Paper 2004/101

Provably Secure Masking of AES

Johannes Blömer, Jorge Guajardo Merchan, and Volker Krummel


A general method to secure cryptographic algorithm implementations against side-channel attacks is the use of randomization techniques and, in particular, masking. Roughly speaking, using random values unknown to an adversary one masks the input to a cryptographic algorithm. As a result, the intermediate results in the algorithm computation are uncorrelated to the input and the adversary cannot obtain any useful information from the side-channel. Unfortunately, previous AES randomization techniques have based their security on heuristics and experiments. Thus, flaws have been found which make AES randomized implementations still vulnerable to side-channel cryptanalysis. In this paper, we provide a formal notion of security for randomized maskings of arbitrary cryptographic algorithms. Furthermore, we present an AES randomization technique that is provably secure against side-channel attacks if the adversary is able to access a single intermediate result. Our randomized masking technique is quite general and it can be applied to arbitrary algorithms using only arithmetic operations over some even characteristic finite field. We notice that to our knowledge this is the first time that a randomization technique for the AES has been proven secure in a formal model.

Category
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
AES, side-channel attacks, provable secure countermeasures, DPA, hardware implementation, security model
Contact author(s)
krummel @ uni-paderborn de
History
2004-05-07: received
License
Creative Commons Attribution


      author = {Johannes Blömer and Jorge Guajardo Merchan and Volker Krummel},
      title = {Provably Secure Masking of {AES}},
      howpublished = {Cryptology ePrint Archive, Paper 2004/101},
      year = {2004},
      note = {\url{}},
      url = {}