BRIEF DESCRIPTION OF THE DRAWINGS

[0001] Figure l is a diagram illustrating an example two domain masked AND gate.

[0002] Figure 2 is a diagram illustrating an example of a masked AND gate that takes a first operand using four shares and a second operand using two shares and produces a two share output (a.k.a., 4/2-to-2 domain AND gate).

[0003] Figure 3 is a diagram illustrating an example two domain to four domain masked AND gate.

[0004] Figure 4 is a block diagram illustrating an example use of low-latency domain oriented masking to implement the Advanced Encryption Standard (AES) S-box.

[0005] Figure 5 is a flowchart illustrating low-latency multi-domain masking. [0006] Figure 6 is a block diagram of a processing system.

DETAILED DESCRIPTION OF THE EMBODIMENTS

[0007] Hardware masking is a countermeasure that may be used to make power analysis attacks more difficult. Masking attempts to decouple the secret and/or processed values of a cryptographic implementation from its intermediate values. One method of masking is to probabilistically split each bit of a computation into multiple “shares”. Because the values of the shares are the result of an operation that processes random values, each share bit does not yield information about the original bit. Computations may then be performed on the individual bit shares (a.k.a. mask shares) without revealing information about the original (secret) bit. In Domain Oriented Masking (DOM), each share of a variable is associated with one share domain. Thus, the basic idea of the DOM approach is to keep the shares of all domains independent from shares of the other domains. [0008] In an embodiment, a multi-domain masked AND gate includes inner-domain calculations, re-sharing, register stage, cross-domain calculations, and compression. The inner-domain multiplication and the re-sharing are calculated prior to storing the re-shared variables in the register stage. Thus, the inputs to the cross-domain multiplication and the compression are performed on variables that have been refreshed by additional randomness. This AND gate does not need statistically independent inputs, is secure in the probing model even in the presence of glitches, also known as the robust probing model. Additionally, this AND gate is NI, SNI and PINI robust. A two-domain input and two domain output AND gate can be implemented using six (6) registers, four (4) two input logical AND gates, and eight (8) exclusive-OR (XOR) gates. The AND gate may also be used to implement an AES S-box that has two (2) register stages and takes two (2) clock cycles per computation.

[0009] Figure l is a diagram illustrating an example two domain masked AND gate. In Figure 1, two domain masked AND gate 100 comprises AND gates 11 la-11 lb, XOR gates 121a-123a, XOR gates 121b-123b, registers (e.g., D flip-flop, latch, etc.) 131a-133a, registers 13 lb-133b, AND gates 141a-141b, and XOR gates 15 la-15 lb. Masked AND gate 100 securely computes the function q=xAy (i.e., x logically AND’d with y), where each variable has been split into two Boolean mask shares (i.e., x=(Ax,Bx)=Ax®Bx, and y=(Ay,By)=AyffiB _y ) and the output is two shares (A _q ,B _q ). Thus, AND gate 100 securely computes ANDmasked(Ax,Bx,Ay,B _y ,Zo-2)=(A _q ,B _q ) where Z0-2 are three random variables (i.e., Zo, Zi, and Z2) and q=A _q ®B _q =xAy.

[0010] Masked AND gate 100 is divided into two share domains: domain A and domain B. Domain A receives the input shares A _x and A _y , receives random values Z0-Z2, and produces the output share A _q . Domain A includes AND gate I l la, XOR gates 12 la- 123a, registers 131a-133a, AND gate 141a, and XOR gate 151a. Domain B receives the input shares B _x and B _y , receives random values Z0-Z2, and produces the output share B _q . Domain B includes AND gate 111b, XOR gates 121b-123b, registers 13 lb-133b, AND gate 141b, and

XOR gate 151b.

