Description
Full AES-128 key recovery via Differential Power Analysis (DPA) on noisier power traces, building on PowerAnalysis Part 1. You need a larger trace corpus and additional signal processing to overcome noise and successfully recover all 16 key bytes.
Download and unzip the challenge files.
Install NumPy, SciPy, and optionally tqdm for progress tracking.
wget https://artifacts.picoctf.net/c/502/PowerAnalysis_Part2.zip && unzip PowerAnalysis_Part2.zippip3 install numpy scipy tqdmSolution
Walk me through it- Step 1Assess the noise level in the tracesPlot a few traces and compute their signal-to-noise ratio to understand how much harder this is than Part 1.python
python3 -c " import numpy as np import matplotlib.pyplot as plt traces = np.load('traces.npy') plt.plot(traces[0]); plt.title('Sample trace'); plt.show() print('SNR estimate:', traces.mean(axis=0).max() / traces.std(axis=0).max()) "Learn more
Part 2 adds significantly more noise to the simulated power traces, modeling realistic measurement conditions where electromagnetic interference, power supply fluctuations, and jitter obscure the actual computation signal. A low signal-to-noise ratio (SNR) means many more traces are needed to achieve the same confidence in the correlation.
The relationship between noise and required traces is roughly quadratic: doubling the noise standard deviation requires 4x more traces to achieve the same correlation separation. The reason is that the Pearson correlation of a noisy signal converges as
1/sqrt(N): the standard error of the sample correlation shrinks with the square root of the sample size. To keep the CPA peak detectable above the noise floor when sigma doubles, you need to shrink the standard error by half, which means quadrupling N. If Part 1 needed ~100 traces, Part 2 with 3x the noise needs roughly9 * 100 = 900traces. - Step 2Apply trace averaging and pre-processingAverage traces with the same plaintext byte value to reduce noise, and optionally apply a bandpass filter around the known POI (point of interest).python
python3 -c " import numpy as np traces = np.load('traces.npy') plaintexts = np.load('plaintexts.npy') # Average across all traces to get mean trace mean_trace = traces.mean(axis=0) # Subtract mean to center data centered = traces - mean_trace print('Pre-processing complete, shape:', centered.shape) "Learn more
Signal processing techniques can improve CPA effectiveness on noisy data:
- Per-trace centering (
traces - mean_trace) removes the DC bias and any fixed offset that every trace shares. The CPA correlation only cares about the variance that depends on the secret, so subtracting the mean trace strips out everything that is constant across the dataset and tightens the estimate. - Windowing (POI selection) reuses Part 1's findings: the time sample where the correct key byte's correlation peaked in Part 1 is the same point of interest now. Take the bandpass window (or just the index) around that sample and ignore the rest of the trace; this drastically reduces the search space for CPA and the noise it has to integrate over.
- Averaging across multiple traces for the same plaintext byte reduces random noise (assumes the signal is deterministic).
- Sum of Absolute Differences (SAD) is an alternative to Pearson correlation that can be more robust in certain noise models.
- Per-trace centering (
- Step 3Run full CPA over all 16 key bytesExecute the same correlation attack from Part 1 but with the full (larger) trace set and any pre-processing applied.python
python3 cpa_part2.pyLearn more
The fundamental attack algorithm is identical to Part 1. The improvements are quantitative (more traces) and qualitative (signal pre-processing). With enough traces, the Pearson correlation for the correct key byte will eventually dominate the correlation for all incorrect guesses, regardless of noise level - this is the statistical power of the CPA attack.
Monitor convergence by plotting the maximum correlation for each of the 256 key guesses as a function of N (the number of traces used so far). The correct key byte's line climbs steadily and plateaus at a clearly elevated peak, while the 255 incorrect guesses fluctuate near the noise floor (~
1/sqrt(N)) without ever separating. This convergence plot is the cleanest visual confirmation that you have enough traces and that your model is right; if no line breaks away from the rest after the full corpus, increase N or revisit the POI selection.See the AES for CTF guide for the round-by-round structure that the attack model assumes.
- Step 4Verify and format the recovered key as the flagDecrypt a known ciphertext with the recovered key to verify, then format the hex key as the flag.python
python3 -c " from Crypto.Cipher import AES key = bytes([<K0>, <K1>, ..., <K15>]) cipher = AES.new(key, AES.MODE_ECB) print(cipher.decrypt(bytes.fromhex('<CT>'))) print('Flag: picoCTF{' + key.hex() + '}') "Learn more
Completing Part 2 demonstrates the full power analysis attack pipeline against a realistically noisy target. In actual hardware security evaluations, researchers use oscilloscopes and current probes to capture real power traces from microcontrollers, then apply the same statistical correlation methodology to recover keys from production devices.
Countermeasures in certified products include: first-order masking (XOR intermediates with random values to break the Hamming-weight model), higher-order masking (resists DPA of any fixed order), shuffling (random byte processing order), and hardware-level noise injection. These add cost and complexity but are required for EAL5+ and FIPS 140-3 Level 3 certifications.
Flag
picoCTF{...}
This challenge was not solved during the competition. Follow the steps above to reproduce the solution.