AES-256 RSM Reference Traces

Introduction

A reference acquisition campaign has been performed during June and July 2013 in the security laboratory the Digital Electronic Systems research group of the Télécom ParisTech french University. The AES-256 RSM was implemented on an ATMega-163 smart-card connected to a SASEBO-W board.

This reference acquisition campaign contains 100,000 traces. All the traces correspond to an encryption operation using the same encryption key (unlike the DPA contest v2).

Due to the very long duration of an encryption operation on the smart-card (the AES has been coded in C and not in assembly language), the traces only cover the first round and the beginning of the second round of the AES.

Download

To test your attack, you will need to download both the index file and some traces (you do not have to download all the traces).

Index file

The index file contains the key, plaintexts, ciphertexts and offsets used for each traces.

Index file (dpav4_rsm_index) 15 MB

Traces

To allow participants not to download the full set of traces, the campaign is divided into 10 subsets of 10,000 traces each. Each subset is a 2.0 GBytes ZIP archive.

You can check the integrity of the files after download with these SHA1sums:

e858af4dd6d662e41ce0c6dea02ec9eb6036c954  DPA_contestv4_rsm_00000.zip
620e02848d592cc3f93d96d53d1b4490afe74684  DPA_contestv4_rsm_10000.zip
b59c7cc1f395879c6a2cc68098615fd8fc5f373b  DPA_contestv4_rsm_20000.zip
cdbde49c4fd4482fecac731120a249bd59389309  DPA_contestv4_rsm_30000.zip
0574464273a1e382c1d282bca72f6740a924a6d5  DPA_contestv4_rsm_40000.zip
d6d95c46e90bce86bb043242062b28305eb23eb8  DPA_contestv4_rsm_50000.zip
979a8039b6f382bdefeaa6dbc2c493d202f92163  DPA_contestv4_rsm_60000.zip
66797d0f49d808c739183e2580df750b78238b41  DPA_contestv4_rsm_70000.zip
9cd564506907555db037b3a3661191d4b55225ea  DPA_contestv4_rsm_80000.zip
f37e7e08561b69c41000e36773e696b52dfd7b90  DPA_contestv4_rsm_90000.zip

Format of the traces and index file

Index file

Each line of the index file contains the information about a trace.

Example:

6cecc67f287d083deb8766f0738b36cf164ed9b246951090869d08285d2e193b 448ff4f8eae2cea393553e15fd00eca1 f71e9995e754e9f711b4027106a72788 8 00000 Z1Trace00000.trc.bz2

On each line, the information are separated by a space:

1st column: the AES-256 key (256 bits represented as 64 hexadecimal digits)
2nd column: the plaintext (128 bits represented as 32 hexadecimal digits)
3rd column: the ciphertext (128 bits represented as 32 hexadecimal digits)
4th column: the offset (see the AES-256 RSM specifications, 0-15 represented as 1 hexadecimal digit)
5th column: the name of the directory (below the top-level directory DPA_contestv4_rsm) where the trace is stored
6th column: the name of the trace

Traces

Each trace subset ZIP archive contains 10,000 traces that decompress into a subdirectory of directory DPA_contestv4_rsm (in order to allow participants to only download a part of the campaign and to limit the number of files inside the same directory):

DPA_contestv4_rsm
|-00000
| |- Z1Trace00000.trc.bz2
| |- Z1Trace00001.trc.bz2
| |...
|
|-10000
| |- Z1Trace10000.trc.bz2
| |- Z1Trace10001.trc.bz2
| |...
|
|-20000
...

In order to limit its size, each file is compressed with bzip2. You can uncompressed them but it is not necessary as the tools we provide can manipulate compressed traces.

Each file Z1Tracexxxxx.trc.bz2 contains a single trace coded using the LeCroy Digital Oscilloscope format template 2.3.

Short version: After the first 357 bytes of the file (headers), there are 435,002 bytes which represent the 435,002 samples of the trace, the value (between -128 and +127) of each sample is coded on 1 byte (8 bit two's complement, i.e. signed value).

Complete version: The trace header starts with the string WAVEDESC. All the offsets in the table below are relative to the first character of this string. Some bytes (11 in the case of the traces of the DPA contest v4) precede this string and should not be taken into account. The table below describes the important fields of the headers of a trace.

Offset (in byte) Relative to beginning of WAVEDESC string	Name	Type	Description	Typical values for provided traces
0	Descriptor Name	Null terminated string	The first 8 chars are always "WAVEDESC"	WAVEDESC
16	Template Name	Null terminated string		LECROY_2_3
32	Comm Type	16-bit data	Format of data samples (0: byte (8-bit signed values), 1: word (16-bit signed values))	0
34	Comm Order	16-bit data	Format of data samples (0: MSB first, 1: LSB first)	1
36	Wave Descriptor	32-bit signed data	Length in bytes of the block WAVEDESC	346
40	User Text	32-bit signed data	Length in bytes of the block USERTEXT	0
44	Res Desc1	32-bit signed data	Length in bytes of the block RES_DESC1	0
48	TrigTime Array	32-bit signed data	Length in bytes of the TRIGTIME array	0
52	Ris Time Array	32-bit signed data	Length in bytes of the RIS_TIME array	0
56	Res Array 1	32-bit signed data		0
60	Wave Array 1	32-bit signed data	Length in bytes of the 1st data array	435,002
64	Wave Array 2	32-bit signed data	Length in bytes of the 2nd data array	0
76	Instrument Name	Null terminated string	Name of the instrument	LECROYWR6100A
116	Wave Array Count	32-bit signed data	Number of data points (samples) in the data array	435,002
124	First Valid Point	32-bit signed data	Number of points to skip before first good point	0
128	Last Valid Point	32-bit signed data	Index of last good data point	435,001
172	Nominal Bits	16-bit signed data	Intrinsic precision of the observation	8 bits