U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Masked Circuits for Block-ciphers MC


Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing remain across the circuit evaluation. This has the potential to improve resistance of hardware implementations of block-ciphers against certain side-channel attacks, including some based on power analysis. A main goal is to make the illegitimate exfiltration of secret keys more difficult.

A typical desired consequence of a masked implementation is that an adversary that can probe up to d wires of a circuit does not obtain information about the real logical bits of the original computation. This has the potential to also provide resistance against an adversary that can perform power analysis over noisy aggregate measures (traces) during a circuit evaluation. Various attack models exist.

The current focus of this project is on ascertaining the advantages and disadvantages of secret-sharing based hardware implementations of the Advanced Encryption Standard (AES), for potential standardization. It is also useful to consider the possible applicability to lightweight block-ciphers of upcoming NIST standards.

The consideration of masked circuits, as an approach related to secret sharing, started with the threshold cryptography project. The project then considered two separate tracks (single-device and multi-party). He single-deice track evolved to become the "masked circuits for block-cipher circuits" project. Early public feedback about the single-device threshold setting was received in talks at the NTCW 2019 workshop (sessions II.1 and II.2), comments provided for NISTIR 8214 (see the diff) and 8214A (see the diff) and a related workshop organized by KULeuven (July 2020).

Identifying reference approaches: The research literature describes various possible approaches to enable resistance against side-channel attacks, under various models. Often there are tradeoffs between implementation/operation cost (e.g., area, energy, randomness) and security (e.g., protection order against certain side-channel attacks).

As of the 1st half of 2021, the project is considering criteria for secure masked implementation schemes. We are thinking about how to engage further with the community in the 2nd half of 2021. In particular, it will be useful to identify reference approaches that will ease the description, comparison and discussion of possible variants.

The discussions ahead will involve considerations on:

  •  Algorithm vs. implementation profiles: the masking techniques are defined at the algorithmic level, but their effectiveness relies on some hardware implementation assumptions. It is useful to characterize the implementation profiles for which the proposed algorithmic techniques will improve the expected resistance against side channel attacks.
  •  Usefulness to the industry: the success of new standards will depend on an alignment with not only improved security but also their adoptability by the industry.

We intend to soon engage with the community of stakeholders in a directed discussion about these topics, including on how to organize a process for initial proposals.

Additional Pages

Email List (MC-Forum)


Reach the masked circuits team at

Apostol Vassilev

Luís T. A. N. Brandão

René Peralta


Security and Privacy: encryption, random number generation

Created May 12, 2021, Updated June 16, 2021