Last round state difference model


We are trying to figure out how does the leakage model last_round_state_diff work. As far as we understand, in the last round we have first SBox, then ShiftRows and finally XOR with the key. At the output of that round we get our cyphertext. The code for the leakage model is:
st10 = ct[self.INVSHIFT_undo[bnum]]
st9 = inv_sbox(ct[bnum] ^ key[bnum])
return (st9 ^ st10)

This poses several questions:

  1. Why is the st10 defined as if the cyphertext were the direct output of the ShiftRows when we know that it is the output of XOR operation?
  2. Why is the st9 defined as the input of the 10th round as if the ShiftRows didn’t exist? Cause it seems that it only takes into account the SBOX and XOR operation
  3. Why would the Hamming distance between st9 and st10 be registered in the HW implementation and therefore proportional to the leaked signal at a certain time moment?

Many thanks in advance

This is a timely question as I’ve actually been working on a new hardware AES tutorial which explore AES leakage models in a bit more detail, which I hope to be able to release soon.

last_round_state_diff is the model that’s used for the CPA attack on our CW305 AES example. If you dig into the Verilog code, you’ll see that aes_core.v executes all the rounds, doing one round per clock cycle; it’s called over 11 consecutive clock cycles to do the entirety of AES. The output of each round is stored in flops. We have a very basic testbench which helps see and understand how it works.

aes_core.v follows exactly the steps listed here; the results of step 2, each of the 9 rounds in step 3, and step 4 are stored in the same set of flops.

st9 represents the flop contents after the last round of step 3, and st10 the contents after step 4, which one small change: undoing the shift rows is done to st10 instead of st9. (I’m not 100% sure why it’s done this way but it shouldn’t matter. Again, simulating the Verilog, along with working out manually st9 and st10 values, helps to see how this works.)

So to summarize: the leakage model is based on the AES state flops as they are updated from their post-round-9 state to their final post-round-10 state.

Many thanks for your fast reply. We will look into these documents in more details, but we definitely now have a clearer picture on what is going on.