Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing remain across the circuit evaluation. This has the potential to improve resistance of hardware implementations of block-ciphers against certain side-channel attacks, including some based on power analysis. A main goal is to make the illegitimate exfiltration of secret keys more difficult.
A typical desired consequence of a masked implementation is that an adversary that can probe up to d wires of a circuit does not obtain information about the real logical bits of the original computation. This has the potential to also provide resistance against an adversary that can perform power analysis over noisy aggregate measures (traces) during a circuit evaluation. Various attack models exist.
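The probing model described above can be exercised directly on a small gadget. The following is an added example, not code from the project: it Boolean-shares two bits, computes their AND with the ISW-style gadget (fresh random bits for each pair of shares), records every intermediate wire, and then enumerates all secrets and all coin values to find wires whose distribution depends on the secret. The `safe=False` variant reproduces the well-known mistake of combining the cross products before masking them, which a single probe distinguishes.

```python
import itertools
from functools import reduce
from operator import xor

def share(x, coins):
    """Boolean (XOR) sharing of bit x into len(coins)+1 shares; coins are fresh random bits."""
    return list(coins) + [reduce(xor, coins, x)]

def unshare(shares):
    return reduce(xor, shares, 0)

def masked_and(a, b, coins, wires, safe=True):
    """ISW AND gadget on n shares using n(n-1)/2 fresh bits. Every intermediate value is
    appended to `wires` so a probing adversary can be simulated afterwards.
    safe=False XORs a_i b_j and a_j b_i before masking them: the classic first-order leak."""
    n, coins, r = len(a), iter(coins), {}
    for i in range(n):
        for j in range(i + 1, n):
            r[i, j] = next(coins)
            if safe:
                t = r[i, j] ^ (a[i] & b[j])        # a_i b_j is masked before a_j b_i is added
                r[j, i] = t ^ (a[j] & b[i])
            else:
                t = (a[i] & b[j]) ^ (a[j] & b[i])  # unmasked cross term, depends on the secrets
                r[j, i] = r[i, j] ^ t
            wires += [r[i, j], t, r[j, i]]
    c = []
    for i in range(n):
        ci = a[i] & b[i]
        wires.append(ci)
        for j in range(n):
            if j != i:
                ci ^= r[i, j]
                wires.append(ci)
        c.append(ci)
    return c

def leaking_wires(n=2, safe=True):
    """Enumerate all secret inputs and all coin values; return the indices of wires whose
    value distribution depends on the secret bits (empty list = no first-order leak)."""
    n_coins = 2 * (n - 1) + n * (n - 1) // 2
    dist = {}
    for x, y in itertools.product((0, 1), repeat=2):
        for coins in itertools.product((0, 1), repeat=n_coins):
            a, b = share(x, coins[:n - 1]), share(y, coins[n - 1:2 * (n - 1)])
            wires = a + b                               # input shares are probeable too
            c = masked_and(a, b, coins[2 * (n - 1):], wires, safe)
            assert unshare(c) == (x & y)                # functional correctness of the gadget
            for k, w in enumerate(wires):
                dist.setdefault(k, {}).setdefault((x, y), [0, 0])[w] += 1
    return [k for k, d in dist.items() if len({tuple(v) for v in d.values()}) > 1]

if __name__ == "__main__":
    print(leaking_wires(safe=True), leaking_wires(safe=False))  # [] and [5]
```

Wire 5 in the unsafe run is the unmasked cross term a0·b1 ^ a1·b0, whose value is constant when both secret bits are 0 and uniform otherwise.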
The current focus of this project is on ascertaining the advantages and disadvantages of secret-sharing based hardware implementations of the Advanced Encryption Standard (AES), for potential standardization. It is also useful to consider the possible applicability to lightweight block-ciphers of upcoming NIST standards.
The consideration of masked circuits, as an approach related to secret sharing, started with the threshold cryptography project. The project then considered two separate tracks (single-device and multi-party). The single-device track evolved to become the "masked circuits for block-cipher circuits" project. Early public feedback about the single-device threshold setting was received in talks at the NTCW 2019 workshop (sessions II.1 and II.2), comments provided for NISTIR 8214 (see the diff) and 8214A (see the diff) and a related workshop organized by KULeuven (July 2020).
Identifying reference approaches: The research literature describes various possible approaches to enable resistance against side-channel attacks, under various models. Often there are tradeoffs between implementation/operation cost (e.g., area, energy, randomness) and security (e.g., protection order against certain side-channel attacks).
As of the 1st half of 2021, the project is considering criteria for secure masked implementation schemes. We are thinking about how to engage further with the community in the 2nd half of 2021. In particular, it will be useful to identify reference approaches that will ease the description, comparison and discussion of possible variants.
The discussions ahead will involve considerations on:
We intend to soon engage with the community of stakeholders in a directed discussion about these topics, including on how to organize a process for initial proposals.