How does CW Lite Measure port actually work?

I am collecting power traces using the ChipWhisperer Lite and the capture software GUI. What exactly am I looking at? Is it showing me the current measurement or the power (I*V) measurement?

The second thing I am confused about, is how does the software know how to give me the current measurement or power measurement when all I give it is the voltage measurement through the “Measure” SMA connector? If I am doing this on a external target and I put a shunt resistor on the external target, does the ChipWhisperer software need to know the resistor value and the supply voltage of the target device?

Clarification on these questions would be greatly appreciated. I looked over the documentation on the Wiki, but I was not able to find the answers to my questions.

Thanks.

Hi,

CW measures a voltage; depending on the target and where the measurement is taken, it may be the voltage drop across a shunt resistor, or between either side of the shunt resistor and ground (for example the CW305 wiki explains the options for that target).

The key point is that side-channel attacks don’t care about absolute power measurements; relative power differences is all that matters. This is why the value of the shunt resistor doesn’t matter to the Capture software. Correlations and statistics are the magic that makes the attacks work.

Hope this helps,
Jean-Pierre

Thanks for the response Jean-Pierre. That is helpful to know.

Could you (or anyone) explain the benefits of measuring power at different locations? For example in the options below, what are the pros and cons for each measurement location and why might I choose one over the other?

1. VCC --> [MEASURE PORT] --> Shunt Resistor --> Device --> GND
2. VCC --> Shunt Resistor --> [MEASURE PORT] --> Device --> GND
3. VCC --> Device --> [MEASURE PORT] --> Shunt Resistor --> GND

It seems like the XMega target board that comes with the ChipWhisperer Lite uses option 2 if I am not mistaken.

Any insight would be appreciated. Thanks.

Hi everyone! I’m really sorry for resurrecting this topic but I have the exact same question as @jcox, which sadly has not been replied to.

I read bunch of other similar threads (such as Understanding Power Trace). I was also looking at the schematic of the CW-Lite w/ XMEGA target (R66 is the shunt in this case, of 49.9 Ohms) and I deduced the config used should be the #2 jcox written in the above reply.

I get that one measuring terminal is placed between the shunt and the microP, but I’m not getting where’s the other one: is it placed on the other terminal of the shunt, near Vdd, (making a high-side current sensing circuit) or is it placed on GND, de facto measuring the voltage drop across the load?

Finally, since the probe is AC coupled, is there actually any difference if we measured the voltage drop across the high-side shunt or, viceversa, across the load? Do we measure on the load just to reduce the DC component as much as possible (since Vload = Vdd - VShunt), even if it is rejected by the AC coupled probe? What is the reason? Isn’t the variable Req of the load a problem for the preamp and ADC circuit?

I’m assuming a circuit like the one in this image I’m using for my thesis:

Screenshot_20210320_162332841×543 34.1 KB

Thank you so much!!

Hi,

Option 2 from jcox’s post is generally preferred, though option 3 can also be used. This is because different Vcc pins on more complicated targets generally go to different parts of the chip, allowing you to avoid noisy parts of the chip that you don’t care about (VCCIO, for example). You can’t do that nearly as well with a ground shunt.

GND and the high side of the shunt resistor have almost no AC component, meaning measuring on the low side of the shunt resistor gives you the AC portion of the current consumption, which is what we care about for power analysis. If you try to measure from the high side of the shunt resistor, you’ll get almost nothing.

For your figure, you’ll get something like:

V_sl = V_dd - I*R_s
V_sl = 0 - I*R_s
V_sl = -I*R_s

Alex