[0011] In domain A, AND gate I l la receives A _x and A _y and produces a result that is provided to XOR gate 121a. The calculation of A _X AAV by AND gate I l la may be referred to as inner-domain calculation. A _x is also provided to XOR gate 122a. A _y is also provided to XOR gate 123a. XOR gate 121a also receives random input variable Z2. XOR gate 122a also receives random input variable Zi. XOR gate 123a also receives random input variable Zo. The calculations of Z2®( AXAAV), ZiffiA _x , and ZoffiAy by XOR gates 12 la- 123a, respectively, may be referred to as re-sharing. The outputs of XOR gates 12 la- 123a are stored in registers 13 la- 133 a, respectively. The outputs of XOR gates 12 la- 123a are stored in registers 131a-133a timed (latched) by a clock signal, CK.

[0012] The latched (e.g., de-glitched) output of register 132a (i.e., the latched result of ZiffiA _x ) is provided to AND gate 141a. AND gate 141a also receives the output of register 133b (i.e., the latched result of ZoffiB _y ) from domain B. The calculation of (ZiffiA _x )A(ZoffiB _y ) may be referred to as cross-domain calculation. The output of AND gate 141a is provided to XOR gate 151a. XOR gate 151 a al so receives the output of regi ster 131 a (i . e . , the 1 atched result of Z2®[A _x AA _y ]). The calculation performed by XOR gate 151a may be referred to as compression. The output of XOR gate 151a is the output share A _q .

[0013] In domain B, AND gate 111b receives B _x and B _y and produces a result that is provided to XOR gate 121b. The calculation of BXABV by AND gate 111b may be referred to as inner-domain calculation. B _x is also provided to XOR gate 122b. B _y is also provided to XOR gate 123b. XOR gate 121b also receives random input variable Z2. XOR gate 122b also receives random input variable Zi. XOR gate 123b also receives random input variable Zo. The calculations of Z2®(B _x AB _y ), ZiffiB _x , and ZoffiB _y by XOR gates 12 lb- 123b, respectively, may be referred to as re-sharing. The outputs of XOR gates 12 lb-123b are stored in registers 13 lb-133b, respectively. The outputs of XOR gates 121b-123b are stored in registers 13 lb-133b timed (latched) by clock signal, CK.

[0014] The latched (e.g., de-glitched) output of register 132b (i.e., the latched result of ZiffiBx) is provided to AND gate 141b. AND gate 141b also receives the output of register 133a (i.e., the latched result of ZoffiAy) from domain A. The calculation of (ZiffiBx)A(ZoffiAy) may be referred to as cross-domain calculation. The output of AND gate 141b is provided to XOR gate 151b. XOR gate 151b also receives the output of register 131b (i.e., the latched result of Z2®[BxAB _y ]). The calculation of performed by XOR gate 151b may be referred to as compression. The output of XOR gate 151b is the output share Bq.

[0015] Figure 2 is a diagram illustrating an example of a masked AND gate that takes a first operand using four shares and a second operand using two shares and produces a two share output (a.k.a., 4/2-to-2 domain AND gate). In Figure 2, 4/2-to-2 domain AND gate 200 comprises AND gates 21 la-212a, AND gates 21 lb-212b, AND gates 21 lc-212c, AND gates 21 ld-212d, XOR gates 221a-223a, XOR gates 221b-223b, XOR gates 221c-223c, XOR gates 221d-223d, registers (e.g., D flip-flop, latch, etc.) 231a-233a, registers 231b-233b, registers 231c-232c, 231d-232d, XOR gates 242a-242b, AND gates 24 la-24 lb, XOR gates 25 la- 25 lb, and XOR gate 252a-252b. Masked AND gate 200 securely computes the function q=xAy (i.e., x logically AND’d with y), where the x variable has been split into four (4) Boolean mask shares, the y variable has been split into two Boolean mask shares (i.e., x=(Ax,Bx,Cx,Dx)=Ax®BxffiCxffiDx, and y=(A _y ,B _y )=A _y ®B _y ), and the output is two shares (Aq,B _q ). Thus, AND gate 200 securely computes ANDmasked(Ax,Bx,Cx,Dx,A _y ,B _y ,Zo-3)=(Aq,Bq) where Zo-3 are four random variables (i.e., Zo, Zi, Z2, and Z3), and q=Aq®Bq=xAy.

