CW305 ECC: Average traces vs POIs

1

Hi all,
Suppose we have two secret numbers to be fed into P256 point multiplication.

k1 = 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

Collect its traces, and calculate the average.

bokeh_plot (1)
bokeh_plot (1)2500×750 47 KB
Fig1. Average Trace for k1.

Another secret number.

k2 = 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

Similarly, we get its average trace.

bokeh_plot (2)
bokeh_plot (2)2500×750 48.4 KB

Fig2. Average Trace for k2.

Now, I subtract k2’s average trace from k1’s, I get

bokeh_plot (3)
bokeh_plot (3)2500×750 35.3 KB

Fig3. The difference between k1’s and k2’s average traces

We could see some spikes here,

Inkedbokeh_plot (3)_LI
Inkedbokeh_plot (3)_LI2500×750 218 KB

Figure 4.
This confused me. k1, and k2 only differs in MSB; further, in CW305_ECC, this MSB is processed in cycle 42; thus cycle 42 should be the timing where average traces k1 and k2 differs the most, then there should be a large spike at cycle 42, right? If this holds, the next large spike should be at cycle 4246 as CW305_ECC described. Then why are so many spikes in the circled area?

Zoom in the circled area, and label some timings.

Inkedbokeh_plot (4)_LI
Inkedbokeh_plot (4)_LI2500×750 248 KB

Figure 5.

The very beginning cycle, 4400, where these spikes start to show up, does not coincide with 42.
Why isn’t cycle 42 the first timing that comes with the first large spike?

Alan

2

No, this is exactly what I would expect to see.
The leakage which we use to guess bit i occurs when bit i+1 is processed. Maybe this isn’t super obvious in the CW305_ECC.ipynb notebook, but think about the correlation that’s calculated for the attack: it’s the correlation between a power trace segment of bit i and a power trace segment of bit i+1. So it’s not until bit i+1 is processed that we can guess at bit i. This is exactly what your experiment shows.

The other thing that your experiment shows is that there is a fair bit of leakage throughout the processing of the 2nd bit, and it looks a lot different from the localized leakage that the demo shows around cycles 6 and 4202.

The reason for this is that the first k=1 bit (i.e. the leading one) has different leakage characteristics from other k=1 bits. This is why there is an “initial threshold” and a “regular threshold” in the final notebook attack. When I get the chance I will update the notebook to explain why this is. Long story short, this is why you see more differences between k1 and k2, and your results are exactly what I would expect to see.

Jean-Pierre

1 Like