def leakage(self, pt, ct, guess, bnum, state):
if self.model == self.LEAK_HW_SBOXOUT_FIRSTROUND:
# Classic HW of S-Box output
return self.HW[sbox(pt[bnum] ^ guess)]
elif self.model == self.LEAK_HW_INVSBOXOUT_FIRSTROUND:
# HW Leakage of inverse S-Box (AES Decryption)
return self.HW[inv_sbox(pt[bnum] ^ guess)]
elif self.model == self.LEAK_HD_LASTROUND_STATE:
# HD Leakage of AES State between 9th and 10th Round
# Used to break SASEBO-GII / SAKURA-G
st10 = ct[self.INVSHIFT[bnum]]
st9 = inv_sbox(ct[bnum] ^ guess)
return self.HW[st9 ^ st10]
elif self.model == self.LEAK_HD_SBOX_IN_OUT:
# Leakage from HD of S-Box input to output
st1 = pt[bnum] ^ guess
st2 = sbox(st1)
return self.HW[st1 ^ st2]
elif self.model == self.LEAK_HD_SBOX_IN_SUCCESSIVE:
pass
elif self.model == self.LEAK_HD_SBOX_OUT_SUCCESSIVE:
pass
else:
raise ValueError("Invalid model: %s" % str(self.model))
def distinguisher(self, tnum, bnum, kguess):
global HW_LUT
st10 = self.ct[tnum][self.INVSHIFT_undo[bnum]]
st9 = inv_sbox(self.ct[tnum][bnum] ^ kguess)
# return st9 % 2 == 0
# return bin(st9).count("1") >= 2
return bin(st9).count("1") >= 3
def HypHW(self, pt, ct, key, bnum):
"""Given either plaintext or ciphertext (not both) + a key guess, return hypothetical hamming weight of result"""
if pt != None:
return self.HW[sbox(pt[bnum] ^ key)]
elif ct != None:
knownkey = [0xae, 0x83, 0xc1, 0xa5, 0x6b, 0xcb, 0xc6, 0x46, 0x55, 0xa3, 0xbf, 0x8d, 0x58, 0xfa, 0x20, 0x6d]
a = AES()
xored = [knownkey[i] ^ ct[i] for i in range(0, 16)]
block = a.mapin(xored)
block = a.shiftRows(block, True)
block = a.subBytes(block, True)
block = a.mixColumns(block, True)
block = a.shiftRows(block, True)
result = a.mapout(block)
return self.HW[inv_sbox((result[bnum] ^ key))]
else:
raise ValueError("Must specify PT or CT")
def HypHW(self, pt, ct, key, bnum):
"""Given either plaintext or ciphertext (not both) + a key guess, return hypothetical hamming weight of result"""
if pt != None:
return self.HW[sbox(pt[bnum] ^ key)]
elif ct != None:
knownkey = [0xae, 0x83, 0xc1, 0xa5, 0x6b, 0xcb, 0xc6, 0x46, 0x55, 0xa3, 0xbf, 0x8d, 0x58, 0xfa, 0x20, 0x6d]
a = AES()
xored = [knownkey[i] ^ ct[i] for i in range(0, 16)]
block = a.mapin(xored)
block = a.shiftRows(block, True)
block = a.subBytes(block, True)
block = a.mixColumns(block, True)
block = a.shiftRows(block, True)
result = a.mapout(block)
return self.HW[inv_sbox((result[bnum] ^ key))]
else:
raise ValueError("Must specify PT or CT")
def getPartitionNum(self, trace, tnum):
key = trace.getKnownKey(tnum)
ct = trace.getTextout(tnum)
#Convert from initial key to final-round key, currently
#this assumes AES
if len(key) == 16:
rounds = 10
else:
raise ValueError("Need to implement for selected AES")
key = keyScheduleRounds(key, 0, rounds)
guess = [0] * 16
for i in range(0, 16):
st10 = ct[AES128_8bit.INVSHIFT[i]]
st9 = inv_sbox(ct[i] ^ key[i])
guess[i] = AES128_8bit.getHW(st9 ^ st10)
return guess
def getPartitionNum(self, trace, tnum):
key = trace.getKnownKey(tnum)
ct = trace.getTextout(tnum)
#Convert from initial key to final-round key, currently
#this assumes AES
if len(key) == 16:
rounds = 10
else:
raise ValueError("Need to implement for selected AES")
key = keyScheduleRounds(key, 0, rounds)
guess = [0] * 16
for i in range(0, 16):
st10 = ct[AES128_8bit.INVSHIFT[i]]
st9 = inv_sbox(ct[i] ^ key[i])
guess[i] = AES128_8bit.getHW(st9 ^ st10)
return guess
def inv_sbox(self, data):
"""Helper function: performs AES inv-sbox on single byte"""
return inv_sbox(data)
def leakage(self, pt, ct, key, bnum):
# HD Leakage of AES State between 9th and 10th Round
# Used to break SASEBO-GII / SAKURA-G
st10 = ct[self.INVSHIFT_undo[bnum]]
st9 = inv_sbox(ct[bnum] ^ key[bnum])
return (st9 ^ st10)
def leakage(self, pt, ct, key, bnum):
# Alternate leakage
st10 = ct[bnum]
st9 = inv_sbox(ct[bnum] ^ key[bnum])
return (st9 ^ st10)
def inv_sbox(self, data):
"""Helper function: performs AES inv-sbox on single byte"""
return inv_sbox(data)
def leakage(self, pt, ct, key, bnum):
# HD Leakage of AES State between 9th and 10th Round
# Used to break SASEBO-GII / SAKURA-G
st10 = ct[self.INVSHIFT_undo[bnum]]
st9 = inv_sbox(ct[bnum] ^ key[bnum])
return (st9 ^ st10)
