Common use of Performance Results Clause in Contracts

Performance Results. ‌ The current section summarizes the achieved performance results w.r.t. through- put and size. We depict in Tables 4 and 5 the performance figures of the works described in Sect. 2. As mentioned, we outperform prior art on the same archi- tecture between 2.5 and 21.2 times [23]. Table 4. PRESENT implementations, comparison with prior art (performance) Work Implementation Bitslicing Bitslicing factor Protected Platform No. cycles per block This work PRESENT-80 yes 32 yes ARM Cortex–M4 6,532 [23] PRESENT-80, CBC no - no ATmega 121,906 [23] PRESENT-80, CBC no - no MSP430 100,786 [23] PRESENT-80, CBC no - no ARM Cortex-M3 138,947 [23] PRESENT-80, CTR no - no ATmega 15,239 [23] PRESENT-80, CTR no - no MSP430 12,226 [23] PRESENT-80, CTR no - no ARM 16,919 [37] PRESENT-80 no - no ATiny 8,721 [41] PRESENT-80 yes 8 no ATMega163 78,403 [41] PRESENT-80, DPL yes 8 yes ATMega163 235,427 [38] PRESENT-80 yes 8 no ATiny85 2,967 [5] PRESENT-80, table no - no Corei3-2367M 988 [5] PRESENT-80, vperm yes 2 no Corei3-2367M 890 [5] PRESENT-80 yes 8 no Corei3-2367M 2,039 [5] PRESENT-80 yes 16 no Corei3-2367M 3,138 [34] PRESENT-80 yes 32 no Xeon E3-1280 37.84 [34] PRESENT-80 yes 16 no Xeon E3-1280 52.16 [34] PRESENT-80 yes 8 no Xeon E3-1280 67.68 [17] PRESENT-80 no - no MSP430 364,587 [39] PRESENT-80 no - no ATAM893-D 55,734 [39] PRESENT-80 no - no ATMega163 10,089 [39] PRESENT-80 no - no C167CR 19,460 As expected, the ISW implementation of the Sbox dominated CPU time, accounting for 95,88% of all clock cycles within the encryption process. A com- plete breakdown of the memory and time overheads required for different mod- ules is provided in Table 6. Table 5. PRESENT implementations, comparison with prior art (size) Work Implementation Code (bytes) RAM (bytes) This work PRESENT-80 1,548 1,644 [38] PRESENT-80 3,816 256 [39] PRESENT-80, ATMega 1,494 272 [39] PRESENT-80, C167CR 3 45.9·10 - [23] PRESENT-80, CBC, ATMega 1,388 56 [23] PRESENT-80, CBC, MSP430 1,108 52 [23] PRESENT-80, CBC, ARM 1,304 124 [23] PRESENT-80, CTR, ATMega 1,416 54 [23] PRESENT-80, CTR, MSP430 1,244 58 [23] PRESENT-80, CTR, ARM 1,532 140 [37] PRESENT-80 1,794 - [41] PRESENT-80, bitslicing 1,620 288 [41] PRESENT-80, bitslicing + DPL 3,056 352 Table 6. SW transformations of common logical operations Operation Code size (%) No. cycles (%) main 208 (13.44) 3,807 (1.82) sbox 892 (57.62) 200,404 (95.88) updatekey 146 (9.43) 1,688 (0.81) addroundkey 176 (11.37) 1,209 (0.58) split data 60 (3.88) 1,292 (0.62) unsplit data 66 (4.26) 623 (0.30) 5 Masking Effectiveness in ARM Cortex-M4‌ In this section, we assess experimentally the security level (masking order) pro- vided by the ISW masking scheme, taking into account the possibility of distance- based leakages in ARM Cortext-M4. In addition, we investigate whether the theoretical repercussions of distance-based leakages can be confirmed experi- mentally. In other words, we examine whether the cost of “lazy engineering” as introduced by ▇▇▇▇▇▇▇ et al. [2] is applicable to an ARM-based microcontroller.

