# DPA on AES cryptosystem
In this notebook you will learn about AES and how the secret key can be recovered with a differential power analysis (DPA) attack.

**Goals:**
* Learn what AES is and how it works
* Learn about leakage bits
* Perform a DPA attack on AES

#### Prerequisites
- [x] *0_series* notebooks 
- [x] *1_series* notebooks

## AES - Advanced Encryption Standard
As mentioned in the previous notebook, AES is a symmetric cryptosystem: the same secret key is used to encrypt and to decrypt messages. The version of AES we will program on the target is AES128. The 128 means that the secret key is 128 bits (= 16 bytes) long. To encrypt a message with AES, the message is split into pieces as large as the key. Those pieces are then encrypted separately to end up with the fully encrypted text. For simplicity's sake, we will only use messages that are the same size as the key to find that secret key.

### How to attack AES
To encrypt a plain text (16 bytes long), the AES algorithm encrypts one byte at a time, using the corresponding byte of the key. Let's look at a small visualization:
```
    secret_key = 0x01 23 45 67 .. (16 bytes long)
    plain_text = 0xAB CD EF 98 .. (16 bytes long)
    
    1) The first byte of the key is used to encrypt the first byte of the plain text:
        0x01 is used to encrypt 0xAB
    
    2) The second byte of the key is used to encrypt the second byte of the plain text:
        0x23 is used to encrypt 0xCD
    
    3) The third byte of the key is used to encrypt the third byte of the plain text.
    
    .
    .
    .
    
    16) The last byte of the key is used to encrypt the last byte of the plain text.
```

The beauty of the attack we are going to perform is that we can use this implementation of AES to figure out the secret key one byte at a time, by trying every value that a byte can take. You might think that this is the same as just trying every possible key, but let's quickly look at the maths.
```
    Trying to guess the full 16-byte key at once:
        There are 2^(16*8) possibilities = 3.4028237*10^38
    
    But what if we try to guess each byte separately:
        There are 2^(1*8) possibilities per byte = 256
        We need to find 16 bytes, so the total number of possibilities is 256*16 = 4096
```

Compared to 3.4*10^38 the number 4096 is really small. More importantly, it is small enough to let a computer try all those 4096 possibilities in just a couple of seconds.

All right, the important thing we need to know now is how we decide if our guess for the key was correct or not. We will never be able to tell from one guessed byte if it was the correct one or not. But we can look at the system while it is checking our guesses (side channel analysis). If we compare our observations for every guess we will see that with one of our guesses the system will behave differently, because that guess was correct. The thing we will be observing is the power consumption of the device. That train of thought is how we will be able to recover the hidden key in the target.

To know exactly how we are going to practically do this, keep reading.

### Inner workings of AES
In order to perform a successful attack later on, we need to know a bit more about how AES encrypts/decrypts each byte (to follow along, see the image below). In the first steps the plain text byte is `XOR`'ed with the key byte. That produces a new byte (the `xor_byte`) that is used to look up a value in a predetermined `SBOX`. An SBOX is nothing more than a table with 16\*16 values. The SBOX produces a new byte (the `sbox_byte`) by taking the value stored at the following position in the SBOX: `SBOX[first_4_bits_xor_byte][last_4_bits_xor_byte]`. That `sbox_byte` is then encrypted even further, but what we know is already enough to perform a decent attack!

<img src="src/images/aes_byte_encrypt.png" alt="AES start encryption of a byte" width=800>
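
The XOR and SBOX lookup described above, together with the "compare the observations for every guess" idea, can be tried offline on simulated data. This is an added example, not code from the original notebook: the function names, the Hamming-weight-plus-noise leakage model and the constructed traces are assumptions, and no hardware is involved. It shows why an unprotected SBOX lookup lets a single predicted bit of `sbox_byte` (the leakage bit) single out the correct key byte.

```python
import random

def gmul(a, b):
    """Multiply two bytes in the AES field GF(2^8), modulus x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """Generate the AES SBOX: field inverse of the input, then the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()  # flat table: SBOX[xor_byte] equals SBOX[high nibble][low nibble]

def leakage_bit(pt_byte, key_guess, bit=0):
    """Predicted value of one bit of sbox_byte = SBOX[pt_byte XOR key_guess]."""
    return (SBOX[pt_byte ^ key_guess] >> bit) & 1

def simulate_traces(key_byte, repeats=20, noise=1.0, seed=1):
    """Constructed data: one power sample per encryption, modelled (assumption)
    as the Hamming weight of sbox_byte plus Gaussian noise."""
    rng = random.Random(seed)
    pts = list(range(256)) * repeats
    samples = [bin(SBOX[p ^ key_byte]).count("1") + rng.gauss(0, noise) for p in pts]
    return pts, samples

def dpa_scores(pts, samples, bit=0):
    """Per guess: split samples by the predicted leakage bit, return |mean1 - mean0|."""
    scores = []
    for guess in range(256):
        groups = ([], [])
        for p, s in zip(pts, samples):
            groups[leakage_bit(p, guess, bit)].append(s)
        scores.append(abs(sum(groups[1]) / len(groups[1]) - sum(groups[0]) / len(groups[0])))
    return scores

def recover_key_byte(pts, samples):
    scores = dpa_scores(pts, samples)
    return max(range(256), key=scores.__getitem__)
```

With the first key byte from the visualization above, `recover_key_byte(*simulate_traces(0x01))` returns `0x01`: only the correct guess sorts the samples into two groups whose means differ by about one unit of the modelled leakage.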

## Clean up

```python
# Disconnect from the scope and the target
scope.dis()
target.dis()
```

## Next step
Now you know or can:
* ??????????

???.

**Next notebook click here: [2_B - CPA on AES cryptosystem.ipynb](./2_B%20-%20CPA%20on%20AES%20cryptosystem.ipynb)**

### Supplemental Reading
* ???