Cryptology ePrint Archive: Report 2017/103

Reconciling d+1 Masking in Hardware and Software

Hannes Gross and Stefan Mangard

Abstract: The continually growing number of security-related autonomous devices require efficient mechanisms to counteract low-cost side-channel analysis (SCA) attacks like differential power analysis. Masking provides a high resistance against SCA at an adjustable level of security. A high level of security, however, goes hand in hand with an increasing demand for fresh randomness which also affects other implementation costs. Since software based masking has other security requirements than masked hardware implementations, the research in these fields have been quite separated from each other over the last ten years. One important practical difference is that recently published software based masking schemes show a lower randomness footprint than hardware masking schemes. In this work we combine existing software and hardware based masking schemes into a unified masking approach (UMA). We demonstrate how UMA can be used to protect software and hardware implementations likewise, and for lower randomness costs especially for hardware implementations. Theoretical considerations as well as practical implementation results are then used to compare this unified masking approach to other schemes from different perspectives and at different levels of security.

Category / Keywords: implementation / masking, hardware security, threshold implementations, domain-oriented masking, side-channel analysis

Original Publication (with minor differences): IACR-CHES-2017

Date: received 9 Feb 2017, last revised 26 Jun 2017

Contact author: hannes gross at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Version: 20170626:130022 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]