Paper 2022/045

Probing Security through Input-Output Separation and Revisited Quasilinear Masking

Dahmun Goudarzi
Thomas Prest, PQShield
Matthieu Rivain, CryptoExperts (France)
Damien Vergnaud, Sorbonne Université, CNRS, LIP6

The probing security model is widely used to formally prove the security of masking schemes. Whenever a masked implementation can be proven secure in this model with a reasonable \emph{leakage rate}, it is also provably secure in a realistic leakage model known as the \emph{noisy leakage model}. This paper introduces a new framework for the composition of probing-secure circuits. We introduce the security notion of \emph{input-output separation} (IOS) for a refresh gadget. From this notion, one can easily compose gadgets satisfying the classical probing security notion --which does not ensure composability on its own-- to obtain a \emph{region probing secure} circuit. Such a circuit is secure against an adversary placing up to $t$ probes in each gadget composing the circuit, which ensures a tight reduction to the more realistic noisy leakage model. After introducing the notion and proving our composition theorem, we compare our approach to the composition approaches obtained with the (Strong) Non-Interference (S/NI) notions as well as the Probe-Isolating Non-Interference (PINI) notion. We further show that any uniform SNI gadget achieves the IOS security notion, while the converse is not true. We further describe a refresh gadget achieving the IOS property for any linear sharing with a quasilinear complexity $\Theta(n \log n)$ and a $O(1/\log n)$ leakage rate (for an $n$-size sharing). This refresh gadget is a simplified version of the quasilinear SNI refresh gadget proposed by Battistello, Coron, Prouff, and Zeitoun (ePrint 2016). As an application of our composition framework, we revisit the quasilinear-complexity masking scheme of Goudarzi, Joux and Rivain (Asiacrypt 2018). We improve this scheme by generalizing it to any base field (whereas the original proposal only applies to field with $n$th powers of unity) and by taking advantage of our composition approach. We further patch a flaw in the original security proof and extend it from the random probing model to the stronger region probing model. Finally, we present some application of this extended quasilinear masking scheme to AES and MiMC and compare the obtained performances.

Note: A wrong claim of the original paper about the relation between security notions has been removed (Section 3.3). A security flaw has been patched in the IOS refresh gadget (Section 4).

Available format(s)
Publication info
A minor revision of an IACR publication in TCHES 2021
Masking Composition Side-Channel Security (Region) Probing Model Quasilinear Complexity
Contact author(s)
dahmun goudarzi @ gmail com
thomas prest @ pqshield com
matthieu rivain @ cryptoexperts com
damien vergnaud @ lip6 fr
2022-06-23: revised
2022-01-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Dahmun Goudarzi and Thomas Prest and Matthieu Rivain and Damien Vergnaud},
      title = {Probing Security through Input-Output Separation and Revisited Quasilinear Masking},
      howpublished = {Cryptology ePrint Archive, Paper 2022/045},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.