Paper 2017/116

Masking Proofs are Tight (and How to Exploit it in Security Evaluations)

Vincent Grosso and François-Xavier Standaert


Evaluating the security level of a leaking implementation against side-channel attacks is a challenging task. This is especially true when countermeasures such as masking are implemented, since in this case: (i) the number of measurements needed to perform a key recovery may become prohibitive for certification laboratories, and (ii) applying optimal (multivariate) attacks may be computationally intensive and technically challenging. In this paper, we show that by taking advantage of the tightness of masking security proofs, we can significantly simplify this evaluation task in a very general manner. More precisely, we show that the evaluation of a masked implementation can essentially be reduced to that of an unprotected implementation. In addition, we show that although optimal attacks against masking schemes are computationally intensive for a large number of shares, heuristic (soft analytical side-channel) attacks can approach optimality very efficiently. As part of this second contribution, we also improve over the recent multivariate (aka horizontal) side-channel attacks proposed at CHES 2016 by Battistello et al.

Publication info
Published by the IACR in EUROCRYPT 2018
side-channel analysis, masking, security proofs, worst-case evaluations
Contact author(s)
fstandae @ uclouvain be
2018-02-08: revised
2017-02-14: received
Creative Commons Attribution


      author = {Vincent Grosso and François-Xavier Standaert},
      title = {Masking Proofs are Tight (and How to Exploit it in Security Evaluations)},
      howpublished = {Cryptology ePrint Archive, Paper 2017/116},
      year = {2017},
      note = {\url{}},
      url = {}