up:: Classical Cryptography MOC

Masking (Cryptographic Countermeasure)

Masking is a side-channel countermeasure that splits every secret value a cryptographic implementation touches into several random shares, so that the physical leakage from any one share (its power draw, its electromagnetic emanation, its timing) tells an attacker nothing about the secret, and only by combining measurements of all the shares at once could anyone recover it. It defends the box that runs the algorithm rather than the algorithm itself, which is a different problem from the one Shor’s and Grover’s algorithms create, and it is one of the load-bearing techniques for building side-channel-resistant implementations of the post-quantum signature standards, most notably ML-DSA.

The short version:

  1. Masking hides secrets from physical leakage by secret-sharing. Each sensitive value is split into d+1 random shares that recombine to the original (XOR for Boolean masking, modular addition for arithmetic masking), and the device computes on the shares so the raw secret never appears in one place.
  2. It answers side-channel analysis (power, electromagnetic, and timing leakage), which is a separate threat from breaking the underlying math. Quantum algorithms attack the cipher; side channels attack the silicon running it, and masking is the defense for the second.
  3. Higher masking order means more shares, more protection, and more cost. An order-d masking uses d+1 shares, the measurements an attacker needs grow exponentially with d on a noisy device, and the compute cost of the protected multiplication grows quadratically, about O(d²).
  4. Masking is decisive for post-quantum signatures. ML-DSA runs on HSMs, secure elements, and constrained devices that leak, and its rejection-sampling step is one of the hardest parts of any signature scheme to mask correctly.
  5. Masking is an implementation property, not an algorithm choice. A FIPS-standardized algorithm can still surrender its private key if the hardware that runs it is unmasked and an attacker can measure it.

Picture splitting a passphrase across several couriers. You hand each courier a random string, arranged so that adding all the strings together reproduces the passphrase, while any single string on its own is pure noise. An eavesdropper who taps one courier learns nothing, and only by capturing every courier and combining their pieces could anyone reconstruct the secret. Masking does exactly this inside a chip, so a probe listening to the power line or the electromagnetic field sees one meaningless share at a time instead of the key.

What is masking?

Masking is a class of side-channel countermeasures in which a cryptographic implementation never operates on a sensitive value directly, but instead represents it as a set of random shares and computes on those shares throughout. It comes from the observation, made once differential power analysis was published in 1999, that a device leaks information correlated with the intermediate values it computes, so the fix is to make sure no single intermediate value is correlated with the secret. Splitting a secret x into shares x₀, x₁, …, x_d chosen so they recombine to x, with every proper subset of them independent of x, achieves precisely that.

The idea was introduced by Chari, Jutla, Rao, and Rohatgi at CRYPTO 1999, in the same year and the same proceedings as the power-analysis attack it answers. They framed masking as secret-sharing against leakage and proved the property that makes it worth the cost: on a device with genuine measurement noise, the number of samples an attacker needs to recover a shared secret grows exponentially with the number of shares. That exponential relationship between shares and attacker effort is the entire reason to mask.

Source: P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” CRYPTO 1999, LNCS 1666, Springer.

Source: S. Chari, C. Jutla, J. R. Rao, and P. Rohatgi, “Towards Sound Approaches to Counteract Power-Analysis Attacks,” CRYPTO 1999, LNCS 1666, Springer.

How does masking work?

Masking works by carrying a secret as random shares from the moment it enters a computation to the moment a result leaves, so that every intermediate the hardware physically touches is decorrelated from the real value. The mechanism runs in three parts:

  1. Sharing. A sensitive value x is split into d+1 shares. For Boolean masking, d of the shares are fresh random values and the last is set so that x = x₀ ⊕ x₁ ⊕ … ⊕ x_d. Because every share except the combination is uniformly random, any d of the d+1 shares reveal nothing about x.
  2. Computing on shares. The algorithm is rewritten so each operation runs on shares and produces shares, never reconstructing x. Linear operations are simple, since applying them share-by-share is already correct. Nonlinear operations, such as a cipher’s substitution box or a lattice scheme’s arithmetic, are the hard part, because they need a special protected sub-routine (a “gadget”) that mixes shares while carefully injecting fresh randomness so no internal value leaks.
  3. Recombining. Only at the very end, once the sensitive processing is complete, are the output shares combined to yield the final result.

