Low CPA correlation against assembly outputs


I’m attempting a CPA attack against Kyber using the CW Lite by attacking the assembly instruction “smultt tmp, ct, sk”. However, even with the correct ct and key guess I only get a correlation between 0.4 to 0.5. Can this be because half of the tmp register is used as input in the next instruction? And I’m wondering if there are any ChipWhisper settings which are better at measuring the power usage of the output of assembly instructions?


Even if you expect a perfect correlation theoretically, you won’t get there in practice. The correlation you see in our software AES example is nearly a best case scenario - operating on a single byte at a time helps a lot to limit noise and doing the operation via an SRAM lookup takes up a large amount of power. If you take a look at something like hardware AES, which does 16 bytes at a time and has its largest power consumption updating the values of registers, which is much less distinct, you quickly end up with correlations around 0.1, even though the underlying math is largely the same and the attack still works.

The more important factor is whether or not you see a difference in correlation between correct and incorrect key guesses.

No, this shouldn’t affect the correlation you measure as that’s happening at a different point in time.


1 Like