An Instruction Set Extension to Support Software-Based Masking Si Gao1, Johann Großschädl2, Ben Marshall3,6, Dan Page3, Thinh Pham3 and Francesco Regazzoni4,5 1 Alpen-Adria Universität Klagenfurt.
[email protected] 2 Department of Computer Science, University of Luxembourg.
[email protected] 3 Department of Computer Science, University of Bristol. {ben.marshall,daniel.page,th.pham}@bristol.ac.uk 4 University of Amsterdam,
[email protected] 5 Università della Svizzera italiana,
[email protected] 6 PQShield Ltd, Oxford, UK.
[email protected] Abstract. In both hardware and software, masking can represent an effective means of hardening an implementation against side-channel attack vectors such as Differential Power Analysis (DPA). Focusing on software, however, the use of masking can present various challenges: specifically, it often 1) requires significant effort to translate any theoretical security properties into practice, and, even then, 2) imposes a significant overhead in terms of efficiency. To address both challenges, this paper explores the use of an Instruction Set Extension (ISE) to support masking in software-based implementations of a range of (symmetric) cryptographic kernels including AES: we design, implement, and evaluate such an ISE, using RISC-V as the base ISA. Our ISE-supported first-order masked implementation of AES, for example, is an order of magnitude more efficient than a software-only alternative with respect to both execution latency and memory footprint; this renders it comparable to an unmasked implementation using the same metrics, but also first-order secure. Keywords: side-channel attack, masking, RISC-V, ISE 1 Introduction The threat of implementation attacks.