4

I am trying to implement the correlation power analysis attack. I have a hardware AES for which I found a trigger which defines the start of the AES calculations. After that I performed an EM curves acquisition.

It is the first time that I have some traces so I have some questions about my trace:

  1. According to my trace, the x-axis is the time and the y-axis is the energy consumption. Is there any software that helps me to plot my trace more clearly and make them more comprehensive?

  2. It is clear that I have some noise in my trace. So how to avoid that noise? which type of filter must do? Must I use a low pass filter or a high pass filter, I need to see my 10 rounds clearly to analyse? What are the steps that I must take?

  3. Why there are an important possibility to make our attack in the first and last round of the AES?

  4. Some explanation about CPA:'We can use the Hamming Distance model in our CPA attacks. If we can find a point in the encryption algorithm where the victim changes a variable from x to y, then we can estimate that the power consumption is proportional to Hamming Distance(x, y)' I really don't understand the relation between the CPA and the hamming distance. Can anybody explain?

  5. Is there any software that helps me to make my CPA, given my curves?

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
nani92
  • 133
  • 1
  • 8

1 Answers1

3

Answer to the 1st and 5th question :

For the CHES 2016 (Cryptographic Hardware and Embedded Systems), a video has been made to explain how to perform a CPA. There is a wiki associated to the video and the code of the attack is available on it.

Answer to the 2nd question :

For a CPA, you don't need to use a filter : increase the number of measure (number of AES that you perform) should be enough to find the key. Furthemore, you only need to see the round that you attack to find the key.

Answer to the 3rd question :

You can find the answer on the topic of crypto stack exchange named "What is the difference between perfoming Correlation Power Analysis (CPA) in the first AES round and doing it in the last round?".

Answer to the 4th question :

The Hamming weight model is a basic power model which is based on the assumption that the amount of power consumed is proportional to the number of bits that are logic '1' during an operation. Typically, if you initialize a variable to the value of Sbox[x ^ y], the consumption used will be correlated to the number of bytes set to 1 in this value. For more information about it, see the .pdf available online : "Differential Power Analysis attacks on AES" from Kevin Meritt.

Mike Edward Moras
  • 18,161
  • 12
  • 87
  • 240
kingsjester
  • 161
  • 3
  • 9