Paper 2023/1117

Mask Compression: High-Order Masking on Memory-Constrained Devices

Markku-Juhani O. Saarinen, PQShield, UK
Mélissa Rossi, ANSSI, France

Masking is a well-studied method for achieving provable security against side-channel attacks. In masking, each sensitive variable is split into $d$ randomized shares, and computations are performed with those shares. In addition to the computational overhead of masked arithmetic, masking also has a storage cost, increasing the requirements for working memory and secret key storage proportionally with $d$. In this work, we introduce mask compression. This conceptually simple technique is based on standard, non-masked symmetric cryptography. Mask compression allows an implementation to dynamically replace individual shares of large arithmetic objects (such as polynomial rings) with $\kappa$-bit cryptographic seeds (or temporary keys) when they are not in computational use. Since $\kappa$ does not need to be larger than the security parameter (e.g., $\kappa=256$ bits) and each polynomial share may be several kilobytes in size, this radically reduces the memory requirement of high-order masking. Overall provable security properties can be maintained by using appropriate gadgets to manage the compressed shares. We describe gadgets with Non-Interference (NI) and composable Strong Non-Interference (SNI) security arguments. Mask compression can be applied in various settings, including symmetric cryptography, code-based cryptography, and lattice-based cryptography. It is especially useful for cryptographic primitives that allow quasilinear-complexity masking and hence are practically capable of very high masking orders. We illustrate this with a $d=32$ (Order-31) implementation of the recently introduced lattice-based signature scheme Raccoon on an FPGA platform with limited memory resources.
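The storage idea in the abstract, as a functional sketch (an added example, not code from the paper or its authors): shares 1 to d-1 of a polynomial are each replaced by a 256-bit seed, and share 0 stays full-size. The modulus `Q`, length `N`, the SHAKE256 expander and all function names are assumptions made here; the code checks correctness and memory accounting only and does not implement the paper's NI/SNI gadgets.

```python
import hashlib
import secrets

Q = 8380417   # illustrative modulus (assumption, not a parameter from the paper)
N = 512       # illustrative number of coefficients (assumption)
KAPPA = 32    # seed length in bytes: kappa = 256 bits, as in the abstract

def expand(seed, n=N, q=Q):
    """Expand a seed into n coefficients uniform mod q (SHAKE256 + rejection)."""
    out, ctr = [], 0
    while len(out) < n:
        block = hashlib.shake_256(seed + ctr.to_bytes(4, "little")).digest(192)
        ctr += 1
        for i in range(0, len(block), 3):
            c = int.from_bytes(block[i:i + 3], "little") & 0x7FFFFF
            if c < q and len(out) < n:
                out.append(c)
    return out

def share(x, d, q=Q):
    """Plain additive masking: d full-size shares that sum to x mod q."""
    shares = [[secrets.randbelow(q) for _ in x] for _ in range(d - 1)]
    last = [xi % q for xi in x]
    for s in shares:
        last = [(a - b) % q for a, b in zip(last, s)]
    return shares + [last]

def compress(shares, q=Q):
    """Replace shares 1..d-1 by fresh seeds; share 0 absorbs the differences."""
    full, seeds = list(shares[0]), []
    for s in shares[1:]:
        seed = secrets.token_bytes(KAPPA)
        mask = expand(seed, len(s), q)
        # Subtract the seed-derived mask first, then fold the result into share 0.
        full = [(f + (a - m)) % q for f, a, m in zip(full, s, mask)]
        seeds.append(seed)
    return full, seeds

def decode(full, seeds, q=Q):
    """Recombine the secret. Test helper only: a masked device never does this."""
    for seed in seeds:
        full = [(f + m) % q for f, m in zip(full, expand(seed, len(full), q))]
    return full

def storage_bytes(d, n=N, q=Q, compressed=True):
    """Bytes needed to hold one masked polynomial, with or without compression."""
    poly = (q.bit_length() + 7) // 8 * n
    return poly + (d - 1) * KAPPA if compressed else d * poly
```

With these illustrative parameters and $d=32$, a masked polynomial shrinks from 49152 bytes to 2528 bytes.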

Publication info
Published elsewhere. Minor revision. SAC 2023: Selected Areas in Cryptography, 30th International Conference, Fredericton, NB, Canada, August 16-18, 2023
Keywords
Side-Channel Security, Mask Compression, Raccoon Signature Scheme, Post-Quantum Cryptography
Contact author(s)
mjos @ pqshield com
melissa rossi @ ssi gouv fr
2023-07-18: approved
2023-07-18: received
Creative Commons Attribution


@misc{cryptoeprint:2023/1117,
      author = {Markku-Juhani O. Saarinen and Mélissa Rossi},
      title = {Mask Compression: High-Order Masking on Memory-Constrained Devices},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1117},
      year = {2023},
      note = {\url{}},
      url = {}
}