Пример #1
    def leakage(self, pt, ct, guess, bnum, state):
        """Return the modelled leakage value for one key-byte guess.

        The result is a lookup in ``self.HW`` of an intermediate byte chosen
        by ``self.model``.

        Args:
            pt: Plaintext bytes; indexed with ``bnum`` by the first-round models.
            ct: Ciphertext bytes; indexed by the last-round model.
            guess: Candidate value for the key byte at position ``bnum``.
            bnum: Index of the byte being analysed.
            state: Not read by any branch of this method.

        Returns:
            ``self.HW[...]`` of the modelled intermediate, or ``None`` for the
            two ``*_SUCCESSIVE`` models, which have no implementation here.

        Raises:
            ValueError: If ``self.model`` matches none of the known constants.
        """
        model = self.model

        if model == self.LEAK_HW_SBOXOUT_FIRSTROUND:
            # Hamming weight of the first-round S-box output.
            sbox_out = sbox(pt[bnum] ^ guess)
            return self.HW[sbox_out]

        if model == self.LEAK_HW_INVSBOXOUT_FIRSTROUND:
            # Hamming weight of the inverse S-box output (AES decryption).
            inv_out = inv_sbox(pt[bnum] ^ guess)
            return self.HW[inv_out]

        if model == self.LEAK_HD_LASTROUND_STATE:
            # Hamming distance of the AES state between rounds 9 and 10; the
            # original author notes its use against SASEBO-GII / SAKURA-G.
            round10 = ct[self.INVSHIFT[bnum]]
            round9 = inv_sbox(ct[bnum] ^ guess)
            return self.HW[round9 ^ round10]

        if model == self.LEAK_HD_SBOX_IN_OUT:
            # Hamming distance between the S-box input and its output.
            sbox_in = pt[bnum] ^ guess
            return self.HW[sbox_in ^ sbox(sbox_in)]

        if (model == self.LEAK_HD_SBOX_IN_SUCCESSIVE
                or model == self.LEAK_HD_SBOX_OUT_SUCCESSIVE):
            # NOTE(review): both models are placeholders; the caller receives
            # None instead of a leakage value, so anything doing arithmetic
            # on the result has to handle that.
            return None

        raise ValueError("Invalid model: %s" % str(model))
Пример #2
    def getPartitionNum(self, trace, tnum):
        """Return the 16 per-byte partition values for trace ``tnum``.

        Each value is ``AES128_8bit.getHW(sbox(textin ^ key))`` for the byte
        at that position. The key is read with ``trace.getKnownKey``, so the
        method only applies to captures that carry a known key.

        Args:
            trace: Trace container providing ``getKnownKey`` and ``getTextin``.
            tnum: Index of the trace to partition.

        Returns:
            A list of 16 values, one per byte position.
        """
        known_key = trace.getKnownKey(tnum)
        textin = trace.getTextin(tnum)

        # Positions are indexed explicitly so inputs shorter than 16 bytes
        # still fail with IndexError instead of being silently truncated.
        return [
            AES128_8bit.getHW(sbox(textin[idx] ^ known_key[idx]))
            for idx in range(16)
        ]
Пример #3
    def getPartitionNum(self, trace, tnum):
        """Compute one partition number per AES state byte for trace ``tnum``.

        Every entry is ``AES128_8bit.getHW`` applied to the S-box output of
        ``textin[i] ^ key[i]``. The key comes from ``trace.getKnownKey``, so
        the trace set must have been recorded with a known key.

        Args:
            trace: Object exposing ``getKnownKey(tnum)`` and ``getTextin(tnum)``.
            tnum: Trace index.

        Returns:
            A 16-element list of partition values.
        """
        textin_key_pairs = (trace.getKnownKey(tnum), trace.getTextin(tnum))
        key_bytes, text_bytes = textin_key_pairs

        partitions = []
        for position in range(16):
            sbox_out = sbox(text_bytes[position] ^ key_bytes[position])
            partitions.append(AES128_8bit.getHW(sbox_out))
        return partitions
Пример #4
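 def HypHD(self, pt, ct, key, bnum):
     """Return the hypothetical Hamming distance for one key-byte guess.

     Exactly one of ``pt`` / ``ct`` is expected; ``pt`` takes precedence when
     both are given.

     Args:
         pt: Plaintext bytes, or ``None``.
         ct: Ciphertext bytes, or ``None``.
         key: Candidate value for the key byte at position ``bnum``.
         bnum: Index of the byte being analysed.

     Returns:
         ``self.HW`` of the XOR of the two modelled states.

     Raises:
         ValueError: If both ``pt`` and ``ct`` are ``None``.
     """
     # Identity test: ``!= None`` on an array-like input compares element by
     # element and cannot be used as a plain truth value.
     if pt is not None:
         # TODO (original author): this doesn't work too well, need to fix
         sbox_in = pt[bnum]
         sbox_out = sbox(sbox_in ^ key)
         return self.HW[sbox_in ^ sbox_out]

     if ct is not None:
         st10 = ct[self.INVSHIFT[bnum]]
         # The original wrapped this value in a list (``[ct[bnum] ^ key]``),
         # so the XOR below could not work on plain ints and the inverse
         # S-box step of the last-round model was missing.
         # NOTE(review): assumes inv_sbox is importable next to sbox - confirm.
         st9 = inv_sbox(ct[bnum] ^ key)
         return self.HW[st9 ^ st10]

     raise ValueError("Must specify PT or CT")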
Пример #5
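 def HypHD(self, pt, ct, key, bnum):
     """Return the hypothetical Hamming distance for one key-byte guess.

     Exactly one of ``pt`` / ``ct`` is expected; ``pt`` takes precedence when
     both are given.

     Args:
         pt: Plaintext bytes, or ``None``.
         ct: Ciphertext bytes, or ``None``.
         key: Candidate value for the key byte at position ``bnum``.
         bnum: Index of the byte being analysed.

     Returns:
         ``self.HW`` of the XOR of the two modelled states.

     Raises:
         ValueError: If both ``pt`` and ``ct`` are ``None``.
     """
     # Identity test: ``!= None`` on an array-like input compares element by
     # element and cannot be used as a plain truth value.
     if pt is not None:
         # TODO (original author): this doesn't work too well, need to fix
         sbox_in = pt[bnum]
         sbox_out = sbox(sbox_in ^ key)
         return self.HW[sbox_in ^ sbox_out]

     if ct is not None:
         st10 = ct[self.INVSHIFT[bnum]]
         # The original wrapped this value in a list (``[ct[bnum] ^ key]``),
         # so the XOR below could not work on plain ints and the inverse
         # S-box step of the last-round model was missing.
         # NOTE(review): assumes inv_sbox is importable next to sbox - confirm.
         st9 = inv_sbox(ct[bnum] ^ key)
         return self.HW[st9 ^ st10]

     raise ValueError("Must specify PT or CT")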
Пример #6
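 def HypHW(self, pt, ct, key, bnum):
     """Return the hypothetical Hamming weight for one key-byte guess.

     Exactly one of ``pt`` / ``ct`` is expected; ``pt`` takes precedence when
     both are given.

     Args:
         pt: Plaintext bytes, or ``None``.
         ct: Ciphertext bytes (at least 16), or ``None``.
         key: Candidate value for the key byte at position ``bnum``.
         bnum: Index of the byte being analysed.

     Returns:
         ``self.HW`` of the modelled intermediate byte.

     Raises:
         ValueError: If both ``pt`` and ``ct`` are ``None``.
     """
     # Identity test: ``!= None`` on an array-like input compares element by
     # element and cannot be used as a plain truth value.
     if pt is not None:
         return self.HW[sbox(pt[bnum] ^ key)]

     if ct is not None:
         # NOTE(review): this 16-byte value is embedded in the model and XORed
         # into every ciphertext - presumably the last round key of a single
         # test key. Results are then only meaningful for captures made with
         # that key; confirm, and supply it from the caller instead.
         knownkey = [0xae, 0x83, 0xc1, 0xa5, 0x6b, 0xcb, 0xc6, 0x46, 0x55, 0xa3, 0xbf, 0x8d, 0x58, 0xfa, 0x20, 0x6d]
         a = AES()
         xored = [knownkey[i] ^ ct[i] for i in range(16)]
         # The True flag presumably selects the inverse transform - confirm
         # against the AES helper class.
         block = a.mapin(xored)
         block = a.shiftRows(block, True)
         block = a.subBytes(block, True)
         block = a.mixColumns(block, True)
         block = a.shiftRows(block, True)
         result = a.mapout(block)
         return self.HW[inv_sbox(result[bnum] ^ key)]

     raise ValueError("Must specify PT or CT")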
Пример #7
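 def HypHW(self, pt, ct, key, bnum):
     """Return the hypothetical Hamming weight for one key-byte guess.

     Exactly one of ``pt`` / ``ct`` is expected; ``pt`` takes precedence when
     both are given.

     Args:
         pt: Plaintext bytes, or ``None``.
         ct: Ciphertext bytes (at least 16), or ``None``.
         key: Candidate value for the key byte at position ``bnum``.
         bnum: Index of the byte being analysed.

     Returns:
         ``self.HW`` of the modelled intermediate byte.

     Raises:
         ValueError: If both ``pt`` and ``ct`` are ``None``.
     """
     # Identity test: ``!= None`` on an array-like input compares element by
     # element and cannot be used as a plain truth value.
     if pt is not None:
         return self.HW[sbox(pt[bnum] ^ key)]

     if ct is not None:
         # NOTE(review): this 16-byte value is embedded in the model and XORed
         # into every ciphertext - presumably the last round key of a single
         # test key. Results are then only meaningful for captures made with
         # that key; confirm, and supply it from the caller instead.
         knownkey = [0xae, 0x83, 0xc1, 0xa5, 0x6b, 0xcb, 0xc6, 0x46, 0x55, 0xa3, 0xbf, 0x8d, 0x58, 0xfa, 0x20, 0x6d]
         a = AES()
         xored = [knownkey[i] ^ ct[i] for i in range(16)]
         # The True flag presumably selects the inverse transform - confirm
         # against the AES helper class.
         block = a.mapin(xored)
         block = a.shiftRows(block, True)
         block = a.subBytes(block, True)
         block = a.mixColumns(block, True)
         block = a.shiftRows(block, True)
         result = a.mapout(block)
         return self.HW[inv_sbox(result[bnum] ^ key)]

     raise ValueError("Must specify PT or CT")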
Пример #8
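 def HypHWXtime(self, pt, keyguess, numguess, keyknown, bnumknown):
     """Disabled model: always raises ``ValueError``.

     The intended result, given plaintext, a subkey guess, a known subkey and
     their byte numbers, is
     ``self.HW[xtime(sbox(pt[numguess] ^ keyguess) ^ sbox(pt[bnumknown] ^ keyknown))]``.
     The original author left open whether the Hamming weight or the bare
     ``xtime()`` value should be returned and blocked the method until that
     is settled.

     Args:
         pt: Plaintext bytes.
         keyguess: Candidate value for the subkey at ``numguess``.
         numguess: Byte number of the guessed subkey.
         keyknown: Known subkey value at ``bnumknown``.
         bnumknown: Byte number of the known subkey.

     Raises:
         ValueError: Always.
     """
     # The original computed both S-box outputs before raising and kept an
     # unreachable return after the raise; neither affected the outcome.
     raise ValueError("Should this be HW instead of just xtime()???")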
Пример #9
 def sbox(self, data):
     """Apply the AES S-box to a single byte.

     Thin method wrapper: the lookup itself is done by the module-level
     ``sbox`` function, which this method shares its name with.
     """
     substituted = sbox(data)
     return substituted
Пример #10
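 def HypHWXtime(self, pt, keyguess, numguess, keyknown, bnumknown):
     """Disabled model: always raises ``ValueError``.

     The intended result, given plaintext, a subkey guess, a known subkey and
     their byte numbers, is
     ``self.HW[xtime(sbox(pt[numguess] ^ keyguess) ^ sbox(pt[bnumknown] ^ keyknown))]``.
     The original author left open whether the Hamming weight or the bare
     ``xtime()`` value should be returned and blocked the method until that
     is settled.

     Args:
         pt: Plaintext bytes.
         keyguess: Candidate value for the subkey at ``numguess``.
         numguess: Byte number of the guessed subkey.
         keyknown: Known subkey value at ``bnumknown``.
         bnumknown: Byte number of the known subkey.

     Raises:
         ValueError: Always.
     """
     # The original computed both S-box outputs before raising and kept an
     # unreachable return after the raise; neither affected the outcome.
     raise ValueError("Should this be HW instead of just xtime()???")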
Пример #11
 def sbox(self, data):
     """Apply the AES S-box to a single byte.

     Thin method wrapper: the lookup itself is done by the module-level
     ``sbox`` function, which this method shares its name with.
     """
     substituted = sbox(data)
     return substituted