ESP32-C6 Leakage Assessment

Overview

The method used here aims at assessing the leakage of the ESP32-C6.

Here, the encryption key is expected to be known. This is not an attack, but an attempt to answer the following questions:

  • Does data leak?
  • Where are the leakages located?

To do so, the state array of the AES-128 encryption block using the KEK_E key is computed at various points.

More specifically, this state is computed after each of the following standard operations:

  • AddRoundKeyAddRoundKey
  • InvMixColumnsInvMixColumns
  • InvShiftRowsInvShiftRows
  • InvSBoxInvSBox

For each of these 16-byte states, the power consumption of the device is modeled with a simple Hamming weight method.

H=HW(state) H = HW(state)

This power consumption model is correlated against the measured power traces at each timestamp using a Pearson correlation coefficient.

Input Data

Power Traces

The captured data can be downloaded from here (5.47 GB).

Replication of results These traces have been captured using tools available in the esp-cpa repository. The following command can be used. 
poetry run measure config/capture/esp32c6.py \
                   esp32c6_off.zarr \
                   --gui-display # Optional

AES Key

The key flashed in the target’s fuses is available below, and can be downloaded here.

00000000: c636 c050 fc66 fd40 32b0 8c6b 0834 9342  [email protected]
00000010: 0f5a a370 00ec d68e ba01 4b90 e01d 5aa8  .Z.p......K...Z.

The clock randomization feature of the ESP32-C6 was disabled for this test.

Results

Replication of results The data displayed above can be locally computed using tools available in the esp-cpa repository. The following commands can be used. 
# Perform assessment
poetry run analyze leakage-assessment esp32c6_off.zarr \
                   config/analysis/leakage_assessment.py \
                   flash_encryption_key.bin leakage_esp32c6.csv
# Plot results
poetry run plot plot-leakages leakage_esp32c6.csv

Note

Because a simple Hamming weight has been chosen to model power consumption, it’s worth noting that correlation values are not altered after an InvShiftRowsInvShiftRows operation.

Observations

Judging from the peaks observed in the correlation values, it appears that most of the internal states do leak.

That being said, the correlations peaks following the AddRoundKeyAddRoundKey operations are arguably not as clear as the ones observed for in the ESP32-C3 Leakage Assessment. However, this difference isn’t extremely significant, and it’s not clear whether this behavior is caused by the masking countermeasure implemented in the ESP32-C6 or not.

Additionally, the position of these leakages does make sense, with data corresponding to each round appearing in a chronological order. Incidentally, it seems the ESP32-C6 crypto-core performs its computations faster than the one in the ESP32-C3.

Go back to the main article