CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Provably secure masking of AES
SAC'04 Proceedings of the 11th international conference on Selected Areas in Cryptography
Practical second-order DPA attacks for masked smart card implementations of block ciphers
CT-RSA'06 Proceedings of the 2006 The Cryptographers' Track at the RSA conference on Topics in Cryptology
WISA'04 Proceedings of the 5th international conference on Information Security Applications
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
On second-order differential power analysis
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
Improved higher-order side-channel attacks with FPGA experiments
CHES'05 Proceedings of the 7th international conference on Cryptographic hardware and embedded systems
Proceedings of the 44th annual Design Automation Conference
Protecting AES Software Implementations on 32-Bit Processors Against Power Analysis
ACNS '07 Proceedings of the 5th international conference on Applied Cryptography and Network Security
Gaussian Mixture Models for Higher-Order Side Channel Analysis
CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
Side Channel Cryptanalysis of a Higher Order Masking Scheme
CHES '07 Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis
Fast Software Encryption
Attacking State-of-the-Art Software Countermeasures--A Case Study for AES
CHES '08 Proceeding sof the 10th international workshop on Cryptographic Hardware and Embedded Systems
Comparative Evaluation of Rank Correlation Based DPA on an AES Prototype Chip
ISC '08 Proceedings of the 11th international conference on Information Security
Isolated WDDL: A Hiding Countermeasure for Differential Power Analysis on FPGAs
ACM Transactions on Reconfigurable Technology and Systems (TRETS)
Higher-Order Masking and Shuffling for Software Implementations of Block Ciphers
CHES '09 Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems
Unknown Plaintext Template Attacks
Information Security Applications
Affine masking against higher-order side channel analysis
SAC'10 Proceedings of the 17th international conference on Selected areas in cryptography
Montgomery's trick and fast implementation of masked AES
AFRICACRYPT'11 Proceedings of the 4th international conference on Progress in cryptology in Africa
Thwarting higher-order side channel analysis with additive and multiplicative maskings
CHES'11 Proceedings of the 13th international conference on Cryptographic hardware and embedded systems
Revisiting higher-order DPA attacks: multivariate mutual information analysis
CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Masking with randomized look up tables
Cryptography and Security
An efficient leakage characterization method for profiled power analysis attacks
ICISC'11 Proceedings of the 14th international conference on Information Security and Cryptology
Analyzing side channel leakage of masked implementations with stochastic methods
ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
Semi-Supervised template attack
COSADE'13 Proceedings of the 4th international conference on Constructive Side-Channel Analysis and Secure Design
Hi-index | 0.00 |
In this article we discuss different types of template attacks on masked implementations. All template attacks that we describe are applied in practice to a masked AES software implementation on an 8-bit microcontroller. They all break this implementation. However, they all require quite a different number of traces. It turns out that a template-based DPA attack leads to the best results. In fact, a template-based DPA attack is the most natural way to apply a template attack to a masked implementation. It can recover the key from about 15 traces. All other attacks that we present perform worse. They require between about 30 and 1800 traces. There is no difference between the application of a template-based DPA attack to an unmasked and to a masked implementation. Hence, we conclude that in the scenario of template attacks, masking does not improve the security of an implementation.