In this article we discuss different types of template attacks on masked implementations. All template attacks that we describe are applied in practice to a masked AES software implementation on an 8-bit microcontroller. They all break this implementation. However, they all require quite a different number of traces. It turns out that a template-based DPA attack leads to the best results. In fact, a template-based DPA attack is the most natural way to apply a template attack to a masked implementation. It can recover the key from about 15 traces. All other attacks that we present perform worse. They require between about 30 and 1800 traces. There is no difference between the application of a template-based DPA attack to an unmasked and to a masked implementation. Hence, we conclude that in the scenario of template attacks, masking does not improve the security of an implementation.
|Translated title of the contribution||Template Attacks on Masking --- Resistance is Futile|
|Title of host publication||Topics in Cryptology - CTRSA 2007|
|Publisher||Springer Berlin Heidelberg|
|Pages||243 - 256|
|Publication status||Published - 2007|