I’m trying to attack the AES Hardware implementation on a custom target, but had no success so far. Even with a high number of traces I wasn’t able to reproduce the recovery of a single sub byte.
With the same target I’m able to recover all key bytes of the AES software implementation with about 500 traces.
My target is a SoC running at 50 MHz, which I sample at 50 MHz (clkgen_x1). I’m using the leakage model “last_round_state_diff”, which gives me a relatively high correlation for wrong bytes, at a position in the trace where the AES operation is already done. Here is a picture:
This was an attack with 60000 traces and recovered a single sub byte (which is not reproducible, most of my measurements recover 0 bytes). I usually just attack the area in the traces where the actual AES operation takes place. The picture shows the highest correlation in the whole trace.
I also tried using different leakage models, different clocks for the SoC and different sample rates (also tried clkgen_x4 100 MHz, with 25 MHz target clock), but none of this showed any success.
The AES core of this SoC is this one from opencores.org: https://opencores.org/projects/aes_highthroughput_lowarea
Does anybody have an idea what might be the problem attacking the AES hardware implementation of this target?
Thanks in advance