Number of Random S-boxes for each Multiplicative Complexity for n = 8

Optimal r parameter w.r.t. the CPRR-ISW cost ratio ? for ? ?

Graph representation of Circuit 1

Graph representation of Circuit 1 after maskComp

Security game

Overview of the sequence of games

Graph representation of a second Boolean circuit

Structure of an SPN-Based Block Cipher

Timings of a t-probing secure AES s-box implementation

Full code size (left graph) and LUT size (right table) w.r.t

Timings of mask refreshing

Multiplication performances for TRNG-1 in clock cycles

Multiplication performances for TRNG-2 in clock cycles

Timings of (parallel) ISW and CPRR schemes for n = 8

Timings of (parallel) ISW and CPRR schemes for n = 4

5.11 PRESENT s-box circuit for efficient bitslice implementation

Timings for 16 PRESENT s-boxes

3.3 Achievable smallest randomized basis computed according to Algorithm 1

3.4 Optimal parameters with rank-drop improvements

Results for AES s-box circuit

Performance results of the implementation AES s-box depending on the number of refresh gadgets

Size of the full multiplication table (in kilobytes) w.r

Implementation results for the ISW multiplication over F 2

Performance results for BDF+ (generic and unrolled)

Implementation results for the BBP+ multiplication

Implementation results for the BCPZ multiplication

Timings of the ISW-based mask refreshing

BDF+ refresh

5.10 Comparison of the multiplications at the algorithmic level

5.15 Performances of parallel ISW and CPRR schemes for n = 4

Performances in clock cycles

5.22 Timings for masked bitslice AES and PRESENT with a 60 MHz clock

, NBS FIPS PUB, vol.46, 1977.

R. Anderson, E. Biham, and L. Knudsen, Serpent: A Proposal for the Advanced Encryption Standard, NIST AES Proposal, p.35, 1998.

M. Andrychowicz, S. Dziembowski, and S. Faust, Circuit Compilers with O(1/ log(n)) Leakage Rate, EUROCRYPT 2016, Part II, vol.9666, pp.586-615, 2016.

G. Barthe, S. Belaïd, F. Dupressoir, P. Fouque, B. Grégoire et al., Verified Proofs of Higher-Order Masking, EUROCRYPT 2015, Part I, LNCS, vol.9056, pp.457-485, 2015.
URL : https://hal.archives-ouvertes.fr/hal-01216699

G. Barthe, S. Belaïd, F. Dupressoir, P. Fouque, B. Grégoire et al., Strong Non-Interference and Type-Directed Higher-Order Masking, ACM CCS 16. Ed. by Edgar R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, vol.46, pp.49-52, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01410216

S. Belaïd, F. Benhamouda, A. Passelègue, E. Prouff, A. Thillard et al., Randomness Complexity of Private Circuits for Multiplication, EUROCRYPT 2016, Part II, vol.9666, pp.616-648, 2016.

A. Battistello, J. Coron, E. Prouff, and R. Zeitoun, Horizontal Side-Channel Attacks and Countermeasures on the ISW Masking Scheme, CHES 2016, LNCS, vol.9813, p.22, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01399577

G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F. Standaert et al., Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model. Cryptology ePrint Archive, p.92, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01414009

G. Barthe, F. Dupressoir, S. Faust, B. Grégoire, F. Standaert et al., Parallel Implementations of Masking Schemes and the Bounded Moment Leakage Model, LNCS, vol.10210, pp.535-566, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01414009

S. Belaid, D. Goudarzi, and M. Rivain, Tight Private Circuits: Achieving Probing Security with the Least Refreshing, p.4, 2018.

E. Biham, A Fast New DES Implementation in Software, LNCS, vol.1267, p.16, 1997.

A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann et al., PRESENT: An Ultra-Lightweight Block Cipher, CHES 2007. Ed. by Pascal Paillier and Ingrid Verbauwhede, vol.4727, pp.450-466, 2007.

J. Boyar, P. Matthews, and R. Peralta, Logic Minimization Techniques with Applications to Cryptology, Journal of Cryptology, vol.26, p.73, 2013.

