CPA attack success rate!!!!!!!!!!

Hi Colin,
First of all thank you so much for wonderful work.
I am using the SAKURA-G board along with the OpenADC for my experiments.
I have designed fault detection circuits on top of the existing AES algorithm.
I am using the HD power model for the attack. The CPA attack is able to retrieve the key in fewer traces if the hardware cost of the implemented fault detection is more, which is measured from Xilinx ISE. Just for example:
If the fault detection is double modular redundancy (DMR):
Number of Slice Registers: 759
Number of Slice LUTs: 3414
Number of occupied Slices: 988
The key can be retrieved in 2800 power traces.
If the fault detection is an even parity check code:
Number of Slice Registers: 768
Number of Slice LUTs: 2937
Number of occupied Slices: 914
The key can be retrieved in 7500 power traces.

I read your documentation eprint.iacr.org/2014/204.pdf, but still I am confused.
I think the attack success depends on the amount of hardware cost. Can you help me understand if I am concluding this correctly? The power change measured by ChipWhisperer capture is more when the design consumes more hardware.

Thanks

Hello,

This is true - but it’s only an artifact of the measurement environment (using the shunt resistor). More hardware area will mean more power draw, and a larger signal across the shunt resistor, which results in a better SNR for a fixed amount of noise.

But instead what you could do is increase the value of the shunt resistor. The voltage drop would increase for the same amount of hardware used, resulting in an improvement in SNR again.

If you are trying to compare different hardware implementations it will be a little tricky, as your larger hardware area will probably cause a slight improvement in SNR. I don’t know off-hand how to easily compensate for that, but trying to measure the SNR might be a useful first step. There was a thesis at alexandria.tue.nl/extra1/afstver … i_2015.pdf that might be a good starting point for this!

Regards,

-Colin
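
The SNR measurement suggested in the reply above can be tried on synthetic data first. This is an added example, not part of the original posts and not ChipWhisperer code. It assumes a simplified model in which one sample point equals `gain` times the Hamming distance of an 8-bit state register plus fixed Gaussian measurement noise, where `gain` stands in for more switching hardware or a larger shunt resistor.

```python
import random
from collections import defaultdict
from statistics import fmean, pvariance

def hamming_distance(a, b):
    """Number of bits that flip when a register goes from a to b."""
    return bin(a ^ b).count("1")

def simulate_point(n_traces, gain, noise_sigma, seed):
    """Constructed data: one leaking sample point per trace.
    gain scales the signal seen across the shunt; the noise is fixed."""
    rng = random.Random(seed)
    labels, samples = [], []
    for _ in range(n_traces):
        hd = hamming_distance(rng.randrange(256), rng.randrange(256))
        labels.append(hd)
        samples.append(gain * hd + rng.gauss(0.0, noise_sigma))
    return labels, samples

def snr(labels, samples):
    """SNR = Var(class mean per trace) / mean within-class variance,
    with traces partitioned by their Hamming-distance class."""
    groups = defaultdict(list)
    for hd, s in zip(labels, samples):
        groups[hd].append(s)
    means = {hd: fmean(v) for hd, v in groups.items()}
    signal = pvariance([means[hd] for hd in labels])
    noise = fmean([(s - means[hd]) ** 2 for hd, s in zip(labels, samples)])
    return signal / noise

def compare(n_traces=5000, noise_sigma=4.0, seed=1):
    """Same noise floor and same random draws, two signal amplitudes."""
    low = snr(*simulate_point(n_traces, 1.0, noise_sigma, seed))
    high = snr(*simulate_point(n_traces, 2.0, noise_sigma, seed))
    return low, high

if __name__ == "__main__":
    low, high = compare()
    print(f"SNR at gain 1: {low:.3f}   SNR at gain 2: {high:.3f}")
```

On captured traces, the same `snr` function would be applied per sample point, with the labels computed from the known key and the two designs measured on the same setup.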

Hi Colin,

Thanks for the response. I understood it partially.
I am facing another problem. I am using double modular redundancy (DMR) for MixColumns in AES (meaning two replicated copies of MixColumns). Due to the optimization in Xilinx ISE, there is no excess overhead for the DMR MixColumns and no significant change in power compared to baseline AES (where I am using a single copy of MixColumns).
The number of power traces required to retrieve the key in MixColumns DMR based AES is less than for baseline AES.
I read through the CPA theory “http://www.newae.com/sidechannel/cwdocs/theory.html#theorycpa”.
I am not able to understand why this is happening even though the area and power consumption are the same.
Am I misunderstanding the CPA attack?
What factor makes the key retrieval process easier in the case of two replicated MixColumns modules in AES than with a single MixColumns in AES?

Thanks again.

Hello,

What sort of differences are you getting in number of traces? If it’s not too substantial it could just be variations when the place & route algorithm… i.e. there is probably a placement that will result in better leakage and one that will result in worse leakage.

The default CW CPA attack is looking at the change in the state register in the FPGA. Anything that might result in a larger fanout/net length when accessing that state register will also mean fewer traces are needed (since the leaked data will have a slightly stronger signal due to larger current draw when switching states).

If you can figure out in the placed design where your state register went, it might be interesting to compare the two synthesis runs (DMR vs. Baseline). You might be able to see if the baseline one is tighter, or has less fanout perhaps on the state register output? But basically I’m just guessing here…

Hi Colin,
Thank you so much. Your explanation makes sense to me.
The difference in power traces is almost 2000. I will try to look into cell placement.

I think the difference in the number of power traces is quite large.

Dear Colin,

I can see the section in newae.com/sidechannel/cwdocs … ition.html, which is yet to be documented.
I was wondering if there is any way in ChipWhisperer to test the leakage of CPA like Test Vector Leakage Assessment (TVLA)?

Thanks

Hello,

The documentation is being changed to the wiki (see wiki.newae.com) - there is a new tutorial now on the template attack, which goes through how the partitioning works.

I want to update with a new tutorial for doing T-Testing, but it’s not quite online yet… is there anything specific you are looking for?

Thanks!

-Colin