Quasi-linear masking against SCA and FIA, with cost amortization


  • Claude Carlet, University of Bergen, Bergen, Norway; LAGA, Department of Mathematics, University of Paris 8 (and Paris 13 and CNRS), Saint–Denis Cedex 02, France
  • Abderrahman Daif, BULL SAS, Les Clayes-sous-Bois, France
  • Sylvain Guilley, Secure-IC S.A.S., Paris, France; Telecom Paris, Institut Polytechnique de Paris, Palaiseau, France
  • Cédric Tavernier, Hensoldt France, Plaisir, France




Keywords: Side-channel analysis (SCA), Fault injection analysis (FIA), Strong Non Interference (SNI), Code-Based Masking (CBM), Fault Detection, Frobenius Additive Fast Fourier Transform (FAFFT), Cost amortization


The implementation of cryptographic algorithms must be protected against physical attacks. Side-channel and fault injection analyses are two prominent implementation-level attacks of this kind. Protections against either do exist. Against side-channel attacks, they are characterized by SNI security orders: the higher the order, the more difficult the attack.
In this paper, we leverage the fast discrete Fourier transform to reduce the complexity of high-order masking. The security paradigm is that of code-based masking. Coding theory is amenable both to masking material at a prescribed order, by mixing the information, and to detecting and/or correcting errors purposely injected by an attacker. For the first time, we show that quasi-linear masking (pioneered by Goudarzi, Joux and Rivain at ASIACRYPT 2018) can be achieved alongside cost amortization. This technique consists of masking several symbols/bytes with the same masking material, thereby improving the efficiency of the masking. We provide a security proof, leveraging both coding and probing security arguments. Regarding fault detection, our masking is capable of detecting up to d faults, where 2d + 1 is the length of the code, at any place in the algorithm, including within gadgets. In addition to the theory, which makes use of the Frobenius Additive Fast Fourier Transform, we show performance results from a C language implementation, which confirm in practice that the complexity is quasi-linear in the code length.




How to Cite

Carlet, C., Daif, A., Guilley, S., & Tavernier, C. (2023). Quasi-linear masking against SCA and FIA, with cost amortization. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2024(1), 398–432. https://doi.org/10.46586/tches.v2024.i1.398-432