▲ 6 r/crypto
Bitsliced first-order masked AES-128 decryption in Cortex-M0 assembly — how many traces to break it?
Wrote this from scratch for a university smart card lab course — couldn't find any usable reference implementation of bitsliced first-order masked AES in assembly, so I had to write one.
Key details:
- Platform: STM32F051 (Cortex-M0, 8 MHz)
- 26,801 cycles
- Bitsliced representation: 16 bits per bit-plane
- S-box: Boyar-Peralta depth-16 circuit
- Masking: first-order Boolean masking with ISW multiplication
Evaluation so far:
- Fixed-vs-Random TVLA (5,000 traces): passes for all intermediate rounds, expected endpoint leakage at unmask boundary only
- CPA (5,000 traces, single-bit): no key recovered
The honest question: does it hold up at larger trace counts, or did I miss something? Would love to see someone actually run a second-order attack on it and report back.
Repo: https://github.com/Changyin-4B4/Masked-AES-Decryption-CortexM0
u/Embarrassed_Cat4693 — 16 days ago
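
The first-order ISW AND gadget the post names, applied to 16-bit bit-planes, as an added example that is not part of the original post or the linked repo. The type and function names, the demo PRNG and the sample values are constructed here; fresh randomness `r` is assumed uniform per call.

```c
#include <stdint.h>
#include <stdio.h>

/* One bit-plane split into two Boolean shares: value = s0 ^ s1. */
typedef struct { uint16_t s0, s1; } shared16;

/* Constructed xorshift32 generator for the demo only; not a secure RNG. */
static uint32_t rng_state = 0x2545F491u;
static uint16_t demo_rand16(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return (uint16_t)(rng_state >> 8);
}

static shared16 mask16(uint16_t x) {
    shared16 v;
    v.s0 = demo_rand16();
    v.s1 = (uint16_t)(x ^ v.s0);
    return v;
}
static uint16_t unmask16(shared16 v) { return (uint16_t)(v.s0 ^ v.s1); }

/* ISW AND for two shares. The cross terms are folded into r one at a time,
 * (r ^ a0b1) ^ a1b0, so a0b1 ^ a1b0 never exists unmasked. A C compiler may
 * re-associate these XORs; that order is only guaranteed in assembly. */
static shared16 isw_and(shared16 a, shared16 b, uint16_t r) {
    shared16 c;
    uint16_t t = (uint16_t)(r ^ (a.s0 & b.s1));
    t = (uint16_t)(t ^ (a.s1 & b.s0));
    c.s0 = (uint16_t)((a.s0 & b.s0) ^ r);
    c.s1 = (uint16_t)((a.s1 & b.s1) ^ t);
    return c;
}

/* Counts rounds where the recombined output differs from the plain x & y. */
static unsigned isw_and_selftest(unsigned rounds) {
    unsigned bad = 0;
    for (unsigned i = 0; i < rounds; i++) {
        uint16_t x = demo_rand16(), y = demo_rand16();
        shared16 c = isw_and(mask16(x), mask16(y), demo_rand16());
        if (unmask16(c) != (uint16_t)(x & y)) bad++;
    }
    return bad;
}

int main(void) {
    printf("mismatches: %u\n", isw_and_selftest(100000));
    return 0;
}
```

This checks functional correctness of the gadget only; it says nothing about leakage, which depends on the instruction sequence and register reuse on the target.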