Where can I modify the AES algorithm that is loaded in the CW303 (XMEGA)?

Hello, I’m quite new in this area and I don’t find the file of the AES algorithm. I have a CWLite and a CW303 target. I want to modify the algorithm to see how some countermeasures work. (I’m using V4.)

Also I have another question: in all the papers that I read and the introduction video to SCA by Colin O’Flynn, they always attack after the SubBytes function. My question is, why exactly this point? Why not after the first AddRoundKey?

If anyone can guide me on these two topics, it would be great!
Thank you very much in advance.

Hi Nicholas,

You’ll find the AES implementations in chipwhisperer/hardware/victims/firmware/crypto (avrcryptolib, mbedtls, etc.). tiny-AES128-C is probably the best one to look at since it’s a straight 8-bit C implementation, while avrcryptolib I believe has some AVR assembly optimizations, and mbedtls has some 32-bit specific optimizations (covered in PA_CPA_5).

About correlation attacks themselves, there’s actually a bunch of different points you could attack, especially in a software AES implementation. The SubBytes function is just a convenient place to attack because it gives you the original key (instead of a final round key, for example) and it doesn’t have any MixColumn operations between the plaintext (or ciphertext, depending on which way you’re going) and the point you’re attacking.

Hope that helps,



Thanks for the answer!!

Well, attacking the first AddRoundKey would also give you the master key (= 0th round key). IMO it is more about targeting a non-linear operation (S-box) instead of a linear one (XOR). That usually gives better correlation results.

Also, if you target the first AddRoundKey due to the linearity of the XOR the results will come in pairs - a certain byte value candidate will lead to a certain correlation, and the complement of this byte will give the same correlation but negative (good exercise to prove why this holds). So even if your attack is successful you will inevitably end up with a small brute-force to decide between the two byte value candidates which end up at the first shared place. But the brute-force is small, so this is just a detail.
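The pairing described above can be reproduced in simulation. This is an added example, not code from the thread or from ChipWhisperer: it builds the AES S-box with the standard generator-based construction, generates constructed Hamming-weight-plus-noise traces for one key byte (0x2B, an arbitrary choice), and runs a byte-wise CPA against both the AddRoundKey output and the SubBytes output. Because HW(x ^ 0xFF) = 8 - HW(x), the hypothesis for the complement guess is an exact mirror of the hypothesis for the true key, so the XOR target yields two candidates with correlation of equal magnitude and opposite sign, while the S-box target yields a single peak.

```python
import math
import random

def make_sbox():
    """AES S-box via the multiply-by-3 / divide-by-3 generator walk of GF(2^8)."""
    sbox, p, q = [0x63] + [0] * 255, 1, 1
    rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF       # q /= 3
        q ^= 0x09 if q & 0x80 else 0                           # q == 1/p
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = make_sbox()
HW = [bin(i).count("1") for i in range(256)]  # Hamming-weight leakage model

def ark(p, k):       # intermediate after the first AddRoundKey
    return p ^ k

def sbox_out(p, k):  # intermediate after the first-round SubBytes
    return SBOX[p ^ k]

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)

def simulate(key, n, model, seed=1):
    """Constructed traces: HW of the chosen intermediate plus Gaussian noise."""
    rng = random.Random(seed)
    pts = [rng.randrange(256) for _ in range(n)]
    return pts, [HW[model(p, key)] + rng.gauss(0, 1.0) for p in pts]

def cpa(pts, leak, model):
    """Correlation of every key-byte guess 0..255 with the leakage."""
    return [pearson([HW[model(p, g)] for p in pts], leak) for g in range(256)]

def ranked(corrs):
    """Guesses by |correlation|, strongest first (the sign is unknown in practice)."""
    return sorted(range(256), key=lambda g: -abs(corrs[g]))

if __name__ == "__main__":
    key = 0x2B  # constructed key byte
    for name, model in (("AddRoundKey", ark), ("SubBytes", sbox_out)):
        pts, leak = simulate(key, 500, model)
        c = cpa(pts, leak, model)
        print(name, [f"{g:#04x}: {c[g]:+.3f}" for g in ranked(c)[:3]])
```

For the AddRoundKey target the top two entries are 0x2b and 0xd4 with mirrored correlations, which is the two-candidate ambiguity the post refers to; for the SubBytes target only 0x2b stands out.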


Thanks!! I still had a doubt about the first AddRoundKey.