Paper 2018/1007

Masking the AES with Only Two Random Bits

Hannes Gross, Ko Stoffelen, Lauren De Meyer, Martin Krenn, and Stefan Mangard


Masking is the best-researched countermeasure against side-channel analysis attacks. Even though masking was introduced almost 20 years ago, its efficient implementation continues to be an active research topic. Many of the existing works focus on the reduction of randomness requirements since the production of fresh random bits with high entropy is very costly in practice. Most of these works rely on the assumption that only so-called online randomness results in additional costs. In practice, however, the distinction between the randomness costs to produce the initial masking and the randomness needed to maintain security during computation (online) turns out not to be meaningful. In this work, we thus study the question of minimum randomness requirements for first-order Boolean masking when taking the costs for initial randomness into account. We demonstrate that first-order masking can in theory always be performed by just using two fresh random bits and without requiring online randomness. We first show that two random bits are enough to mask linear transformations and then discuss prerequisites under which nonlinear transformations are securely performed likewise. Subsequently, we introduce a new masked AND gate that fulfills these requirements and which forms the basis for our synthesis tool that automatically transforms an unmasked implementation into a first-order secure masked implementation. We demonstrate the feasibility of this approach by implementing AES in software with only two bits of randomness, including the initial masking. Finally, we use these results to discuss the gap between theory and practice and the need for more accurate adversary models.

Publication info
Preprint. MINOR revision.
Keywords
masking, AES, first-order masking, hardware security, side-channel analysis
Contact author(s)
hannes gross @ iaik tugraz at
k stoffelen @ cs ru nl
ldemeyer @ esat kuleuven be
2019-07-22: revised
2018-10-22: received
Creative Commons Attribution


      author = {Hannes Gross and Ko Stoffelen and Lauren De Meyer and Martin Krenn and Stefan Mangard},
      title = {Masking the AES with Only Two Random Bits},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1007},
      year = {2018},
      note = {\url{}},
      url = {}