DPA contests home

Introduction

AES-256 RSM (v4)

AES-128 RSM (v4.2)

Tools

Participate

Frequently Asked Questions

Acknowledgments

AES-256 RSM Reference Traces

Introduction

A reference acquisition campaign has been performed during June and July 2013 in the security laboratory the Digital Electronic Systems research group of the Télécom ParisTech french University. The AES-256 RSM was implemented on an ATMega-163 smart-card connected to a SASEBO-W board.

This reference acquisition campaign contains 100,000 traces. All the traces correspond to an encryption operation using the same encryption key (unlike the DPA contest v2).

Due to the very long duration of an encryption operation on the smart-card (the AES has been coded in C and not in assembly language), the traces only cover the first round and the beginning of the second round of the AES.

Download

To test your attack, you will need to download both the index file and some traces (you do not have to download all the traces).

Index file

The index file contains the key, plaintexts, ciphertexts and offsets used for each traces.

Traces

To allow participants not to download the full set of traces, the campaign is divided into 20 subsets of 10,000 traces each. Each subset is a 1.1 GBytes ZIP archive.

You can check the integrity of the files after download with these SHA1sums:

345ff4434e755c99856abc1be342b371b1fbd078  DPA_contestv4_rsm_00000_part1.zip
94e1fe6abf2f808364c02f7143246ed9b83e2f11  DPA_contestv4_rsm_00000_part2.zip
51a23d52a4422b6c164c913ffdcbb43ff2051e2d  DPA_contestv4_rsm_10000_part1.zip
ef5656238837eac274083f6f7a75b1fd494ad776  DPA_contestv4_rsm_10000_part2.zip
68d9b27c8ac0badc035fa0ee6fba0b33d1ce36c1  DPA_contestv4_rsm_20000_part1.zip
8ef4a3bb741959988b457b0f8db7ab5bfd3d6ddf  DPA_contestv4_rsm_20000_part2.zip
7238b4113775656354a2f828bde4928365c56b87  DPA_contestv4_rsm_30000_part1.zip
b8aae296dff3f90ff8c204eda29ca58ebb5c3b0b  DPA_contestv4_rsm_30000_part2.zip
cb014e6e69857cdc74ed608488a4482cd4e131a4  DPA_contestv4_rsm_40000_part1.zip
679a4e51735c80e92437188357831eb8cb7f059e  DPA_contestv4_rsm_40000_part2.zip
eea06fe65be50b76b7d4e2de96af38d4840caa35  DPA_contestv4_rsm_50000_part1.zip
6ccd1d4e58a9f7e2d7476cf444ccd3c80d52a54c  DPA_contestv4_rsm_50000_part2.zip
1e76ef44b69983246db50862f3efe592141a4461  DPA_contestv4_rsm_60000_part1.zip
bbf7a83c9ca76039b2f62a3ce20066e936201ef4  DPA_contestv4_rsm_60000_part2.zip
f99b5955a7d65fb0f03da0149e2bc101d70a6508  DPA_contestv4_rsm_70000_part1.zip
d5f3c237d9aea6eb6e017de1a396f9f2ee53b060  DPA_contestv4_rsm_70000_part2.zip
d83f9f633f14d24aab691d312bd89e7c9d0e5424  DPA_contestv4_rsm_80000_part1.zip
53e7c087187db679632fc08374acf621fb268f0b  DPA_contestv4_rsm_80000_part2.zip
cc37f5f0acdc21cb1078d7d46fd4fc869e4f5e72  DPA_contestv4_rsm_90000_part1.zip
61cdb5766ba55726cc760aa5c83f5dd9c30c5960  DPA_contestv4_rsm_90000_part2.zip

Format of the traces and index file

Index file

Each line of the index file contains the information about a trace.

Example:

6cecc67f287d083deb8766f0738b36cf164ed9b246951090869d08285d2e193b 448ff4f8eae2cea393553e15fd00eca1 f71e9995e754e9f711b4027106a72788 8 00000 Z1Trace00000.trc.bz2

On each line, the information are separated by a space:

Traces

Each trace subset ZIP archive contains 10,000 (5,000 in each _part) traces that decompress into a subdirectory of directory DPA_contestv4_rsm (in order to allow participants to only download a part of the campaign and to limit the number of files inside the same directory):

DPA_contestv4_rsm
|-00000
| |- Z1Trace00000.trc.bz2
| |- Z1Trace00001.trc.bz2
| |...
|
|-10000
| |- Z1Trace10000.trc.bz2
| |- Z1Trace10001.trc.bz2
| |...
|
|-20000
...

In order to limit its size, each file is compressed with bzip2. You can uncompressed them but it is not necessary as the tools we provide can manipulate compressed traces.

Each file Z1Tracexxxxx.trc.bz2 contains a single trace coded using the LeCroy Digital Oscilloscope format template 2.3.

Short version: After the first 357 bytes of the file (headers), there are 435,002 bytes which represent the 435,002 samples of the trace, the value (between -128 and +127) of each sample is coded on 1 byte (8 bit two's complement, i.e. signed value).

Complete version: The trace header starts with the string WAVEDESC. All the offsets in the table below are relative to the first character of this string. Some bytes (11 in the case of the traces of the DPA contest v4) precede this string and should not be taken into account. The table below describes the important fields of the headers of a trace.

Offset (in byte)
Relative to beginning of
WAVEDESC string		 Name Type Description Typical values for provided traces
0 Descriptor Name Null terminated string The first 8 chars are always "WAVEDESC" WAVEDESC
16 Template Name Null terminated string LECROY_2_3
32 Comm Type 16-bit data Format of data samples (0: byte (8-bit signed values), 1: word (16-bit signed values)) 0
34 Comm Order 16-bit data Format of data samples (0: MSB first, 1: LSB first) 1
36 Wave Descriptor 32-bit signed data Length in bytes of the block WAVEDESC 346
40 User Text 32-bit signed data Length in bytes of the block USERTEXT 0
44 Res Desc1 32-bit signed data Length in bytes of the block RES_DESC1 0
48 TrigTime Array 32-bit signed data Length in bytes of the TRIGTIME array 0
52 Ris Time Array 32-bit signed data Length in bytes of the RIS_TIME array 0
56 Res Array 1 32-bit signed data 0
60 Wave Array 1 32-bit signed data Length in bytes of the 1st data array 435,002
64 Wave Array 2 32-bit signed data Length in bytes of the 2nd data array 0
76 Instrument Name Null terminated string Name of the instrument LECROYWR6100A
116 Wave Array Count 32-bit signed data Number of data points (samples) in the data array 435,002
124 First Valid Point 32-bit signed data Number of points to skip before first good point 0
128 Last Valid Point 32-bit signed data Index of last good data point 435,001
172 Nominal Bits 16-bit signed data Intrinsic precision of the observation 8 bits