Paper 2009/420

Higher-order Masking and Shuffling for Software Implementations of Block Ciphers

Matthieu Rivain, Emmanuel Prouff, and Julien Doget


Differential Power Analysis (DPA) is a powerful side channel key recovery attack that efficiently breaks block ciphers implementations. In software, two main techniques are usually applied to thwart them: masking and operations shuffling. To benefit from the advantages of the two techniques, recent works have proposed to combine them. However, the schemes which have been designed until now only provide limited resistance levels and some advanced DPA attacks have turned out to break them. In this paper, we investigate the combination of masking and shuffling. We moreover extend the approach with the use of higher-order masking and we show that it enables to significantly improve the security level of such a scheme. We first conduct a theoretical analysis in which the efficiency of advanced DPA attacks targeting masking and shuffling is quantified. Based on this analysis, we design a generic scheme combining higher-order masking and shuffling. This scheme is scalable and its security parameters can be chosen according to any desired resistance level. As an illustration, we apply it to protect a software implementation of AES for which we give several security/efficiency trade-offs.

Available format(s)
Publication info
Published elsewhere. Extended version of a paper published at CHES 2009.
Differential Power Analysis (DPA)block ciphers implementationssoftware countermeasureshigher order masking
Contact author(s)
matthieu rivain @ gmail com
2009-09-01: revised
2009-09-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Matthieu Rivain and Emmanuel Prouff and Julien Doget},
      title = {Higher-order Masking and Shuffling for Software Implementations of Block Ciphers},
      howpublished = {Cryptology ePrint Archive, Paper 2009/420},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.