Using Tutorial B6 script to obtain 14th Round Key in A5 Tut.

Hi There

I was wondering is it possible to use the same principle and code used in tutorial B6 to carry out a CPA on the 14th round key in the A5 tutorial?
I have used the code and the traces provided by the aes256_round1413_key0_100.cwp file. I set the numtraces to 99 and ran the script. However, the first byte I received was “e7” but according to the A5 tutorial the first byte is “ea”. Also, depending on the numtraces, the output changes, and the aes256_round1413_key0_100.cwp file only has 100 traces. Does this mean having more traces is better? If so, roughly how many traces would I require?

Thanks in advance.

It’s totally possible to do this. After all, you ran an automated attack in tutorial A5, so you can definitely reproduce the attack that our software is running :slight_smile:

What you coded in B6 won’t work out of the box, though. The problem is that you’re calculating

intermediate = SubBytes(AddRoundKey(textin, key))

but the real intermediate value we’re interested in for AES256 decryption is

intermediate = InvSubBytes(InvShiftRows(AddRoundKey(textin, key)))

These are different, so if you run an attack searching for the first intermediate value, you won’t find anything - the attack will just print random keys, and adding more traces will swap everything around. However, you can just change your script to use the correct intermediate value and things should Just Work ™.

By the way - the InvShiftRows step doesn’t modify the bytes in the AES state. It just swaps them around. This means that you don’t even need to add it in your attack script - all of the byte values will still be there ready for your CPA attack.
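
As an added illustration of the answer above (not code from the tutorials or from the ChipWhisperer software), this sketch runs a one-byte CPA on constructed, simulated leakage and compares the B6 SubBytes model with the InvSubBytes model. The single-sample Hamming-weight leakage, the noise level, the trace count and all function names are assumptions; 0xea is the first key byte quoted in the question.

```python
import random

def _gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

# Build the AES S-box (field inverse followed by the affine map), then invert it.
SBOX = []
for x in range(256):
    inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
    SBOX.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
INV_SBOX = [SBOX.index(v) for v in range(256)]
HW = [bin(v).count("1") for v in range(256)]

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(xs, ys))
    vx, vy = sum((a - mx) ** 2 for a in xs), sum((b - my) ** 2 for b in ys)
    return cov / (vx * vy) ** 0.5

def cpa_byte(textin, leak, table):
    """Return (best key guess, |correlation|) for one byte under HW(table[t ^ guess])."""
    scores = [abs(pearson([HW[table[t ^ g]] for t in textin], leak)) for g in range(256)]
    best = max(range(256), key=scores.__getitem__)
    return best, scores[best]

def simulate(key_byte, n, noise, seed=1):
    """Constructed data: one leakage sample per trace from the first decryption round."""
    rng = random.Random(seed)
    textin = [rng.randrange(256) for _ in range(n)]
    # InvShiftRows only relocates the byte, so the per-byte model omits it.
    leak = [HW[INV_SBOX[t ^ key_byte]] + rng.gauss(0, noise) for t in textin]
    return textin, leak

def compare_models(key_byte=0xEA, n=500, noise=1.0):
    textin, leak = simulate(key_byte, n, noise)
    return cpa_byte(textin, leak, SBOX), cpa_byte(textin, leak, INV_SBOX)

if __name__ == "__main__":
    print(compare_models())  # ((guess, corr) for SubBytes, (guess, corr) for InvSubBytes)
```

The correlation peak under the InvSubBytes model stands well clear of every guess under the SubBytes model, which is why the mismatched model keeps returning different key bytes as the trace count changes.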

Thank you very much for your advice :smiley:
I’ve changed the S-box and used the script and was able to obtain correct 14th key.