Paper 2017/637

Very High Order Masking: Efficient Implementation and Security Evaluation

Anthony Journault and François-Xavier Standaert


In this paper, we study the performances and security of recent masking algorithms specialized to parallel implementations in a 32-bit embedded software platform, for the standard AES Rijndael and the bitslice cipher Fantomas. By exploiting the excellent features of these algorithms for bitslice implementations, we first extend the recent speed records of Goudarzi and Rivain (presented at Eurocrypt 2017) and report realistic timings for masked implementations with 32 shares. We then observe that the security level provided by such implementations is uneasy to quantify with current evaluation tools. We therefore propose a new ``multi-model" evaluation methodology which takes advantage of different (more or less abstract) security models introduced in the literature. This methodology allows us to both bound the security level of our implementations in a principled manner and to assess the risks of overstated security based on well understood parameters. Concretely, it leads us to conclude that these implementations withstand worst-case adversaries with >2^64 measurements under falsifiable assumptions.

Available format(s)
Publication info
A minor revision of an IACR publication in CHES 2017
maskingblock ciphersperformances and security evaluations
Contact author(s)
fstandae @ uclouvain be
2017-07-03: received
Short URL
Creative Commons Attribution


      author = {Anthony Journault and François-Xavier Standaert},
      title = {Very High Order Masking: Efficient Implementation and Security Evaluation},
      howpublished = {Cryptology ePrint Archive, Paper 2017/637},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.