This repository provides some material related to the article
How Fast Can Higher-Order Masking Be in Software?
published at Eurocrypt 2017. The repository includes the source codes of the different masking schemes optimised in ARMv7 assembly as depicted in the paper.
- Dahmun Goudarzi
- Matthieu Rivain
Copyright © 2018, CryptoExperts License GNU General Public License v3 (GPLv3)
-
This code does not aim to be strong against side-channel attacks but to benchmark higher-order masking. Strength against side-channel attacks might require a mix of masking and other countermeasures. In particular, no measures were taken to avoid transition leakage (which is hardware dependent). It is likely that a n-share implementation suffers some (n/2)-order flaw because of transition hardware effects.
-
The code has been completely refactored for portability and open sourcing since the publication at Eurocrypt 2017. The target now differs from the one on which the timing were benchmarked in the original paper, which may introduce some differences. In essence the code and its optimisations are unchanged and should still lead to comparable performances.
All the ARMv7 assembly source files can be found in the files called src.
- 1_fieldmult.s: different field multiplications.
- 2_secmult_cprr.s: CPRR evaluation.
- 2_secmult_isw.s: ISW multiplication.
- 2_secmult_iswand.s: ISW-AND multiplication.
- 2_secmult_refresh.s: ISW-based refresh.
- 3_secsbox_bsaes.s: bitslice AES s-box.
- 3_secsbox_bspresent.s: bitslice PRESENT s-box.
- 3_secsbox_fog.s: FoG PRESENT s-box.
- 3_secsbox_khl.s: KHL AES s-box.
- 3_secsbox_rp.s: RP AES s-box.
- 4_seccipher_bsaes.s: bitslice AES encryption.
- 4_seccipher_bspresent.s: bitslice PRESENT encryption.
- 4_seccipher_regaes.s: regular AES encryption.
- 4_seccipher_regpresent.s: regular PRESENT encryption.
- random.s: random generation.
- parameter.h: Header files containing different sets of parameters.
- mode.h: Header files containing different modes for specific functions.
- main.c: Main file containing function to set up shares/unmasked shares according to mode chosen and testing the correctness.
- FIELDSIZE: sets the bit-size of the elements. Range from 4 to 10. On specific s-boxes such as AES and PRESENT needs to be set to 8 and 4 resp. in order to work.
- NBSHARES: sets the number of shares used to protect the implementation. Ranges from 2 to 10.
- MULT_MODE: sets the field multiplication algorithm. The possible values are listed in mode.h.
- CODE_MODE: sets the parallelisation level for the implementation. The possibles values are listed in mode.h. The code was developed for a 32-bit architecture. Hence consider that FIELDSIZE * CODE_MODE should not exceed 32.
- CIPH_MODE: sets some implementation tricks for regular AES encryption with KHL and RP schemes. The possible values are listed in mode.h. If not set to ANY, it should be used with specific sets of parameters (see below).
- RAND_MODE: sets the random number generator. Can either be C rand function for functionality testing (C_RAND) or a table look-up to emulate a fast TRNG for performance testing (TRNG).
- TEST_MODE: sets the function that will be tested. The possible values are listed in mode.h.
- NB_TESTS: sets the number of test that are going to be performed.
- BINMULT1: binary multiplication (l2r).
- BINMULT2: binary multiplication (l2r) with look-up table used for the modular reduction.
- EXPLOG1: exp-log multiplication.
- EXPLOG2: exp-log multiplication with look-up table used for the modular reduction.
- KARA: Karatsuba multiplication.
- HALFTAB: half table multiplication.
- FULLTAB: full table multiplication.
- FULLTABSHIFT: tweaked full table multiplication for 8 elements in parallel (for KHL cipher mode only).
- EXPLOG2SHIFT: tweaked exp-log multiplication for 4 elements in parallel (for RP cipher mode only).
- HALFTABSHIFT: tweaked half table multiplication for 4 elements in parallel (for in RP cipher mode only).
- NORMAL: no parallelisation.
- PARA2: parallelisation level 2: 2 elements/register.
- PARA4: parallelisation level 4: 4 elements/register (usually used for FIELDSIZE=8).
- PARA8: parallelisation level 8: 4 elements/register (only use for FIELDSIZE=4).
- BITSLICE: parallelisation level full: 32 elements/register.
- ANY: default choice for testing.
- KHL: used when testing KHL encryption.
- RP: used when testing RP encryption.
- RF1: regular refresh.
- RF4: optimised refresh (partial unrolling of loops).
- TRNG: "randomness" from table look-up to emulate a fast TRNG. For performance testing only!
- C_RAND: randomness from C rand function. For functionality testing.
- TEST_FIELDMULT: to test field multiplications.
- TEST_SECMULT_CPRR: to test CPRR evaluations.
- TEST_SECMULT_ISW: to test ISW multiplications.
- TEST_SECSBOX_RPAES: to test RP AES s-box.
- TEST_SECSBOX_KHLAES: to test KHL AES s-box.
- TEST_SECSBOX_FOGPRESENT: to test FoG PRESENT s-box.
- TEST_SECSBOX_BSAES: to test bitsliced AES s-box.
- TEST_SECSBOX_BSPRESENT: to test bitsliced PRESENT s-box.
- TEST_SECCIPHER_REGAES: to test regular AES encryption.
- TEST_SECCIPHER_REGPRESENT: to test regular PRESENT encryption.
- TEST_SECCIPHER_BSAES: to test bitslice AES encryption.
- TEST_SECCIPHER_BSPRESENT: to test bitslice PRESENT encryption.
To test the code:
- run the
python3 configure.pyscript and follow the instructions to set up the desired tests and its parameters. - use the
make clean; makecommand to compile the code. - run
./hom_ec17.
Due to the numerous amount of parameters, test coverage is work in progress (although the entire source code is already there). If you find any bug while testing this code, please contact the authors.
If you have any questions, please feel free to contact us at