HD vs HW in aes cpa attack

Hi Colin,
I’m trying to understand the difference between HW and HD in aes cpa attack.I only started working with ChipWhisperer and i’m new to all of it.
I am running the built-in CPA attack on AES 128 on the XMEGA target of the ChipWhisperer .

It works (exposes the key) with the default code in attack_cpa.py, which use HW model:
leak_model = AES128_8bit(SBox_output)
attack.setAnalysisAlgorithm(CPAProgressive, leak_model)

However, when I change to HD : leak_model = AES128_8bit(SBoxInOutDiff) it doesn’t expose the key.
I’m trying to understand exactly why, It would be very helpful to see your explanation.

This is what I was thinking, not sure if it’s correct but I would like to hear if it can explain the difference:
having this formula- HD(in,out)= HD(p^k,s(p^k)) = HW(in^out)=HW ( p^k ^ s(p^k)) , in the analyze part all the parameters should be known in the SW- for every guess we know k-the key, p-the plaintext, and s-the sbox output, is the problem in the capture part, that we don’t have a corresponding measurement to relate our guesses to?
In HW model in the capture part we measure power which we assume equals to HW(s(p^k)) and then in the analysis part we try all different keys for this p and calculate by SW HW(s(p^k))- if the values match we found the key.
However in the HD model: in the capture part our measurement stays the same- measuring -the power that represents the HW(s(p^k)) but unlike HW model in HD we cant compare the calculation HW ( p^k ^ s(p^k)) to the measurement directly because we have HW(s(p^k) and not the value s(p^k).

Thank you in advance!
Yuval

Hi Yuval,

The reason that hamming weight is used instead of hamming distance is because microcontrollers typically reset the state of the bus lines to a middle value in between data updates to lower average power consumption, meaning you’re finding the hamming distance between the SBox output and 0 (which is just the hamming weight).

The full hamming distance model is a lot more useful when attacking hardware AES, where this isn’t the case. This makes the attack harder, since you need to also consider what the data lines were both before an operation and after.

Alex

Hi Alex,
Thanks for the answer.
There are still some points which are unclear to me though.
You describes a case in which the data buses are reset to middle values- do you know if it actually happens in Chip Whisperer? If it’s true, as you said in this case the Hamming Distance will be equal to hamming weigh:
HD(SboxInput, SboxOutput) = HD(0,SboxOutput) = HW(SboxOutput).

If so, why the attack of HW(SboxOutput) success and reveals he key, but when switching model to HD(SboxInput, SboxOutput) it doesn’t success.

Thanks,
Yuval

I doubt you’ll be able to find an answer to your specific question since this is a pretty low-level implementation detail, but start with your target’s datasheet. To me, the fact that one leak model works and a different one doesn’t is the way to infer that implementation detail, short of some serious transistor-level reverse engineering.

Now regarding HD vs HW, you may be right that on the target itself, HD = HW, sort of… But that doesn’t mean that a HD model can succeed, because using the HD model means that the attack is trying to correlate against HD which is not what’s actually happening on the target bus. Sorry if I’m not expressing this super clearly but if you think about it for a few minutes it should click.

Jean-Pierre