# AES Differential Side-channel Analysis: Guided attack with the API

<img src="images/Do-It-Yourself.jpg" width="300px">

---

## 2 - Prerequisites

For this HowTo, we will target an **AES**, so let's import what will be necessary from the eshard's API as well as the THS.

In [1]:
import scared

import matplotlib.pyplot as plt
plt.rcParams["figure.figsize"] = [20, 5]
GraphTitleFontSize = 14
    
import numpy as np

🤔 Is something missing?

😮 The selection function module !!?

Actualy no, as selection functions are related to the target algorithms, they lie into the target module itself:
```python
scared.aes.
```

Using the auto-completion as shown in HowTo/Tips will help you list all available selection function when using the scared API.

Now, let's get the trace acquisition campaign, our **ths**. Here, we use an ETS file.

---- 

### In this notebok we use the following Legend

-  🅰️ : Action to take
-  ✅ : Expected output

---
🅰️ Import the trace campaign you want to analyse

In [None]:
import estraces

In [None]:
ths = estraces.read_ths_from_ets_file(...)    

---
🅰️ Print the ths information, the ths len


In [None]:
print(...)

---
🅰️ Check the metadata for first 5 traces


In [None]:
plaintext = ths...
print(...)

Ciphertext = ths...
print(...)


Key = ths...
print(...)

---
🅰️ Visualize your traces from the ths information

Open the trace with maplotlib in the notebook

In [None]:
import matplotlib.pyplot as plt
plt.rcParams["figure.figsize"] = [20, 5]

TraceNumber = ...
traces = ...

plt.plot(....)
plt.show()


---
🅰️ Improve trace analysis with basic signal processing

We want to better identify the rounds and repetitive operations in the AES.
We can perform running mean, sum and var on the trace using esDynamic functionalities.

### We import the function from esDynamic

In [2]:
from scared.signal_processing import moving_operators as mov, pattern_detection as patt

--- 
🅰️ use the help to understand the function parameters

In [3]:
mov.moving_mean?

[0;31mSignature:[0m [0mmov[0m[0;34m.[0m[0mmoving_mean[0m[0;34m([0m[0mdata[0m[0;34m,[0m [0mwindow_size[0m[0;34m,[0m [0maxis[0m[0;34m=[0m[0;34m-[0m[0;36m1[0m[0;34m)[0m[0;34m[0m[0;34m[0m[0m
[0;31mDocstring:[0m
Move mean along specified axis with 'window_size' windows length.

Args:
    data (numpy.ndarray): N-dimensional array.
    window_size (int): windows length.
    axis (int): Axis over which to move window (default: -1).

Returns:
    (numpy.ndarray): N-dimensional array. The length on 'axis' dimension is: data.shape['axis'] - 'window_size' + 1.
[0;31mFile:[0m      /opt/anaconda3/lib/python3.7/site-packages/scared/signal_processing/moving_operators.py
[0;31mType:[0m      function


or use the help(..)

In [4]:
help(mov.moving_mean)

Help on function moving_mean in module scared.signal_processing.moving_operators:

moving_mean(data, window_size, axis=-1)
    Move mean along specified axis with 'window_size' windows length.
    
    Args:
        data (numpy.ndarray): N-dimensional array.
        window_size (int): windows length.
        axis (int): Axis over which to move window (default: -1).
    
    Returns:
        (numpy.ndarray): N-dimensional array. The length on 'axis' dimension is: data.shape['axis'] - 'window_size' + 1.



--- 
🅰️ Process the trace

In [None]:
#plot running average of traces 
period = 
TraceMean = ...

plt.plot(TraceMean.T)
plt.show()

--- 
🅰️ Same but use a widget to move the window size with a "slider"


In [None]:
from ipywidgets import *

In [None]:
def functionPlotWidget(period):


    #signal processing ... operation
    
    TraceMean = ...
    
    plt.plot(TraceMean.T)
    plt.show()   
   
interact(functionPlotWidget, period=(min...,max...,step...))

--- 
🅰️ Repeat the operation with other signal processing techniques

#### You are now able to easily distinguish the AES rounds and the operations.

--- 
🅰️ Where is the roundOne? Define its range.

In [None]:
RoundOne = range(...)

--- 
🅰️ Where is the last round? Define its range.

In [None]:
RoundSixteen = range(...)

## Are the traces misaligned?


--- 
🅰️ Print several traces, zoom-in and check if the trace set is aligned properly to run the attack

In [None]:
# use  MatplotLib ...