[0016] The inputs to masked AND gate 200 are divided into four share domains: input domain A, input domain B, input domain C, and input domain D. Input domain A receives the input shares A _x and A _y and random values Z0-Z1. Input domain A includes AND gates 21 la-212a, XOR gates 22 la-223 a, and registers 23 la-233 a. Input domain B receives the input shares B _x and By and random values Zo-Zi. Input domain B includes AND gates 211b- 212b, XOR gates 221b-223b, and registers 23 lb-233b. Input domain C receives the input shares C _x and A _y and random values Z2-Z3. Input domain C includes AND gates 21 lc-212c, XOR gates 221c-223c, and registers 23 lc-232c. Input domain D receives the input shares D _x and By and random values Z2-Z3. Input domain D includes AND gates 21 ld-212d, XOR gates 221d-223d, and registers 231d-232d.

[0017] Output domain A receives the outputs of registers 23 la-232a from input domain A, the output of register 233b from input domain B, and the outputs of registers 23 lc-232c from input domain C. Output domain A includes XOR gate 242a, AND gate 241a, and XOR gates 25 la-252a. Output domain B receives the output of register 233a from input domain A, the outputs of registers 23 lb-232b from input domain B, and the outputs of registers 23 Id- 232d from input domain C. Output domain B includes XOR gate 242b, AND gate 241b, and XOR gates 251b-252b.

[0018] In input domain A, AND gate 211a receives A _x and A _y and produces a result that is provided to XOR gate 221a. AND gate 212a receives A _y and Zi and produces a result that is provided to XOR gate 222a. A _x is also provided to XOR gate 223a. A _y is also provided to register 233a. XOR gate 221a also receives random input variable Zo. The output of XOR gate 221a is provided to XOR gate 222a. XOR gate 223a also receives random input variable Zi. The outputs of XOR gates 222a-223a are stored in registers 232a-23 la, respectively. The outputs of XOR gates 222a-223a and input variable A _y are stored in registers 23 la-233a timed (latched) by a clock signal, CK.

[0019] In input domain B, AND gate 211b receives B _x and B _y and produces a result that is provided to XOR gate 221b. AND gate 212b receives B _y and Zi and produces a result that is provided to XOR gate 222b. B _x is also provided to XOR gate 223b. B _y is also provided to register 233b. XOR gate 221b also receives random input variable Zo. The output of XOR gate 221b is provided to XOR gate 222b. XOR gate 223b also receives random input variable Zi. The outputs of XOR gates 222b-223b are stored in registers 232b-23 lb, respectively. The outputs of XOR gates 222b-223b and input variable B _y are stored in registers 231b-233b timed (latched) by clock signal, CK.

[0020] In input domain C, AND gate 211c receives Cx and A _y and produces a result that is provided to XOR gate 221c. AND gate 212c receives A _y and Z3 and produces a result that is provided to XOR gate 222c. Cx is also provided to XOR gate 223c. XOR gate 221c also receives random input variable Z2. The output of XOR gate 221c is provided to XOR gate 222c. XOR gate 223c also receives random input variable Z3. The output of XOR gate 222c is stored in register 232c. The output of XOR gate 223c is stored in register 231c. The outputs of XOR gates 222c-223c are stored in registers 231c-232c timed (latched) by clock signal, CK.

[0021] In input domain D, AND gate 21 Id receives D _x and B _y and produces a result that is provided to XOR gate 221d. AND gate 212d receives B _y and Z3 and produces a result that is provided to XOR gate 222d. D _x is also provided to XOR gate 223d. XOR gate 221d also receives random input variable Z2. The output of XOR gate 22 Id is provided to XOR gate 222d. XOR gate 223d also receives random input variable Z3. The output of XOR gate 222d is stored in register 232d. The output of XOR gate 223d is stored in register 23 Id. The outputs of XOR gates 222d-223d are stored in registers 231d-232d timed (latched) by clock signal, CK.