The security of this construction was formalized by Ishai, Sahai, and Wagner at CRYPTO 2003 with the probing model, which asks whether an adversary who can observe up to t internal wires learns anything about the secret. Their result showed that a circuit can be transformed into one provably secure against any t-wire probing adversary, and the probing model became the standard yardstick for proving a masked gadget correct. A masking is called order-d when it resists an adversary observing d intermediate values at once.

Source: Y. Ishai, A. Sahai, and D. Wagner, “Private Circuits: Securing Hardware against Probing Attacks,” CRYPTO 2003, LNCS 2729, Springer.

What is the difference between Boolean and arithmetic masking?

Boolean and arithmetic masking differ in how the shares recombine, and that difference is why masking a lattice-based signature is more involved than masking a block cipher. Boolean masking recombines shares with XOR and suits bitwise operations. Arithmetic masking recombines shares with modular addition and suits the modular arithmetic at the heart of lattice-based cryptography. A scheme that needs both (a signature that mixes bitwise hashing with modular ring arithmetic) has to convert shares back and forth between the two representations, and those conversions are expensive and delicate to keep leak-free.

PropertyBoolean maskingArithmetic masking
Shares recombine byXOR (x = x₀ ⊕ … ⊕ x_d)Modular addition (x = x₀ + … + x_d mod q)
Natural fitBitwise operations, hashing, AES-style S-boxesModular ring arithmetic in lattice schemes
Cheap operationsBitwise and XOR stepsModular add and multiply-by-constant
Expensive operationsModular arithmeticBitwise steps, comparisons
Cost in PQCNeeds conversion for the arithmetic partsNeeds conversion for the hashing and comparison parts

The practical consequence is that post-quantum signatures pay a conversion tax that a pure block cipher avoids. A large part of the research on masking ML-DSA is precisely about making the Boolean-to-arithmetic and arithmetic-to-Boolean conversions fast and provably secure.

Source: J.-S. Coron, F. Gérard, T. Lepoint, M. Trannoy, and R. Zeitoun, “Improved High-Order Masked Generation of Masking Vector and Rejection Sampling in Dilithium,” IACR TCHES 2024(4), eprint 2024/1149.

What does masking protect against, and what does it not?

Masking protects against side-channel analysis, the family of attacks that read secrets out of a device’s physical behavior instead of attacking the mathematics. That covers power analysis (measuring current draw during a computation), electromagnetic analysis (measuring the field the chip radiates), and some timing leakage. The threat is concrete for any hardware an attacker can get near or measure: a smart card, a hardware security module, a secure element, a signing accelerator, or a constrained IoT device in the field.

What masking does not do is change the security of the algorithm against a mathematical attack. It offers no defense against Shor’s algorithm recovering a private key from a public key, and it does nothing about a weak cipher or a bad protocol. Masking and post-quantum migration are answers to two independent questions: post-quantum standards fix the math against a quantum computer, and masking fixes the implementation against a probe. A system needs both, because a perfectly quantum-safe ML-DSA key is still extractable if the silicon signing with it leaks and nobody masked it.

Two related countermeasures often travel with masking rather than replacing it:

  1. Constant-time implementation removes the timing and control-flow leakage that comes from secret-dependent branches or memory access. It is necessary groundwork, and masking is layered on top for the power and electromagnetic channels that constant-time code alone does not close.
  2. Hiding (adding noise, shuffling the order of operations, balancing power draw) raises the measurement cost but does not carry masking’s provable, order-scaling guarantee, so it is typically combined with masking rather than used alone.

Why does masking order matter?

