Skip to content
/ aes-masked-neon Public

Optimized AES-128 implementations with 4 and 8 shares for the Cortex-A8

License

CC0-1.0 license
7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Ko-/aes-masked-neon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
enableccnt
enableccnt
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
aes_shared_1x4s.s
aes_shared_1x4s.s
 
 
aes_shared_1x8s.s
aes_shared_1x8s.s
 
 
aes_shared_2x4s.s
aes_shared_2x4s.s
 
 
analysis.c
analysis.c
 
 
benchmark.c
benchmark.c
 
 
common.c
common.c
 
 
common.h
common.h
 
 
cpucycles.c
cpucycles.c
 
 

Repository files navigation

Vectorizing Higher-Order Masking

This repository contains three masked AES-128 implementations that are optimized for the ARM Cortex-A8 with NEON:

  • 1 block, 4 shares;
  • 2 blocks, 4 shares;
  • 1 block, 8 shares.

They are part of a paper that was published at COSADE 2018.

Compiling

The code is meant to be compiled using gcc on a native ARM Cortex-A8 running Linux. Cross-compiling might also work, as is the case for using other compilers/assemblers, depending on how compatible they are with gas assembly. First, set the number of blocks and shares by changing NUM_BLOCKS and NUM_SHARES in Makefile. Then execute make.

Running the binaries might give 'Illegal instruction' errors. The binaries measure CPU cycles using a special CCNT register that is only accessible in kernel mode. To enable access in user mode, the enableccnt kernel module needs to be inserted. Make sure linux-headers or linux-headers-$(uname -r) is installed. In the enableccnt directory, issue sudo make, followed by sudo insmod enableccnt.ko. Removing all calls to cpucycles_cortex() and removing the dependency in the Makefile is of course also a possible workaround, if you don't care about measuring clock cycles.

Security warning

We studied the security of these implementations in this paper. Of course, it remains hard to give any guarantees, so please refrain from using these implementations in a production setting without full awareness of the risks and a clear picture of your attacker model. Also note that the key expansion is currently not implemented, let alone masked.

Replicating results

Disable frequency scaling

By default, frequency scaling is enabled, saving energy when the CPU load is low. For consistent results, its preferable to disable this. This way, one can also fix the clock frequency. To do so, do this as root:

# echo userspace > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
# echo 1000000 > /sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed

Benchmark

The benchmark binary executes aes_enc NUM_TESTS times and prints the median number of cycles. Note that NUM_TESTS 1 will make sure that the ciphertext that is printed is actually correct.

Analysis

analysis needs to be run as root. Before executing AES but after the sharing and bitslicing of input, GPIO pin P9_27 is set to high such that it can be used as trigger. It is turned low immediately after executing AES.

About

Optimized AES-128 implementations with 4 and 8 shares for the Cortex-A8

Resources

Readme

License

CC0-1.0 license
Activity

Stars

7 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages