DPA contests home

Introduction

AES-256 RSM (v4)

AES-128 RSM (v4.2)

Tools

Participate

Frequently Asked Questions

Acknowledgments

AES-256 RSM Reference Traces

Introduction

A reference acquisition campaign has been performed during June and July 2013 in the security laboratory the Digital Electronic Systems research group of the Télécom ParisTech french University. The AES-256 RSM was implemented on an ATMega-163 smart-card connected to a SASEBO-W board.

This reference acquisition campaign contains 100,000 traces. All the traces correspond to an encryption operation using the same encryption key (unlike the DPA contest v2).

Due to the very long duration of an encryption operation on the smart-card (the AES has been coded in C and not in assembly language), the traces only cover the first round and the beginning of the second round of the AES.

Download

To test your attack, you will need to download both the index file and some traces (you do not have to download all the traces).

Index file

The index file contains the key, plaintexts, ciphertexts and offsets used for each traces.

Traces

To allow participants not to download the full set of traces, the campaign is divided into 10 subsets of 10,000 traces each. Each subset is a 2.0 GBytes ZIP archive.

Update (September 2014): As the AES-256 RSM implementation was broken using only a few traces, and to free some disk space on our server, traces #40,000 to #99,999 are no longer directly available on our website. If you need them, just send a mail to contact@dpacontest.org.

You can check the integrity of the files after download with these SHA1sums:

e858af4dd6d662e41ce0c6dea02ec9eb6036c954  DPA_contestv4_rsm_00000.zip
620e02848d592cc3f93d96d53d1b4490afe74684  DPA_contestv4_rsm_10000.zip
b59c7cc1f395879c6a2cc68098615fd8fc5f373b  DPA_contestv4_rsm_20000.zip
cdbde49c4fd4482fecac731120a249bd59389309  DPA_contestv4_rsm_30000.zip
0574464273a1e382c1d282bca72f6740a924a6d5  DPA_contestv4_rsm_40000.zip
d6d95c46e90bce86bb043242062b28305eb23eb8  DPA_contestv4_rsm_50000.zip
979a8039b6f382bdefeaa6dbc2c493d202f92163  DPA_contestv4_rsm_60000.zip
66797d0f49d808c739183e2580df750b78238b41  DPA_contestv4_rsm_70000.zip
9cd564506907555db037b3a3661191d4b55225ea  DPA_contestv4_rsm_80000.zip
f37e7e08561b69c41000e36773e696b52dfd7b90  DPA_contestv4_rsm_90000.zip

Format of the traces and index file

Index file

Each line of the index file contains the information about a trace.

Example:

6cecc67f287d083deb8766f0738b36cf164ed9b246951090869d08285d2e193b 448ff4f8eae2cea393553e15fd00eca1 f71e9995e754e9f711b4027106a72788 8 00000 Z1Trace00000.trc.bz2

On each line, the information are separated by a space:

Traces

Each trace subset ZIP archive contains 10,000 traces that decompress into a subdirectory of directory DPA_contestv4_rsm (in order to allow participants to only download a part of the campaign and to limit the number of files inside the same directory):

DPA_contestv4_rsm
|-00000
| |- Z1Trace00000.trc.bz2
| |- Z1Trace00001.trc.bz2
| |...
|
|-10000
| |- Z1Trace10000.trc.bz2
| |- Z1Trace10001.trc.bz2
| |...
|
|-20000
...

In order to limit its size, each file is compressed with bzip2. You can uncompressed them but it is not necessary as the tools we provide can manipulate compressed traces.

Each file Z1Tracexxxxx.trc.bz2 contains a single trace coded using the LeCroy Digital Oscilloscope format template 2.3.

Short version: After the first 357 bytes of the file (headers), there are 435,002 bytes which represent the 435,002 samples of the trace, the value (between -128 and +127) of each sample is coded on 1 byte (8 bit two's complement, i.e. signed value).

Complete version: The trace header starts with the string WAVEDESC. All the offsets in the table below are relative to the first character of this string. Some bytes (11 in the case of the traces of the DPA contest v4) precede this string and should not be taken into account. The table below describes the important fields of the headers of a trace.

Offset (in byte)
Relative to beginning of
WAVEDESC string		 Name Type Description Typical values for provided traces
0 Descriptor Name Null terminated string The first 8 chars are always "WAVEDESC" WAVEDESC
16 Template Name Null terminated string LECROY_2_3
32 Comm Type 16-bit data Format of data samples (0: byte (8-bit signed values), 1: word (16-bit signed values)) 0
34 Comm Order 16-bit data Format of data samples (0: MSB first, 1: LSB first) 1
36 Wave Descriptor 32-bit signed data Length in bytes of the block WAVEDESC 346
40 User Text 32-bit signed data Length in bytes of the block USERTEXT 0
44 Res Desc1 32-bit signed data Length in bytes of the block RES_DESC1 0
48 TrigTime Array 32-bit signed data Length in bytes of the TRIGTIME array 0
52 Ris Time Array 32-bit signed data Length in bytes of the RIS_TIME array 0
56 Res Array 1 32-bit signed data 0
60 Wave Array 1 32-bit signed data Length in bytes of the 1st data array 435,002
64 Wave Array 2 32-bit signed data Length in bytes of the 2nd data array 0
76 Instrument Name Null terminated string Name of the instrument LECROYWR6100A
116 Wave Array Count 32-bit signed data Number of data points (samples) in the data array 435,002
124 First Valid Point 32-bit signed data Number of points to skip before first good point 0
128 Last Valid Point 32-bit signed data Index of last good data point 435,001
172 Nominal Bits 16-bit signed data Intrinsic precision of the observation 8 bits