[0022] In output domain A, the latched (e.g., de-glitched) output of register 231a (i.e., the latched result of Zi® A _x ) from input domain A is provided to XOR gate 242a. The latched output of register 231c (i.e., the latched result of Z3®Cx) from input domain C is also provided to XOR gate 242a. The output of XOR gate 242a is provided to AND gate 241a. AND gate 241a also receives the output of register 233b (i.e., the latched version of B _y ) from input domain B. The output of AND gate 241a is provided to XOR gate 251a. XOR gate 251a also receives the output of register 232a. The output of XOR gate 251a is provided to XOR gate 252a. XOR gate 252a also receives the latched output of register 232c from input domain C. The output of XOR gate 252a is the output share A _q .

[0023] In output domain B, the latched (e.g., de-glitched) output of register 231b (i.e., the latched result of ZiffiB _x ) from input domain B is provided to XOR gate 242b. The latched output of register 23 Id (i.e., the latched result of Z3®D _X ) from input domain D is also provided to XOR gate 242b. The output of XOR gate 242b is provided to AND gate 241b. AND gate 241b also receives the output of register 233a (i.e., the latched version of A _y ) from input domain A. The output of AND gate 241b is provided to XOR gate 25 lb. XOR gate 25 lb also receives the output of register 232b. The output of XOR gate 25 lb is provided to XOR gate 252b. XOR gate 252b also receives the latched output of register 232d from input domain D. The output of XOR gate 252b is the output share B _q .

[0024] Figure 3 is a diagram illustrating an example two domain to four domain masked AND gate (a.k.a., 2-to-4 domain AND gate). In Figure 3, 2-to-4 domain AND gate 300 comprises AND gates 31 la-312a, AND gates 31 lb-312b, and registers 33 la-33 Id. Masked AND gate 300 securely computes the function q=xAy (i.e., x logically AND’d with y), where the x variable has been split into two (2) Boolean mask shares, the y variable has been split into two Boolean mask shares (i.e., x=(A _x ,B _x )=A _x ®B _x , and y=(A _y ,B _y )=A _y ®B _y ), and the output has four shares (A _q ,B _q ,C _q ,D _q ). Thus, AND gate 300 securely computes ANDmasked(A _x ,B _x , A _y ,B _y )= (A _q ,B _q ,C _q ,D _q ) where q=A _q ®B _q ffiC _q ffiD _q =xAy. Note that additional random variables (e.g., Z _x ) are not required. Note also that to prevent cross-domain leakage, the input variables A _x , B _x , A _y , and B _y need to be statistically independent. [0025] The inputs to masked AND gate 300 are divided into two share domains: input domain A and input domain B. Input domain A receives the input shares A _x and A _y . Input domain A includes AND gates 31 la-312a. Input domain B receives the input shares B _x and By. Input domain B includes AND gates 31 lb-312b. and registers 23 la-233a. Output domain A receives the output of AND gate 311a from input domain A and includes the output of register 33 la. Output domain B receives the output of AND gate 312a from input domain A and includes the output of register 33 lb.. Output domain C receives the output of AND gate 312b from input domain B and includes the output of register 331c. Output domain D receives the output of AND gate 311b from input domain B and includes the output of register 33 Id.

[0026] In input domain A, AND gate 311a receives A _x and A _y and produces a result that is provided to register 331a. The output of register 33 la is the output domain A share Aq. AND gate 312a receives A _x and B _y and produces a result that is provided to register 331b. The output of register 33 lb is the output domain B share Bq. In input domain B, AND gate 312b receives B _x and A _y and produces a result that is provided to register 331c. The output of register 331c is the output domain C share Cq. AND gate 311b receives B _x and B _y and produces a result that is provided to register 33 Id. The output of register 33 Id is the output domain D share Dq.

[0027] Figure 4 is a block diagram illustrating an example use of low-latency domain oriented masking to implement the Advanced Encryption Standard (AES) S-box. In Figure 4, system 400 comprises linear map 451, GF(2 ⁴ ) square, scale, and multiply 452, GF(2 ⁴ ) inverter 453, first GF(2 ⁴ ) multiply 454a, second GF(2 ⁴ ) multiply 454b, inverse linear map 455. In an embodiment, the elements of system 400 may reside on an integrated circuit. [0028] The input to system 400 is received by linear map 451. The output of linear map

