CW305 - EM attack

Hi! thanks for providing great tools!

I am trying to mount a CPA on EM traces of the Canright Sbox verilog implementation without any success.

I use an in-house software to perform the CPA attack.

The power analysis worked after 200k traces.
But the EM attack does not work even after 450k traces.

I have used a jumper on the JP7 to bypass the shunt.

The CW EM probe is on top of the FPGA with a small inclination due to the SMA connectors
on the board. I use the CW LNA connected to a 2GSPS oscilloscope.

By the way one issue I am having is that there is a 20ns rise time and more than 20ns falling time for the default trigger pin of the CW305-100T.

Is there a particular clock frequency going to help?

Do you have any suggestions? Is there any setting I should use to make the attack easier?

Best Regards,

From my experience you must place probe above actual implementation inside FPGA, so try different positions.
Do your traces look good?

Thank you for your reply.

So you confirm that an EM attack on the CW305 FPGA using the CW EM probe is possible?

Best Regards

I don’t have access to CW305, but I did it on Spartan7 dev board. (I also created a thread on it here.)
I’m pretty sure you can do it too on CW305 (I’ve seen it somewhere, but I cannot find it now).

You can start with example implementation first:

Your traces should look like this:

If you haven’t yet, watch this video:

Set your target to encrypt continuously, as you move the probe around until you can distinguish the 10 AES rounds.


Thank you very much Jean-Pierre, in fact my issue was due to a bug and it is solved now.

By the way for future reference, with an on-the-fly sbox implementation (Canright) computing
16 times the sbox with the same inputs (to artificially increase the leakage), using the
CW EM probe and LNA, I needed 70k traces to find the key at the sbox output of the first round.

This is without any careful placement of the probe. The probe is in the middle of the FPGA.

Thanks again!