Side-Channel Power Analysis Series — Part 3 of 7
| Part | Title | Status |
|---|---|---|
| 1 | The Gap Between Mathematical Security and Physical Reality | |
| 2 | Why Does Power Consumption Leak Secrets? | |
| 3 | AES - Understanding What We Are Attacking | You are here |
| 4 | SPA, DPA and CPA - The Attack Ladder | |
| 5 | Hardware Setup and First Connection - Let’s Actually Do This | |
| 6 | Compiling Firmware, Setting Up Capture and Getting Your First Real Power Trace | |
| 7 | I Stole an AES Key by Watching a Chip’s Power Consumption | |
Side-Channel Power Analysis Series | IoTSec.in
Okay. So we are at Blog 3 now.
In Blog 1, we understood that mathematical security is not the same as physical security.
In Blog 2, we understood how power consumption leaks information: transistors, Hamming Weight, power traces, all of that.
Now in Blog 3, we need to understand what we are actually attacking.
And the answer is: AES.
But before we attack it, we need to understand it. Not deeply. Not mathematically. Just enough to know where the key touches the data and why that matters for us.
That is the entire goal of this blog.
Let’s go.
What Even Is AES?
Let me start with a story.
There was an older encryption standard called DES. It worked fine for its time. But computers kept getting faster and faster. And one day, a computer could just try every possible DES key until it found the right one. That is called a brute force attack.
DES used a 56-bit key. That means there were about 72 quadrillion possible keys. Sounds like a lot. But by the late 1990s, specialized machines could crack it in under a day.
So the world needed something better.
In 1997, the US government ran a competition. “Give us a better encryption algorithm.” Teams from around the world submitted their designs. Five made it to the finals. One won.
It was called Rijndael, designed by two Belgian cryptographers. The US government standardized it and gave it a new name: AES, the Advanced Encryption Standard.
That was 2001. It is now 2026. AES is still everywhere:
Your WhatsApp messages → AES
Your bank transactions → AES
Your VPN → AES
Your laptop disk encryption → AES
HTTPS on every website → AES
People have been trying to break AES mathematically for 25+ years. Nobody has found a way.
But here is the thing I kept thinking about when I first read this.
If nobody can break AES mathematically, how are we going to attack it?
And the answer comes from Blog 1.
We are not breaking the algorithm. We are eavesdropping on the physical execution of the algorithm.
The math is unbreakable. The chip running the math? That leaks power. And power tells us secrets.
What I Found Confusing (And Now Don’t) - Part 1
When I first heard “AES is mathematically secure” I thought it meant even if you know the algorithm, you still can’t decrypt anything. Which is true.
But then I thought if we can’t break the math, what is the point of learning AES?
The answer is: we learn AES to find out where the key touches the data. Because that is exactly where the power leaks happen.
Once you see that connection, everything clicks.
Block Cipher - AES Works In Chunks
AES does not encrypt your data all at once. It slices your data into fixed-size chunks called blocks and encrypts one block at a time.
AES always uses a block size of exactly 128 bits. That is 16 bytes. Roughly 16 characters of text.
So if you want to encrypt the message "Hello, this is my secret message!" AES sees it like this:
Block 1: "Hello, this is " ← 16 bytes
Block 2: "my secret messag" ← 16 bytes
Block 3: "e!" ← padded to make 16 bytes
Each block goes through the full AES encryption process separately. Same key. Same operations. Block by block.
Why does this matter for us?
Because when ChipWhisperer captures a power trace, it is capturing the chip processing one block. We can watch exactly what happens to those 16 bytes as the chip processes them.
That is our window into the chip.
The Key - The Only Real Secret
Think about a padlock. The padlock design is public - everyone can see how it works. But the key that opens it? Only you have that.
AES works the same way. The algorithm is fully public. Everyone knows exactly how AES works. The security comes entirely from the key being secret.
The key is just a string of random bits. Nothing fancy. For example, a 128-bit AES key looks like this:
2b 7e 15 16 28 ae d2 a6
ab f7 15 88 09 cf 4f 3c
16 random bytes. Looks like garbage. That is the point.
AES supports three key sizes:
128 bits = 16 bytes → 2^128 possible keys
192 bits = 24 bytes → 2^192 possible keys
256 bits = 32 bytes → 2^256 possible keys
2^128 is an astronomically large number. Even if every computer on Earth tried keys nonstop since the Big Bang, they would not even scratch the surface.
So brute force is impossible.
But here is the beautiful thing about power analysis. We do not brute force the full key at once. We guess one byte at a time. Each byte has only 256 possible values. Very manageable. We will see exactly how this works later.
What I Found Confusing (And Now Don’t) - Part 2
I got confused between the key and a password.
When I type a password like “mypassword123” - that is NOT the AES key. The AES key is raw binary data generated separately. If you use a password in software, the software converts it into a key behind the scenes. But inside AES itself, the key is always a fixed block of raw bits.
The Four Operations Inside AES
AES does not encrypt your block in one magic step. It runs your 16 bytes through four operations, repeated multiple times.
Think of it like a washing machine cycle. Same actions. Repeated. Until the data is thoroughly scrambled.
Your 16 bytes are first arranged into a 4x4 grid of bytes:
[ b0 b1 b2 b3 ]
[ b4 b5 b6 b7 ]
[ b8 b9 b10 b11 ]
[ b12 b13 b14 b15 ]
Then the four operations work on this grid:
1. AddRoundKey - The Key Enters Here
This is the most important operation for us.
The secret key gets XOR’d into the data. Byte by byte.
Your data byte: 01001010
Key byte: 11010011
XOR result: 10011001
That is AddRoundKey. Key meets data. XOR. Done.
This is the ONLY operation where the key directly touches the data.
Everything else (SubBytes, ShiftRows, MixColumns) does not use the key. Only AddRoundKey does.
2. SubBytes - Every Byte Gets Disguised
Every byte in the grid gets swapped for a completely different byte using a lookup table called the S-Box.
Input byte → S-Box table → Output byte
Example:
01001010 → S-Box → 11010110
Every possible byte value (0 to 255) has exactly one S-Box output. You put a byte in. You get a different byte out.
We will talk about the S-Box in much more detail very soon. It is the most important piece for our attack.
3. ShiftRows - Bytes Get Their Positions Shuffled
The 16 bytes in the 4x4 grid get their row positions shifted:
Before ShiftRows:
[ b0 b1 b2 b3 ]
[ b4 b5 b6 b7 ]
[ b8 b9 b10 b11 ]
[ b12 b13 b14 b15 ]
After ShiftRows:
[ b0 b1 b2 b3 ] ← row 0: no change
[ b5 b6 b7 b4 ] ← row 1: shift left 1
[ b10 b11 b8 b9 ] ← row 2: shift left 2
[ b15 b12 b13 b14 ] ← row 3: shift left 3
This shuffles the positions of bytes. No key involved. Just rearranging seats.
4. MixColumns - Bytes Get Blended Together
Each column of the 4x4 grid gets mathematically mixed. One byte influences four bytes.
No key involved here either. Just mixing.
For our attack, we only care deeply about two of these four:
AddRoundKey ← key enters here
SubBytes ← power leaks here
ShiftRows and MixColumns just do scrambling. Important for security. Not our attack focus.
Why AES Repeats - The Concept of Rounds
One round of these four operations is not enough scrambling. Two rounds are not enough. After enough rounds, the output looks completely random, with no trace of the original data.
AES uses a Rubik’s cube logic here.
If you make one move on a Rubik’s cube, someone can easily reverse it. One move back and they see your secret.
But if you make 10 moves, each one building on the last? The cube looks completely mixed. Hard to reverse without knowing exactly which moves happened in which order.
AES Round 1 → a little scrambled
AES Round 3 → more scrambled
AES Round 7 → very scrambled
AES Round 10 → looks completely random
AES with a 128-bit key does exactly 10 rounds. Each round uses a different version of the key (called a round key). The original key gets expanded into 11 round keys - one for before Round 1 and one for each of the 10 rounds.
Original Key → Key Expansion → K0, K1, K2, K3... K10
Pre-round : uses K0
Round 1 : uses K1
Round 2 : uses K2
...
Round 10 : uses K10
The diagram you might have seen looks like this:
Plain Text (128 bits)
↓
Pre-round transformation ← K0
↓
Round 1 ← K1
↓
Round 2 ← K2
↓
...
↓
Round 10 ← K10
↓
Cipher Text (128 bits)
Each round contains: SubBytes → ShiftRows → MixColumns → AddRoundKey.
The last round skips MixColumns.
What I Found Confusing (And Now Don’t) - Part 3
I kept thinking about rounds the wrong way. I thought “more rounds = more checks = more time to see if something is correct.”
That is wrong. AES does not check anything. There is no correct or incorrect inside AES. It just encrypts. Blindly. All 10 rounds. Every time. Regardless of what key you use.
The rounds are not for checking. They are for scrambling. More rounds = harder to reverse = stronger encryption.
The Threat Model - Why Does Any Of This Matter?
Before I explain the S-Box, let me make the threat model crystal clear. Because I was confused about this for a while.
You are not attacking a server over the internet. You are not guessing passwords. You are not cracking a database.
You are attacking a chip. A physical device. Something you can hold in your hand.
The scenario looks like this:
TARGET = a small chip (Arduino, smart card, IoT device)
This chip has a SECRET KEY stored inside it
You cannot open the chip
You cannot read its memory directly
But you CAN send it data to encrypt
And you CAN measure its power consumption
Real world example: a payment card.
When you tap your card at a terminal, the terminal does not just say “is this card ID 10?” and the card says “yes it is.” That would be fakeable by anyone.
Instead:
Terminal: "prove you are you: encrypt this random number"
Card: encrypts that number using its secret key
Terminal: checks if the result matches what it expected
The secret key IS the proof of identity. Not your name. Not a PIN. The key itself.
Now the attack:
Attacker steals your card for 5 minutes
Attacker connects ChipWhisperer to the card
Attacker sends random numbers to the card
Card encrypts them using its secret key
ChipWhisperer measures the power each time
Attacker analyses the power traces
Attacker recovers the secret key
Attacker copies that key into a blank card
Blank card now IS your card
The bank cannot tell the difference
No password needed. No brute force. Just physics.
That is the threat. That is why this matters.
The S-Box - The Heart of Our Attack
Now we get to the most important concept in this entire blog.
Remember the S-Box from SubBytes? It is a lookup table. Input byte goes in. Different output byte comes out.
Input → Output
0x00 → 0x63
0x01 → 0x7c
0x02 → 0x77
...
0xff → 0x16
256 entries. One for every possible byte value.
Simple enough. But here is where it gets interesting for us.
In Round 1 of AES, the very first thing that happens is AddRoundKey. The key gets XOR’d into your plain text data.
Plain text byte XOR Key byte = Mixed value
Then immediately after that, that mixed value goes into the S-Box.
Plain text → XOR with Key → S-Box input → S-Box output
So the S-Box output depends on BOTH the plain text AND the key together.
Now connect this to what we learned in Blog 2.
More 1s in a binary value = more transistors switching = more power consumed. That is Hamming Weight.
So:
S-Box output has a certain number of 1s
Number of 1s = Hamming Weight
Hamming Weight = amount of power consumed
Power consumed = what ChipWhisperer measures
The full chain looks like this:
Key + Plain text
↓
XOR together
↓
S-Box input
↓
S-Box output
↓
Hamming Weight (count the 1s)
↓
Power spike
↓
ChipWhisperer captures it
The Jacob Example - Making It Concrete
Let me walk through this with a real example. Let’s encrypt the letter J.
J in binary = 01001010
Let’s say one byte of our secret key is:
Key byte = 11010011
Step 1: AddRoundKey (XOR)
J: 01001010
Key byte: 11010011
XOR: 10011001 ← this is the S-Box input
Step 2: SubBytes (S-Box lookup)
10011001 → goes into S-Box table
S-Box looks it up
S-Box output → 11010110
Step 3: Hamming Weight
11010110
Count the 1s: 1+1+0+1+0+1+1+0 = 5 ones
Hamming Weight = 5
Step 4: Power spike
5 transistors switching = medium power spike
ChipWhisperer captures this spike
The Attack Connection
Here is why this chain is so powerful for us.
We know: the plain text (J) — we sent it ourselves
We measure: the power spike — ChipWhisperer captured it
We want: the secret key byte
So we do this:
Guess: "what if the key byte is 11010011?"
Calculate: J XOR 11010011 = 10011001
S-Box(10011001) = 11010110
Hamming Weight of 11010110 = 5
Expected power spike = medium
Actual power spike = medium ✓ MATCH
We guessed the key byte correctly. The predicted power matches the real power.
Wrong guess would give a different Hamming Weight. Different predicted spike. No match.
We do this for all 16 bytes of the key. 256 guesses per byte. We find the one that matches the power trace.
Byte 1 of key → guess and match → found
Byte 2 of key → guess and match → found
...
Byte 16 of key → guess and match → found
Full 128-bit key recovered
That is the power analysis attack on AES. Not decrypting. Not brute forcing. Reading the key from the physics of the chip, one byte at a time.
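As an added example (not code from the original post), here is the Round 1 leak chain in Python using the standard FIPS-197 S-Box, plus a constructed, noise-free stand-in for the ChipWhisperer measurement (the plaintext bytes are drawn from a fixed-seed random generator; these are assumptions, not real captures). It goes one step beyond the single-byte walkthrough above: one measured Hamming weight only narrows the key byte down to the bucket of guesses that predict the same weight, and checking several chosen plaintexts is what pins it to one value.

```python
import random

# Standard AES S-Box (FIPS-197): 256 entries for inputs 0x00..0xff, row by row.
SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76" "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115" "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84" "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8" "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973" "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479" "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a" "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df" "8ca1890dbfe6426841992d0fb054bb16"
)
assert len(SBOX) == 256 and len(set(SBOX)) == 256  # every byte maps to one distinct byte

def hamming_weight(x: int) -> int:
    """Count the 1 bits: the power model from Blog 2."""
    return bin(x).count("1")

def round1_chain(pt_byte: int, key_byte: int) -> tuple:
    """One byte through AddRoundKey -> SubBytes -> Hamming weight.
    Returns (s_box_input, s_box_output, hamming_weight)."""
    sbox_in = pt_byte ^ key_byte      # AddRoundKey: the key meets the data
    sbox_out = SBOX[sbox_in]          # SubBytes: table lookup
    return sbox_in, sbox_out, hamming_weight(sbox_out)

def predicted_leak(pt_byte: int, key_guess: int) -> int:
    """What the chip should leak for this plaintext byte if key_guess is right."""
    return round1_chain(pt_byte, key_guess)[2]

def consistent_keys(plaintexts, measured_hws) -> list:
    """Key-byte guesses whose prediction matches every measurement.
    One trace leaves a whole bucket of guesses; each extra trace shrinks it."""
    return [guess for guess in range(256)
            if all(predicted_leak(p, guess) == hw
                   for p, hw in zip(plaintexts, measured_hws))]

def simulated_attack(true_key_byte: int, n_traces: int, seed: int = 2026) -> list:
    """Constructed stand-in for a ChipWhisperer capture (an assumption, not real data):
    we pick random plaintext bytes, and the 'measurement' is the idealised,
    noise-free Hamming weight the chip would leak for the true key byte."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    measured = [predicted_leak(p, true_key_byte) for p in plaintexts]
    return consistent_keys(plaintexts, measured)

if __name__ == "__main__":
    sbox_in, sbox_out, hw = round1_chain(0x4A, 0xD3)  # J = 01001010, key byte 11010011
    print(f"J ^ key = {sbox_in:08b}, S-Box -> {sbox_out:08b}, Hamming weight = {hw}")
    print("guesses left after 1 trace  :", len(consistent_keys([0x4A], [hw])))
    print("guesses left after 16 traces:", [hex(k) for k in simulated_attack(0xD3, 16)])
```

Looked up in the standard table, S-Box(10011001) is 11101110 (Hamming weight 6), so the numbers this code prints for J differ from the walkthrough above; the value 11010110 quoted there is S-Box(01001010), the lookup of J itself before the key is XOR'd in.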
What I Found Confusing (And Now Don’t) - Part 4
I kept thinking we needed to reverse the encryption to get something useful. Like - even if we capture the power trace, we still need to decrypt the data somehow, right?
No.
We are not trying to decrypt the ciphertext. We already know the plain text - we chose it. We already have the ciphertext - we read it. The only missing piece is the key.
And the power trace tells us the key. Not by reversing AES. By matching our prediction of the power to the actual power we measured.
Plain text is known. Ciphertext is known. Power trace is measured. Key is recovered. That is the complete picture.
Why Round 1 and Not Round 10?
One more thing worth understanding.
We attack Round 1 specifically. Not Round 5. Not Round 10. Why?
Because at Round 1, the data has only been scrambled once. The key’s fingerprint is still clearly visible in the power trace.
By Round 10, the data has been through 10 rounds of mixing. Everything is so scrambled that the relationship between the key and the power trace becomes very hard to see.
Round 1 → data close to original → key fingerprint visible → attack here
Round 10 → data thoroughly mixed → key fingerprint buried → too late
We catch the key at its first contact with the data. Before the rounds have a chance to hide it.
What We Learned - Glossary
AES (Advanced Encryption Standard) - The encryption algorithm that replaced DES. Uses 128-bit blocks. Mathematically unbroken. But physically attackable through power analysis.
Block Cipher - An encryption method that works on fixed-size chunks of data. AES uses 128-bit (16 byte) blocks.
Key - A string of random bits (128, 192, or 256 bits) that is the only secret in AES. The algorithm itself is public.
Round - One complete pass through all four AES operations. AES does 10 rounds for a 128-bit key.
Round Key - A version of the original key derived for use in a specific round. AES generates 11 round keys from one original key.
Key Expansion - The process of stretching the original key into 11 round keys.
AddRoundKey - The operation where the key is XOR’d into the data. The only place the key directly touches the data.
SubBytes - The operation where every byte is replaced using the S-Box lookup table.
ShiftRows - The operation where bytes get their positions shifted within the 4x4 grid.
MixColumns - The operation where bytes in each column get mathematically blended together.
S-Box - A lookup table with 256 entries used in SubBytes. Input byte goes in. Different output byte comes out.
Hamming Weight - The count of 1s in a binary value. More 1s = more power consumed.
Power Trace - The graph of power consumption over time captured by ChipWhisperer while a chip computes.
Attack Chain - Plain text XOR Key → S-Box input → S-Box output → Hamming Weight → Power spike → Key recovery.
What’s Coming in Blog 4
We now know what AES is. We know where the key touches the data. We know why the S-Box output leaks power. We know how to connect a power spike back to a key guess.
Blog 4 is where things get really interesting.
We climb the attack ladder:
SPA - Simple Power Analysis. One trace. One look. What can you see directly?
DPA - Differential Power Analysis. Many traces. Statistical differences. Much more powerful.
CPA - Correlation Power Analysis. The method we actually use with ChipWhisperer. Predicting power, measuring power, correlating them together to recover the key.
We have built the foundation. Blog 4 is where we start using it.
See you there.
Previous: Blog 2 — Why Power Consumption Leaks Information
Next: Blog 4 — SPA, DPA, and CPA: The Attack Ladder