451 is provided to GF(2 ⁴ ) square, scale, and multiply 452, first GF(2 ⁴ ) multiply 454a, and second GF(2 ⁴ ) multiply 454b. The output of GF(2 ⁴ ) square, scale, and multiply 452 is provided to GF(2 ⁴ ) inverter 453. The output of GF(2 ⁴ ) square, scale, and multiply 452 is held at register stage #1 before being provided to GF(2 ⁴ ) inverter 453. The output of GF(2 ⁴ ) inverter 453 is provided to first GF(2 ⁴ ) multiply 454a, and second GF(2 ⁴ ) multiply 454b. The output of GF(2 ⁴ ) inverter 453 is held at register stage #2 before being provided to first GF(2 ⁴ ) multiply 454a, and second GF(2 ⁴ ) multiply 454b. The outputs of first GF(2 ⁴ ) multiply 454a, and second GF(2 ⁴ ) multiply 454b are provided to inverse linear map 455. The output of inverse linear map 455 is the output of system 400.

[0029] From the input of system 400 to register stage #1 (i.e., linear map 451 and GF(2 ⁴ ) square, scale, and multiply 452), 2-to-4 sharing circuitry (e.g., masked AND gate 300) is used. From register stage #1 to register stage #2 (i.e., GF(2 ⁴ ) inverter 453), 4/2-to-2 and 2-to- 4 sharing circuitry (e.g., masked AND gate 200 and masked AND gate 300, respectively) is used. Finally, from register stage #2 to the output of system 400 (i.e., first GF(2 ⁴ ) multiply 454a, second GF(2 ⁴ ) multiply 454b, and inverse linear map 455) 4/2-to-2 sharing circuitry (e.g., masked AND gate 200) is used.

[0030] Figure 5 is a flowchart illustrating low-latency multi-domain masking. One or more steps illustrated in Figure 5 may be performed by, for example, masked AND gate 100, masked AND gate 200, system 400, and/or their components. A first plurality of masked input signals is received (502). For example, masked AND gate 100 may receive masked input signal A _x and A _y . Based on the first plurality of masked input signals, an inner-domain result is calculated (504). For example, AND gate 11 la of masked AND gate 100 may receive A _x and A _y and produce a result that is provided to XOR gate 121a of masked AND gate 100.

[0031] A re-shared plurality of masked input signals and a re-shared inner domain result are produced (506). For example, XOR gate 121a may also receive random input variable Z2. Ax and random input variable Zi may be provided to XOR gate 122a of masked AND gate

100. A _y and random input variable Zo may be provided to XOR gate 123a of masked AND gate 100. Thus, causing the calculations of Z2®(A _x AA _y ), ZiffiAx, and ZoffiAy by XOR gates 121a-123a, respectively, to be produced. The re-shared plurality of masked input signals and a re-shared inner domain result are stored in a plurality of registers. For example, the outputs of XOR gates 121a-123a (i.e., Z2®[A _x AA _y ], ZiffiAx, and ZoffiAy) are stored in registers 131a- 133a timed (latched) by a clock signal, CK.

[0032] A cross-domain result from at least one of the re-shared plurality of masked input signals and a first at least one re-shared masked input signal from a corresponding at least one other of a plurality of share domains is calculated (510). For example, the latched (e.g., deglitched) output of register 132a (i.e., the latched result of ZiffiAx) from domain A of masked AND gate 100 and the output of register 133b (i.e., the latched result of ZoffiBy) from domain B of masked AND gate 100 may be provided to AND gate 141a. An output share signal is generated from the cross-domain result and a second at least one re-shared masked input signal from the plurality of registers (512). For example, XOR gate 151a may receive the output of register 131a (i.e., the latched result of Z2ffi[AxAAy]) and the output of AND gate 141a (i.e., the cross-domain result [ZlffiAx]A[Z0ffiBy]) and produce the output share Aq.

[0033] The methods, systems and devices described above may be implemented in computer systems, or stored by computer systems. The methods described above may also be stored on a non-transitory computer readable medium. Devices, circuits, and systems described herein may be implemented using computer-aided design tools available in the art, and embodied by computer-readable files containing software descriptions of such circuits. This includes, but is not limited to one or more elements of masked AND gate 100, masked AND gate 200, masked AND gate 300, and/or system 400, and their components. These software descriptions may be: behavioral, register transfer, logic component, transistor, and layout geometry -level descriptions. Moreover, the software descriptions may be stored on storage media or communicated by carrier waves.