P. Barreto and V. Rijmen, The Khazad Legacy-Level Block Cipher. First Open NESSIE Workshop

D. Canright, A Very Compact S-Box for AES, CHES 2005, vol.3659, pp.441-455, 2005.

C. Carlet, L. Goubin, E. Prouff, M. Quisquater, and M. Rivain, Higher-Order Masking Schemes for S-Boxes, FSE 2012, vol.7549, pp.366-384, 2012.
DOI : 10.1007/978-3-642-34047-5_21

URL : https://link.springer.com/content/pdf/10.1007%2F978-3-642-34047-5_21.pdf

N. T. Courtois, D. Hulme, and T. Mourouzis, Solving Circuit Optimisation Problems in Cryptography and Cryptanalysis, Cryptology ePrint Archive, p.105, 2011.

S. Chari, C. S. Jutla, J. R. Rao, and P. Rohatgi, Towards Sound Approaches to Counteract Power-Analysis Attacks, CRYPTO'99, LNCS. Springer, vol.1666, pp.398-412, 1999.
DOI : 10.1007/3-540-48405-1_26

URL : https://link.springer.com/content/pdf/10.1007%2F3-540-48405-1_26.pdf

N. Courtois, T. Mourouzis, and D. Hulme, Exact Logic Minimization and Multiplicative Complexity of Concrete Algebraic and Cryptographic Circuits, Advances in Intelligent Systems, vol.6, pp.43-57, 2013.

J. Coron, Higher Order Masking of Look-Up Tables, LNCS. Springer, vol.8441, p.84, 2014.
DOI : 10.1007/978-3-642-55220-5_25

URL : https://link.springer.com/content/pdf/10.1007%2F978-3-642-55220-5_25.pdf

J. Coron, Formal Verification of Side-channel Countermeasures via Elementary Circuit Transformations. Cryptology ePrint Archive, p.46, 2017.
DOI : 10.1007/978-3-319-93387-0_4

N. T. Courtois, CTC2 and Fast Algebraic Attacks on Block Ciphers Revisited, p.26, 2007.

J.-S. Coron, E. Prouff, M. Rivain, and T. Roche, Higher-Order Side Channel Security and Mask Refreshing, FSE 2013, vol.8424, pp.410-424, 2014.

C. Carlet, E. Prouff, M. Rivain, and T. Roche, Algebraic Decomposition for Probing Security, CRYPTO 2015, Part I, vol.9215, pp.742-763, 2015.
DOI : 10.1007/978-3-662-47989-6_36

J.-S. Coron, A. Roy, and S. Vivek, Fast Evaluation of Polynomials over Binary Finite Fields and Application to Side-Channel Countermeasures, LNCS. Springer, vol.8731, p.41, 2014.

A. Duc, S. Dziembowski, and S. Faust, Unifying Leakage Models: From Probing Attacks to Noisy Leakage, EUROCRYPT 2014, vol.8441, pp.423-440, 2014.
DOI : 10.1007/s00145-018-9284-1

URL : https://link.springer.com/content/pdf/10.1007%2Fs00145-018-9284-1.pdf

J. Daemen, M. Peeters, G. V. Assche, and V. Rijmen, , p.26

FIPS PUB, Advanced Encryption Standard. NIST, p.108, 2001.

D. Goudarzi, A. Joux, and M. Rivain, How to Securely Compute with Noisy Leakage in Quasilinear Complexity, Asiacrypt, p.4, 2018.
DOI : 10.1007/978-3-030-03329-3_19

URL : https://hal.archives-ouvertes.fr/hal-01960745

D. Goudarzi, A. Journault, M. Rivain, and F. Standaert, Secure Multiplication for Bitslice Higher-Order Masking: Optimisation and Comparison, Proceedings. Ed. by Junfeng Fan and Benedikt Gierlichs, vol.10815, pp.3-22, 2018.
DOI : 10.1007/978-3-319-89641-0_1

