Side Channel Attack (SCA) on AES — Part 2

8 min readMar 4, 2024

Hello !!! after previous post I talked about introduction SCA on AES from setup environment, generate traces with simulator and do a Simple Power Analysis on AES. In this post I will tell you how to break AES key. Before we go further I will tell the short explanation about DPA and CPA. Let’s get started………

DPA and CPA

what is DPA and CPA? DPA is Differential Power Analysis, I quote it from Wikipedia:

Differential power analysis (DPA) is a side-channel attack which involves statistically analyzing power consumption measurements from a cryptosystem. The attack exploits biases varying power consumption of microprocessors or other hardware while performing operations using secret keys

by statistically analyze power consumption of hardware we can find the secret/key is used in the process. How come it's possible to analyze the power consumption? Every input we gave, it will make the hardware run the process like XOR, AND, SHIFT, OR, and etc. The register value always change due to the variation of the process.

One of the famous power leakage model used is Hamming Weight it counts number of bit 1 in intermediate state. For example you have input: 0xAB ^ 0x12 = 0xB9. If we convert 0xB9 to binary it’s equal to: 10111001, so the hamming weight of 0xB9 is 5. With this technique we can predict the secret by grouping possibility of guess bit per bit.

Different from DPA that analyze the possibility bit per bit by grouping guesses, CPA is more straight forward and more statistical. That’s why the name is CPA, Correlation Power Analysis. So we will use correlation between the real power consumption we captured from Oscilloscope (Power/Current) and power model we used in statistic (Hamming Weight). To make it simple if we do operation 0xAB ^ 0x12 = 0xB9 (HW=5) the power we captured in Oscilloscope will be moderated, and if we do operation 0xA5 ^ 0x5A = 0xFF (HW=9) the power in Oscilloscope will be very high, and if the result is 0x00 the power will be low.

Let’s say you want to find AES Key, with the same/fixed key you must give different input (plaintext) and you need to make guesses of key from 0x00 to 0xFF and find with what byte guess you get high correlation between your power model and real power consumption. If the correlation high it might be the key used in the process. Of course you will not do it manually one by one, you need some formula to do the correlation. That’s why in the CPA it used Pearson Correlation

You can find more detail about this formula in Wikipedia. I will not tell you all the detail about this. But, if you are interested to read more detail about how to use Pearson Correlation in CPA you also can read it in Chipwhisperer Wiki, this is one of the best resource to learn Side Channel Attack. Ok it’s enough for introduction I don’t want to tell too many theory because maybe it can be boring for some people 😛

CPA with Kresca Module

From previous post I already told you how to generate AES traces with the simulator and save it in Eshard Tracesheader set (ETS). And now we will use the traces again to attack the real key of AES. Before we go further don’t forget to activate your SCA virutal environment. After that, open this file from my github repository

kresca → Example → AES → AES Attack.ipynb

Import Library and Plot Traces

Run the cell to import some needed library and kresca module. Import the traces from previous post “TinyAES_1k.ets” and see the content of traces: 1000 sample traces with 3 metadatas (plaintext, key, and ciphertext).

if you want to plot inline in your notebook, put extra parameter “inline=True” otherwise it will generate new window dedicated for the curve only.

Make Selection Functions

To do CPA in AES, we must choose good intermediate area to retrieve the master key. There are several popular intermediate area in AES:

First Add Round Key → Plaintext^Key
First Sub Bytes → Sbox[Plaintext^Key]
Last Add Round Key → Ciphertext^Key
Last Sub Bytes → Sbox[Ciphertext^Key]

First means we use key from first round, last means we use last key schedule from the last round (Ex. 10th round AES-128). There are another intermediate function like Mix Column Attack or Delta R Last, but I will not explain it in this post. You also must guess where is the first or last area to get the leakage, that’s why SPA is the important process before you go to the CPA.

In the add round key you will find the correlation between hamming weight of addroundkey plaintext/ciphertext ^ key with the real measurement (Power/EM) in the real product. In this case, your real measurements comes from simulator result. In Sub bytes intermediate function you put the plaintext/ciphetext ^ Key to the Sbox first. It’s better to choose non-linear intermediate function which is go into the Substation Box first, So if the correlation happen between the guess model and the real product it will only have 1 possibility outcome. If we use linear function like add round key, due to hamming Weight model, the guess input from 0–255 can get more similar Hamming Weight (0~8) value.

In the Kresca Module, I used existing eShard scared selection function. You can just use it or later you can create your own customize selection function for others algorithm.

Let’s construct the selection function into 1 list. Then later we can just run it with single shot to get all the result without doing it one bye one.

Make and Run Attack Object

After we made selection functions, We need to make an attack object. First, you need to used NonProfileAttack object. The simplest things you need to give to this object are traces file and the selection function list. After that, you can just call run and it will run all of your selection functions in one shot.

*(You might not get the loading bar below, because I already put the extra library in scared to give loading bar in run process, but trust me the rest is same)

Actually in NonProfileAttack object you can give more optional parameter other than this two, you can see in this image bellow

distinguisher → is how you compute the CPA, default use CPA means used Pearson Correlation formula
model → is the model type to guess the intermediate function, default used Hamming Weight model
discriminant → is how you make a ‘rank/score’ from your computation result (your correlation positive/negative)
frame → is to select the specific point from your traces, you can put specific point by use range(X, Y) to this parameter.
preprocess → preprocess method for the traces. You can use it if you want to do something to your traces before you use it for computation (Ex. filter, standardize, product between point, etc.) We can use preprocess to do second order attack

You can find more detail about this parameter in eShard scared documentation.

After you finished to run the attack object you can just run the report. It will give you all the score report for all your selection functions.

You also can run show_result() to see the plot of your leakage. Left plot shows where the leakage is, x-axis show sample points and y-axis is the correlation score. Right plot shows convergence scores where x-axis shows how many traces you need and y-axis shows the the correlation scores itself. The more traces you used the more confident score you will get.

You can see in the first add round key, guess 0x00 and 0xFF have high correlation. However, the correlation is the opposite. It means if you use linear intermediate function there is a chance you will have more then 1 guess which has similar correlation. If you only have 2 guesses with high correlation and the correlation is opposite, you can change the discriminant in previous parameter to nanmax (default maxabs), then you will just count the guess with the positive correlation as the highest rank.

Contrast with the first add round key, the first sub bytes only has 1 guess with the high correlation score. With this result in the real world (where you don’t know what the real key is) you can confident enough with your guess as the real key. That’s why non-linear intermediate function is better, whatever input you give to the function, the correlation is always consistent to 1 guess.

You can see from the last round both add round key and sub bytes have same behavior with the first round. So you can choose to attack first or last round, it depends on situation. If you are attacking the first round you can use the key as a master key directly. But, if you are attacking the last round to get the master key, you need to do a reverse key schedule to get the master key.

Huala it’s done you already can get the AES Key !!!! FYI in the mobile SIM Card, one of the most popular algorithm for authentication is Milenage. And you know what? Milenage Algorithm is based on AES !!!! So with this knowledge you can get the secret of every SIM Card and clone it 😃 But of course the good SIM Card company will protect it with anti Side Channel Attack Right 😛 But don’t worry there will be another company who don’t know about this and you can try it there😆

— Still Stay Tuned And Wait For The Next Post Thank You !!! —