[0034] Data formats in which such descriptions may be implemented include, but are not limited to: formats supporting behavioral languages like C, formats supporting register transfer level (RTL) languages like Verilog and VHDL, formats supporting geometry description languages (such as GDSII, GDSIII, GDSIV, CIF, and MEBES), and other suitable formats and languages. Moreover, data transfers of such files on machine-readable media may be done electronically over the diverse media on the Internet or, for example, via email. Note that physical files may be implemented on machine-readable media such as: 4 mm magnetic tape, 8 mm magnetic tape, 3-1/2 inch floppy media, CDs, DVDs, and so on. [0035] Figure 6 is a block diagram illustrating one embodiment of a processing system 600 for including, processing, or generating, a representation of a circuit component 620. Processing system 600 includes one or more processors 602, a memory 604, and one or more communications devices 606. Processors 602, memory 604, and communications devices 606 communicate using any suitable type, number, and/or configuration of wired and/or wireless connections 608.

[0036] Processors 602 execute instructions of one or more processes 612 stored in a memory 604 to process and/or generate circuit component 620 responsive to user inputs 614 and parameters 616. Processes 612 may be any suitable electronic design automation (EDA) tool or portion thereof used to design, simulate, analyze, and/or verify electronic circuitry and/or generate photomasks for electronic circuitry. Representation 620 includes data that describes all or portions of masked AND gate 100, masked AND gate 200, masked AND gate 300, and/or system 400, and their components, as shown in the Figures. [0037] Representation 620 may include one or more of behavioral, register transfer, logic component, transistor, and layout geometry -level descriptions. Moreover, representation 620 may be stored on storage media or communicated by carrier waves.

[0038] Data formats in which representation 620 may be implemented include, but are not limited to: formats supporting behavioral languages like C, formats supporting register transfer level (RTL) languages like Verilog and VHDL, formats supporting geometry description languages (such as GDSII, GDSIII, GDSIV, CIF, and MEBES), and other suitable formats and languages. Moreover, data transfers of such files on machine-readable media may be done electronically over the diverse media on the Internet or, for example, via email

[0039] User inputs 614 may comprise input parameters from a keyboard, mouse, voice recognition interface, microphone and speakers, graphical display, touch screen, or other type of user interface device. This user interface may be distributed among multiple interface devices. Parameters 616 may include specifications and/or characteristics that are input to help define representation 620. For example, parameters 616 may include information that defines device types (e.g., NFET, PFET, etc.), topology (e.g., block diagrams, circuit descriptions, schematics, etc.), and/or device descriptions (e.g., device properties, device dimensions, power supply voltages, simulation temperatures, simulation models, etc.).

[0040] Memory 604 includes any suitable type, number, and/or configuration of non- transitory computer-readable storage media that stores processes 612, user inputs 614, parameters 616, and circuit component 620.

[0041] Communications devices 606 include any suitable type, number, and/or configuration of wired and/or wireless devices that transmit information from processing system 600 to another processing or storage system (not shown) and/or receive information from another processing or storage system (not shown). For example, communications devices 606 may transmit circuit component 620 to another system. Communications devices 606 may receive processes 612, user inputs 614, parameters 616, and/or circuit component 620 and cause processes 612, user inputs 614, parameters 616, and/or circuit component 620 to be stored in memory 604.

[0042] Implementations discussed herein include, but are not limited to, the following examples:

[0043] Example 1: An integrated circuit, comprising: inner-domain calculation circuitry to respectively receive a plurality of masked input signals in each of a plurality of masked domains; re-sharing circuitry to respectively receive results from the inner-domain calculation circuitry of each of the plurality of masked domains and to produce a respective plurality of re-shared results; a plurality of registers to respectively receive the plurality of reshared results in the plurality of masked domains from the inner-domain calculation circuitry of the plurality of masked domains; cross-domain calculation circuitry to respectively receive re-shared results from each of the plurality of masked domains and to each respectively produce a cross-domain result; and compression calculation circuitry to respectively generate an output share signal in each of the plurality of masked domains from the cross-domain results and the re-shared results.

