SNR for AES S-box Attack


I’m wondering if someone could tell me if I’m understanding the following correctly and correct me if I’m wrong. I’m under the impression that for the AES S-box leakage model, you can calculate the SNR related to the output of the S-box for the 16 different bytes and look at the peak in order to figure out where to zoom in on the collected power traces before training a machine learning / deep learning model that’s intended to predict a given S-box output byte given a zoomed in trace. Is there a flaw in this thinking?

The below image is a plot of the SNR for byte 0 (with TINYAES128C loaded onto the STM32F3), but what’s interesting to me is that the index at the peak locations for the next 15 bytes doesn’t increase in ascending order by byte number. The index at the peak seems to jump back every 4 bytes. Does this mean bytes 0, 4, 8, and 12 (aka the first column in the state matrix) are substituted first, rather than going in ascending order of byte number? Maybe this is an obvious thing, but I’m fairly new to AES, so if someone could clarify this I’d really appreciate it.

Also, the SNR plot for certain bytes has additional significant peaks. Could someone explain the reason for this?

Thank you,

From the TINYAES source code:

// The SubBytes Function Substitutes the values in the
// state matrix with values in an S-box.
static void SubBytes(void)
{
  uint8_t i, j;
  for(i = 0; i < 4; ++i)
    for(j = 0; j < 4; ++j)
      (*state)[j][i] = getSBoxValue((*state)[j][i]);
}

as well as C multidimensional array ordering, I believe you’re correct about the order of the bytes being substituted. SubBytes could technically be done in any order.

I believe these later correlation peaks are from the MixColumns operation, which does some GF multiply/add operations on the output of the SubBytes operation.


Awesome, thank you Alex.
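The loop order discussed in this thread can be reproduced on simulated traces. The following is an added example, not code from the thread or from the TINYAES project: it leaks the Hamming weight of each S-box output at a sample position that follows the SubBytes loop order quoted above, then computes the per-byte SNR and locates each peak. The leakage model, noise level, sample spacing, key and trace count are all constructed assumptions.

```python
import random

def make_sbox():  # AES S-box: GF(2^8) inverse, then the affine map
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] + [0] * 255, 1, 1  # S(0) = 0x63 is set directly
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                    # q /= 3
            q = (q ^ (q << s)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = make_sbox()
# (*state)[j][i] is byte 4*j + i of the block; i is the outer loop in SubBytes.
EXEC_ORDER = [4 * j + i for i in range(4) for j in range(4)]

def simulate(n_traces=1500, n_samples=52, sigma=1.0, seed=1):
    """Constructed traces: Hamming weight of each S-box output plus noise."""
    rng = random.Random(seed)
    key = [rng.randrange(256) for _ in range(16)]  # constructed key
    outputs, traces = [], []
    for _ in range(n_traces):
        out = [SBOX[rng.randrange(256) ^ key[b]] for b in range(16)]
        trace = [rng.gauss(0, sigma) for _ in range(n_samples)]
        for k, b in enumerate(EXEC_ORDER):  # assumed: k-th lookup at sample 4 + 3k
            trace[4 + 3 * k] += bin(out[b]).count("1")
        outputs.append(out)
        traces.append(trace)
    return outputs, traces

def snr(labels, traces):
    """Per sample: variance of the class means / mean of the class variances."""
    groups = {}
    for v, t in zip(labels, traces):
        groups.setdefault(v, []).append(t)
    curve = []
    for s in range(len(traces[0])):
        cols = [[t[s] for t in g] for g in groups.values()]
        means = [sum(c) / len(c) for c in cols]
        noise = [sum((x - m) ** 2 for x in c) / len(c) for c, m in zip(cols, means)]
        mu = sum(means) / len(means)
        signal = sum((m - mu) ** 2 for m in means) / len(means)
        curve.append(signal / (sum(noise) / len(noise)))
    return curve

def peak_samples(outputs, traces):  # SNR peak index for each of the 16 bytes
    curves = [snr([o[b] for o in outputs], traces) for b in range(16)]
    return [max(range(len(c)), key=c.__getitem__) for c in curves]
```

Calling `peak_samples(*simulate())` returns one peak index per byte; sorting the byte numbers by those indices gives 0, 4, 8, 12, 1, 5, 9, 13, and so on, so the peak position drops back every 4 bytes when listed in byte order.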