Paper 2021/1111

A Low-Randomness Second-Order Masked AES

Tim Beyne, Siemen Dhooghe, Adrián Ranea, and Danilo Šijačić


We propose a second-order masking of the AES in hardware that requires an order of magnitude less random bits per encryption compared to previous work. The design and its security analysis are based on recent results by Beyne et al. from Asiacrypt 2020. Applying these results to the AES required overcoming significant engineering challenges by introducing new design techniques. Since the security analysis is based on linear cryptanalysis, the masked cipher needs to have sufficient diffusion and the S-box sharing must be highly nonlinear. Hence, in order to apply the changing of the guards technique, a detailed study of its effect on the diffusion of the linear layer becomes important. The security analysis is automated using an SMT solver. Furthermore, we propose a sharpening of the glitch-extended probing model that results in improvements to our concrete security bounds. Finally, it is shown how to amortize randomness costs over multiple evaluations of the masked cipher.

Publication info
Published elsewhere. Selected Areas in Cryptography 2021
Keywords
Hardware, Linear Cryptanalysis, Masking, Probing Security, Side-Channel Analysis, Threshold Implementations
Contact author(s)
siemen dhooghe @ esat kuleuven be
2021-09-01: revised
2021-08-31: received
Creative Commons Attribution


      author = {Tim Beyne and Siemen Dhooghe and Adrián Ranea and Danilo Šijačić},
      title = {A Low-Randomness Second-Order Masked AES},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1111},
      year = {2021},
      note = {\url{}},
      url = {}