### Run a side-channel Differential Analysis (DPA)
 What are you going to find?

<img src="images/openTheDoor.jpeg" width="200px">

### Targeting the intermediate computations in the AES

As explained previously this attack technique needs to perform guesses on a part of the key (divide-and-conquer approach) and for each guess, knowing the plaintext (resp. the ciphertext) we can compute the intermediate data that is manipulated by the targeted device during the computation. Of course only the right guess will lead the values really manipulated by the device. In that case the DPA attack will succeed and gives the information the guess leading to highest DPA peak matches with the secret key.

<img src="images/AESscheme.png" width="300px">

### Perform the Attack on the first round

Knowing the plaintexts (AES inputs) we know the value given as input to the first AES (SPN) round.
Performing guesses on each key byte we can guess all the intermediate values of the first round and and use these values with DPA to exploit the related side-channel trace collected by performing the attack.
It can be the output of the key addition, the output of the Subbytes operations, and even in the MixColumn when using chosen messages.

--- 
🅰️ Configure the attack parameters

In [None]:
#(S) SelectionFunction
S = scared.

#(M) Model
M = scared.

#(d) Discriminant
d = scared.

### Now, we are all set to attack

With the right **Selection function (S)**, **Data model (M)**, **Distinguisher (D)** we can now create the attack.

--- 
🅰️ Define the traces container

In [None]:
container = scared...

--- 
🅰️ Setup the attack

In [None]:
attack_dpa = scared.DPAAttack(...)

### ...Attack!

If everything went well, then you're ready to go for a _run()_: All 16 bytes will be attacked! If you want to target less bytes or a single one, check at the selection function arguments. In particular the keyword '_words_'.

In [None]:
#run
attack_dpa.run(...)

--- 
🅰️ Print the result

In [5]:
from sys import path

In [6]:
path.append('/Users/bfeix/_Cyrano/Jupyter/a_helper')
#path

In [7]:
from plot_and_show_results import plot_attack_result, print_attack_result, attack_entropy

In [None]:
print_attack_result(attack_dpa, ths[0].key)

### Let's visualize the results we have obtained

--- 
🅰️ PLot the result with the function plot_attack_result()

In [None]:
plot_attack_result(...)

--- 
🅰️ Save the result

--- 
🅰️ Let see the DPA traces obtained

--- 
🅰️ Refine the attack more cleverly using more options

* From previous trace analysis we have identified the area of interest is RoundOne.
* Let's refine the attack more cleverly the attack on the precise area for the attack frame
* you can also observe the attack result at different steps (traces number used) among the whole set of used traces in the ths, for instance each 10% of traces.

In [None]:
...

--- 
🅰️ Plot directly Attack result

In [None]:
# define the key byte targeted value
KeyByte= ...

# Plotting the DPA scores for byte selected    
plt.plot(attack_dpa.results[:, KeyByte, :].T)
plt.show()

# Plotting the convergence scores for byte 0
plt.plot(attack_dpa.convergences_traces[:,KeyByte,:].T)
plt.show()

-----------------------------
The devil is in the details ...

<!---

ResultTraces = attack_dpa

@interact(KeyByte=(0,15))    
def interactive_plot_3(KeyByte=0):
    plt.rcParams["figure.figsize"] = [25, 5]
    plt.subplot(121)
    plt.title('DPA scores - Byte'+str(KeyByte), fontsize=GraphTitleFontSize)
    plt.xlabel('points', fontsize=14)
    plt.ylabel('DPA score', fontsize=14)
    plt.plot(ResultTraces.results[:, KeyByte, :].T)
    # Plotting the convergence scores for byte 0
    plt.subplot(122)
    plt.title('Convergence score - Byte'+str(KeyByte), fontsize=GraphTitleFontSize)
    plt.xlabel('Number of trace', fontsize=14)
    plt.ylabel('DPA score', fontsize=14)
    plt.plot(ResultTraces.convergences_traces[:,KeyByte,:].T)
    plt.show()

    --->

### Perform the Attack on the ten-th (last) round

Knowing the ciphertexts (AES outputs) we can for a key byte guess revert the intermediate computation until the input of the last Subbytes operation.
Performing guesses on each key byte we can guess all the intermediate values of last AES round and and use these values with DPA to exploit the related side-channel trace collected by performing the attack.

--- 
🅰️ Configure the attack

In [None]:
...

--- 
🅰️ Attack

In [None]:
...

--- 
🅰️ Print and plot results

In [None]:
...

### Have you recovered the  key?

