I am trying to mount a CPA on EM traces of the Canright Sbox verilog implementation without any success.
I use an in-house software to perform the CPA attack.
The power analysis worked after 200k traces.
But the EM attack does not work even after 450k traces.
I have used a jumper on the JP7 to bypass the shunt.
The CW EM probe is on top of the FPGA with a small inclination due to the SMA connectors
on the board. I use the CW LNA connected to a 2GSPS oscilloscope.
By the way one issue I am having is that there is a 20ns rise time and more than 20ns falling time for the default trigger pin of the CW305-100T.
Is there a particular clock frequency going to help?
Do you have any suggestions? Is there any setting I should use to make the attack easier?
I don’t have access to CW305, but I did it on Spartan7 dev board. (I also created a thread on it here.)
I’m pretty sure you can do it too on CW305 (I’ve seen it somewhere, but I cannot find it now).
Thank you very much Jean-Pierre, in fact my issue was due to a bug and it is solved now.
By the way for future reference, with an on-the-fly sbox implementation (Canright) computing
16 times the sbox with the same inputs (to artificially increase the leakage), using the
CW EM probe and LNA, I needed 70k traces to find the key at the sbox output of the first round.
This is without any careful placement of the probe. The probe is in the middle of the FPGA.