HW AES SAM target


#1

Hi all,

I was wondering whether anyone has broken the SAM4L target? If so, could you please point me to the leakage model that worked for you?

After some trial and error, I went looking around online for tips to point me in the right direction. I found Colin’s overlords paper (https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2018/us-18-OFlynn-I-For-One-Welcome-Our-New-Power-Analysis-Overloards.pdf), which suggests round to round leakage (round 2 to round 3 specifically mentioned), in approx 3000 traces without any countermeasures enabled.

  1. I tried the HD last state round diff (and the alternate version), and round 1 to round 2 key add attack scripts with 10k traces. This was very unsuccessful.
  2. Given the results above, and the reference to round 2 to round 3 in Colin’s paper, I thought this might have been a suggestion that this round specifically was what needed to be attacked. I tried this by adopting the code for the key round attack and having it step a round deeper into the algorithm. This was unsuccessful.
  3. I would have thought that the key diffusion steps of the algorithm would prevent a sub-key attack between rounds with mixcols in play, as we do not know the correct adjacent sub keys it uses for diffusion? If this assumption is correct, then how would this attack be approached or is it indeed not really very possible / practical?

Big thanks for any help.


#2

I had done an attack on the SAM4L as mentioned - the actual CPA attack was a last-round state attack.

The example notebook for HW is broken - I was going to commit a fix for that. This might be a better starting point…

Also, due to the number of traces, using a faster engine (such as LASCAR) is useful here as well. This was also broken & will be fixed. I’m aiming to do both of those this week, will update when done.

-Colin
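The last-round state model mentioned in the reply above, as an added example that is not from the thread or from the ChipWhisperer notebook. It assumes the AES state register leaks the Hamming distance between the round-9 state and the ciphertext, and runs CPA on constructed, simulated leakage; because the final round has no MixColumns, each ciphertext byte depends on a single last-round key byte, so every byte needs only 256 guesses. The names `simulate`, `recover_byte` and `SRC` are hypothetical.

```python
import random

def make_sbox():
    """AES S-box: GF(2^8) inverse, then the affine map."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                    # q /= 3
            q ^= q << s
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
HW = [bin(v).count("1") for v in range(256)]
# Column-major state index that ShiftRows moves into output position i.
SRC = [(i % 4) + 4 * ((i // 4 + i % 4) % 4) for i in range(16)]

def simulate(key10, n, noise=1.0, seed=1):
    """Constructed data: one sample per trace, HD(round-9 state, ciphertext) + noise."""
    rng = random.Random(seed)
    cts, leaks = [], []
    for _ in range(n):
        s9 = [rng.randrange(256) for _ in range(16)]           # state before last round
        ct = [SBOX[s9[SRC[i]]] ^ key10[i] for i in range(16)]  # last round: no MixColumns
        cts.append(ct)
        leaks.append(sum(HW[a ^ b] for a, b in zip(s9, ct)) + rng.gauss(0, noise))
    return cts, leaks

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var = sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys)
    return cov / var ** 0.5 if var else 0.0

def recover_byte(i, cts, leaks):
    """CPA for last-round key byte i: HD(InvSbox(ct[i] ^ k), ct[SRC[i]])."""
    def score(k):
        hyp = [HW[INV_SBOX[c[i] ^ k] ^ c[SRC[i]]] for c in cts]
        return abs(pearson(hyp, leaks))
    return max(range(256), key=score)

if __name__ == "__main__":
    key10 = [(17 * i + 0x2B) & 0xFF for i in range(16)]  # constructed round-10 key
    cts, leaks = simulate(key10, 2000)
    print([hex(recover_byte(i, cts, leaks)) for i in range(4)], "expected", key10[:4])
```

The recovered bytes are the round-10 key; the cipher key follows by running the AES key schedule backwards.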


#3

Ah ok awesome. Thanks very much for the response, much appreciated!

Is this the notebook that’s broken: PA_CPA_4-Hardware_Crypto_Attack?


#4

Yup - I pushed the fix/update the other day, forgot to mention. One major improvement too is it shows you how to use Lascar for higher performance analysis. See https://github.com/newaetech/chipwhisperer-jupyter/blob/master/PA_CPA_4-Hardware_Crypto_Attack.ipynb .


#5

Awesome. Thanks for the update and the effort, Colin!

I’ll give it a go tomorrow, probably with the stm32f4 first.