Exemplo n.º 1
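def leakage(pt, ct, guess, bnum, setting, state):
    """Return the hypothetical leakage value for one byte under a key guess.

    Args:
        pt: Plaintext bytes; indexed by ``bnum`` in the first-round and
            S-Box input/output models.
        ct: Ciphertext bytes; indexed only by the last-round state model.
        guess: Key-byte hypothesis XORed into the selected data byte.
        bnum: Index of the byte being modelled.
        setting: One of the ``LEAK_*`` model selectors.
        state: Not read by any model implemented here.

    Returns:
        The result of ``getHW`` applied to the modelled intermediate value.

    Raises:
        NotImplementedError: For the two "successive" HD selectors, which
            have no implementation in this function.
        ValueError: If ``setting`` is not one of the known selectors.
    """

    if setting == LEAK_HW_SBOXOUT_FIRSTROUND:
        # Classic HW of S-Box output
        return getHW(sbox(pt[bnum] ^ guess))

    elif setting == LEAK_HW_INVSBOXOUT_FIRSTROUND:
        # HW Leakage of inverse S-Box (AES Decryption)
        return getHW(inv_sbox(pt[bnum] ^ guess))

    elif setting == LEAK_HD_LASTROUND_STATE:
        # HD Leakage of AES State between 9th and 10th Round
        # Used to break SASEBO-GII / SAKURA-G
        st10 = ct[INVSHIFT[bnum]]
        st9 = inv_sbox(ct[bnum] ^ guess)
        return getHW(st9 ^ st10)

    elif setting == LEAK_HD_SBOX_IN_OUT:
        # Leakage from HD of S-Box input to output
        st1 = pt[bnum] ^ guess
        st2 = sbox(st1)
        return getHW(st1 ^ st2)

    elif setting in (LEAK_HD_SBOX_IN_SUCCESSIVE, LEAK_HD_SBOX_OUT_SUCCESSIVE):
        # These selectors were accepted but fell through and returned None,
        # handing the caller a non-numeric hypothesis. Fail loudly instead.
        raise NotImplementedError(
            "Leakage model not implemented: %s" % str(setting))

    else:
        raise ValueError("Invalid setting: %s" % str(setting))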
Exemplo n.º 2
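def leakage(pt, ct, guess, bnum, setting, state):
    """Compute the modelled leakage of byte ``bnum`` for key hypothesis ``guess``.

    ``setting`` selects the model. The first-round and S-Box in/out models
    read ``pt``; the last-round state model reads ``ct``. ``state`` is not
    read by any branch below.

    Returns the ``getHW`` value of the selected intermediate.

    Raises:
        NotImplementedError: ``setting`` names one of the two "successive"
            HD models, for which no computation exists here.
        ValueError: ``setting`` is not a recognised selector.
    """
    if setting == LEAK_HW_SBOXOUT_FIRSTROUND:
        # Classic HW of S-Box output
        return getHW(sbox(pt[bnum] ^ guess))

    if setting == LEAK_HW_INVSBOXOUT_FIRSTROUND:
        # HW Leakage of inverse S-Box (AES Decryption)
        return getHW(inv_sbox(pt[bnum] ^ guess))

    if setting == LEAK_HD_LASTROUND_STATE:
        # HD Leakage of AES State between 9th and 10th Round
        # Used to break SASEBO-GII / SAKURA-G
        st10 = ct[INVSHIFT[bnum]]
        st9 = inv_sbox(ct[bnum] ^ guess)
        return getHW(st9 ^ st10)

    if setting == LEAK_HD_SBOX_IN_OUT:
        # Leakage from HD of S-Box input to output
        st1 = pt[bnum] ^ guess
        return getHW(st1 ^ sbox(st1))

    if setting == LEAK_HD_SBOX_IN_SUCCESSIVE or setting == LEAK_HD_SBOX_OUT_SUCCESSIVE:
        # Previously a bare ``pass``: the function returned None for a
        # selector it claims to know. Report the gap explicitly.
        raise NotImplementedError(
            "Leakage model not implemented: %s" % str(setting))

    raise ValueError("Invalid setting: %s" % str(setting))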
Exemplo n.º 3
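def HypHW(pt, ct, key, bnum):
    """Return the hypothetical Hamming weight for one byte under a key guess.

    Supply either ``pt`` or ``ct``. If both are given, ``pt`` takes
    precedence because it is checked first.

    Args:
        pt: Plaintext bytes, or None.
        ct: Ciphertext bytes, or None.
        key: Key-byte guess XORed with the selected data byte.
        bnum: Index of the byte to model.

    Returns:
        ``getHW(sbox(pt[bnum] ^ key))`` for plaintext input, or
        ``getHW(inv_sbox(ct[bnum] ^ key))`` for ciphertext input.

    Raises:
        ValueError: If both ``pt`` and ``ct`` are None.
    """
    # Identity test rather than ``!= None``: on array-like inputs ``!=`` can
    # produce an elementwise result whose truth value is ambiguous.
    if pt is not None:
        return getHW(sbox(pt[bnum] ^ key))
    if ct is not None:
        return getHW(inv_sbox(ct[bnum] ^ key))
    raise ValueError("Must specify PT or CT")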
Exemplo n.º 4
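def HypHD(pt, ct, key, bnum):
    """Return the hypothetical Hamming distance for one byte under a key guess.

    Only ciphertext input is supported. Passing a plaintext is rejected,
    and ``pt`` is checked first, so it must be None for the ciphertext
    path to run.

    Args:
        pt: Must be None; any other value raises ValueError.
        ct: Ciphertext bytes.
        key: Key-byte guess XORed with ``ct[bnum]``.
        bnum: Index of the byte to model.

    Returns:
        ``getHW`` of ``inv_sbox(ct[bnum] ^ key) ^ ct[INVSHIFT[bnum]]``.

    Raises:
        ValueError: If ``pt`` is given, or if both ``pt`` and ``ct`` are None.
    """
    # Identity test rather than ``!= None``: on array-like inputs ``!=`` can
    # produce an elementwise result whose truth value is ambiguous, which
    # would mask the intended error message below.
    if pt is not None:
        raise ValueError("First-Round HD isn't possible")
    if ct is not None:
        st10 = ct[INVSHIFT[bnum]]
        st9 = inv_sbox(ct[bnum] ^ key)
        return getHW(st9 ^ st10)
    raise ValueError("Must specify PT or CT")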
Exemplo n.º 5
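def HypHW(pt, ct, key, bnum):
    """Return the hypothetical Hamming weight for one byte under a key guess.

    Supply either ``pt`` or ``ct``. If both are given, ``pt`` takes
    precedence because it is checked first.

    Args:
        pt: Plaintext bytes, or None.
        ct: Ciphertext bytes (at least 16 are indexed), or None.
        key: Key-byte guess.
        bnum: Index of the byte to model.

    Returns:
        ``getHW(sbox(pt[bnum] ^ key))`` for plaintext input. For ciphertext
        input, ``getHW(inv_sbox(result[bnum] ^ key))`` where ``result`` is
        the ciphertext after the fixed transformation described below.

    Raises:
        ValueError: If both ``pt`` and ``ct`` are None.
    """
    # Identity test rather than ``!= None``: on array-like inputs ``!=`` can
    # produce an elementwise result whose truth value is ambiguous.
    if pt is not None:
        return getHW(sbox(pt[bnum] ^ key))
    if ct is not None:
        # NOTE(review): this 16-byte value is hard-coded, so the ciphertext
        # path only matches data produced under that one key. It presumably
        # is a known round key of a specific capture - confirm, and pass it
        # in rather than embedding it.
        knownkey = [0xae, 0x83, 0xc1, 0xa5, 0x6b, 0xcb, 0xc6, 0x46,
                    0x55, 0xa3, 0xbf, 0x8d, 0x58, 0xfa, 0x20, 0x6d]
        a = AES()
        xored = [knownkey[i] ^ ct[i] for i in range(16)]
        # The second argument True presumably selects the inverse operation
        # of each step - verify against the AES helper class.
        # None of this depends on ``key`` or ``bnum``, so it is recomputed
        # identically for every guess on the same ciphertext.
        block = a.mapin(xored)
        block = a.shiftRows(block, True)
        block = a.subBytes(block, True)
        block = a.mixColumns(block, True)
        block = a.shiftRows(block, True)
        result = a.mapout(block)
        return getHW(inv_sbox(result[bnum] ^ key))
    raise ValueError("Must specify PT or CT")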
Exemplo n.º 6
    def getPartitionNum(self, trace, tnum):
        """Return 16 per-byte partition values for trace number ``tnum``.

        Each value is ``getHW`` of ``inv_sbox(ct[i] ^ k[i]) ^ ct[INVSHIFT[i]]``,
        where ``ct`` is the trace's text output and ``k`` is the key returned
        by ``keyScheduleRounds`` for the trace's known key.

        Raises:
            ValueError: If the known key is not 16 bytes long.
        """
        initial_key = trace.getKnownKey(tnum)
        textout = trace.getTextout(tnum)

        # Only 16-byte keys are handled; other lengths are rejected before
        # the key schedule is run.
        if len(initial_key) != 16:
            raise ValueError("Need to implement for selected AES")

        # Convert the initial key to the final-round key (10 rounds).
        round_key = keyScheduleRounds(initial_key, 0, 10)

        def hd_byte(idx):
            after = textout[INVSHIFT[idx]]
            before = inv_sbox(textout[idx] ^ round_key[idx])
            return getHW(before ^ after)

        return [hd_byte(idx) for idx in range(16)]
Exemplo n.º 7
    def getPartitionNum(self, trace, tnum):
        """Compute the 16-entry partition list for the trace at index ``tnum``.

        The trace's known key is run through ``keyScheduleRounds`` and then
        combined with the trace's text output, byte by byte, as
        ``getHW(inv_sbox(ct[i] ^ key[i]) ^ ct[INVSHIFT[i]])``.

        Raises:
            ValueError: If the known key length is anything other than 16.
        """
        known_key = trace.getKnownKey(tnum)
        ciphertext = trace.getTextout(tnum)

        # Initial key -> final-round key; only the 16-byte (10-round) case
        # is implemented.
        if len(known_key) == 16:
            num_rounds = 10
        else:
            raise ValueError("Need to implement for selected AES")
        final_key = keyScheduleRounds(known_key, 0, num_rounds)

        partitions = []
        for pos in range(16):
            state_after = ciphertext[INVSHIFT[pos]]
            state_before = inv_sbox(ciphertext[pos] ^ final_key[pos])
            partitions.append(getHW(state_before ^ state_after))
        return partitions
Exemplo n.º 8
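def HypHW(pt, ct, key, bnum):
    """Return the hypothetical Hamming weight of one byte for a key guess.

    Give either ``pt`` or ``ct``; ``pt`` is checked first and wins when both
    are present.

    Args:
        pt: Plaintext bytes, or None.
        ct: Ciphertext bytes (indices 0..15 are read), or None.
        key: Key-byte guess.
        bnum: Index of the byte to model.

    Returns:
        For plaintext, ``getHW(sbox(pt[bnum] ^ key))``. For ciphertext, the
        ciphertext is first XORed with a fixed 16-byte value and passed
        through a fixed sequence of ``AES`` helper steps; the result byte at
        ``bnum`` is XORed with ``key`` and the ``getHW`` of its ``inv_sbox``
        is returned.

    Raises:
        ValueError: If neither ``pt`` nor ``ct`` is supplied.
    """
    # ``is not None`` instead of ``!= None``: the inequality operator may be
    # overloaded by array-like inputs and then cannot be used as a condition.
    if pt is not None:
        return getHW(sbox(pt[bnum] ^ key))
    elif ct is not None:
        # NOTE(review): hard-coded key material. This ties the ciphertext
        # model to a single key and embeds it in source; presumably a known
        # round key for one experiment - confirm and make it an input.
        knownkey = [
            0xae, 0x83, 0xc1, 0xa5, 0x6b, 0xcb, 0xc6, 0x46, 0x55, 0xa3, 0xbf,
            0x8d, 0x58, 0xfa, 0x20, 0x6d
        ]
        a = AES()
        xored = [knownkey[i] ^ ct[i] for i in range(16)]
        # The True flag presumably requests the inverse of each step -
        # verify against the AES helper. The block below is independent of
        # ``key`` and ``bnum``.
        block = a.mapin(xored)
        block = a.shiftRows(block, True)
        block = a.subBytes(block, True)
        block = a.mixColumns(block, True)
        block = a.shiftRows(block, True)
        result = a.mapout(block)
        return getHW(inv_sbox(result[bnum] ^ key))
    else:
        raise ValueError("Must specify PT or CT")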