def cpa_attack_trace_set(trace_set, result, conf):
if result.guess_sample_score_matrix is None:
raise EMMAException("Score matrix is not initialized.")
if not trace_set.windowed:
logger.warning("Trace set not windowed. Skipping attack.")
return
if trace_set.num_traces <= 0:
logger.warning("Skipping empty trace set.")
return
hypotheses = np.empty([256, trace_set.num_traces])
# 1. Build hypotheses for all 256 possibilities of the key and all traces
leakage_model = LeakageModel(conf)
for subkey_guess in range(0, 256):
for i in range(0, trace_set.num_traces):
hypotheses[subkey_guess, i] = leakage_model.get_trace_leakages(
trace=trace_set.traces[i],
subkey_start_index=conf.subkey,
key_hypothesis=subkey_guess)
# 2. Given point j of trace i, calculate the correlation between all hypotheses
for j in range(0, trace_set.window.size):
# Get measurements (columns) from all traces
measurements = np.empty(trace_set.num_traces)
for i in range(0, trace_set.num_traces):
measurements[i] = trace_set.traces[i].signal[j]
# Correlate measurements with 256 hypotheses
for subkey_guess in range(0, 256):
# Update correlation
result.guess_sample_score_matrix.update(
(subkey_guess, j), hypotheses[subkey_guess, :], measurements)
def test_hmac_hw(self):
fake_pt = np.array([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08], dtype=np.uint8)
fake_key = np.array([0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80], dtype=np.uint8)
trace = Trace(signal=[], plaintext=fake_pt, ciphertext=[], key=fake_key, mask=[])
lm = LeakageModel(Namespace(leakage_model="hmac_hw", key_low=0, key_high=1))
self.assertEqual(lm.subkey_size, 4) # HMAC uses subkeys of size 4
leakage_subkey_0 = lm.get_trace_leakages(trace, 0) # hw32(0x40302010)
leakage_subkey_1 = lm.get_trace_leakages(trace, 1) # hw32(0x80706050)
self.assertEqual(leakage_subkey_0[0], hw32(0x40302010))
self.assertEqual(leakage_subkey_1[0], hw32(0x80706050))
self.assertEqual(leakage_subkey_0[1], hw32(0x40302010 ^ 0x36363636))
self.assertEqual(leakage_subkey_1[1], hw32(0x80706050 ^ 0x36363636))
self.assertEqual(leakage_subkey_0[2], hw32(0x40302010 ^ 0x5c5c5c5c))
self.assertEqual(leakage_subkey_1[2], hw32(0x80706050 ^ 0x5c5c5c5c))
def _get_correlation_loss(conf):
num_outputs = LeakageModel.get_num_outputs(conf)
num_keys = conf.key_high - conf.key_low
def correlation_loss(y_true_raw, y_pred_raw):
"""
Custom loss function that calculates the Pearson correlation of the prediction with
the true values over a number of batches.
"""
if num_outputs > num_keys:
y_true_raw = K.reshape(y_true_raw, (-1, num_keys))
y_pred_raw = K.reshape(y_pred_raw, (-1, num_keys))
# y_true_raw = K.print_tensor(y_true_raw, message='y_true_raw = ') # Note: print truncating is incorrect in the print_tensor function
# y_pred_raw = K.print_tensor(y_pred_raw, message='y_pred_raw = ')
y_true = (
y_true_raw - K.mean(y_true_raw, axis=0, keepdims=True)
) # We are taking correlation over columns, so normalize columns
y_pred = (y_pred_raw - K.mean(y_pred_raw, axis=0, keepdims=True))
loss = K.variable(0.0)
for key_col in range(0, conf.key_high - conf.key_low): # 0 - 16
y_key = K.expand_dims(y_true[:, key_col],
axis=1) # [?, 16] -> [?, 1]
y_keypred = K.expand_dims(y_pred[:, key_col],
axis=1) # [?, 16] -> [?, 1]
denom = K.sqrt(K.dot(K.transpose(y_keypred), y_keypred)) * K.sqrt(
K.dot(K.transpose(y_key), y_key))
denom = K.maximum(denom, K.epsilon())
correlation = K.dot(K.transpose(y_key), y_keypred) / denom
loss += 1.0 - correlation
return loss
return correlation_loss
def __perform_classification_attack(emma):
for subkey in range(emma.conf.key_low, emma.conf.key_high):
emma.conf.subkey = subkey # Set in conf, so the workers know which subkey to attack
async_result = parallel_work(emma.dataset_val.trace_set_paths,
emma.conf,
merge_results=False)
celery_results = wait_until_completion(async_result,
message="Classifying")
lm_outputs = LeakageModel(
emma.conf
).onehot_outputs # Determine leakage model number of outputs (classes)
predict_count = np.zeros(lm_outputs, dtype=int)
label_count = np.zeros(lm_outputs, dtype=int)
logprobs = np.zeros(lm_outputs, dtype=float)
accuracy = 0
num_samples = 0
# Get results from all workers and store in prediction dictionary
for celery_result in celery_results:
em_result = celery_result.get()
assert (len(em_result.labels) == len(em_result.predictions))
for i in range(0, len(em_result.labels)):
label = em_result.labels[i]
prediction = em_result.predictions[i]
logprob = em_result.logprobs[i]
if label == prediction:
accuracy += 1
predict_count[prediction] += 1
label_count[label] += 1
num_samples += 1
logprobs += np.array(logprob)
accuracy /= float(num_samples)
print("Labels")
print(label_count)
print("Predictions")
print(predict_count)
print("Best argmax prediction: %02x (hex)" % np.argmax(predict_count))
print("Argmax accuracy: %.4f" % accuracy)
if np.sum(label_count) == np.max(label_count):
print("Best logprob prediction: %02x" % np.argmax(logprobs))
print("True key : %02x" % np.argmax(label_count))
else:
print(
"WARNING: logprob prediction not available because there is more than 1 true key label."