Performance Results. ‌ The current section summarizes the achieved performance results w.r.t. through- put and size. We depict in Tables 4 and 5 the performance figures figures of the works described in Sect. 2. As mentioned, we outperform prior art on the same archi- tecture between 2.5 and 21.2 times [23]. Table 4. PRESENT implementations, comparison with prior art (performance) Work Implementation Bitslicing Bitslicing factor Protected Platform No. cycles per block This work PRESENT-80 yes 32 yes ARM Cortex–M4 6,532 [23] PRESENT-80, CBC no - no ATmega 121,906 [23] PRESENT-80, CBC no - no MSP430 100,786 [23] PRESENT-80, CBC no - no ARM Cortex-M3 138,947 [23] PRESENT-80, CTR no - no ATmega 15,239 [23] PRESENT-80, CTR no - no MSP430 12,226 [23] PRESENT-80, CTR no - no ARM 16,919 [37] PRESENT-80 no - no ATiny 8,721 [41] PRESENT-80 yes 8 no ATMega163 78,403 [41] PRESENT-80, DPL yes 8 yes ATMega163 235,427 [38] PRESENT-80 yes 8 no ATiny85 2,967 [5] PRESENT-80, table no - no Corei3-2367M 988 [5] PRESENT-80, vperm yes 2 no Corei3-2367M 890 [5] PRESENT-80 yes 8 no Corei3-2367M 2,039 [5] PRESENT-80 yes 16 no Corei3-2367M 3,138 [34] PRESENT-80 yes 32 no Xeon E3-1280 37.84 [34] PRESENT-80 yes 16 no Xeon E3-1280 52.16 [34] PRESENT-80 yes 8 no Xeon E3-1280 67.68 [17] PRESENT-80 no - no MSP430 364,587 [39] PRESENT-80 no - no ATAM893-D 55,734 [39] PRESENT-80 no - no ATMega163 10,089 [39] PRESENT-80 no - no C167CR 19,460 As expected, the ISW implementation of the Sbox dominated CPU time, accounting for 95,88% of all clock cycles within the encryption process. A com- plete breakdown of the memory and time overheads required for different different mod- ules is provided in Table 6. Table 5. PRESENT implementations, comparison with prior art (size) Work Implementation Code (bytes) RAM (bytes) This work PRESENT-80 1,548 1,644 [38] PRESENT-80 3,816 256 [39] PRESENT-80, ATMega 1,494 272 [39] PRESENT-80, C167CR 3 45.9·10 - [23] PRESENT-80, CBC, ATMega 1,388 56 [23] PRESENT-80, CBC, MSP430 1,108 52 [23] PRESENT-80, CBC, ARM 1,304 124 [23] PRESENT-80, CTR, ATMega 1,416 54 [23] PRESENT-80, CTR, MSP430 1,244 58 [23] PRESENT-80, CTR, ARM 1,532 140 [37] PRESENT-80 1,794 - [41] PRESENT-80, bitslicing 1,620 288 [41] PRESENT-80, bitslicing + DPL 3,056 352 Table 6. SW transformations of common logical operations Operation Code size (%) No. cycles (%) main 208 (13.44) 3,807 (1.82) sbox 892 (57.62) 200,404 (95.88) updatekey 146 (9.43) 1,688 (0.81) addroundkey 176 (11.37) 1,209 (0.58) split data 60 (3.88) 1,292 (0.62) unsplit data 66 (4.26) 623 (0.30) 5 Masking Effectiveness Effectiveness in ARM Cortex-M4‌ In this section, we assess experimentally the security level (masking order) pro- vided by the ISW masking scheme, taking into account the possibility of distance- based leakages in ARM Cortext-M4. In addition, we investigate whether the theoretical repercussions of distance-based leakages can be confirmed confirmed experi- mentally. In other words, we examine whether the cost of “lazy engineering” as introduced by ▇▇▇▇▇▇▇ et al. [2] is applicable to an ARM-based microcontroller.