Template Attacks on Masking --- Resistance is Futile

ME Oswald, S Mangard

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)

94 Citations (Scopus)


In this article we discuss different types of template attacks on masked implementations. All template attacks that we describe are applied in practice to a masked AES software implementation on an 8-bit microcontroller. They all break this implementation. However, they all require quite a different number of traces. It turns out that a template-based DPA attack leads to the best results. In fact, a template-based DPA attack is the most natural way to apply a template attack to a masked implementation. It can recover the key from about 15 traces. All other attacks that we present perform worse. They require between about 30 and 1800 traces. There is no difference between the application of a template-based DPA attack to an unmasked and to a masked implementation. Hence, we conclude that in the scenario of template attacks, masking does not improve the security of an implementation.
Translated title of the contributionTemplate Attacks on Masking --- Resistance is Futile
Original languageEnglish
Title of host publicationTopics in Cryptology - CTRSA 2007
EditorsMasayuki Abe
PublisherSpringer Berlin Heidelberg
Pages243 - 256
Publication statusPublished - 2007

Bibliographical note

Conference Organiser: RSA


Dive into the research topics of 'Template Attacks on Masking --- Resistance is Futile'. Together they form a unique fingerprint.

Cite this