Masking vs. Multiparty Computation: How Large is the Gap for AES?

Abstract. In this paper, we evaluate the performances of state-of-the-art higher-order masking schemes for the AES. Doing so, we pay a par-ticular attention to the comparison between specialized solutions intro-duced exclusively as countermeasures against side-channel analysis, and a recent proposal by Roche and Prouff exploiting MultiParty Computa-tion (MPC) techniques. We show that the additional security features this latter scheme provides (e.g. its glitch-freeness) comes at the cost of large performance overheads. We then study how exploiting standard op-timization techniques from the MPC literature can be used to reduce this gap. In particular, we show that “packed secret sharing ” based on a mod-ified multiplication algorithm can speed up MPC-based masking when the order of the masking scheme increases. Eventually, we discuss the ran-domness requirements of masked implementations. For this purpose, we first show with information theoretic arguments that the security guar-antees of masking are only preserved if this randomness is uniform, and analyze the consequences of a deviation from this requirement. We then conclude the paper by including the cost of randomness generation in our performance evaluations. These results should help actual designers to choose a masking scheme based on security and performance constraints.