Masking order matters because it is the dial that trades performance for protection, and picking it is the central engineering decision when you mask a real implementation. The order d is the number of intermediate values an attacker would have to observe simultaneously to learn anything, and it sets both the security and the cost:

  1. Shares scale linearly. An order-d masking splits each secret into d+1 shares.
  2. Security scales exponentially. On a device with real measurement noise, the number of traces an attacker needs to defeat the masking grows exponentially with the order. Each extra order forces the attacker to multiply their measurement campaign, which is what makes even modest orders a strong deterrent in noisy conditions.
  3. Cost scales quadratically. The protected nonlinear gadget (the secure multiplication) costs on the order of operations, because it has to combine every share with every other share while injecting fresh randomness. Memory and the demand for random bits climb with order as well.
Masking order dSharesAttacker effort (noisy device)Compute cost of protected multiply
0 (unmasked)1Small, often a few thousand tracesBaseline
1 (first-order)2Substantially higher~4× the gadget work
d (order-d)d+1Grows exponentially with d~O(d²)

Because cost grows quadratically while security grows exponentially in noise, adding order is a favorable trade up to a point, and most deployments choose the lowest order that clears their threat model rather than the highest they can afford. The exponential-security and quadratic-cost relationship was set out for higher-order masking by Rivain and Prouff.

Source: M. Rivain and E. Prouff, “Provably Secure Higher-Order Masking of AES,” CHES 2010, LNCS 6225, Springer.

Why is masking hard for post-quantum signatures like ML-DSA?

Masking a post-quantum signature is harder than masking a block cipher because the scheme mixes operations that live in different masking worlds and includes steps that resist masking by their very structure. ML-DSA combines modular ring arithmetic (which wants arithmetic masking) with hashing and comparisons (which want Boolean masking), so a masked implementation is full of costly conversions between the two representations. On top of that, its signing loop uses rejection sampling: it generates a candidate signature, checks whether it falls inside safe bounds, and retries when it does not. That accept-or-reject test depends on secret values, and building it so the reject path leaks nothing (in timing, power, or emanation) is one of the thorniest problems in the whole area.

The research record reflects the difficulty. Migliore, Gérard, Tibouchi, and Fouque gave one of the first full side-channel evaluations of a masked Dilithium (the scheme standardized as ML-DSA) at ACNS 2019, and found the arithmetic-vs-Boolean tension so central that switching the scheme’s modulus to a power of two improved masking efficiency by roughly 7 to 9 times. Later work by Coron, Gérard, Lepoint, Trannoy, and Zeitoun (TCHES 2024) is devoted specifically to a faster, provably secure high-order masked rejection sampling and masking-vector generation, proven in the same Ishai-Sahai-Wagner probing model, which is a measure of how much dedicated effort masking one step of one signature scheme demands.

This is why the firm’s read on ML-DSA treats side-channel resistance as hardware-verification work rather than a checkbox: constant-time software is necessary but not sufficient, and the assurance that a signing key survives a probe rests on masking that was proven and measured on the exact platform being deployed.

Source: V. Migliore, B. Gérard, M. Tibouchi, and P.-A. Fouque, “Masking Dilithium: Efficient Implementation and Side-Channel Evaluation,” ACNS 2019, eprint 2019/394.

Source: J.-S. Coron, F. Gérard, T. Lepoint, M. Trannoy, and R. Zeitoun, “Improved High-Order Masked Generation of Masking Vector and Rejection Sampling in Dilithium,” IACR TCHES 2024(4), eprint 2024/1149.

What does masking cost, and what are the tradeoffs?

Masking is never free, and the cost lands in several places at once, which is why it is applied deliberately to the parts of a system that face a real physical attacker rather than everywhere. The tradeoffs worth knowing:

  1. Performance. The protected nonlinear operations grow quadratically with order, so a high-order masked implementation can run several times slower than an unmasked one. Linear parts stay cheap, so the slowdown concentrates in the substitution boxes and modular gadgets.
  2. Randomness. Every share and every gadget consumes fresh random bits, so masking leans hard on a fast, high-quality random source. A weak or slow generator becomes both a bottleneck and a new leakage risk.
  3. Memory and code size. More shares means more state and more code, which is a genuine constraint on the constrained devices that most need protection. On small hardware the binding limit for a masked post-quantum signature is often heap footprint rather than speed.
  4. Correctness and composition. A gadget proven secure in isolation can leak once composed with others, so masked designs need composition-aware proofs. Getting this wrong yields an implementation that looks masked and still leaks, which is why the bar reaches past the proof to measured evaluation on real hardware.
  5. Hardware specificity. Masking that resists leakage on one chip can under-perform on another with different physical characteristics, so the guarantee is tied to the platform it was validated on.

