A main goal of circuit masking is to make it harder to illegitimately exfiltrate secrets from a circuit evaluation. Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing are preserved throughout the circuit evaluation.
After past exploratory steps to obtain feedback, the Masked Circuits (MC) project is not considering actions toward standardization. However, there is a plan to create a Masked Circuits Library (MCL), specified at the logic level, based on public submissions to a Call for Masked Circuits, planned to be issued later in 2024. Said library will be useful as a baseline for subsequent analysis.
After a d-th order masking, the probing of up to d wires in a masked circuit should not reveal information about the logical value of the secret bits in the original circuit. However, various attack models exist and masking does not provide resistance against all conceivable attacks. For example, glitches during the evaluation of a circuit introduce some complications.
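The d-probing property described above can be checked exhaustively on a single masked AND gate. The following is an added example, not part of the original page or of any NIST material: it assumes XOR (Boolean) secret sharing with d+1 shares and an ISW-style AND gadget, and all function names are hypothetical. It also shows that the way the logic is recompiled matters: with `mask_first=False` the cross terms are combined before the fresh random bit is added, and a single probed wire then depends on the secrets.

```python
import itertools
from collections import Counter

def share(bit, coins):
    """XOR-share `bit` into len(coins)+1 shares; the last share fixes the parity."""
    last = bit
    for r in coins:
        last ^= r
    return list(coins) + [last]

def masked_and(a, b, coins, wires, mask_first=True):
    """AND gadget over d+1 XOR shares (ISW-style). Every value computed is
    appended to `wires`, i.e. it is a wire an adversary could probe."""
    n = len(a)
    c = [a[i] & b[i] for i in range(n)]
    wires += c
    coins = iter(coins)
    for i, j in itertools.combinations(range(n), 2):
        r, p, q = next(coins), a[i] & b[j], a[j] & b[i]
        # Secure order: blind p with the fresh bit r before q is added.
        t = (r ^ p) if mask_first else (p ^ q)
        u = (t ^ q) if mask_first else (t ^ r)
        c[i] ^= r
        c[j] ^= u
        wires += [r, p, q, t, u, c[i], c[j]]
    return c

def evaluate(a, b, coins, d, mask_first=True):
    """Share inputs a, b with the first 2d coins, run the gadget on the rest."""
    coins = list(coins)
    wires = share(a, coins[:d]) + share(b, coins[d:2 * d])
    out = masked_and(wires[:d + 1], wires[d + 1:], coins[2 * d:], wires, mask_first)
    return out, wires

def leaking_probe(d, mask_first=True):
    """Exhaustive d-probing check: return a set of d wire indices whose joint
    distribution depends on the secrets (a, b), or None if no such set exists."""
    n_coins = 2 * d + d * (d + 1) // 2
    traces = {s: [evaluate(*s, k, d, mask_first)[1]
                  for k in itertools.product((0, 1), repeat=n_coins)]
              for s in itertools.product((0, 1), repeat=2)}
    n_wires = len(traces[0, 0][0])
    for probe in itertools.combinations(range(n_wires), d):
        dists = {frozenset(Counter(tuple(w[i] for i in probe) for w in ws).items())
                 for ws in traces.values()}
        if len(dists) > 1:
            return probe
    return None
```

This check models ideal probes on stable wire values only; it says nothing about glitches or about leakage of a physical implementation.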
In noisy leakage scenarios, a potential effect of masking is to enhance resistance against an adversary that can analyze aggregate measures (traces) of power during a circuit evaluation. However, the attained (or not) side-channel resistance depends on the implementation.
In 2018/2019, the NIST "Threshold Cryptography" (TC) project considered circuit masking as a technique of potential interest [NISTIR 8214] for exploration from a standardization perspective. The TC project considered two separate tracks: single-device and multi-party [NISTIR 8214A]. The relation between masking and "threshold" is that masking schemes usually use secret-sharing (a fundamental technique in threshold cryptography) to satisfy a threshold property with regard to reconstruction of secret data carried in circuit wires.
In 2021, the TC project split into the masked circuits (MC) project (a rebranding of the TC single-device setting) and the MPTC project (covering multi-party threshold schemes). Then, after a call for feedback in June 2021, the MC project scope was redefined in January 2022, setting the goal of collecting reference material in the form of concrete masked circuits, to constitute a Masked Circuits Library (MCL) that will serve as an open reference for use by the community. It is expected that a corresponding call for masked circuits will be issued in the 2nd half of 2024.
The received feedback did not reveal a consensus about the utility of standardizing concrete masking techniques. Yet, there is a recognized potential value for circuit masking. As a result, the project will focus on a stage of collecting reference material in the form of concrete masked circuits, to constitute a masked circuits library, to serve as an open reference for use by the community.
Current project phase. The project is positioned to issue a call for masked circuits (specified at the logical level). This is expected sometime after the NIST Threshold Call, later in 2024. In summary, the project plans to collect reference material in the form of concrete masked circuits, to constitute a masked circuits library (MCL), to serve as an open reference for use by the community. The organization of the MCL, to be based on public contributions, will be performed in collaboration with the NIST circuit complexity project. There is an initial focus on circuits for AES, but with time it will be extended to other primitives represented in the form of vectorial Boolean functions.
Vision: In the future, the MCL will serve as a basis for comparative analyses of side-channel leakage and resistance for certain physical implementations. However, said testing and evaluation is currently out of scope for this project. Also, at this stage this project is not considering actions toward standardization.
Potential future discussions, after gathering a baseline MCL, may consider: