AES attack on FPGA using Hamming Distance Leakage

I’ve been reviewing the HypHD function in our AES-256 hardware implementation, particularly its application in ciphertext-based side-channel attacks using the Hamming Distance (HD) model. I have some observations and would appreciate your insights.

In the current implementation:

def HypHD(self, pt, ct, key, bnum):
    """Given either plaintext or ciphertext (not both) + a key guess, return hypothetical hamming distance of result"""
    # sbox(), self.HW (Hamming-weight lookup) and self.INVSHIFT are defined elsewhere in the model class
    if pt is not None:
        st2 = sbox(pt[bnum] ^ key)  # first-round S-box output for this key guess
        st1 = pt[bnum]              # plaintext byte before AddRoundKey
        return self.HW[st1 ^ st2]
    elif ct is not None:
        st10 = ct[self.INVSHIFT[bnum]]  # ciphertext byte, re-indexed through the inverse ShiftRows table
        st9 = ct[bnum] ^ key            # ciphertext byte XOR last-round key guess
        return self.HW[st9 ^ st10]
    else:
        raise ValueError("Must specify PT or CT")

In the attack we are doing: "HD = HW(V1 XOR V2) where V1 = INV_SHIFT(ciphertext_byte) and V2 = INV_SUBBYTE(ciphertext_byte XOR key_byte_candidate)"

But the correct way is: Ciphertext byte ➔ XOR with last round key guess ➔ Apply INV_SHIFT ➔ Apply INV_SUBBYTE

Not directly applying INV_SHIFT on the ciphertext, or doing INV_SUBBYTE on ciphertext_byte XOR key_byte directly. Instead we should do INV_SHIFT(ciphertext_byte XOR key_byte) and INV_SUBBYTE(INV_SHIFT(ciphertext_byte XOR key_byte)), isn't it? Would anyone please help me understand what I am unable to decipher from the CPA attack model?

The order of add round key, shift rows, and sub bytes can be varied to some degree without affecting the final result, as they don't combine any of the bytes of the state together. That being said, I can't verify that that function is correct, as it was written a long time ago and appears to be in a semi-completed state.
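To make both points concrete (the ordering asked about in the question and the commutation argument in the reply), here is an added example that is not part of the original thread or the project's code: it builds the AES S-box and ShiftRows index tables from the spec, reverses the final round in both orderings, and derives the per-byte last-round HD hypothesis for a round-based datapath whose state register holds the round-9 output and then the ciphertext. The table names SHIFT and INV_SHIFT and the column-major byte indexing are this example's own assumptions.

```python
# Added example (not the project's code): last-round HD hypothesis for AES,
# checked against a full final round. Tables built from the AES spec, with the
# state column-major (byte i = 4*col + row).

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _sbox_byte(x):
    """AES S-box: multiplicative inverse followed by the affine map."""
    inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_byte(x) for x in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
# ShiftRows moves the byte at SHIFT[i] to position i; INV_SHIFT is its inverse.
SHIFT = [4 * ((c + r) % 4) + r for c in range(4) for r in range(4)]
INV_SHIFT = [4 * ((c - r) % 4) + r for c in range(4) for r in range(4)]
HW = [bin(v).count("1") for v in range(256)]

def last_round(state9, k10):
    """Forward final round: SubBytes -> ShiftRows -> AddRoundKey."""
    sub = [SBOX[b] for b in state9]
    return [sub[SHIFT[i]] ^ k10[i] for i in range(16)]

def undo_last_round(ct, k10):
    """AddRoundKey -> InvShiftRows -> InvSubBytes, the order asked about."""
    x = [ct[i] ^ k10[i] for i in range(16)]
    return [INV_SBOX[x[INV_SHIFT[i]]] for i in range(16)]

def undo_last_round_swapped(ct, k10):
    """InvSubBytes before InvShiftRows: identical result, since neither mixes bytes."""
    x = [INV_SBOX[ct[i] ^ k10[i]] for i in range(16)]
    return [x[INV_SHIFT[i]] for i in range(16)]

def hyp_hd(ct, key_guess, bnum):
    """HD between the state-register byte holding round-9 output and the same
    byte holding ciphertext, for a guess of last-round key byte bnum. The
    round-9 byte that meets key byte bnum sits at index SHIFT[bnum]."""
    st9 = INV_SBOX[ct[bnum] ^ key_guess]
    return HW[st9 ^ ct[SHIFT[bnum]]]
```

Whether a given model's INVSHIFT table corresponds to SHIFT or to INV_SHIFT here decides which ciphertext index the second operand must be read from, so check the table's direction against a full-round computation like this one before trusting the hypothesis.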