Masked Circuits for Block-Ciphers

Overview

A main goal of circuit masking is to make the illegitimate exfiltration of secrets from a circuit evaluation more difficult. Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing remain across the circuit evaluation.

After past exploratory steps to obtain feedback, the Masked Circuits (MC) project is not considering actions toward standardization. However, there is a plan to create a Masked Circuits Library (MCL), specified at the logic level, based on public submissions to a Call for Masked Circuits, planned to be issued later in 2024. Said library will be useful as a baseline for subsequent analysis. See details here.

After a d-th order masking, the probing of up to d wires in a masked circuit should not reveal information about the logical value of the secret bits in the original circuit. However, various attack models exist and masking does not provide resistance against all conceivable attacks. For example, glitches during the evaluation of a circuit introduce some complications.
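The secret-sharing and d-probing properties described above can be checked exhaustively on a single gate. The following Python sketch is an added example, not code from NIST or the planned MCL: it masks one AND gate with the ISW gadget (a well-known construction that this page does not name) and enumerates every set of d wires to confirm that their joint distribution does not depend on the secret bits, next to a flawed gadget that fails the same check. Assumptions: d+1 shares per input, independent uniform sharings of the two inputs, and the ideal probing model with no glitches.

```python
# Added illustration; all function names are hypothetical (not from the NIST page or MCL).
from collections import Counter
from itertools import combinations, product

def share(x, rnd):
    """Split bit x into len(rnd)+1 Boolean shares whose XOR equals x."""
    return list(rnd) + [x ^ (sum(rnd) % 2)]

def isw_and(a, b, r):
    """ISW AND gadget on shares a, b with fresh random bits r -> (output shares, wires)."""
    n, fresh, rij = len(a), iter(r), {}
    wires = list(a) + list(b) + list(r)
    for i in range(n):
        for j in range(i + 1, n):
            rij[i, j] = next(fresh)
            t = rij[i, j] ^ (a[i] & b[j])        # mask first, then add cross terms
            rij[j, i] = t ^ (a[j] & b[i])
            wires += [a[i] & b[j], a[j] & b[i], t, rij[j, i]]
    out = []
    for i in range(n):
        c = a[i] & b[i]
        wires.append(c)
        for j in range(n):
            if j != i:
                c ^= rij[i, j]
                wires.append(c)                  # every partial sum is a probe-able wire
        out.append(c)
    return out, wires

def naive_and(a, b, r):
    """Flawed contrast case: correct output, but b is recombined on an internal wire."""
    b_plain = sum(b) % 2
    out = [s & b_plain for s in a]
    return out, list(a) + list(b) + [b_plain] + out

def leaking_probe_sets(gadget, d):
    """Probe sets of d wires whose joint distribution depends on the secret bits (a, b)."""
    n_rand = d * (d + 1) // 2                    # fresh bits ISW needs for d+1 shares
    dist = {}
    for a, b in product((0, 1), repeat=2):
        for bits in product((0, 1), repeat=2 * d + n_rand):
            sa, sb = share(a, bits[:d]), share(b, bits[d:2 * d])
            _, wires = gadget(sa, sb, bits[2 * d:])
            for probes in combinations(range(len(wires)), d):
                obs = tuple(wires[p] for p in probes)
                dist.setdefault(probes, {}).setdefault((a, b), Counter())[obs] += 1
    return [p for p, per_secret in dist.items()
            if len({frozenset(c.items()) for c in per_secret.values()}) > 1]
```

An empty result from `leaking_probe_sets(isw_and, d)` means no set of d probed wires distinguishes the secrets in this model; it says nothing about glitches or physical leakage, which the page treats as implementation-dependent.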

In noisy leakage scenarios, a potential effect of masking is to enhance resistance against an adversary that can analyze aggregate measures (traces) of power during a circuit evaluation. However, the attained (or not) side-channel resistance depends on the implementation.

In 2018/2019, the NIST "Threshold Cryptography" (TC) project considered circuit masking as a technique of potential interest [NISTIR 8214] for exploration from a standardization perspective. The TC project considered two separate tracks: single-device and multi-party [NISTIR 8214A]. The relation between masking and "threshold" is that masking schemes usually use secret-sharing (a fundamental technique in threshold cryptography) to satisfy a threshold property with regard to reconstruction of secret data carried in circuit wires.

In 2021, the TC project split into the masked circuits (MC) project (a rebranding of the TC single-device setting) and the MPTC project (covering multi-party threshold schemes). Then, after a call for feedback in June 2021, the MC project scope was redefined in January 2022, setting the goal of collecting reference material in the form of concrete masked circuits, to constitute a Masked Circuits Library (MCL) that will serve as an open reference for use by the community. It is expected that a corresponding call for masked circuits will be issued in the 2nd half of 2024.

Early public feedback about the single-device threshold setting was received in talks at the NTCW 2019 workshop (sessions II.1 and II.2), comments provided for NISTIR 8214 (see the diff) and 8214A (see the diff) and at a related workshop organized by K.U. Leuven (July 2020).

The Masked Circuits call for feedback issued in June 2021 (open till 2021-Sep-06) received diverse comments. Some summary notes: 

  • Some comments from Industry convey that the glitch-extended probing model is overkill (too strong as a baseline for security requirements of masking), as real application scenarios might do well with other models that enable cheaper solutions with better performance. Industry comments also note that there are tools to verify design compliance with intended masking, but testing is still necessary to measure leakage / side-channel resistance in hardware.
  • Some comments from Academia appeal for masking schemes that can be based on composable gadgets and be easily extended to higher-orders, and convey that efficiency can still be improved.
  • Other comments mentioned the existence of standards (ISO/IEC) already in place for assessing the security level of cryptographic implementations.

The received feedback did not reveal a consensus about the utility of standardizing concrete masking techniques. Yet, there is a recognized potential value for circuit masking. As a result, the project will focus on a stage of collecting reference material in the form of concrete masked circuits, to constitute a masked circuits library, to serve as an open reference for use by the community.

Some talks of related interest have also been hosted by the NIST Crypto Reading Club: 2021-Nov-17, 2021-Dec-01, 2022-Jun-29.

Current project phase. The project is positioned to issue a call for masked circuits (specified at the logical level). This is expected sometime after the NIST Threshold Call (later in 2024). In summary, the project plans to collect reference material in the form of concrete masked circuits, to constitute a masked circuits library (MCL), to serve as an open reference for use by the community. The organization of the MCL, to be based on public contributions, will be performed in collaboration with the NIST circuit complexity project. There is an initial focus on circuits for AES, but with time it will be extended to other primitives represented in the form of vectorial Boolean functions.

Vision: In the future, the MCL will serve as a basis for comparative analyses of side-channel leakage and resistance for certain physical implementations. However, said testing and evaluation is currently out of scope for this project. Also, at this stage this project is not considering actions toward standardization.

Potential future discussions, after gathering a baseline MCL, may consider:

  • Algorithm vs. implementation profiles: the masking techniques are defined at the algorithmic level, but their effectiveness relies on some hardware implementation assumptions. It is useful to characterize the implementation profiles for which the proposed techniques will improve resistance against side-channel attacks.
  • Usefulness to the industry: the success of new standards will depend on an alignment with not only improved security but also their adoptability by the industry.

Additional Pages

Email List (MC-Forum)

Contacts

Reach the masked circuits team at
masked-circuits@nist.gov

René Peralta

Luís T. A. N. Brandão

Topics

Security and Privacy: encryption, random number generation

Created May 12, 2021, Updated February 05, 2024