Correlations in CW305_ECC

Hello everyone,
The plot listed here depicts the correlation coefficients of x, y, z coordinates, in the section “Correlation Attack”, whose colors are orange, purple, and green, respectively.
Does this plot coincide with the descriptions, " The correlation with the y-coordinate read is very good…"?
I just cannot tell any information from this purple curve. Or, does this the curve shape depend on my environment? Did I get a bad curve?


Hi Alan,
I don’t understand your question; to me the information about k is very clear on your purple curve:

Can you explain what you mean?

For reference, this is what I get:

For some reason you are getting somewhat different results, however the leakage is still clearly present; the attack should still succeed, although you may need to adjust some parameters (like initial_threshold and regular_threshold).


Hey Jean,

  1. Thank you for your kind reply, I just wonder whether my CW305 would inherit some discrepancies from yours such that I cannot tell any information from my purple curve.

  2. My secret number k= 0x70a12c2db16845ed56ff68cfc21a472b3f04d7d6851bf6349f2d7d5b3452b38a, which shows some differences from your opinions. But I’ still stunned that how can you tell there is a leading one in the very beginning?

  3. Moreover, the thresholds confused me a lot, how to determine these values?
    Unfortunately, my attack failed in the end.

Hi Alan,

2- I’m not sure I understand your question… Are you sure you haven’t gotten mixed up with your k values? i.e. was the plot that you shared above obtained with that random-looking k?. We can tell about the leading one’s presence just by observation; in the plots above, the sudden change around k index = 16 corresponds exactly with the position of the leading 1 in the k used to generate those plots. Moreover if you repeat the experiment with a different k, where you move around the leading 1 (but keeping all other bits the same, to make the change more obvious), you’ll see that the first “jump” always lines up with the location of the leading one.

3- As shown in the notebook, when we use a known k with easily identifiable patterns of 1’s and 0’s we obtain something like this:

and we simply manually set a threshold at the halfway point between the power metric for 1’s vs that of 0’s. The “initial threshold” business complicates this a little bit but it’s the same idea.


1 Like

Hey Jean,

  1. Sorry, you are right, I just mixed up k with that random-looking one, here k is

k = 0x0000ffffffffffff0000000000000000aaaa0000cccc00001111000033330000.

How do you know the patterns in the k index = 64~ 127 are zeros? I thought the zeros’ patterns should be low, but in this plot, they gained much higher than ones in the k index = 32~63.

  1. Ok, I need some time to chew on this idea.


Easy - we know because we know! When building the attack, k is known. One could get into the physics of why the marker is higher when k=0, and not vice-versa. But from a side-channel attack (or defense!) point of view, this really doesn’t matter. What matters to us is that the marker is consistent, and thus useful towards a side-channel attack.


1 Like