U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Masked Circuits for Block-ciphers MC


Masking schemes use secret-sharing of the input bits of a circuit and recompile the circuit logic to ensure that important properties of the secret sharing remain across the circuit evaluation. This has the potential to improve resistance of hardware implementations of block-ciphers against certain side-channel attacks, including some based on power analysis. A main goal is to make the illegitimate exfiltration of secret keys more difficult.

A typical desired consequence of a masked implementation is that an adversary that can probe up to d wires of a circuit does not obtain information about the real logical bits of the original computation. This has the potential to also provide resistance against an adversary that can perform power analysis over noisy aggregate measures (traces) during a circuit evaluation. Various attack models exist.

The current focus of this project is on ascertaining the advantages and disadvantages of secret-sharing based hardware implementations of the Advanced Encryption Standard (AES), for potential standardization. It is also useful to consider the possible applicability to lightweight block-ciphers of upcoming NIST standards.

The consideration of masked circuits, as an approach related to secret sharing, started with the threshold cryptography project. The project then considered two separate tracks (single-device and multi-party). He single-deice track evolved to become the "masked circuits for block-cipher circuits" project. Early public feedback about the single-device threshold setting was received in talks at the NTCW 2019 workshop (sessions II.1 and II.2), comments provided for NISTIR 8214 (see the diff) and 8214A (see the diff) and a related workshop organized by KULeuven (July 2020).

Identifying reference approaches: The research literature describes various possible approaches to enable resistance against side-channel attacks, under various models. Often there are tradeoffs between implementation/operation cost (e.g., area, energy, randomness) and security (e.g., protection order against certain side-channel attacks).

As of the 1st half of 2021, the project is considering criteria for secure masked implementation schemes. We are thinking about how to engage further with the community in the 2nd half of 2021. In particular, it will be useful to identify reference approaches that will ease the description, comparison and discussion of possible variants.

The discussions ahead will involve considerations on:

  •  Algorithm vs. implementation profiles: the masking techniques are defined at the algorithmic level, but their effectiveness relies on some hardware implementation assumptions. It is useful to characterize the implementation profiles for which the proposed algorithmic techniques will improve the expected resistance against side channel attacks.
  •  Usefulness to the industry: the success of new standards will depend on an alignment with not only improved security but also their adoptability by the industry.

We intend to soon engage with the community of stakeholders in a directed discussion about these topics, including on how to organize a process for initial proposals.

Additional Pages

Email List (MC-Forum)


Reach the masked circuits team at

Apostol Vassilev

Luís T. A. N. Brandão

René Peralta


Security and Privacy: encryption, random number generation

Created May 12, 2021, Updated August 18, 2021