While masking schemes are a well-established countermeasure, micro-architectural features inherent to modern processors can introduce unintended leakages that fall outside the scope of classical leakage models. This work presents a first-order masked software implementation of AES-128, including the key schedule, targeting the ARM Cortex-M4 platform. The design adheres to software-specific threshold implementation principles, enforcing horizontal and vertical non-completeness as well as register-uniform masking. A bitsliced representation is adopted, with each share computed at a distinct index and cross-products evaluated independently to preserve security guarantees. The AES S-box is decomposed using a tower field representation, limiting the need to secure only 2- and 4-bit multiplications. Secure Toffoli gate constructions are employed to ensure that cross-domain multiplications adhere to TI constraints. The “changing of the guards” principle is applied to enable randomness reuse, thereby reducing the demand for fresh randomness. In contrast to prior work that prioritizes performance, this research emphasizes real-world side-channel security, validated through extensive practical evaluation using a Test Vector Leakage Assessment. The results demonstrate that secure software implementations are feasible without hardware changes, though this comes with associated performance trade-offs.