EPFL's CTF team

Square CTF 2018: C4 - leaky power


C4 is a very advanced AES based defensive system. You are able to monitor the power lines. Is that enough?

You’re given three files:

note: The first two files are NumPy arrays.

note: there’s a mistake in the way instructions.jwe was created (the algorithm is A128GCM, not A256GCM).


instructions_corrected.jwe is a JSON file containing an encrypted message, along with an IV, an authentication tag and a protected field, all base64-encoded. The protected field decodes to {"alg":"dir","enc":"A128GCM"} which suggests that the message is encrypted with AES-128 in GCM mode. When the challenge was released, the files only contained instructions.jwe whose protected field instead decodes to {"alg":"dir","enc":"A256GCM"}, incorrectly suggesting that a 256-bit key was being used instead.

In order to solve this task we must perform a correlation power analysis (CPA) attack, which can recover an AES key from the plaintexts and power traces. The attack is explained here and the authors provide some example code which we adapted to solve this task.