Understanding AES 256 traces for CPA attack on CW305

I am trying a CPA attack on AES-256 and using the CW305 FPGA target board. For AES-256, I am using the code provided by ChipWhisperer. The power trace for one encryption appears as below:

In the above probing:

  • target frequency = 5MHz
  • scope.adc.sample = 1000

My questions are:

  1. In the above waveform, where are the 14 rounds of operations, in zone 1 (red) or zone 2 (blue)? I count 14 spikes in the red-marked zone 1.

  2. I tried to use the default CPA attack provided in the AES-128 demo notebook. I am using my custom key as follows:

knownkey = [0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
            0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11]  # 32 bytes = 256-bit key

key = bytes(knownkey)

and text as usual from _, text = ktp.next().

After probing some traces and saving them as a project, when I run the attack using attack_results = attack.run(cb), it shows the error IndexError: list index out of range, like the following:

Knowing the issue is the key, how can I make it work for 256-bit keys? Are there any default options in the ChipWhisperer analyzer for 256-bit keys, or do I need to use a custom CPA tool?

  3. In the definition of ktp, I did not find a way to generate 256-bit keys. If there is a way to do it using ktp, please let me know.

  1. Almost certainly in zone 1.
    ChipWhisperer can help you figure that out: assuming that the trigger is raised at the start of the encryption and lowered at the end, then scope.adc.trig_count will tell you how many clock cycles (of the ADC sampling clock) the trigger was seen to be high during the capture. If scope.adc.presamples = 0 and scope.adc.offset = 0, then the target is active from sample 0 onwards. If not, adjust accordingly (e.g. if presamples = X, then the target is active from sample X onwards; offset moves it in the other direction).

  2. To extend the attack to AES-256, we have some hints in this notebook.

import chipwhisperer as cw
ktp = cw.ktp.Basic()
ktp.key_len = 32        # 32-byte (256-bit) keys instead of the 16-byte default
ktp.fixed_key = False   # allow next() to draw a fresh random key...
ktp.next()              # ...draw one key/text pair now...
ktp.fixed_key = True    # ...and keep that key fixed for the rest of the capture
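The reason the AES-128 notebook's attack cannot give you more than 16 key bytes, and the two-stage structure that the hints above point to, as an added example (my own pure-Python code, not part of this answer and not ChipWhisperer's code): in AES-256 round key 0 is key[0:16] and round key 1 is key[16:32], so a CPA on the first-round S-box output can only ever recover the first half. The second half has to be attacked at the second round's S-box, using the recovered first half to compute each trace's round-1 output. Leakage here is constructed (Hamming weight of each S-box output plus Gaussian noise, one sample per byte, 16 samples per round); all function names are my own, and the FIPS-197 test vector used below is the standard one.

```python
"""Two-stage CPA on simulated AES-256 leakage (added example; pure Python, no ChipWhisperer)."""
import random

def _build_sbox():
    """Generate the AES S-box from GF(2^8) arithmetic instead of typing in the table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)   # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                                            # q /= 3 (q is p's inverse)
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)        # affine map: XOR of rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]            # Hamming-weight leakage model

def _xtime(b):
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _mix_column(a0, a1, a2, a3):
    return [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
            a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
            a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
            _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]

def round1_mix_output(pt, k0):
    """AddRoundKey(k0) -> SubBytes -> ShiftRows -> MixColumns: the state just before
    the second round key (key[16:32] for AES-256) is XORed in."""
    s = [SBOX[p ^ k] for p, k in zip(pt, k0)]
    s = [s[4 * ((i // 4 + i % 4) % 4) + i % 4] for i in range(16)]   # ShiftRows, column-major state
    out = []
    for c in range(4):
        out += _mix_column(*s[4 * c:4 * c + 4])
    return out

def simulate_trace(pt, key, rng, noise=1.0):
    """Constructed leakage: 32 samples, HW of the round-1 then the round-2 S-box outputs."""
    r1 = [SBOX[p ^ k] for p, k in zip(pt, key[:16])]
    r2 = [SBOX[m ^ k] for m, k in zip(round1_mix_output(pt, key[:16]), key[16:])]
    return [HW[v] + rng.gauss(0.0, noise) for v in r1 + r2]

def recover_key_byte(samples, inputs):
    """CPA for one key byte: the guess whose HW(SBOX[input ^ guess]) model has the
    highest absolute Pearson correlation with the measured samples."""
    n = len(samples)
    ms = sum(samples) / n
    cs = [s - ms for s in samples]
    vs = sum(c * c for c in cs)
    best_guess, best_r = 0, -1.0
    for guess in range(256):
        model = [HW[SBOX[x ^ guess]] for x in inputs]
        mm = sum(model) / n
        cm = [m - mm for m in model]
        vm = sum(c * c for c in cm)
        if vm == 0:
            continue
        r = abs(sum(a * b for a, b in zip(cs, cm)) / (vs * vm) ** 0.5)
        if r > best_r:
            best_guess, best_r = guess, r
    return best_guess

def two_stage_cpa(pts, traces):
    """Stage 1 recovers key[0:16] from round-1 leakage (all the AES-128 attack does);
    stage 2 uses that half to compute each trace's round-2 S-box inputs and recovers key[16:32]."""
    k0 = [recover_key_byte([t[b] for t in traces], [p[b] for p in pts]) for b in range(16)]
    mix = [round1_mix_output(p, k0) for p in pts]
    k1 = [recover_key_byte([t[16 + b] for t in traces], [m[b] for m in mix]) for b in range(16)]
    return k0 + k1

def demo(key, n_traces=120, seed=1):
    """Capture n_traces simulated traces with random plaintexts and run both stages."""
    rng = random.Random(seed)
    pts = [[rng.randrange(256) for _ in range(16)] for _ in range(n_traces)]
    traces = [simulate_trace(pt, key, rng) for pt in pts]
    return two_stage_cpa(pts, traces)

if __name__ == "__main__":
    key = [0x11] * 32    # the 256-bit key used in the question
    print("recovered:", bytes(demo(key)).hex())
```

On real CW305 traces the stage-2 leakage sits later in time than stage 1 (the second round's S-box), so in the ChipWhisperer analyzer this corresponds to running a second attack whose leakage model derives the round-2 S-box input from the plaintext and the already-recovered key[0:16]; the 16-byte IndexError goes away once the known key handed to the analyzer matches the 16 bytes that each stage actually targets.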

Thank you @jpthibault for your explanation. I have found scope.adc.trig_count = 44 for one trace where I have taken 170 samples. For 170 samples, does it mean the 14 rounds have ended at (170/44) * 14 (14 = number of rounds) = 54th sample? Please correct me if I have not understood properly.

No, it’s more simple than that. The number of samples that you choose to capture (scope.adc.samples) is independent from the duration of the target operation – you may choose to set scope.adc.samples to equal the target operation duration, but you do not have to.

Here, scope.adc.trig_count = 44 means that the target trigger line went low after the 44th ADC sample – simple as that.