V. Grosso, G. Leurent, F. Standaert, and K. Varici, LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations, FSE 2014, vol.8540, pp.18-37, 2015.
DOI : 10.1007/978-3-662-46706-0_2

URL : https://hal.archives-ouvertes.fr/hal-01093491

V. Grosso, E. Prouff, and F. Standaert, Efficient Masked S-Boxes Processing - A Step Forward, LNCS, vol.8469, p.15, 2014.
DOI : 10.1007/978-3-319-06734-6_16

D. Goudarzi and M. Rivain, On the Multiplicative Complexity of Boolean Functions and Bitsliced Higher-Order Masking, CHES 2016, LNCS, vol.9813, pp.457-478, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01379296

D. Goudarzi and M. Rivain, How Fast Can Higher-Order Masking Be in Software?, EUROCRYPT 2017, Part I, vol.10210, pp.73-76, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01494061

D. Goudarzi, M. Rivain, and D. Vergnaud, Lattice Attacks Against Elliptic-Curve Signatures with Blinded Scalar Multiplication, SAC 2016, vol.10532, pp.120-139, 2016.
URL : https://hal.archives-ouvertes.fr/hal-01379249

D. Goudarzi, M. Rivain, D. Vergnaud, and S. Vivek, Generalized Polynomial Decomposition for S-boxes with Application to Side-Channel Countermeasures, CHES 2017. Ed. by Wieland Fischer and Naofumi Homma, vol.10529, pp.154-171, 2017.
URL : https://hal.archives-ouvertes.fr/hal-01613764

Y. Ishai, A. Sahai, and D. Wagner, Private Circuits: Securing Hardware against Probing Attacks, CRYPTO 2003, vol.2729, pp.463-481, 2003.

A. Journault and F. Standaert, Very High Order Masking: Efficient Implementation and Security Evaluation, CHES 2017, vol.10529, pp.623-643, 2017.

H. Kim, S. Hong, and J. Lim, A Fast and Provably Secure Higher-Order Masking of AES S-Box, CHES 2011, vol.6917, pp.95-107, 2011.

M. Matsui and J. Nakajima, On the Power of Bitslice Implementation on Intel Core2 Processor, CHES 2007, vol.4727, p.16, 2007.

A. Poschmann, S. Ling, and H. Wang, 256 Bit Standardized Crypto for 650 GE-GOST Revisited, CHES 2010, vol.6225, p.26, 2010.

A. Poschmann, A. Moradi, K. Khoo, C. Lim, H. Wang et al., Side-Channel Resistant Crypto for Less than 2,300 GE, Journal of Cryptology, vol.24, p.16, 2011.

E. Prouff and M. Rivain, Masking against Side-Channel Attacks: A Formal Security Proof, EUROCRYPT 2013, vol.7881, pp.142-159, 2013.

M. Paterson and L. J. Stockmeyer, On the Number of Nonscalar Multiplications Necessary to Evaluate Polynomials, SIAM J. Comput, vol.2, issue.1, p.24, 1973.

M. Rivain and E. Prouff, Provably Secure Higher-Order Masking of AES, CHES 2010, vol.6225, pp.413-427, 2010.

A. Roy and S. Vivek, Analysis and Improvement of the Generic Higher-Order Masking Scheme of FSE, CHES 2013, vol.8086, pp.417-434, 2012.

A. Satoh, S. Morioka, K. Takano, and S. Munetoh, A Compact Rijndael Hardware Architecture with S-Box Optimization, LNCS. Springer, vol.2248, p.15, 2001.

T. Shirai, K. Shibutani, T. Akishita, S. Moriai, and T. Iwata, The 128-Bit Blockcipher CLEFIA (Extended Abstract), FSE 2007, vol.4593, pp.181-195, 2007.

K. Stoffelen, Optimizing S-Box Implementations for Several Criteria Using SAT Solvers, FSE 2016, vol.9783, p.26, 2016.

T. Shimoyama, H. Yanami, K. Yokoyama, M. Takenaka, K. Itoh et al., The Block Cipher SC2000, FSE 2001. Ed. by Mitsuru Matsui, vol.2355, pp.312-327, 2002.