[0044] Example 2: The integrated circuit of example 1, wherein the plurality of masked input signals are statistically dependent.

[0045] Example 3: The integrated circuit of example 1, wherein the inner-domain calculation circuitry comprises a first logical AND function.

[0046] Example 4: The integrated circuit of example 3, wherein the re-sharing circuitry respectively randomizes the result of the inner-domain calculation circuitry and each of the plurality of masked input signals of that masked domain. [0047] Example 5: The integrated circuit of example 4, wherein the re-sharing circuitry of each of the plurality of masked domains uses a same set of random input values.

[0048] Example 6: The integrated circuit of example 5, wherein the cross-domain calculation circuitry comprises a second logical AND function.

[0049] Example 7: The integrated circuit of example 6, wherein the compression calculation circuitry comprises a logical exclusive-OR function receiving a cross-domain result.

[0050] Example 8: An integrated circuit comprising a plurality of share domains, each of the plurality of share domains comprising: inner-domain calculation circuitry to receive a first plurality of masked input signals; re-sharing circuitry to respectively receive results from the inner-domain calculation circuitry and to produce a plurality of re-shared results; a plurality of registers to respectively receive the plurality of re-shared results; cross-domain calculation circuitry to receive at least one re-shared result from a corresponding at least one other of the plurality of share domains and to produce a cross-domain result; and compression calculation circuitry to respectively generate an output share signal from the cross-domain result and at least one of the plurality of re-shared results from the plurality of registers.

[0051] Example 9: The integrated circuit of example 8, wherein the first plurality of masked input signals are statistically dependent with a second plurality of masked input signals received by the at least one other of the plurality of share domains.

[0052] Example 10: The integrated circuit of example 8, wherein the inner-domain calculation circuitry comprises a first logical AND function.

[0053] Example 11 : The integrated circuit of example 10, wherein the re-sharing circuitry randomizes the result of the inner-domain calculation circuitry.

[0054] Example 12: The integrated circuit of example 11, wherein the re-sharing circuitry of each of the plurality of share domains uses a same set of random input values. [0055] Example 13: The integrated circuit of example 12, wherein the cross-domain calculation circuitry comprises a second logical AND function.

[0056] Example 14: The integrated circuit of example 13, wherein the compression calculation circuitry comprises a logical exclusive-OR function receiving a cross-domain result.

[0057] Example 15: A method, comprising: receiving a first plurality of masked input signals; based on the first plurality of masked input signals, calculating an inner-domain result; producing a re-shared plurality of masked input signals and a re-shared inner-domain result; storing the re-shared plurality of masked input signals and a re-shared inner-domain result in a plurality of registers; calculating a cross-domain result from at least one of the reshared plurality of masked input signals and a first at least one re-shared masked input signal from a corresponding at least one other of a plurality of share domains; and generate an output share signal from the cross-domain result and a second at least one re-shared masked input signal from the plurality of registers.

[0058] Example 16: The method of example 15, wherein the first plurality of masked input signals are statistically dependent with a second plurality of masked input signals received by the at least one other of the plurality of share domains.

[0059] Example 17: The method of example 15, wherein calculating the inner-domain result comprises a first logical AND function.

[0060] Example 18: The method of example 17, wherein producing a re-shared plurality of masked input signals and a re-shared inner-domain result randomizes the inner-domain result.

[0061] Example 19: The method of example 18, the plurality of share domains uses a same set of random input values. [0062] Example 20: The method of example 19, wherein calculating a cross-domain result comprises a second logical AND function.

[0063] The foregoing description of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed, and other modifications and variations may be possible in light of the above teachings. The embodiment was chosen and described in order to best explain the principles of the invention and its practical application to thereby enable others skilled in the art to best utilize the invention in various embodiments and various modifications as are suited to the particular use contemplated. It is intended that the appended claims be construed to include other alternative embodiments of the invention except insofar as limited by the prior art.