I could see that the left edge of move_inhibit is at 41925 ns. Is it the clock cycle 4195? Further, where can I find the clock frequency that CW305 operate in for ECC point operations? And where are the 8 writes mentioned above?
If I zoom in move_inhibit, there seems more than 8 pulses consisting from bram_rx_wr_en, bram_ry_wr_en, and bram_rz_wr_en. Are these pulses the 8 wirtes?
Hi Alan,
On your waveform, pull up the tb.cycle_count signal.
Now just before bit_counter goes from 0 to 1, you should find bram_r[x|y|z]_wr_en be high for 8 consecutive clock cycles when cycle_count is between 4237 and 4244. Now scroll back to where bit_counter is initialized to 0, and you’ll see that cycle_count is 42 at that point. 4237 - 42 = 4195.
Here’s an example showing this (in this example move_inhibit happened to be low on the first bit, but the same principle applies).
The 8 writes are not pulses; they are burst over 8 consecutive cycles, as you can see here.
In this simulation, the clock is driven with a 6ns period, but that’s a completely arbitrary number, since the attack only concerns itself with numbers of clock cycles, not nanoseconds.
1- follow the Verilog code, you’ll see that they connect to the BRAM write control.
2- these are the clock cycle indices where the x/y/z BRAMs are read, relative to when bit_counter changes
Jean-Pierre
Where could I see the x/y/z BRAM read cycles? Could you show me a gtkwave example?
In the section, Cryptograpy Detour, I saw a key word,
bram_1rw_1ro_readfirst
Sorry because Verilog code is a total new thing to me, could I ask you where could I find this very keyword in gtkwave? Does the understanding of it bother our attack?
Each bit takes 4204 cycles to process, then we would have 256 times 4204 cycles. Thus we totally need 1, 076, 224 cycles, this is much larger than my CW-Lite’s capability of sample storing, which can only accommodate 24400 samples. Do I mix up the concept of cycles and samples? What’s the difference between them?
If you want to really understand all this properly, you’ll absolutely need some Verilog fluency. Verilog is quite different from most languages so you can’t really wing your way through this. I’m sure there are good online tutorials (I don’t know of any specific ones to recommend).
From the notebook:
“With a ChipWhisperer-Lite, every trace needs to be captured in several steps, using the sample offset feature”
What we do is run the operation to capture the first 24400 samples. Then we set the sample offset to 24400 (which means "start capturing 24400 samples after the trigger asserts), re-run the exact same operation, and capture samples 24400 - 48799. We repeat this until all ~1M samples of the ECC operation are collected. You can see this in the notebook code for the get_traces() method.
Does move_inhibit only discard the addition when the bit is 0? And is this why there is a statistical difference between processing a 1 versus a 0? If this holds, why are the bit 1 and bit 3 discarded in the following figure?
From the waveform it appears that the addition result for bits 1, 2 and 3 is discarded, because move_inhibit is set, which in turn is because the associated k bit is set.
No, if you follow the Verilog source you’ll see that bits are processed from MSB to LSB, so the first four bits are 0111 (7), which indeed matches the move_inhibit behaviour on your waveform.
So gratitude for all of your kind help here.
Thus, by default, the CW305 clock is fed with 12MHz from PLL1, right? Further, where could we see ADC sampling rate and could we modify it?