)
def _preprocess_trace_set(self, trace_set):
"""
Preprocess trace_set specifically for AICorrNet
"""
# Get model inputs (usually the trace signal)
signals = AIInput(self.conf).get_trace_set_inputs(trace_set)
# Get model labels (key byte leakage values to correlate / analyze)
values = LeakageModel(self.conf).get_trace_set_leakages(trace_set)
return signals, values
class SignalLeakageAIInput(AIInput):
input_type = AIInputType.SIGNAL_LEAKAGE
def __init__(self, conf):
super().__init__(conf)
self.leakage_model = LeakageModel(conf)
def get_trace_inputs(self, trace):
leakages = []
for k in range(16):
leakage = self.leakage_model.get_trace_leakages(trace, k)
if isinstance(leakage, list) or isinstance(leakage, np.ndarray):
leakages.extend(list(leakage))
else:
leakages.append(leakage)
leakages = np.array(leakages)
return np.concatenate((trace.signal, leakages))
def __init__(self, conf, input_dim, name="aicorrnet"):
super(AICorrNet, self).__init__(conf, name)
#optimizer = keras.optimizers.SGD(lr=0.1, decay=1e-6, momentum=0.9, nesterov=True)
#optimizer = keras.optimizers.Adam(lr=0.00001, beta_1=0.9, beta_2=0.999, decay=0.0)
if self.cnn:
optimizer = keras.optimizers.Nadam(lr=conf.lr / 10.0)
else:
optimizer = keras.optimizers.Nadam(lr=conf.lr)
#optimizer = keras.optimizers.Adadelta()
if not self.cnn:
self.model = Sequential()
#initializer = keras.initializers.Constant(value=1.0/input_dim)
#initializer = keras.initializers.Constant(value=0.5)
#initializer = keras.initializers.Constant(value=1.0)
#initializer = keras.initializers.RandomUniform(minval=0, maxval=1.0, seed=None)
#initializer = keras.initializers.RandomUniform(minval=0, maxval=0.001, seed=None)
initializer = 'glorot_uniform'
#constraint = Clip()
constraint = None
# Hidden layers
for i in range(0, self.n_hidden_layers):
hidden_nodes = conf.n_hidden_nodes
self.model.add(
Dense(hidden_nodes,
input_dim=input_dim,
use_bias=self.use_bias,
activation=None,
kernel_initializer=initializer,
kernel_regularizer=str_to_reg(
self.reg, self.reg_lambda)))
input_dim = hidden_nodes
if self.batch_norm:
self.model.add(BatchNormalization(momentum=self.momentum))
self.model.add(str_to_activation(self.activation))
# Output layer
extra_outputs = 1 if conf.loss_type == 'correlation_special' else 0
self.model.add(
Dense(LeakageModel.get_num_outputs(conf) + extra_outputs,
input_dim=input_dim,
use_bias=self.use_bias,
activation=None,
kernel_initializer=initializer,
kernel_constraint=constraint,
kernel_regularizer=str_to_reg(self.regfinal,
self.reg_lambda)))
if self.batch_norm:
self.model.add(BatchNormalization(momentum=0.1))
self.model.add(str_to_activation(self.activation))
else:
from ascad.ASCAD_train_models import cnn_best_nosoftmax
self.model = cnn_best_nosoftmax(input_shape=(input_dim, 1),
classes=conf.key_high -
conf.key_low)
# Compile model
self.model.compile(optimizer=optimizer, loss=self.loss, metrics=[])
# Custom callbacks
self.callbacks['tensorboard'] = CustomTensorboard(
log_dir='/tmp/keras/' + self.name + '-' + self.id,
freq=self.metric_freq)
if not conf.norank:
self.callbacks['rank'] = rankcallbacks.CorrRankCallback(
conf,
'/tmp/keras/' + self.name + '-' + self.id + '/rank/',
save_best=True,
save_path=self.model_path)
def test_corrtrain_correlation_multi(self):
from emma.attacks.leakagemodels import LeakageModel
"""
Artificial example to test AICorrNet and trace processing with multiple leakage values and multiple subkeys.
