I'm implementing some cryptographic functions on an ARM Cortex-M4 and would like to be safe against side-channel attacks, like power and timing attacks. For efficiency I'd like to use conditional versions of common single-cycle instructions such as moveq, movne, umaaleq etc. The cycle timing will be constant regardless of the flags, but is there any other problem with this approach? Are there some "safe" instructions and some "unsafe"?
Asked by Emil
- I don't believe there are any truly safe instructions when it comes down to DPA/EMI attacks; different instructions will trigger different gates on the CPU, and that's what DPA/EMI attacks are sensitive to. If you need to be strong against those attacks, you'd probably need to use something like a blinded or threshold implementation in your software. – poncho Nov 02 '16 at 21:44
- The specific point where I need this is for example conditional swapping. I could do that with bit masking and some and/xor instructions but that is slightly more costly. – Emil Nov 02 '16 at 22:18
- My two pence. It would be helpful to know exactly which crypto functions are in question. It's worth noting that what you don't want to leak is the key data, so the question "can I use these instructions or shall I avoid them" is a bit too broad - you want to focus on the instructions that manipulate the actual key bits, the rest is not really important. Also, I believe, some examples of side-channel-attack-resistant implementations of some crypto funcs can be found on the Net - might be helpful. – tum_ Nov 03 '16 at 07:05
- In my experience for Cortex-M3 (SC300) on smart cards, conditional commands are OK for timing and SPA attacks. Against DPA attacks I wouldn't use them. But without a HW lab, you will have a hard time getting everything right. – Hope that's a start Nov 03 '16 at 10:31
- To exploit timing variations in SPA, they need to depend on sensitive data. So the "safety" of conditional instructions depends on the manipulated data. And as mentioned by poncho, to prevent DPA-like attacks, you need to randomize your data by applying side-channel countermeasures. – Miss Seeluna Nov 09 '16 at 08:39
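Emil's comment mentions doing the conditional swap with bit masking and and/xor instead of conditional instructions. The following is an added example, not code from the question or from any of the commenters, showing that mask-based approach in portable C: a mask is derived arithmetically from the secret bit, and every word is always read and written regardless of the bit, so the sequence of instructions executed does not depend on the secret. The function names (ct_mask, ct_eq, ct_select, ct_cswap) and the self-test are my own choices; the asm barrier is a common idiom, assumed here to be enough to stop GCC/Clang from turning the mask arithmetic back into a branch on a given toolchain, which should still be checked in the generated assembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Optimisation barrier: hides the value of x from the compiler so it cannot
 * prove the mask is 0/0xFFFFFFFF and rewrite the select as a branch.
 * Assumption: GCC/Clang-style inline asm; a no-op elsewhere. */
#if defined(__GNUC__)
#define CT_BARRIER(x) __asm__ volatile("" : "+r"(x))
#else
#define CT_BARRIER(x) (void)(x)
#endif

/* All-ones mask when cond == 1, all-zeros when cond == 0, with no branch. */
static inline uint32_t ct_mask(uint32_t cond)
{
    uint32_t m = (uint32_t)0 - (cond & 1u);
    CT_BARRIER(m);
    return m;
}

/* Branch-free equality test: returns 1 if a == b, else 0.
 * If d == 0 then both d and -d are zero, so the top bit of (d | -d) is 0;
 * for any d != 0 either d or -d has the top bit set. */
static inline uint32_t ct_eq(uint32_t a, uint32_t b)
{
    uint32_t d = a ^ b;
    return 1u ^ ((d | (0u - d)) >> 31);
}

/* Returns a when cond == 1, b when cond == 0; both inputs are always read. */
static inline uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b)
{
    uint32_t m = ct_mask(cond);
    return b ^ ((a ^ b) & m);
}

/* Conditionally swap two n-word buffers when swap == 1.
 * Every word of both buffers is read and rewritten in both cases, so the
 * memory access pattern and instruction stream are identical for swap = 0/1. */
void ct_cswap(uint32_t swap, uint32_t *a, uint32_t *b, size_t n)
{
    uint32_t m = ct_mask(swap);
    for (size_t i = 0; i < n; i++) {
        uint32_t t = (a[i] ^ b[i]) & m;
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Self-test on constructed data; returns 1 on success, 0 on failure. */
int ct_selftest(void)
{
    uint32_t a[4] = {0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u};
    uint32_t b[4] = {0xAAAAAAAAu, 0xBBBBBBBBu, 0xCCCCCCCCu, 0xDDDDDDDDu};

    ct_cswap(0, a, b, 4);                  /* must leave both untouched */
    if (a[0] != 0x11111111u || b[3] != 0xDDDDDDDDu) return 0;

    ct_cswap(1, a, b, 4);                  /* must exchange all four words */
    for (size_t i = 0; i < 4; i++) {
        uint32_t ea = 0xAAAAAAAAu + i * 0x11111111u;   /* expected a[i] */
        uint32_t eb = 0x11111111u * (uint32_t)(i + 1); /* expected b[i] */
        if (a[i] != ea || b[i] != eb) return 0;
    }
    if (ct_select(1, 7u, 9u) != 7u || ct_select(0, 7u, 9u) != 9u) return 0;
    if (ct_eq(42u, 42u) != 1u || ct_eq(42u, 43u) != 0u) return 0;
    return 1;
}

int main(void)
{
    printf("ct_mask(1) = 0x%08X, ct_mask(0) = 0x%08X\n",
           (unsigned)ct_mask(1), (unsigned)ct_mask(0));
    printf("self-test %s\n", ct_selftest() ? "passed" : "FAILED");
    return ct_selftest() ? 0 : 1;
}
```

The cost Emil refers to is real: per word the swap is one xor, one and, and two xors, versus a single conditional move. What the mask form buys is that the property is visible in the C source rather than depending on which flag-dependent instruction the compiler emits, and it stays correct if the code is later moved to a core where conditional instructions are not data-independent. It addresses timing/SPA only; as poncho and Miss Seeluna note, the operand-dependent power draw that DPA exploits is not removed by any choice of instruction and needs masking or blinding of the data itself.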