Paper 2021/734

Guarding the First Order: The Rise of AES Maskings

Amund Askeland, University of Bergen
Siemen Dhooghe, KU Leuven COSIC-imec
Svetla Nikova, KU Leuven COSIC-imec, University of Bergen
Vincent Rijmen, KU Leuven COSIC-imec, University of Bergen
Zhenda Zhang, KU Leuven COSIC-imec

We provide three first-order hardware maskings of the AES, each allowing for a different trade-off between the number of shares and the number of register stages. All maskings use a generalization of the changing of the guards method enabling the re-use of randomness between masked S-boxes. As a result, the maskings do not require fresh randomness while still allowing for a minimal number of shares and providing provable security in the glitch-extended probing model. The low-area variant has five cycles of latency and a serialized area cost of $8.13~kGE$. The low-latency variant reduces the latency to three cycles while increasing the serialized area by $67.89\%$ compared to the low-area variant. The maskings of the AES encryption are implemented on FPGA and evaluated with Test Vector Leakage Assessment (TVLA).

Publication info
Published elsewhere. CARDIS 2022
Keywords
AES, Hardware, Probing Security, Threshold Implementations
Contact author(s)
amund askeland @ uib no
siemen dhooghe @ esat kuleuven be
svetla nikova @ esat kuleuven be
vincent rijmen @ esat kuleuven be
zhenda zhang @ esat kuleuven be
2022-09-16: last of 3 revisions
2021-06-03: received
Creative Commons Attribution


      author = {Amund Askeland and Siemen Dhooghe and Svetla Nikova and Vincent Rijmen and Zhenda Zhang},
      title = {Guarding the First Order: The Rise of AES Maskings},
      howpublished = {Cryptology ePrint Archive, Paper 2021/734},
      year = {2021},
      note = {\url{}},
      url = {}