"""
# ------------------------------
# Generate data
# ------------------------------
traces = [ # Contains abs(trace). Shape = [trace, point]
[1, 1, 1, -15],
[-4, 2, 2, -12],
[10, 3, 3, 8],
[8, 1, 1, -14],
[9, 0, -3, 8],
]
plaintexts = [
[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 2, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 13, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 15, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
]
keys = [
[0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
[0, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
]
# Convert to numpy
traces = np.array(traces)
plaintexts = np.array(plaintexts)
keys = np.array(keys)
trace_set = TraceSet(name='test', traces=traces, plaintexts=plaintexts, keys=keys)
# ------------------------------
# Preprocess data
# ------------------------------
conf = Namespace(
max_cache=0,
augment_roll=False,
augment_noise=False,
normalize=False,
traces_per_set=4,
online=False,
dataset_id='qa',
cnn=False,
leakage_model=LeakageModelType.AES_MULTI,
input_type=AIInputType.SIGNAL,
augment_shuffle=True,
n_hidden_layers=1,
n_hidden_nodes=256,
activation='leakyrelu',
metric_freq=100,
regularizer=None,
reglambda=0.001,
model_suffix=None,
use_bias=True,
batch_norm=True,
hamming=False,
key_low=1,
key_high=3,
loss_type='correlation',
lr=0.001,
epochs=5000,
batch_size=512,
norank=False,
)
it_dummy = AICorrSignalIterator([], conf, batch_size=10000, request_id=None, stream_server=None)
x, y = it_dummy._preprocess_trace_set(trace_set)
# ------------------------------
# Train and obtain encodings
# ------------------------------
model = models.AICorrNet(conf, input_dim=4, name="test")
print(model.info())
rank_cb = rankcallbacks.CorrRankCallback(conf, '/tmp/deleteme/', save_best=False, save_path=None)
rank_cb.set_trace_set(trace_set)
if model.using_regularization:
print("Warning: cant do correlation loss test because regularizer will influence loss function")
return
# Find optimal weights
print("The x (EM samples) and y (leakage model values) are:")
print(x)
print(y)
print("When feeding x through the model without training, the encodings become:")
print(model.predict(x))
print("Training now")
model.train_set(x, y, save=False, epochs=conf.epochs, extra_callbacks=[rank_cb])
print("Done training")
# Get the encodings of the input data using the same approach used in ops.py corrtest (iterate over rows)
result = []
for i in range(0, x.shape[0]):
result.append(model.predict(np.array([x[i,:]], dtype=float))[0]) # Result contains sum of points such that corr with y[key_index] is maximal for all key indices. Shape = [trace, 16]
result = np.array(result)
print("When feeding x through the model after training, the encodings for key bytes %d to %d become:\n %s" % (conf.key_low, conf.key_high, str(result)))
# ------------------------------
# Check loss function
# ------------------------------
# Evaluate the model to get the loss for the encodings
predicted_loss = model.model.evaluate(x, y, verbose=0)
# Manually calculate the loss using numpy to verify that we are learning a correct correlation
calculated_loss = 0
num_keys = (conf.key_high - conf.key_low)
num_outputs = LeakageModel.get_num_outputs(conf) // num_keys
for i in range(0, num_keys):
subkey_hws = y[:, i*num_outputs:(i+1)*num_outputs]
subkey_encodings = result[:, i*num_outputs:(i+1)*num_outputs]
print("Subkey %d HWs : %s" % (i + conf.key_low, str(subkey_hws)))
print("Subkey %d encodings: %s" % (i + conf.key_low, str(subkey_encodings)))
y_key = subkey_hws.reshape([-1, 1])
y_pred = subkey_encodings.reshape([-1, 1])
print("Flattened subkey %d HWs : %s" % (i + conf.key_low, str(y_key)))
print("Flattened subkey %d encodings: %s" % (i + conf.key_low, str(y_pred)))
# Calculate correlation (numpy approach)
corr_key_i = np.corrcoef(y_pred[:, 0], y_key[:, 0], rowvar=False)[1,0]
print("corr_num: %s" % corr_key_i)
calculated_loss += 1.0 - corr_key_i
print("These values should be close:")
print("Predicted loss: %s" % str(predicted_loss))
print("Calculated loss: %s" % str(calculated_loss))
self.assertAlmostEqual(predicted_loss, calculated_loss, places=2)
def __init__(self, conf):
super().__init__(conf)
self.leakage_model = LeakageModel(conf)