Target timed out when trying custom program (NTT)

san9 · February 14, 2025, 12:44pm

Hey, I’ve been trying to get traces of the NTT algorithm from the Kyber PQC algorithm (source code here.
I’ve setup simpleserial SS_VER_1_1.
I’ve setup the triggers to capture power traces of when the algorithm does its work, however, it all results in the following output:

(ChipWhisperer Target WARNING|File SimpleSerial.py:447) Unexpected start to command: 
(ChipWhisperer Scope WARNING|File _OpenADCInterface.py:732) Timeout in OpenADC capture(), no trigger seen! Trigger forced, data is invalid. Status: 0b
(ChipWhisperer Scope WARNING|File _OpenADCInterface.py:732) Timeout in OpenADC capture(), no trigger seen! Trigger forced, data is invalid. Status: 08
Target timed out!

I’ve setup my communication with simpleserial the following way:

uint8_t get_pt(uint8_t* pt, uint8_t len)
{
    trigger_high();
    // Initialize the polynomial r with random coefficients
    poly *r, r_polynomial;
    r = &r_polynomial;
    for (int i = 0; i < KYBER_N; i++) {
        r->coeffs[i] = (int16_t) rand();  // Random coefficients
    }

    // Perform NTT
    ntt(r->coeffs);

    // Stop power trace capture
    trigger_low();
	/* End user-specific code here. *
	********************************/
	simpleserial_put('r', 16, pt);
	return 0x00;
}

int main(void)
{
    platform_init();
	init_uart();
	trigger_setup();

	simpleserial_init();
#if SS_VER != SS_VER_2_1
	simpleserial_addcmd('p', 16, get_pt);
#else
    simpleserial_addcmd(0x01, 16, aes);

#endif
	while(1)
		simpleserial_get();
}

My platform configuration is as follows:

SCOPETYPE = 'OPENADC'
CRYPTO_TARGET = 'NONE'
PLATFORM = 'CW308_STM32F4'
SS_VER='SS_VER_1_1'
CRYPTO_OPTIONS='NONE'

Trace capture is configured like this:

from tqdm.notebook import trange
import numpy as np
import time

ktp = cw.ktp.Basic()
trace_array = []
textin_array = []

key, text = ktp.next()

target.set_key(key)

N = 50#2500
for i in trange(N, desc='Capturing traces'):
    reboot_flush()
    scope.arm()
    
    target.simpleserial_write('p', text)
    
    ret = scope.capture()
    if ret:
        print("Target timed out!")
        continue
    
    response = target.simpleserial_read('r', 16)
    
    trace_array.append(scope.get_last_trace())
    textin_array.append(text)
    
    key, text = ktp.next()

Could someone help me out with this? I feel like the simpleserial communication is configured wrong, but I’m not sure what key size I should use exactly in order to capture traces correctly.
Or maybe the key size parameter can be somehow skipped entirely?
I’ve read the docs but couldn’t figure it out myself.

TIA

Alex_Dewar · February 14, 2025, 3:18pm

Hi,

If you don’t need to send the target a key, you don’t have to. We usually do for AES for some visual representation stuff, but it’s not necessary for that attack either. There might be something else wrong here though, as you’re rebooting the target before sending the p command and that doesn’t seem to work. Maybe try adding a larger delay between resetting the target and sending the p command?

Alex