Side-channel attacks are an important class of cryptanalytic techniques against cryptographic implementations, and masking is a frequently considered solution to improve the resistance of a cryptographic implementation against side-channel attacks. The security of higher-order Boolean masking schemes in various contexts is analysed. The results presented are twofold. First, the definitions of higher-order side-channel attacks with the related security notions are formalised and certain security weaknesses in recently proposed masking schemes are put forward. Second, the conditions under which a substitution box in a block cipher can be perfectly masked by Boolean values in order to counteract side-channel attacks are investigated. That is, can the leakages' statistical distributions at a masked S-box output (over all possible masks) be independent of the secret key targeted in the attacks? The consequences of this requirement are studied in two commonly considered leakage models, namely the Hamming weight and distance models, and conditions on the substitution boxes are derived. As a result of the analysis, it appears that these conditions are not achievable as they lead to evident cryptanalytic weaknesses. Thus, it is formally confirmed that masking cannot be used as a stand-alone countermeasure and cannot offer provable security against side-channel attacks.
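The key-independence question posed above can be checked exhaustively on a small case. The following is an added illustration, not code or a construction from the paper. It assumes a noise-free Hamming weight model, a single 4-bit Boolean mask, PRESENT's 4-bit S-box as a sample S-box, and the sum of the two shares' Hamming weights as the combined leakage; all function names are hypothetical.

```python
from collections import Counter

# PRESENT's 4-bit S-box, used here only as a small sample S-box (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MASKS = range(16)  # every 4-bit Boolean mask, taken as uniformly distributed
KEYS = range(16)   # every 4-bit key nibble


def hw(value):
    """Hamming weight (number of set bits)."""
    return bin(value).count("1")


def single_leak_dist(x, k):
    """Distribution over all masks m of HW(S(x ^ k) ^ m): the masked output alone."""
    z = SBOX[x ^ k]
    return Counter(hw(z ^ m) for m in MASKS)


def combined_leak_dist(x, k):
    """Distribution over all masks m of HW(S(x ^ k) ^ m) + HW(m).

    Models an observer who sees the leakage of both shares (assumed model).
    """
    z = SBOX[x ^ k]
    return Counter(hw(z ^ m) + hw(m) for m in MASKS)


def is_key_independent(dist_fn, x):
    """True if the leakage distribution for plaintext x is identical for every key."""
    dists = [dist_fn(x, k) for k in KEYS]
    return all(d == dists[0] for d in dists)


def mean(dist):
    """Mean of a leakage distribution given as value -> count."""
    return sum(v * c for v, c in dist.items()) / sum(dist.values())


if __name__ == "__main__":
    x = 0  # constructed sample plaintext nibble
    print("masked output alone, key-independent:", is_key_independent(single_leak_dist, x))
    print("both shares combined, key-independent:", is_key_independent(combined_leak_dist, x))
    for k in (5, 10):  # S(5) = 0x0 and S(10) = 0xF: the two extreme cases
        d = combined_leak_dist(x, k)
        print(f"k={k}: mean={mean(d)} dist={dict(sorted(d.items()))}")
```

In this toy setting the mean of the combined leakage is the same for every key while its full distribution is not, so the dependence on the key appears only in higher-order statistics.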