Breaking Masked Implementations with Many Shares on 32-bit Software Platforms

We explore the concrete side-channel security provided by state-of-theart higher-order masked software implementations of AES and (candidate to NIST Lightweight Cryptography competition) Clyde, in ARM Cortex-M0 M3 devices. Rather than looking for possibly reduced orders (as frequently considered literature), we directly target these assuming their maximum order aim at reducing noise level thanks multivariate, horizontal analytical attacks. Our investigations point out that device has so limited physical masking is close ineffective. The Cortex-M3 shows a better trend but still requires large number shares provide strong guarantees. Practically, first exhibit full 128-bit key recovery less 10 traces 6-share implementation running on requiring 232 enumeration power. A similar attack performed against with 5 require 1,000 measurements 244 then show positive impact lightweight block ciphers AND gates security, compare our attacks Clyde best reported CHES 2020 CTF. complement experiments careful information theoretic analysis, which allows interpreting results. also discuss conclusions under umbrella “backwards evaluations” recently put forwards Azouaoui et al. finally extrapolate evolution proposed complexities presence additional countermeasures using local random probing model 2020.