Cryptology ePrint Archive: Report 2016/486

Domain-Oriented Masking: Compact Masked Hardware Implementations with Arbitrary Protection Order

Hannes Gross and Stefan Mangard and Thomas Korak

Abstract: Passive physical attacks, like power analysis, pose a serious threat to the security of embedded systems and corresponding countermeasures need to be implemented. In this work, we demonstrate how the costs for protecting digital circuits against passive physical attacks can be lowered significantly. We introduce a novel masking approach called domain-oriented masking (DOM). Our approach provides the same level of security as threshold implementations (TI), while it requires less chip area and less randomness. DOM can also be scaled easily to arbitrary protection orders for any circuit.

To demonstrate the flexibility of our scheme, we apply DOM to a hardware design of the Advanced Encryption Standard (AES). The presented AES implementation is built in a way that it can be synthesized for any protection order. Although the design is scalable, it leads to the smallest (7.1 kGE), fastest, and least randomness demanding (18 bits) first-order secure AES implementation. The gap between DOM and TI increases with the protection order. Our second-order secure AES S-box implementation, for example, has a hardware footprint that is half the size of the smallest existing second-order TI of the S-box. This paper includes synthesis results of our AES implementation up to the 15th protection order.

Category / Keywords: masking, domain-oriented masking, threshold implementations, private circuits, side-channel analysis, DPA, hardware security, AES

Date: received 20 May 2016, last revised 15 Nov 2016

Contact author: hannes gross at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Version: 20161115:152528 (All versions of this report)

Short URL: ia.cr/2016/486

Discussion forum: Show discussion | Start new discussion