# **Aim**

In this series of assignments, you shall simulate some parts of the attack proposed in the paper "IoT Goes Nuclear: Creating a ZigBee Chain Reaction". The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes. It enables the attacker to turn all the city lights on or off, to permanently brick them, or to exploit them in a massive DDOS attack. At one stage, this attack requires to perform over-the-air firmware updates by evading a firmware authentication and encryption protocol based on AES-CCM. The secret key for this protocol is extracted through a power side-channel analysis.   

In the exercise sessions of day-1 and day-2, you shall be learning how to perform power side-channel attacks. Our target algorithm will be AES. We shall begin with simulating the power traces to understand the underlying concepts behind these attacks better. Eventually, you shall be provided with real power traces from a hardware implementation of AES.

In the first assignment below, you shall learn to simulate the power traces.

# **Task-2: Simulation of Power Traces**

In this assignment, you shall implement a simulator for power traces according to some leakage model. Real power traces are highly correlated with the Hamming Weight (HW) or Hamming Distance (HD) of the data being processed. So we shall simulate the traces based on these two mathematical abstractions. Also, practical traces contain a lot of additive noise originating from various sources such as ongoing computation, device-level process variation, and the measurement setups used for power measurement. You shall also model this situation by adding Gaussian noise in the simulated traces.        

# **Download the Prerequisites**

In [None]:


!wget "https://tinyurl.com/yxc95c73"
!unzip yxc95c73
!rm yxc95c73

--2021-05-09 15:49:12--  https://tinyurl.com/yxc95c73
Resolving tinyurl.com (tinyurl.com)... 172.67.1.225, 104.20.138.65, 104.20.139.65, ...
Connecting to tinyurl.com (tinyurl.com)|172.67.1.225|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://drive.google.com/uc?export=download&id=19UIsyc268hWX_L2XZEmqzPTqrzMnqFLI [following]
--2021-05-09 15:49:12--  https://drive.google.com/uc?export=download&id=19UIsyc268hWX_L2XZEmqzPTqrzMnqFLI
Resolving drive.google.com (drive.google.com)... 172.217.164.174, 2607:f8b0:4004:815::200e
Connecting to drive.google.com (drive.google.com)|172.217.164.174|:443... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://doc-04-1c-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v940pmu17cclk5ura5u4bssva3r98rea/1620575325000/17993255418915267927/*/19UIsyc268hWX_L2XZEmqzPTqrzMnqFLI?e=download [following]
--2021-05-09 15:49:13--  https://doc-04-1c-docs.g

# **Instructions:**

# **Part 1: Noise-free Traces in Hamming Weight Leakage Model**

1. In the first step, you shall generate noise-free traces assuming a Hamming Weight (HW) leakage model. HW leakage models are suitable while targeting software implementations. Find the following lines in the code cell entitled **Simulation Code**.
```
noise = False
HD_or_HW = 'hw'
```
This indicates that it is a noise-free simulation with HW leakage model.

2. Next, you have to implement functions for measuing the HW of AES states. Each state of AES contains 16 bytes. For convenience, each byte is represened as a python integer. You have to complete the following functions in sequence:


> a) `HW(val)`: This function computes HW of an integer variable.

> b) `ComputeHW(state)`: This function computes HW of an entire AES state. Replace the dummy varaible `Your_code` in the statement `hw = hw + Your_code` with a proper statement.

3. Go to the function `encrypt_powertrace(pt=None, gettrace=True, noise=False, mu=0, sigma=0.1)`. You should see 4 **Leakage Measurement Blocks**. Uncomment **first 3 code lines** in each block. These are measurement points where the HW of the states are registered.

4. Run the simulator code followed by the evaluation code (the code cell next to the simulator code cell). You should be able to see first few entries of the trace file.













# **Part 2: Noisy Traces in Hamming Weight Leakage Model**

1. Check the parameters in the Simulation Code cell. It should have:
```
noise = True
HD_or_HW = 'hw'
```
This indicates that it is a noisy simulation with HW leakage model.

2. Next, you have to implement a function for measuring noisy HW leakage. The noise is Gaussion and additive. Complete the function `ComputeHW_noisy(state, mu=0, sigma=0.1)`. The statement for generating a Gaussian distributed random variable is already provided. You have to complete the rest.

