In both hardware and software, masking can represent an effective means ofhardening an implementation against side-channel attack vectors such as DifferentialPower Analysis (DPA). Focusing on software, however, the use of masking can presentvarious challenges: specifically, it often 1) requires significant effort to translate anytheoretical security properties into practice, and, even then, 2) imposes a significantoverhead in terms of efficiency. To address both challenges, this paper explores theuse of an Instruction Set Extension (ISE) to support masking in software-basedimplementations of a range of (symmetric) cryptographic kernels including AES: wedesign, implement, and evaluate such an ISE, using RISC-V as the base ISA. OurISE-supported first-order masked implementation of AES, for example, is an orderof magnitude more efficient than a software-only alternative with respect to bothexecution latency and memory footprint; this renders it comparable to an unmaskedimplementation using the same metrics, but also first-order secure.
|Journal||IACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)|
|Publication status||Published - 11 Aug 2021|