2003 | Suresh Chari, Josyula R. Rao, and Pankaj Rohatgi
Template attacks are the strongest form of side-channel attack in an information-theoretic sense. These attacks can break implementations and countermeasures that rely on the assumption that an adversary cannot obtain more than one or a limited number of side-channel samples. They require an adversary to have access to an identical experimental device that can be programmed to their choosing. The success of these attacks is due to the way noise within each sample is handled, focusing on precisely modeling noise to fully extract information from a single sample. This approach contrasts with previous methods that viewed noise as a hindrance to be reduced or eliminated.
The paper describes how an RC4 implementation, not amenable to techniques like SPA and DPA, can be easily broken using template attacks with a single sample. Other applications include attacks on certain DES implementations using DPA-resistant hardware and SSL accelerators that can be attacked by monitoring electromagnetic emanations from RSA operations even from 15 feet away.
Template attacks are particularly effective on cryptographic algorithms implemented in CMOS devices due to their contamination and diffusion properties. Contamination refers to key-dependent leakages observable over multiple cycles, while diffusion is the cryptographic property where small differences in key bits are magnified in subsequent computations. Template attacks use an extend-and-prune strategy, iteratively classifying samples and pruning the space of possible key hypotheses. This approach is effective because the natural diffusion properties of cryptographic algorithms help eliminate errors.
The paper introduces the theory behind template attacks, using signal detection and estimation theory. It describes the multivariate Gaussian model approach, where the optimal technique for classifying a sample involves computing the probability of observing the sample under each hypothesized operation. The success of template attacks critically depends on how effectively the pruning strategy reduces the combinatorial explosion in the extension process.
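The following is an added worked example, not code from the paper or its authors, showing the two ideas above in miniature: multivariate Gaussian templates (mean vector plus covariance estimated on a programmable "experimental device") and the extend-and-prune search over key hypotheses. Everything in it is constructed: a 4-bit secret split into two 2-bit parts, a simulated device that leaks a 3-point signature of the first part followed by a signature of the XOR of both parts (standing in for diffusion), and correlated Gaussian noise. The signature table, noise level and helper names are assumptions made for the illustration.

```python
import math
import random

# Constructed leakage model (assumption for this example, not the paper's data):
# each 2-bit value has a 3-point mean signature; the trace is the signature of
# part a followed by the signature of a ^ b, so the second leak mixes in the first.
SIGNATURE = {
    0: [0.0, 0.0, 1.0],
    1: [1.0, 0.5, 0.0],
    2: [0.5, 1.5, 0.5],
    3: [1.5, 1.0, 1.5],
}
NOISE_SIGMA = 0.1          # constructed noise level
rng = random.Random(2002)  # fixed seed so the example is reproducible


def simulate_trace(a, b, rng=rng):
    """One 6-point trace from the simulated device, with correlated Gaussian noise."""
    clean = SIGNATURE[a] + SIGNATURE[a ^ b]
    common = rng.gauss(0.0, 1.0)  # shared term makes the noise covariance non-diagonal
    return [v + NOISE_SIGMA * (rng.gauss(0.0, 1.0) + 0.5 * common) for v in clean]


def invert_with_det(m):
    """Gauss-Jordan inverse and determinant of a small square matrix (pure Python)."""
    n = len(m)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    det = 1.0
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if pivot != col:
            aug[col], aug[pivot] = aug[pivot], aug[col]
            det = -det
        p = aug[col][col]
        det *= p
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug], det


def build_template(traces):
    """Multivariate Gaussian template: sample mean, inverse covariance, log-determinant."""
    n, d = len(traces), len(traces[0])
    mean = [sum(t[i] for t in traces) / n for i in range(d)]
    cov = [[sum((t[i] - mean[i]) * (t[j] - mean[j]) for t in traces) / (n - 1)
            for j in range(d)] for i in range(d)]
    inv, det = invert_with_det(cov)
    return {"mean": mean, "inv": inv, "logdet": math.log(det)}


def log_likelihood(segment, tmpl):
    """log p(segment | template), dropping the constant shared by all hypotheses."""
    diff = [s - m for s, m in zip(segment, tmpl["mean"])]
    maha = sum(diff[i] * tmpl["inv"][i][j] * diff[j]
               for i in range(len(diff)) for j in range(len(diff)))
    return -0.5 * (maha + tmpl["logdet"])


def profile(n_per_class=200, rng=rng):
    """Profiling phase: collect traces for every (a, b) on the experimental device."""
    first = {v: [] for v in range(4)}   # templates for part a (points 0..2)
    second = {v: [] for v in range(4)}  # templates for a ^ b (points 3..5)
    for a in range(4):
        for b in range(4):
            for _ in range(n_per_class // 4):
                t = simulate_trace(a, b, rng)
                first[a].append(t[:3])
                second[a ^ b].append(t[3:])
    return ({v: build_template(first[v]) for v in range(4)},
            {v: build_template(second[v]) for v in range(4)})


def extend_and_prune(trace, t_first, t_second, keep=2):
    """Classify part a, prune to `keep` hypotheses, extend each to (a, b), prune again."""
    stage1 = sorted(range(4), key=lambda a: -log_likelihood(trace[:3], t_first[a]))[:keep]
    candidates = []
    for a in stage1:
        base = log_likelihood(trace[:3], t_first[a])
        for b in range(4):
            # diffusion: the second template is indexed by a ^ b, so a wrong a
            # makes every extension score badly and the branch dies here
            candidates.append((base + log_likelihood(trace[3:], t_second[a ^ b]), (a, b)))
    candidates.sort(reverse=True)
    return [key for _, key in candidates[:keep]]


def recover_secret(trace, t_first, t_second):
    """Single-trace attack: the best surviving (a, b) hypothesis."""
    return extend_and_prune(trace, t_first, t_second, keep=1)[0]


if __name__ == "__main__":
    tf, ts = profile()
    secret = (2, 1)
    print("recovered:", recover_secret(simulate_trace(*secret), tf, ts), "true:", secret)
```

The classification step is the maximum-likelihood rule the paper's theory section describes: the hypothesis whose Gaussian template gives the highest probability of the observed points wins, with the covariance matrix (not just per-point variances) capturing the noise structure. From a defender's view the instructive part is `profile`: the attack only works because the simulated device can be driven with chosen inputs to build one template per hypothesis, which is exactly what the countermeasures discussed below (limiting key usage, randomizing data and addresses, denying control over randomness) aim to deny.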
The paper also discusses the implications of template attacks and potential countermeasures, emphasizing the need to minimize contamination caused by the use of sensitive information in the clear. Countermeasures include high-level protocols to limit key usage and non-linear key update techniques. The requirement of an identical experimental device is a weakness of the template approach, and mitigating this involves randomization in computation, such as address/data scrambling, blinding/masking of data and key bits, and ensuring the adversary cannot control the choice of randomness in their experimental device.