def leakage(self, pt, ct, guess, bnum, state): if self.model == self.LEAK_HW_SBOXOUT_FIRSTROUND: # Classic HW of S-Box output return self.HW[sbox(pt[bnum] ^ guess)] elif self.model == self.LEAK_HW_INVSBOXOUT_FIRSTROUND: # HW Leakage of inverse S-Box (AES Decryption) return self.HW[inv_sbox(pt[bnum] ^ guess)] elif self.model == self.LEAK_HD_LASTROUND_STATE: # HD Leakage of AES State between 9th and 10th Round # Used to break SASEBO-GII / SAKURA-G st10 = ct[self.INVSHIFT[bnum]] st9 = inv_sbox(ct[bnum] ^ guess) return self.HW[st9 ^ st10] elif self.model == self.LEAK_HD_SBOX_IN_OUT: # Leakage from HD of S-Box input to output st1 = pt[bnum] ^ guess st2 = sbox(st1) return self.HW[st1 ^ st2] elif self.model == self.LEAK_HD_SBOX_IN_SUCCESSIVE: pass elif self.model == self.LEAK_HD_SBOX_OUT_SUCCESSIVE: pass else: raise ValueError("Invalid model: %s" % str(self.model))
def distinguisher(self, tnum, bnum, kguess): global HW_LUT st10 = self.ct[tnum][self.INVSHIFT_undo[bnum]] st9 = inv_sbox(self.ct[tnum][bnum] ^ kguess) # return st9 % 2 == 0 # return bin(st9).count("1") >= 2 return bin(st9).count("1") >= 3
def HypHW(self, pt, ct, key, bnum): """Given either plaintext or ciphertext (not both) + a key guess, return hypothetical hamming weight of result""" if pt != None: return self.HW[sbox(pt[bnum] ^ key)] elif ct != None: knownkey = [0xae, 0x83, 0xc1, 0xa5, 0x6b, 0xcb, 0xc6, 0x46, 0x55, 0xa3, 0xbf, 0x8d, 0x58, 0xfa, 0x20, 0x6d] a = AES() xored = [knownkey[i] ^ ct[i] for i in range(0, 16)] block = a.mapin(xored) block = a.shiftRows(block, True) block = a.subBytes(block, True) block = a.mixColumns(block, True) block = a.shiftRows(block, True) result = a.mapout(block) return self.HW[inv_sbox((result[bnum] ^ key))] else: raise ValueError("Must specify PT or CT")
def HypHW(self, pt, ct, key, bnum): """Given either plaintext or ciphertext (not both) + a key guess, return hypothetical hamming weight of result""" if pt != None: return self.HW[sbox(pt[bnum] ^ key)] elif ct != None: knownkey = [0xae, 0x83, 0xc1, 0xa5, 0x6b, 0xcb, 0xc6, 0x46, 0x55, 0xa3, 0xbf, 0x8d, 0x58, 0xfa, 0x20, 0x6d] a = AES() xored = [knownkey[i] ^ ct[i] for i in range(0, 16)] block = a.mapin(xored) block = a.shiftRows(block, True) block = a.subBytes(block, True) block = a.mixColumns(block, True) block = a.shiftRows(block, True) result = a.mapout(block) return self.HW[inv_sbox((result[bnum] ^ key))] else: raise ValueError("Must specify PT or CT")
def getPartitionNum(self, trace, tnum): key = trace.getKnownKey(tnum) ct = trace.getTextout(tnum) #Convert from initial key to final-round key, currently #this assumes AES if len(key) == 16: rounds = 10 else: raise ValueError("Need to implement for selected AES") key = keyScheduleRounds(key, 0, rounds) guess = [0] * 16 for i in range(0, 16): st10 = ct[AES128_8bit.INVSHIFT[i]] st9 = inv_sbox(ct[i] ^ key[i]) guess[i] = AES128_8bit.getHW(st9 ^ st10) return guess
def getPartitionNum(self, trace, tnum): key = trace.getKnownKey(tnum) ct = trace.getTextout(tnum) #Convert from initial key to final-round key, currently #this assumes AES if len(key) == 16: rounds = 10 else: raise ValueError("Need to implement for selected AES") key = keyScheduleRounds(key, 0, rounds) guess = [0] * 16 for i in range(0, 16): st10 = ct[AES128_8bit.INVSHIFT[i]] st9 = inv_sbox(ct[i] ^ key[i]) guess[i] = AES128_8bit.getHW(st9 ^ st10) return guess
def inv_sbox(self, data): """Helper function: performs AES inv-sbox on single byte""" return inv_sbox(data)
def leakage(self, pt, ct, key, bnum): # HD Leakage of AES State between 9th and 10th Round # Used to break SASEBO-GII / SAKURA-G st10 = ct[self.INVSHIFT_undo[bnum]] st9 = inv_sbox(ct[bnum] ^ key[bnum]) return (st9 ^ st10)
def leakage(self, pt, ct, key, bnum): # Alternate leakage st10 = ct[bnum] st9 = inv_sbox(ct[bnum] ^ key[bnum]) return (st9 ^ st10)
def inv_sbox(self, data): """Helper function: performs AES inv-sbox on single byte""" return inv_sbox(data)
def leakage(self, pt, ct, key, bnum): # HD Leakage of AES State between 9th and 10th Round # Used to break SASEBO-GII / SAKURA-G st10 = ct[self.INVSHIFT_undo[bnum]] st9 = inv_sbox(ct[bnum] ^ key[bnum]) return (st9 ^ st10)