CW305 CPA Attack not working

Embedded Security ChipWhisperer Hardware
1

Hi,

I followed the wiki tutorial but did not succeed in breaking the AES implementation with CW305 even with 10K traces!
Also, there were some errors (attached pic) in the python console while running the attack.

Please help me resolve this issue. I am using the latest CW v4.

Thanks,
Ron
error.png

2

Hi Ron,

Just to confirm, you’re working off of wiki.newae.com/Tutorial_CW305-2 … ES_on_FPGA, correct? The tutorial looks like it hasn’t been updated for v4 yet, but assuming you’re using the same model that’s described in the tutorial, you should be able to run the attack by changing:

from chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, SBox_output
and
leak_model = AES128_8bit(SBox_output)

to

from chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, LastroundStateDiff
leak_model = AES128_8bit(LastroundStateDiff)

in attack_cpa.py

Alex

3

For your second issue, my quick guess is that it looks to be some part of the logging system that doesn’t differentiate properly between using the GUI and being run by a python script in the terminal. How critical is the error (i.e. are you able to still run Analyzer)?

Thank you for reporting the bug, I’ll try to get it resolved as soon as possible.

Alex

4

Thanks Alex. Yes, I followed the tutorial. With the suggested changes, the attack now works for the last round HD.
Please let me know why the other HD models (like Round1Round2StateDiff_SBox) don’t work though.

The 2nd issue is not critical. The analyzer works fine.

Regards,
Ron

5

Hi Ron,

Have you tried other leakage models besides SBox_output and LastroundStateDiff? I’m not really familiar with attacks on FPGAs and the math of crypto definitely goes over my head so this is all guesswork, but I think any model that doesn’t try to correlate to state internal to the blue boxes and operates across sufficiently few rounds should work.

363×850 13 KB

The Round1Round2StateDiff_SBox model won’t work since its attack point is the output of the SubBytes operation (which is inside the blue box). Round1Round2StateDiff_KeyMix should work and I’d recommend giving it a try (though it might require more traces than is practical).

Alex

6

The error you were getting should be fixed as well on the latest develop commit.

Alex