CPA on mbedtls AES-128 decryption

I tried running a CPA on mbedtls decryption traces (target STM32F303) but it can’t find the correct round key. I increased the number of traces up to 50k and used both the “inverse_sbox_output” and “t_table_dec” leakage models without success.
Between the two models “inverse_sbox_output” leads to higher correlation values. I attach the results for this case. The correct round key would be 8b de 00 3d 97 97 23 fa 0f a7 06 2b f7 9b a1 f6.

Do you know if there is any specific step to take in order to attack this decryption implementation?


Found the problem in the definition of the “t_table_hw_dec” (software/chipwhisperer/common/utils/
t_table_hw_dec = [hw[gal9[sbox[i]]] + hw[gal11[sbox[i]]] + hw[gal13[sbox[i]]] + hw[gal14[sbox[i]]] for i in range(256)]
i_sbox should be used instad of sbox.
Also, I realized that using the inverse_sbox_output model won’t ever work in decryption if the target implements t-tables, as the inverse sbox output never directly appears in the inverse t-table output.


Thanks for the report on this. I’ve fixed this in the following commit: fix ttable inv model · newaetech/chipwhisperer@114f2b0 · GitHub.

While sbox[i] doesn’t directly appear in the output of the t-table, the inverse_sbox_output model actually does work. This is because multiplication in the Galois field is a linear operation. If you replace the original CPA attack in sca201/Lab 2_1 with one that targets the inverse sbox instead, you still get the correct key out:


Hi Alex, thanks for your reply.
Are you sure this is also true when using decryption traces? I have tried the inverse_sbox_output model on 50,000 decryption traces without success (see table in the first post).
Later I tried to use an inverse sbox leakage model that includes one of the multiplications in the galois field, so as to partially match the inverse t-table output, and it works much better:


Sorry yeah, you’re probably right, thanks for the correction.