I’ve been reviewing the HypHD function in our AES-256 hardware implementation, particularly its application in ciphertext-based side-channel attacks using the Hamming Distance (HD) model. I have some observations and would appreciate your insights.
In the current implementation:
    def HypHD(self, pt, ct, key, bnum):
        """Given either plaintext or ciphertext (not both) + a key guess, return hypothetical hamming distance of result"""
        # sbox / inv_sbox: AES forward and inverse S-box lookups on one byte.
        # self.HW: 256-entry Hamming-weight table; self.INVSHIFT: index map that
        # pairs a ciphertext byte with the register byte it overwrote.
        if pt is not None:
            # First-round HD: plaintext byte -> S-box output of (pt ^ key guess)
            st2 = sbox(pt[bnum] ^ key)
            st1 = pt[bnum]
            return self.HW[st1 ^ st2]
        elif ct is not None:
            # Last-round HD: register partner of ct[bnum] vs. the round-9 byte
            # recovered by undoing AddRoundKey and SubBytes (INV_SUBBYTE, as described below)
            st10 = ct[self.INVSHIFT[bnum]]
            st9 = inv_sbox(ct[bnum] ^ key)
            return self.HW[st9 ^ st10]
        else:
            raise ValueError("Must specify PT or CT")
In the attack we are doing: "HD = HW(V1 XOR V2) where V1 = INV_SHIFT(ciphertext_byte) and V2 = INV_SUBBYTE(ciphertext_byte XOR key_byte_candidate)".
But the correct way is: ciphertext byte ➔ XOR with last round key guess ➔ apply INV_SHIFT ➔ apply INV_SUBBYTE.
Not applying INV_SHIFT directly on the ciphertext, or applying INV_SUBBYTE directly on ciphertext_byte XOR key_byte. Instead we should do INV_SHIFT(ciphertext_byte XOR key_byte) and then INV_SUBBYTE(INV_SHIFT(ciphertext_byte XOR key_byte)), shouldn't we? Would anyone please help me understand what I am unable to decipher from the CPA attack model?
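Added example, not part of the original post and not ChipWhisperer's own code: a stand-alone Python script that builds the AES S-box, runs one AES last round (SubBytes, ShiftRows, AddRoundKey) on a constructed round-9 state, and checks three things for every byte position: the ciphertext-branch hypothesis from the post (partner byte fetched by index, then INV_SUBBYTE of ct ^ key), the Hamming distance of the physical register byte that actually held the round-9 value and then the ciphertext, and the full undo-round route (XOR key, inverse ShiftRows, inverse SubBytes). It then runs a small CPA over simulated HD leakage to show the hypothesis ranking the true last-round key byte first. The names here (SHIFT, UNSHIFT, hyp_hd_ct, true_register_hd, undo_last_round, K10_EXAMPLE) are the example's own; SHIFT is assumed to play the role of the post's self.INVSHIFT, and the key and traces are constructed.

```python
import math
import random

# --- AES S-box built from the GF(2^8) inverse and the affine map (no 256-entry literal) ---
def _gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox():
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0) if x else 0
        s, r = inv, inv
        for _ in range(4):  # affine part: inv ^ rotl1(inv) ^ rotl2 ^ rotl3 ^ rotl4
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i
HW = [bin(i).count("1") for i in range(256)]

# ShiftRows on a column-major 16-byte state: output byte i comes from input byte SHIFT[i].
# Assumption: this is the same index map the post's model calls self.INVSHIFT.
SHIFT = [0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11]
UNSHIFT = [SHIFT.index(p) for p in range(16)]  # inverse permutation: input byte p is found at output UNSHIFT[p]

def aes_last_round(state9, k10):
    """AES round 10 on the round-9 output: SubBytes, ShiftRows, AddRoundKey (no MixColumns)."""
    t = [SBOX[b] for b in state9]
    u = [t[SHIFT[i]] for i in range(16)]
    return [u[i] ^ k10[i] for i in range(16)]

def undo_last_round(ct, k10):
    """Ciphertext -> XOR k10 -> inverse ShiftRows -> inverse SubBytes: the full round-9 state."""
    u = [ct[i] ^ k10[i] for i in range(16)]
    t = [u[UNSHIFT[p]] for p in range(16)]
    return [INV_SBOX[b] for b in t]

def hyp_hd_ct(ct, key_guess, bnum):
    """Ciphertext-branch hypothesis as in the post: partner register byte is ct[SHIFT[bnum]]."""
    st10 = ct[SHIFT[bnum]]
    st9 = INV_SBOX[ct[bnum] ^ key_guess]
    return HW[st9 ^ st10]

def true_register_hd(state9, ct, bnum):
    """HD of the register byte at position SHIFT[bnum], which held state9 and then ct."""
    p = SHIFT[bnum]
    return HW[state9[p] ^ ct[p]]

def model_consistent(trials=50, seed=1):
    """True if, for every byte, the hypothesis equals the real register transition and the undo-round value."""
    rng = random.Random(seed)
    for _ in range(trials):
        state9 = [rng.randrange(256) for _ in range(16)]
        k10 = [rng.randrange(256) for _ in range(16)]
        ct = aes_last_round(state9, k10)
        if undo_last_round(ct, k10) != state9:
            return False
        for bnum in range(16):
            if hyp_hd_ct(ct, k10[bnum], bnum) != true_register_hd(state9, ct, bnum):
                return False
    return True

def _pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def simulate_traces(k10, n_traces, seed=7, noise_sd=1.0):
    """Constructed leakage: one sample per encryption = total HD over all 16 register bytes + noise."""
    rng = random.Random(seed)
    cts, leak = [], []
    for _ in range(n_traces):
        state9 = [rng.randrange(256) for _ in range(16)]
        ct = aes_last_round(state9, k10)
        cts.append(ct)
        leak.append(sum(HW[state9[p] ^ ct[p]] for p in range(16)) + rng.gauss(0, noise_sd))
    return cts, leak

def cpa_recover_byte(cts, leak, bnum):
    """Rank all 256 guesses for k10[bnum] by |correlation| of hyp_hd_ct with the leakage."""
    return max(range(256), key=lambda g: abs(_pearson([hyp_hd_ct(ct, g, bnum) for ct in cts], leak)))

# Constructed last-round key for the demonstration (any 16 bytes work).
K10_EXAMPLE = [0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C]

if __name__ == "__main__":
    cts, leak = simulate_traces(K10_EXAMPLE, 1500)
    print("model consistent:", model_consistent())
    print("recovered k10[0..3]:", [hex(cpa_recover_byte(cts, leak, b)) for b in range(4)])
```

ShiftRows only moves bytes, so the byte value INV_SUBBYTE(ct[bnum] ^ k10[bnum]) is the same whether the inverse shift is applied before or after it; undo_last_round applies the shift to the whole state and hyp_hd_ct instead fetches the partner register byte by index, which is why model_consistent checks both against the actual register transition.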