The honest summary is that masking buys a strong, quantifiable reduction in side-channel risk in exchange for performance, randomness, memory, and engineering care, and the order is chosen to match the attacker a given device actually faces.

Common misconceptions

  1. “Masking makes an algorithm quantum-safe.” It does neither more nor less than reduce physical leakage. Resistance to a quantum computer comes from switching to a post-quantum algorithm like ML-DSA; masking protects the implementation of whatever algorithm you run.
  2. “If the algorithm is FIPS-approved, the key is safe.” Standardization certifies the math. An unmasked implementation of a standardized algorithm can still leak its key through power or electromagnetic analysis to an attacker who can measure the device.
  3. “First-order masking is enough for everything.” First-order masking stops the simplest attacks, and higher-order analysis can defeat it. The right order depends on the device’s noise and the attacker’s access, so high-value hardware often needs order two or more.
  4. “Constant-time code is masking.” Constant-time execution closes timing and control-flow leakage and is necessary groundwork. It does nothing for the power and electromagnetic channels, which is what masking is for, so the two are layered together.
  5. “A masking proof means the product is secure.” A proof in the probing model is necessary and not sufficient. Real silicon can leak through effects the model abstracts away, so proven masking still has to be measured on the actual platform.
  6. “Masking only matters for smart cards.” Any hardware an attacker can get near or instrument is in scope, including HSMs, secure elements, signing accelerators, and IoT devices in the field.

Questions people ask

Is masking a hardware or a software technique? Both. Masking is a way of structuring a computation on shares, and it can be implemented in software (a masked library) or baked into hardware (a masked co-processor). The strongest protection usually combines masked software with hardware designed to leak as little as possible.

What is the difference between first-order and higher-order masking? First-order masking splits each secret into two shares and stops an attacker who observes a single intermediate value. Higher-order masking uses more shares and resists an attacker who can combine several observations at once. Higher order costs more and, on a noisy device, raises the attacker’s effort exponentially.

Does masking replace constant-time implementation? No, they address different channels and are used together. Constant-time code removes timing and control-flow leakage, and masking removes the correlation between the secret and the device’s power and electromagnetic behavior.

Do I need masking if I already migrated to post-quantum cryptography? If the hardware runs private keys where an attacker can measure it, yes. Post-quantum migration fixes the math against a quantum computer, and masking fixes the implementation against a probe, so a device like an HSM or secure element needs both.

Why is masking harder for ML-DSA than for AES? ML-DSA mixes arithmetic that wants arithmetic masking with hashing and comparisons that want Boolean masking, forcing expensive conversions, and its rejection-sampling step is especially difficult to mask without leaking. A block cipher like AES stays in one masking world and has no rejection loop.

How much slower is a masked implementation? It depends on the order and the operation. Linear steps stay cheap, and the protected nonlinear gadgets grow roughly quadratically with the masking order, so a higher-order masked implementation can run several times slower than an unmasked one.

Who is responsible for masking, the algorithm designer or the vendor? The implementer. A standard specifies the algorithm, and masking is an implementation decision made by whoever builds the library or the chip. When buying hardware, it is worth asking whether the side-channel resistance was proven and measured on the platform you will actually deploy.

Is masking required by NIST? The FIPS standards specify the algorithms and flag side-channel resistance as an implementation concern rather than mandating a specific countermeasure. Whether masking is required in practice is driven by the deployment’s threat model and by validation regimes for the hardware, so high-assurance products treat it as part of the bar.


Everything here is the map, given freely. When your team needs its post-quantum signing hardware evaluated for where it leaks and how deeply it has to be masked, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.