def recover_full_key(self, subkeys, subkeys2):
"""
Builds the master key using the first two subkeys
"""
print("Construction de la cle")
# Building an uncomplete key using subkeys
turn_key= des_block.des_block()
for sb in subkeys:
turn_key= turn_key.concat( des_block.__from_int__(sb, 6) )
cd1= turn_key.pc2(-1)
c0 = cd1.subblock(0,28).rs(1)
d0 = cd1.subblock(28,56).rs(1)
uncomp1= c0.concat(d0)
# Building another uncomplete key using subkeys2
turn_key= des_block.des_block()
turn_key= turn_key.concat(des_block.__from_int__(subkeys2[0], 6))
turn_key= turn_key.concat(des_block.__from_int__(subkeys2[1], 6))
turn_key= turn_key.concat(des_block.__from_int__(subkeys2[2], 6))
turn_key= turn_key.concat(des_block.des_block("0", 6) )
turn_key= turn_key.concat(des_block.__from_int__(subkeys2[3], 6))
turn_key= turn_key.concat(des_block.des_block("0", 6) )
turn_key= turn_key.concat(des_block.__from_int__(subkeys2[4], 6))
turn_key= turn_key.concat(des_block.__from_int__(subkeys2[5], 6))
cd1= turn_key.pc2(-1)
c0 = cd1.subblock(0,28).rs(2)
d0 = cd1.subblock(28,56).rs(2)
uncomp2= c0.concat(d0)
# Merging the two subkeys
print("Premiere cle incomplete : " + des_block.int2bin(uncomp1.value,56))
print("Deuxieme cle incomplete : " + des_block.int2bin(uncomp2.value,56))
key= des_block.des_block()
key= uncomp1.key_or( uncomp2)
print("Cle finale : " + des_block.int2bin(key.value, 56))
return key
def __partition(self, msg): """ Return the estimated partition of the message, according to sbox-key couples used to initialize key_estimator. The keys of these couples are either hypothetic or known (previously disclosed). """ ip= des_block.des_block(msg, 64).ip() l0= ip.subblock(0,32) r0= ip.subblock(32,64) e0= r0.e() s0=l0.xor(r0).p(-1) # Computes function selection of attacked or previously disclosed SBox if REGL: w= l0.xor(r0).hw() # Taking R0->L1 tranfert into account else: w= 0 for sbox,key in self.__sbox_key_list: e0_0= e0.subblock(sbox*6, (sbox+1)*6) s0_0= s0.subblock(sbox*4, (sbox+1)*4) db_key= des_block.__from_int__(key, 6) w+= weight( e0_0.xor(db_key).s(sbox).xor(s0_0) ) return float( w )
def __partition(self, msg): """ Return the estimated partition (\in [0,4]) of the message, according to the current sbox and the current key. The partitioning is done with respect to Brier's original CPA. """ ip= des_block.des_block(msg, 64).ip() l0= ip.subblock(0,32) r0= ip.subblock(32,64) e0= r0.e().subblock(self.__sbox*6, (self.__sbox+1)*6) s0= l0.xor(r0).p(-1).subblock(self.__sbox*4, (self.__sbox+1)*4) return float( weight( e0.xor(self.__key).s(self.__sbox).xor(s0) ))
def process2(self, msg, trace): """ Idem, for second round """ intermediary= des_block.des_block(msg, 64) l0= intermediary.subblock(0, 32) r0= intermediary.subblock(32,64) l0= r0.concat( l0.xor( r0.f(self.__first_subkey) ) ) intermediary= l0.subblock(32, 64).concat( l0.subblock(0, 32) ) for i in range( len(self.__sbox_breakers2) ): self.__sbox_breakers2[i].process( intermediary, trace )
def get_key(self, msg, crypt): """ Guess the 8 last bits of the full key, using cryptogram. Return the key if found, None elsewhere. """ # Building turn_key turn_key= des_block.des_block() for sb in self.__sbox_breakers: turn_key= turn_key.concat( des_block.__from_int__(sb.get_key(),6) ) # Computing uncomplete initial_key cd1= turn_key.pc2(-1) c0 = cd1.subblock(0,28).rs(1) d0 = cd1.subblock(28,56).rs(1) uncomp_cd0= c0.concat(d0) # Trying encipherement with the remaining 256 possible keys for i in range(256): cd0= uncomp_cd0.fill( des_block.__from_int__(i, 8) ) key= cd0.pc1(-1).fill( des_block.__from_int__(0, 8) ) cip= des_block.des_block(msg, 64).encipher(key) if cip.value() == des_block.des_block(crypt,64).value(): return key return None
