Target timed out when trying custom program (NTT)

san9 · February 14, 2025, 12:44pm

Hey, I’ve been trying to get traces of the NTT algorithm from the Kyber PQC algorithm (source code here.
I’ve setup simpleserial SS_VER_1_1.
I’ve setup the triggers to capture power traces of when the algorithm does its work, however, it all results in the following output:

(ChipWhisperer Target WARNING|File SimpleSerial.py:447) Unexpected start to command: 
(ChipWhisperer Scope WARNING|File _OpenADCInterface.py:732) Timeout in OpenADC capture(), no trigger seen! Trigger forced, data is invalid. Status: 0b
(ChipWhisperer Scope WARNING|File _OpenADCInterface.py:732) Timeout in OpenADC capture(), no trigger seen! Trigger forced, data is invalid. Status: 08
Target timed out!

I’ve setup my communication with simpleserial the following way:

uint8_t get_pt(uint8_t* pt, uint8_t len)
{
    trigger_high();
    // Initialize the polynomial r with random coefficients
    poly *r, r_polynomial;
    r = &r_polynomial;
    for (int i = 0; i < KYBER_N; i++) {
        r->coeffs[i] = (int16_t) rand();  // Random coefficients
    }

    // Perform NTT
    ntt(r->coeffs);

    // Stop power trace capture
    trigger_low();
	/* End user-specific code here. *
	********************************/
	simpleserial_put('r', 16, pt);
	return 0x00;
}

int main(void)
{
    platform_init();
	init_uart();
	trigger_setup();

	simpleserial_init();
#if SS_VER != SS_VER_2_1
	simpleserial_addcmd('p', 16, get_pt);
#else
    simpleserial_addcmd(0x01, 16, aes);

#endif
	while(1)
		simpleserial_get();
}

My platform configuration is as follows:

SCOPETYPE = 'OPENADC'
CRYPTO_TARGET = 'NONE'
PLATFORM = 'CW308_STM32F4'
SS_VER='SS_VER_1_1'
CRYPTO_OPTIONS='NONE'

Trace capture is configured like this:

from tqdm.notebook import trange
import numpy as np
import time

ktp = cw.ktp.Basic()
trace_array = []
textin_array = []

key, text = ktp.next()

target.set_key(key)

N = 50#2500
for i in trange(N, desc='Capturing traces'):
    reboot_flush()
    scope.arm()
    
    target.simpleserial_write('p', text)
    
    ret = scope.capture()
    if ret:
        print("Target timed out!")
        continue
    
    response = target.simpleserial_read('r', 16)
    
    trace_array.append(scope.get_last_trace())
    textin_array.append(text)
    
    key, text = ktp.next()

Could someone help me out with this? I feel like the simpleserial communication is configured wrong, but I’m not sure what key size I should use exactly in order to capture traces correctly.
Or maybe the key size parameter can be somehow skipped entirely?
I’ve read the docs but couldn’t figure it out myself.

TIA

Alex_Dewar · February 14, 2025, 3:18pm

Hi,

If you don’t need to send the target a key, you don’t have to. We usually do for AES for some visual representation stuff, but it’s not necessary for that attack either. There might be something else wrong here though, as you’re rebooting the target before sending the p command and that doesn’t seem to work. Maybe try adding a larger delay between resetting the target and sending the p command?

Alex

san9 · February 24, 2025, 1:49pm

hi, thanks for your answer. it turns out my whole implementation of simpleserial was wrong, because i wasn’t sending the text correctly.

once i fix it completely, i’ll upload it here, someone might find it useful

RajaKar · February 25, 2025, 7:59pm

it would be great if you can post the way you have fixed it. Once you are done.

Thanks in Advance

wand1 · March 3, 2025, 7:49am

My friend, may I ask if you were successful? I’m having a similar problem.

san9 · March 4, 2025, 9:42am

sadly not yet, i’ve been trying a lot of different things, like resetting scope, switching to simpleserial v2.1, and yet still i’m faced with the same issue. i now suspect that the C code of ntt is wrong, maybe i missed some necessary parts when extracting ntt from the pqc implementation.

it’s all insanely hard to debug, but i’m still working on it

wand1 · March 5, 2025, 5:32am

A similar problem annoys me and seems to occur whenever I try to run Kyber code. (There’s always some function in the code that has trouble running.) At first I thought it was a random number problem, but when I used the software implementation of the random number function, the problem persisted. Recently I am trying to use debugger but I don’t know much about embedded so it is difficult for me too.
If I get anything I will contact you on the platform as well.