Masked Circuits for Block-Ciphers

Overview

A main goal of circuit masking is to make it more difficult to illegitimately exfiltrate secrets from a circuit evaluation.

Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing remain across the circuit evaluation.

After a d-th order masking, the probing of up to d wires in a masked circuit should not reveal information about the logical value of the secret bits in the original circuit. However, various attack models exist and masking does not provide resistance against all conceivable attacks. For example, glitches during the evaluation of a circuit introduce some complications.
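The probing property described above can be checked exhaustively for a small gadget. The following is an added example, not part of the NIST page or the masked circuits library: it uses a two-share AND gadget in the style of Ishai, Sahai and Wagner (a construction this page does not name), beside a variant that omits the fresh random bit. Wire names and function names are assumptions chosen for illustration, and the model is the plain probing model without glitches.

```python
from collections import Counter
from itertools import combinations, product

def isw_and(a0, a1, b0, b1, r):
    """ISW-style AND on 2-share inputs; returns every wire, keyed by name."""
    w = {"a0": a0, "a1": a1, "b0": b0, "b1": b1, "r": r}
    w["a0b0"], w["a0b1"] = a0 & b0, a0 & b1
    w["a1b0"], w["a1b1"] = a1 & b0, a1 & b1
    w["t0"] = r ^ w["a0b1"]         # fresh mask r blinds the first cross term
    w["t1"] = w["t0"] ^ w["a1b0"]   # second cross term joins an already-masked wire
    w["c0"] = w["a0b0"] ^ r
    w["c1"] = w["a1b1"] ^ w["t1"]
    return w

def naive_and(a0, a1, b0, b1, r):
    """Same sharing, but the cross terms are combined without r (r is unused)."""
    w = {"a0": a0, "a1": a1, "b0": b0, "b1": b1}
    w["a0b0"], w["a0b1"] = a0 & b0, a0 & b1
    w["a1b0"], w["a1b1"] = a1 & b0, a1 & b1
    w["t1"] = w["a0b1"] ^ w["a1b0"]
    w["c0"] = w["a0b0"]
    w["c1"] = w["a1b1"] ^ w["t1"]
    return w

def leaking_probes(gadget, order):
    """Sets of `order` wires whose joint distribution depends on the secrets (a, b)."""
    dists = {}
    for a, b in product((0, 1), repeat=2):
        for ma, mb, r in product((0, 1), repeat=3):   # all input masks and fresh randomness
            w = gadget(ma, a ^ ma, mb, b ^ mb, r)
            assert w["c0"] ^ w["c1"] == a & b         # output shares recombine to a AND b
            for probe in combinations(sorted(w), order):
                seen = tuple(w[name] for name in probe)
                dists.setdefault(probe, {}).setdefault((a, b), Counter())[seen] += 1
    return [p for p, by_secret in dists.items()
            if len({frozenset(c.items()) for c in by_secret.values()}) > 1]

if __name__ == "__main__":
    print("ISW, 1 probe  :", leaking_probes(isw_and, 1))
    print("naive, 1 probe:", leaking_probes(naive_and, 1))
    print("ISW, 2 probes :", len(leaking_probes(isw_and, 2)), "leaking pairs")
```

With one probe the ISW-style gadget has no leaking wire, while the variant without the fresh bit leaks on two wires; with two probes even the ISW-style gadget leaks, which is the "up to d wires" limit for d = 1.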

In noisy leakage scenarios, a potential effect of masking is to enhance resistance against an adversary that can analyze aggregate measures (traces) of power during a circuit evaluation. However, whether side-channel resistance is actually attained depends on the implementation.

After past exploratory steps to obtain feedback, the current focus of the Masked Circuits project is to collect concrete masked circuits to form a masked circuits library (MCL). The organization of the MCL, to be based on public contributions, will be performed in collaboration with the NIST circuit complexity project. There is an initial focus on circuits for AES, but with time it will be extended to other primitives represented in the form of vectorial Boolean functions. See details here.

At this stage, this project is not considering actions toward standardization.

The secret-sharing perspective of masked circuits was initially considered in the threshold cryptography project. The project then considered two separate tracks (single-device and multi-party). The single-device track evolved to become the "masked circuits for block-ciphers" project. Early public feedback about the single-device threshold setting was received in talks at the NTCW 2019 workshop (sessions II.1 and II.2), comments provided for NISTIR 8214 (see the diff) and 8214A (see the diff) and at a related workshop organized by K.U. Leuven (July 2020).

The Masked Circuits call for feedback issued in June 2021 (open till 2021-Sep-06) received diverse comments. The call and the received comments are compiled here.

Some summary notes: 

  • Some comments from Industry convey that the glitch-extended probing model is overkill (too strong as a baseline for security requirements of masking), as real application scenarios might do well with other models that enable cheaper solutions with better performance. Also, Industry comments note that there are tools to verify design compliance with intended masking, but testing is still necessary to measure leakage / side-channel resistance in hardware.
  • Some comments from Academia appeal for masking schemes that can be based on composable gadgets and be easily extended to higher-orders, and convey that efficiency can still be improved.
  • Other comments mentioned the existence of standards (ISO/IEC) already in place for assessing the security level of cryptographic implementations.

The received feedback does not reveal a current consensus about the utility of standardizing concrete masking techniques. Yet, there is a recognized potential value for circuit masking. As a result, the project will focus on a stage of collecting reference material in the form of concrete masked circuits, to constitute a masked circuits library, to serve as an open reference for use by the community.

The project scope for 2022/2023 is explained here.

In summary, the project plans to collect reference material in the form of concrete masked circuits, to constitute a masked circuits library, to serve as an open reference for use by the community.

In the future, the MCL will serve as a basis for comparative analyses of side-channel leakage and resistance for certain physical implementations. However, said testing and evaluation is currently out of scope for this project.

The current step is focused on masked circuits at the logical level. Future discussions may consider:

  • Algorithm vs. implementation profiles: the masking techniques are defined at the algorithmic level, but their effectiveness relies on some hardware implementation assumptions. It is useful to characterize the implementation profiles for which the proposed techniques will improve resistance against side-channel attacks.
  • Usefulness to the industry: the success of new standards will depend on an alignment with not only improved security but also their adoptability by the industry.

Additional Pages

Email List (MC-Forum)

Contacts

Reach the masked circuits team at
masked-circuits@nist.gov

René Peralta

Luís T. A. N. Brandão

Topics

Security and Privacy: encryption, random number generation

Created May 12, 2021, Updated August 30, 2022