AES on CW305 FPGA

Hi,
I follow the draft: Power Analysis on FPGA Implementation of AES Using CW305.

I got the correct AES output when I am running the following comments:

key = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]
text = [0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x45]
ret = cw.capture_trace(scope, target, text, key)
byte_array = bytearray(ret.textout)
hexadecimal_string = byte_array.hex()
print(hexadecimal_string)
printed value: eb9d2e5e593ef438f2c807f23317ac2d

However, I got the wrong output (for the same key and plaintext) when I am running the following comments. How to correct it?.

key = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]
text = [0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x45]
target.fpga_write(target.REG_CRYPT_KEY, key)
scope.arm()
target.fpga_write(target.REG_CRYPT_TEXTIN, text)

target.fpga_write(target.REG_USER_LED, [0x01])
target.usb_trigger_toggle()

ret = scope.capture()

output = target.fpga_read(target.REG_CRYPT_CIPHEROUT, 16)
byte_array = bytearray(output)
hexadecimal_string = byte_array.hex()
print(hexadecimal_string)
printed wrong value: d93e8ba76bb71cd155df6487242feb79

It’s a byte order issue. If you follow what capture_trace() does, you eventually get to loadEncryptionKey() and loadInput() in capture/targets/CW305.py, and there you see that the order of the bytes given to target.fpga_write() is reversed (e.g. key = key[::-1]).
Similarly, the result of the output is also reversed after it is read from the FPGA.

Here are the changes to make your example work properly:

key = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]
text = [0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55, 0xbf, 0xef, 0x95, 0x60, 0x18, 0x45]

target.fpga_write(target.REG_CRYPT_KEY, key[::-1])
scope.arm()
target.fpga_write(target.REG_CRYPT_TEXTIN, text[::-1])

target.fpga_write(target.REG_USER_LED, [0x01])
target.usb_trigger_toggle()

ret = scope.capture()

output = target.fpga_read(target.REG_CRYPT_CIPHEROUT, 16)
byte_array = bytearray(output[::-1])
hexadecimal_string = byte_array.hex()
assert hexadecimal_string == 'eb9d2e5e593ef438f2c807f23317ac2d'
1 Like

Thank JP, Now I got the correct output.