Security Advisory Title: Security Advisory Concerning Bypassing Pseudo-Round Mechanism of XTS-AES Using CPA Attack on ESP32-C5
Issue Date: 2026/04/07
Advisory Number: AR2026-001
Serial Number: NA
Version: V1.0

Issue Summary

A hardware vulnerability has been identified in the ESP32-C5 chip affecting the Flash Encryption feature. This feature uses the XTS-AES algorithm with a pseudo-round countermeasure that inserts dummy encryption operations to randomize the chip's power consumption profile, making side-channel analysis more difficult.

A security researcher demonstrated that the pseudo-round countermeasure can be bypassed using a Correlation Power Analysis (CPA) side-channel attack. The attack exploits a distinguishable power signature that occurs during transitions between dummy and real encryption rounds, allowing an attacker to isolate the actual AES operations from collected power traces. Using this method, the encryption key for an individual 128-byte flash block can be recovered.

The attack requires physical access to the device, purpose-built measurement hardware with controlled thermal conditions, and significant computational resources for key recovery. With clock randomization enabled alongside the pseudo-round mechanism at the highest level, key recovery for a single 128-byte block takes on the order of several days.

What is a Side-Channel Attack (SCA)?

A side-channel attack exploits unintentional information leakage from a system to uncover secret values, typically encryption keys. Side-channel analysis can take various forms, including timing variations or the power consumption of a device. The side-channel attacks on the ESP32-C5 discussed in this advisory are based on Correlation Power Analysis (CPA).

What is the Pseudo-Round Mechanism?

The ESP32-C5 incorporates a pseudo-round function in the XTS-AES peripheral as a side-channel attack countermeasure. The chip intentionally performs extra dummy encryption rounds using a pseudo key that does not alter the final encrypted result. These additional rounds are inserted randomly, increasing the complexity of side-channel analysis by randomizing the power consumption profile. The strength of this mechanism is configurable.

Impact Analysis

1. Chips affected by this attack use the XTS-AES encryption mode for Flash Encryption, where a separate encryption key is used for each flash block. Using the CPA technique, an attacker can extract the encryption key for individual flash blocks. However, each block key recovery is an independent and time-intensive effort.

2. With clock randomization enabled alongside the pseudo-round mechanism at the highest level, CPA key recovery for a single 128-byte block takes on the order of several days, requiring hundreds of thousands of power trace recordings and substantial computational effort for key brute-forcing. The CPA attack cannot recover the tweak key directly; it can only recover the tweak value of each block, so each attack compromises only 128 bytes of data. Furthermore, fully breaking the XTS-AES mode requires recovering both the tweak values and the encryption key. This makes the attack considerably more complicated.

3. Decrypting the entire encrypted flash using this technique is impractical in terms of both the effort and the time required. At the highest protection level, attacking 1 KB of flash content would take several weeks.

4. It should be noted that even if the key to a single data block is recovered, the attacker still needs to find other exploitable vulnerabilities within the system to carry out a valuable attack. Currently, no such combined attack chain has been identified for the ESP32-C5.

5. This attack requires physical access to the device, purpose-built measurement hardware including specialized analog-to-digital converters and signal amplifiers, controlled thermal conditions, custom SPI flash emulation, and significant computational resources for key recovery. Since each device uses a unique Flash Encryption key, this attack is device-specific and cannot be scaled to an entire class of devices, making it less attractive for attackers.

Affected Espressif Products Series

This vulnerability has been confirmed on the ESP32-C5 (Chip Revision v1.0 and v1.2). The CPA technique to bypass the pseudo-round mechanism may theoretically apply to other chips that share the same XTS-AES peripheral architecture with pseudo-round countermeasure support, such as the ESP32-P4.

The ESP32-H2 (Chip Revision v1.2) was tested during the same research but was found not vulnerable to this specific attack. Differences in the chip's internal power delivery architecture prevent the attacker from obtaining the distinguishable power signatures required for the CPA technique.

Mitigation

At present, there is no complete software or hardware fix available for this issue. Future products will incorporate improved hardware countermeasures in the chip to address these issues. The following are some recommendations to mitigate the risk.

Hardware Countermeasures

Protect the device from physical access by enclosing it in a tamper-resistant mechanism that cannot be breached without detection. The device should respond to tamper detection with a predetermined action, such as resetting the device or clearing secret information stored on it. Physical access prevention is the most effective countermeasure, as this attack fundamentally depends on collecting power traces from the device hardware.

Use the chip's System-in-Package (SiP) form factor with flash pins terminated internally. SiP variants (such as the ESP32-C5HF4) better protect against this type of attack by preventing the use of any external flash emulator or monitoring of the flash pins.

Software Countermeasures

Enable the pseudo-round mechanism at the highest strength and enable clock randomization. While the pseudo-round countermeasure was bypassed during the research, clock randomization at the highest level significantly increases the time and effort required for key recovery. Both protections should be configured during first boot.

Application Countermeasures

Long-lived encryption keys that are shared between devices or across a manufacturing batch should be avoided at all costs. These attacks require significant effort, skill, and expensive and sophisticated lab equipment to be carried out successfully on a device. If each device is provisioned with a unique secret tied to that specific device identity, the attacker cannot scale the attack to an entire class of devices, making it less attractive.

In addition, we recommend that chip users enable Flash Encryption and Secure Boot at the same time, which minimizes the risk of an attacker rewriting the firmware.

Credits

We would like to thank Alexey Shalpegin from Positive Technologies for reporting this vulnerability and for practicing responsible disclosure.
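The Impact Analysis above rests on two properties of XTS mode: each 128-byte flash block is encrypted under its own tweak value derived from the tweak key, and recovering one block's tweak value does not expose the tweak key or any other block's tweak. The following is an added worked example, not Espressif code and not the ESP32-C5 peripheral's implementation; it models the standard IEEE P1619 XTS structure (T = E_key2(i), T_j = T * alpha^j in GF(2^128), C_j = E_key1(P_j xor T_j) xor T_j) to show why a recovered tweak value exposes exactly one 128-byte unit. Assumptions: the data unit is 128 bytes with the unit index standing in for the flash block address, and, because the Python standard library has no AES, the block cipher E is replaced by a 4-round Feistel permutation with a SHA-256 round function. The function names (`unit_tweak`, `xts_encrypt_unit`, `single_block_exposure`) and the keys and flash contents are constructed for this example.

```python
"""XTS data-unit structure behind the advisory's impact statements.

Added example, not Espressif code. The XTS arithmetic (tweak chaining by
alpha in GF(2^128), tweak-xor-encrypt-xor per sub-block) is the standard
construction; only the underlying 128-bit block cipher is a stand-in.
"""
import hashlib

BLOCK = 16
UNIT_BYTES = 128          # one flash block, as in the advisory (assumption)
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, r: int) -> bytes:
    """Feistel round function: keyed SHA-256, truncated to 8 bytes."""
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key: bytes, x: bytes) -> bytes:
    """Stand-in 128-bit block cipher E_key (balanced Feistel, not AES)."""
    l, r = x[:8], x[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key: bytes, y: bytes) -> bytes:
    """Inverse of block_encrypt: run the Feistel rounds backwards."""
    l, r = y[:8], y[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def mul_alpha(t: bytes) -> bytes:
    """Multiply a 128-bit tweak by alpha in GF(2^128) (XTS little-endian
    convention): shift left by one bit, fold the carry back as 0x87."""
    n = int.from_bytes(t, "little") << 1
    if n >> 128:
        n ^= (1 << 128) | 0x87
    return n.to_bytes(16, "little")


def unit_tweak(key2: bytes, unit_index: int) -> bytes:
    """T = E_key2(unit_index): the per-block tweak value. The advisory states
    that CPA recovers this value for a block, not key2 itself."""
    return block_encrypt(key2, unit_index.to_bytes(16, "little"))


def xts_encrypt_unit(key1: bytes, tweak: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) == UNIT_BYTES
    out, t = bytearray(), tweak
    for j in range(0, UNIT_BYTES, BLOCK):
        out += _xor(block_encrypt(key1, _xor(plaintext[j:j + BLOCK], t)), t)
        t = mul_alpha(t)           # next sub-block uses T * alpha^(j/16 + 1)
    return bytes(out)


def xts_decrypt_unit(key1: bytes, tweak: bytes, ciphertext: bytes) -> bytes:
    assert len(ciphertext) == UNIT_BYTES
    out, t = bytearray(), tweak
    for j in range(0, UNIT_BYTES, BLOCK):
        out += _xor(block_decrypt(key1, _xor(ciphertext[j:j + BLOCK], t)), t)
        t = mul_alpha(t)
    return bytes(out)


def single_block_exposure(unit_index: int = 2, units: int = 4) -> dict:
    """Model the advisory's impact statement: with key1 and the tweak value of
    one 128-byte block known, that block decrypts; a neighbouring block does
    not, because its tweak is E_key2(other_index) and key2 is not exposed."""
    # Constructed per-device keys and flash contents (deterministic for the demo).
    key1 = hashlib.sha256(b"demo-data-key").digest()[:16]
    key2 = hashlib.sha256(b"demo-tweak-key").digest()[:16]
    flash = [hashlib.sha256(b"unit%d" % i).digest() * 4 for i in range(units)]
    enc = [xts_encrypt_unit(key1, unit_tweak(key2, i), p) for i, p in enumerate(flash)]

    t_known = unit_tweak(key2, unit_index)   # the single recovered tweak value
    own = xts_decrypt_unit(key1, t_known, enc[unit_index]) == flash[unit_index]
    nxt = xts_decrypt_unit(key1, t_known, enc[unit_index + 1]) == flash[unit_index + 1]
    return {"own_block_decrypts": own, "next_block_decrypts": nxt,
            "bytes_exposed": UNIT_BYTES if own else 0}


if __name__ == "__main__":
    print(single_block_exposure())
```

Running `single_block_exposure()` returns `own_block_decrypts` True and `next_block_decrypts` False: the recovered tweak value is tied to one unit index, and the next unit's tweak is a fresh output of E_key2 that cannot be derived from it without the tweak key. This is the structural reason the advisory counts each successful CPA run as exposing 128 bytes, and why recovering the whole flash requires either the tweak key or a separate multi-day recovery per block. The real peripheral's tweak derivation from the flash address is Espressif's design and is not reproduced here.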