3. Go to the function `encrypt_powertrace(pt=None, gettrace=True, noise=False, mu=0, sigma=0.1)`. You should see 4 **Leakage Measurement Blocks**. Uncomment **last 2 code lines** in each block. These are measurement points where the HW of the states are registered.

4. Run the simulator code followed by the evaluation code (the code cell next to the simulator code cell). You should be able to see first few entries of the trace file.













# **Part 3: Noise-free Traces in Hamming Distance Leakage Model**

1. Check the parameters in the Simulation Code cell. It should have:
```
noise = False
HD_or_HW = 'hd'
```
This indicates that it is a noise-free simulation with Hamming Distance (HD) leakage model (i.e. HD between the previous state and the current state). HD leakage models are more suitable while targeting hardware implementations.

2. Next, you have to complete the function `ComputeHD(prev_state, state)`. Replace the dummy variable `Your_code` at the statement `hd = hd + Your_code` with a proper statement.

3. Go to the function `encrypt_powertrace_HD(pt=None, gettrace=True, noise=False, mu=0, sigma=0.1)`. You should see 4 **Leakage Measurement Blocks**. Uncomment **first 3 code lines** in each block. These are measurement points where the HW of the states are registered. These are measurement points where the HD of the states are registered.

3. Run the simulator code followed by the evaluation code (the code cell next to the simulator code cell). You should be able to see first few entries of the trace file.













# **Part 4: Noisy Traces in Hamming Distance Leakage Model**

1. Check the parameters in the Simulation Code cell. It should have:
```
noise = True
HD_or_HW = 'hd'
```
This indicates that it is a noisy simulation with Hamming Distance (HD) leakage model.

2. Next, you have to complete the function `ComputeHD_noisy(prev_state, state, mu=0, sigma=0.1)`.

3. Go to the function `encrypt_powertrace_HD(pt=None, gettrace=True, noise=False, mu=0, sigma=0.1)`. You should see 4 **Leakage Measurement Blocks**. Uncomment **last 2 code lines** in each block. These are measurement points where the HW of the states are registered. These are measurement points where the HD of the states are registered.


3. Run the simulator code followed by the evaluation code (the code cell next to the simulator code cell). You should be able to see first few entries of the trace file.













# **Simulator Code**

In [None]:
import math
import numpy as np
import scipy
import random
import csv
from aes import *


# Compute the HW of an integer
def HW(val):
	h = 0
	while( not(val == 0) ):
		v = val%2
		h = h + v
		val = int(val/2)
	return h

# Compute the HW of a state
def ComputeHW(state):
	hw = 0
	for i in range(4):
		for j in range(4):
			hw = hw + HW(state[i][j])
	return hw

# Compute the HW of a state (noisy)
def ComputeHW_noisy(state, mu=0, sigma=0.1):
	s = np.random.normal(mu, sigma, 1)[0]
	hw = 0
	for i in range(4):
		for j in range(4):
			hw = hw + HW(state[i][j])
	hw = hw + s
	return hw

# Compute the HD of a state
def ComputeHD(prev_state, state):
	hd = 0
	for i in range(4):
		for j in range(4):
			hd = hd + HW(state[i][j]^prev_state[i][j])
	return hd

# Compute the HD of a state (noisy)
def ComputeHD_noisy(prev_state, state, mu=0, sigma=0.1):
	s = np.random.normal(mu, sigma, 1)[0]
	hd = 0
	for i in range(4):
		for j in range(4):
			hd = hd + HW(state[i][j]^prev_state[i][j])
	hd = hd + s
	return hd

