Help with Lab 3_3 DPA on Firmware AES – Ghost Peaks and Windowing Uncertainty

Hello,

We’re currently trying to extract the correct AES key using Differential Power Analysis (DPA) on firmware implementations. Unfortunately, despite numerous attempts, we’re unable to retrieve the full correct key.

We’ve tested both crypto targets (TinyAES128C and AVRCryptoLab) and collected datasets with 2,500 and 10,000 traces for each. Our primary suspicion is that we’re running into issues with ghost peaks.

We’ve followed the windowing suggestions from the lab solution, but we’re unsure which graph to use to determine the cycle offset and sample begin values. Specifically:

• We tried using the graph generated by a single subkey hypothesis (showing ghost peaks and the correct key), like this:
  

  

  Screenshot (17)714×493 57.4 KB

• We also tried using the graph that includes all subkey guesses along with the correct key, like this:
  

  

  Screenshot (19)792×604 104 KB

We’ve experimented with a wide range of offsets and sample begin values, but the best result we’ve achieved so far is 13/16 correct key bytes.

So our questions are:

• Which graph should we be using to determine the cycle offset and sample begin?
• How do we decide which peak to consider? How “tall” does a peak need to be for it to be meaningful or worth zooming in on?
• Are there any additional tips to deal with ghost peaks more effectively?

We’d really appreciate any advice or clarification. Thanks in advance!

So we’ve tried a bunch of different settings for the cycle offset and sample beginning, but the best results we’re getting are still only 14 out of 16 characters recovered. But we’re still unsure which exact graph we should be using to read those numbers.

Hi, a couple of questions…
What intermediate data do you target?
Are you able to do a leakage test with known-key on your target device, or are you only able to do an attack directly?
In your first picture is the red one a ‘ghost peak’ and the green one linked to the correct key hypothesis, or the other way around?

Hi,

I had a similar issue some months ago: Running SOLN_LAB_3_3 with a Husky doesn't yield correct results - #48 by vector247

Finally it is really about selecting the correct window and this can be determined by analysing the plot. What you are looking for is the right number (in this case 16) distinct peaks in equal distance, each one of a different color, i.e. from a different trace. Based on the plot you shared I would guess that a window from 1800 to 2900 will lead to a successful result.