DPA contest v4

DPA contests home

Introduction

AES-256 RSM (v4)

• Documentation
• Reference traces
• Hall of Fame

AES-128 RSM (v4.2)

• Documentation
• Reference traces
• Hall of Fame

Tools

Participate

Frequently Asked Questions

Acknowledgments

Frequently Asked Questions

About the Contest

How to mention or cite the ``DPA contest v4'' in a publication?

Use the permanent link https://dpacontest.telecom-paris.fr, and this reference if you refer to the improvements in the version 4.2 of this contest.

Traces

How to read the traces provided on the website?

The traces we provide on our website, for instance for the AES-256 RSM reference acquisition campaign, can not directly be opened by a simple text editor because they are not stored in a human-readable format. But it is not a problem as the wrapper (available for download here) knows how to process them and give them one by one, in a decoded format, to your attack.

However, if you want to process by yourself the traces, their format is describe on the website (for AES-256 RSM traces). To help you, we provide a tool named traces2text (which is part of the wrapper available for download here) which convert a trace into a human-readable file (text file with one sample per line).

AES

How subkeys are numbered?

The subkey used during the first AddRoundKey operation of the AES is numbered 0 (in fact, this subkey is the first 128 bits of the main encryption key). The last subkey for an AES-128 is numbered 10 (it is used in the 11th AddRoundKey operation). The last subkey for an AES-256 is numbered 14 (it is used in the 14th AddRoundKey operation).

AES-256 RSM

The target is an AES-256 but only the first round is provided

We have chosen, for this first implementation proposed in the DPA contest v4 (there will be other implementations later), to provide participants with traces that only cover the first round mainly because of the size of the traces (400 kB / trace uncompressed, and as it is a protected implementation, we have to provide a lot of traces...).

So, the submissions will be evaluated only on their capability to recover the 128 bits of the first subkey and not the 256 bits of the main key. Unfortunately, this prevents attacks from verifying that the key they found is correct by checking with the plaintexts and the ciphertexts we provide, and from performing some exhaustive searches on some bits.

To overcome this problem, we allow participants to store the last 128 bits of the key in their attack to be able to check if the guessed key is correct. When an attack is submitted, it is evaluated with traces from another key, so, if you store a part of the key in the attack, you have to tell us so we can replace it in the source code with the part of the key we use for evaluation.

However, for participants wishing to take up the challenge, the manipulation of all the 256 bits of the key appears on the traces who provide, as they cover at least the following operations of the beginning of the AES:

• AddRoundKey with the first subkey (the 16 first bytes of the 256 bits key)
• and the first complete round:
  • SubBytes
  • ShiftRows
  • MixColumns
  • AddRoundKey with the second subkey (the 16 remaining bytes of the 256 bits key)

If you have a question that is not listed here, do not hesitate to send a mail to contact@dpacontest.org, we will make our best to help you.

/ Twitter account: DPAContest / Announcement mailing list