I have implemented a CPA attack on AES running on the CW305 following the procedure described in the NAEAN0010: Power Analysis on FPGA Implementation of AES Using CW305 & ChipWhisperer white paper at NAE0010_Whitepaper_CW305_AES_SCA_Attack.pdf (newae.com). My hardware setup is also exactly the same as described in the white paper and utilizes the CW Lite 2.
I have programmed the CW305 using the provided default impl_100t bitstream and verified that my CW305 indeed has a 100t variant, but unfortunately, regardless of how many traces I collect, I am unable to extract the cipher key. I have tried up to 40000 traces with no success.
Attached is the Jupyter notebook containing the capture and CPA logic I am using, in addition to various graphs for analyzing CPA results, such as PGE as a function of the number of traces collected.
CPA_AES.zip (3.1 MB)
It does not seem like the attack is making any progress given an increasing number of traces, so I believe something is wrong and the attack will not improve regardless of the number of traces I collect.
I have also tried utilizing the last_round_state_diff leakage model instead of sbox_output as described in CW305 CPA Attack not working - Embedded Security / ChipWhisperer Hardware - NewAE Forum.
However, the last_round_state_diff leakage model did not yield a successful attack after 25K traces either.
What is causing CPA to fail like this? Are there any parameters that can be tweaked to improve the attack? Any feedback or suggestions would be greatly appreciated. Thank you.