Electromagnetic Attack Experiment with CWlite

Using CWlite, electromagnetic analysis was conducted to compare with power analysis attacks. When experiments were conducted using the code below for both power analysis and electromagnetic analysis, power analysis succeeded with 30-40 traces, whereas electromagnetic analysis succeeded with traces ranging between 1000 and 6000. Given the significant difference, I would like your comments on whether there is anything strange in the code.

The intended functionality of the code is to perform analysis after capturing each trace and, in the end, output the number of traces required to guess the correct key.

import chipwhisperer as cw
from tqdm.notebook import trange
import numpy as np

# `scope` and `target` are assumed to have been connected and configured in
# earlier notebook cells (cw.scope(), cw.target(...), firmware programmed).

# Helper tables and functions as defined in the ChipWhisperer CPA tutorial
# notebooks; they were not part of the post and are reproduced here so the
# code below runs.
sbox = (
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
)

def aes_internal(inputdata, key):
    # First-round SubBytes output: the intermediate value the CPA targets
    return sbox[inputdata ^ key]

# Hamming weight of every byte value
HW = [bin(n).count("1") for n in range(256)]

def mean(X):
    return np.sum(X, axis=0) / len(X)

def std_dev(X, X_bar):
    return np.sqrt(np.sum((X - X_bar) ** 2, axis=0))

def cov(X, X_bar, Y, Y_bar):
    return np.sum((X - X_bar) * (Y - Y_bar), axis=0)

# Capturing waveforms and guessing keys
def realtime_cpa(scope, target, ktp, correct_key, max_traces=10000):
    trace_array = []
    textin_array = []

    # Split the correct key into a 16-byte list
    correct_key = [correct_key[i] for i in range(16)]
    best_guess = [0] * 16  # The guessed key
    num_traces = 0

    for i in trange(max_traces, desc="Capturing and analyzing traces"):
        num_traces += 1
        key, text = ktp.next()
        target.set_key(key)

        # Capture waveform
        scope.arm()
        target.simpleserial_write('p', text)
        ret = scope.capture()
        if ret:
            print("Target timed out!")
            continue

        trace_array.append(scope.get_last_trace())
        textin_array.append(text)
        trace_array_np = np.array(trace_array)

        # Perform CPA analysis byte by byte over all traces captured so far
        t_bar = mean(trace_array_np)
        o_t = std_dev(trace_array_np, t_bar)
        success = True

        for bnum in range(16):
            max_cpa = [0] * 256
            for kguess in range(256):
                # Hamming-weight hypothesis of the S-box output for this guess
                hws = np.array([[HW[aes_internal(textin[bnum], kguess)] for textin in textin_array]]).transpose()
                hws_bar = mean(hws)
                o_hws = std_dev(hws, hws_bar)
                correlation = cov(trace_array_np, t_bar, hws, hws_bar)
                cpaoutput = correlation / (o_t * o_hws)
                max_cpa[kguess] = max(abs(cpaoutput))
            best_guess[bnum] = np.argmax(max_cpa)

            # If the current guess does not match the correct key
            if best_guess[bnum] != correct_key[bnum]:
                success = False

        # If the key matches, output the result and exit
        if success:
            print(f"Key matched after {num_traces} traces!")
            print("Guessed Key: ", ''.join(f"{k:02x}" for k in best_guess))
            return num_traces, best_guess

    # If no match was found within the maximum number of traces
    print("Failed to match key within the maximum number of traces.")
    print("Last Guessed Key: ", ''.join(f"{k:02x}" for k in best_guess))
    return num_traces, best_guess

ktp = cw.ktp.Basic()
correct_key = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]

num_traces, guessed_key = realtime_cpa(scope, target, ktp, correct_key)

Changing from a direct shunt measurement to an EM measurement doesn’t require any changes to your attack code other than increasing the number of traces and setting the correct scope.gain. The EM measurements are more noisy → more traces are needed. Probe placement will have a huge effect on this.

Thank you for your reply.
I read a paper stating that electromagnetic wave analysis requires fewer waveforms for analysis compared to electrical analysis. I wanted to verify this through an experimental reproduction, but to make a proper comparison, I needed to know the exact number of waveforms used. I tried writing some code for this purpose, but since I’m not very good at coding, I wanted to ask for your opinion.

Do you have a link to that paper? I’d say your results are about what I’d expect. While there could be some situations where EM measurement might give a better SNR than a resistive shunt, and there are other advantages to EM measurement, I’d expect measuring via shunt resistor to give a much better SNR.

From my experience EM indeed typically shows better results than power, as you can obtain more localized information. But this depends on probe type, its placement, having decapped/non-decapped sample… And sometimes you will just have the case when power is better. In any case no need to change the code, as said.

Thank you for your response, and I apologize for the delay in getting back to you.

This is the paper that outlines the reasons behind predicting those results. As for its content, I believe it discusses a comparison between electromagnetic wave analysis and power analysis conducted using the Japanese side-channel evaluation board known as SASEBO-R, based on shunt resistance.

I feel reassured knowing that we share similar opinions. I hope we can continue to discuss topics related to this paper in the future.

Thank you very much for your response.

In this instance, I conducted both CPA and CEMA. My approach was to analyze one waveform at a time, obtaining a sample and performing the analysis. After acquiring the second waveform, I combined it with the first waveform for further analysis. I intended to create a program following this method.

With power analysis, it only took about 27 to 37 waveforms, so the process did not take much time. However, with electromagnetic analysis, it required approximately 450 to 600 waveforms, resulting in a single analysis taking around three hours.

As it is taking far too long, I wanted to seek your opinion and thus decided to ask for your advice.

If you have any suggestions on how I could improve this process, I would greatly appreciate it if you could share them with me.

Interesting. I can’t read Japanese, so I can’t really comment on the paper, but some things to consider:

  • Our microcontroller targets are very basic: most of the peripherals aren’t running, there are few clocks running in the device, etc., so the effect of isolating the power consumption to only areas you care about is diminished compared to something more complex.
  • You can run a much larger shunt resistor on the microcontrollers we use, both due to power draw on the microcontrollers being a lot smaller and them being more forgiving of voltage stability issues introduced by the shunt resistor. A smaller shunt will give you a worse SNR, so a smaller signal on EM measurements is less of an issue on more complicated devices that require a smaller shunt. I wouldn’t be surprised if the shunt on the SASEBO is more than an order of magnitude smaller than the Lite.
  • The fact that you can optimize EM measurements a lot more is a bit of a double edged sword, as it gives more parameters that you need to optimize. Probe size and placement are things you need to optimize, so there’s a bit of a tradeoff between attack complexity and peak effectiveness. You can see this with EMFI as well (an example of scanning XYZ for that: https://eprint.iacr.org/2021/1217.pdf)

There’s a lot you could explore and test here, but I’d wager that as target complexity goes up, EM measurement becomes better relative to a shunt measurement.