def __partition(self, msg): """ Return the estimated partition (True or False) of the message, according to the current sbox and the current key. The partitioning is done with respect to P. Kocher's original `difference of means' algorithm applied on the first round (using the sbox output bit #0 (MSB) if __BIT__=0). """ ip= des_block.des_block(msg, 64).ip() l0= ip.subblock(0,32) r0= ip.subblock(32,64) e0= (r0.e()).subblock(self.__sbox*6, (self.__sbox+1)*6) s0= ((l0.xor(r0)).p(-1)).subblock(self.__sbox*4, (self.__sbox+1)*4) return (((e0.xor(self.__key)).s(self.__sbox)).xor(s0)).get(__BIT__)
def __partition(self, msg,key): """ Return the estimated partition (\in [0,12]) of the message, according to the current sboxes and the current key. The partitioning is done with respect to Brier's original CPA. """ ip= des_block.des_block(msg, 64).ip() l0= ip.subblock(0,32) r0= ip.subblock(32,64) key1 = des_block.__from_int__((key & 0xFC0)>>6,6) key2 = des_block.__from_int__(key,6) e0= r0.e().subblock(self.__sbox*6, (self.__sbox+1)*6) e0_1 = r0.e().subblock( (self.__sbox+1)*6, (self.__sbox+2)*6) s0= l0.xor(r0).p(-1).subblock(self.__sbox*4, (self.__sbox+1)*4) s0_1= l0.xor(r0).p(-1).subblock((self.__sbox+1)*4, (self.__sbox+2)*4) return float( weight( e0.xor(key1).s(self.__sbox).xor(s0) ) + weight(e0_1.xor(key2).s(self.__sbox+1).xor(s0_1) ) )
def verify(self):
"""
Verify that ciphertext = Encrypt(plaintext, key) and delete those which fail this test (due to comms error)
"""
count = 0
# Generate hypotheticals
for i in range(self.acq.numTraces):
ptStr = self.ptNumpyArray2String(self.acq.inputtext[i])
ctStr1 = (des_block.des_block(ptStr,64)).encipher(self.key)
ctStr2 = self.ptNumpyArray2String(self.acq.outputtext[i])
if (ctStr1 != ctStr2):
acq.traces = np.delete(acq.traces, i, axis=0)
acq.inputtext = np.delete(acq.inputtext, i, axis = 0)
acq.outputtext = np.delete(acq.outputtext, i , axis =0)
count += 1
print "Deleted %d traces" % count
def verify(self):
"""
Verify that ciphertext = Encrypt(plaintext, key) and delete those which fail this test (due to comms error)
"""
count = 0
# Generate hypotheticals
for i in range(self.acq.numTraces):
ptStr = self.ptNumpyArray2String(self.acq.inputtext[i])
ctStr1 = (des_block.des_block(ptStr, 64)).encipher(self.key)
ctStr2 = self.ptNumpyArray2String(self.acq.outputtext[i])
if (ctStr1 != ctStr2):
acq.traces = np.delete(acq.traces, i, axis=0)
acq.inputtext = np.delete(acq.inputtext, i, axis=0)
acq.outputtext = np.delete(acq.outputtext, i, axis=0)
count += 1
print "Deleted %d traces" % count
def __begin_second_round__(self):
"""
Calcul des bits deja connus au tour 2
"""
turn_key= des_block.des_block()
for sb in self.__sbox_breakers:
turn_key= turn_key.concat( des_block.__from_int__(sb.get_key(),6) )
# turn_key= des_block.des_block("FFFFFFFFFFFF", 48)
print("Premiere sous-cle : " + str(turn_key))
self.__first_subkey= turn_key
cd1= turn_key.pc2(-1)
c0 = cd1.subblock(0,28).ls(1)
d0 = cd1.subblock(28,56).ls(1)
subkey2= c0.concat(d0).pc2(1)
for i in [0,1,2,4,6,7]:
print("Attaque de la boite S" + str(i) + " avec la cle partielle " + str(subkey2.subblock(6*i, 6*i+6).value))
self.__sbox_breakers2.append( sbox_breaker2(i, subkey2.subblock(6*i, 6*i+6).value) )
def __init__(self, acq):
self.acq = acq
self.distList = None
self.key = des_block.des_block("deadbeefcafebabe", 64)
self.des = DES.new('\xde\xad\xbe\xef\xca\xfe\xba\xbe', DES.MODE_ECB)
def __init__(self, acq):
self.acq = acq
self.distList = None
self.key = des_block.des_block("deadbeefcafebabe", 64)
self.des = DES.new('\xde\xad\xbe\xef\xca\xfe\xba\xbe', DES.MODE_ECB)
import des_block
msg= des_block.des_block("42c331daf2e07d88", 64)
key= des_block.des_block("6a64786a64786a64", 64)
print "msg", msg
print "key", key
print "cryptogram", msg.encipher(key)