# Encryption module with trace simulation (Hamming Weight)
def encrypt_powertrace(pt=None, gettrace=True, noise=False, mu=0, sigma=0.1):

	trace = [0]*12 		# We are considering that every leakage trace will have 12 leakage points,
						# one for the plauntext, one for the first round key and 10 for 10 rounds, you may
						# vary this
	if pt is None:
		pt = [0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff]
	for i in range(4):
		for j in range(4):
			cipher.state[j][i] = pt[i*4 + j]
	if trace is not None:
		if not noise:
			trace[0] = ComputeHW(cipher.state)
		else:
			trace[0] = ComputeHW_noisy(cipher.state, mu, sigma)
	rnd = 0
	cipher.AddRoundKey(rnd)
	if trace is not None:
		if not noise:
			trace[1] = ComputeHW(cipher.state)
		else:
			trace[1] = ComputeHW_noisy(cipher.state, mu, sigma)


	for rnd in range(1, cipher.Nr):
		cipher.SubBytes()
		cipher.ShiftRows()
		cipher.MixColumns()
		cipher.AddRoundKey(rnd)
		if trace is not None:
			if not noise:
				trace[rnd+1] = ComputeHW(cipher.state)
			else:
				trace[rnd+1] = ComputeHW_noisy(cipher.state, mu, sigma)
	cipher.SubBytes()
	cipher.ShiftRows()
	cipher.AddRoundKey(cipher.Nr)
	if trace is not None:
		if not noise:
			trace[cipher.Nr + 1] = ComputeHW(cipher.state)
		else:
			trace[cipher.Nr + 1] = ComputeHW_noisy(cipher.state, mu, sigma)

	for i in range(4):
		for j in range(4):
			cipher.ciphertext[i*4 + j] = cipher.state[j][i]

	return cipher.ciphertext, trace

# Wrapper for trace simulation with random plaintexts
def PowerTrace_Sim(sim_len=100, noise=False, mu=0, sigma=0.1):
	ct_list = []
	trace_list = []
	for i in range(sim_len):
		# Generate Random Plaintexts
		rand_pt = [random.randint(0,255) for x in range(16)]
		# Simulate the trace
		ciphertext, trace = encrypt_powertrace(pt=rand_pt, gettrace=True, noise=noise, mu=mu, sigma=sigma)
		ct_list.append(intarraytohexstring(ciphertext))
		trace_list.append(trace)
	return ct_list, trace_list

# Encryption module with trace simulation (Hamming Distance)
def encrypt_powertrace_HD(pt=None, gettrace=True, noise=False, mu=0, sigma=0.1):

	trace = [0]*12 		# We are considering that every leakage trace will have 12 leakage points,
						# one for the plauntext, one for the first round key and 10 for 10 rounds, you may
						# vary this

	prev_state = [ [0]*4 for i in range(4)]  # Initialize the previous state

	if pt is None:
		pt = [0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff]
	for i in range(4):
		for j in range(4):
			cipher.state[j][i] = pt[i*4 + j]
	if trace is not None:
		if not noise:
			trace[0] = ComputeHD(prev_state, cipher.state)
		else:
			trace[0] = ComputeHD_noisy(prev_state, cipher.state, mu, sigma)


	# Save the previous state
	for i in range(4):
		for j in range(4):
			prev_state[j][i] = cipher.state[j][i]
	#############################################
	rnd = 0
	cipher.AddRoundKey(rnd)

	if trace is not None:
		if not noise:
			trace[1] = ComputeHD(prev_state, cipher.state)
		else:
			trace[1] = ComputeHD_noisy(prev_state, cipher.state, mu, sigma)


	for rnd in range(1, cipher.Nr):
		# Save the previous state
		for i in range(4):
			for j in range(4):
				prev_state[j][i] = cipher.state[j][i]
		#############################################
		cipher.SubBytes()
		cipher.ShiftRows()
		cipher.MixColumns()
		cipher.AddRoundKey(rnd)
		if trace is not None:
			if not noise:
				trace[rnd+1] = ComputeHD(prev_state, cipher.state)
			else:
				trace[rnd+1] = ComputeHD_noisy(prev_state, cipher.state, mu, sigma)

	# Save the previous state
	for i in range(4):
		for j in range(4):
			prev_state[j][i] = cipher.state[j][i]
	#############################################
	cipher.SubBytes()
	cipher.ShiftRows()
	cipher.AddRoundKey(cipher.Nr)
	if trace is not None:
		if not noise:
			trace[cipher.Nr + 1] = ComputeHD(prev_state, cipher.state)
		else:
			trace[cipher.Nr + 1] = ComputeHD_noisy(prev_state, cipher.state, mu, sigma)

	for i in range(4):
		for j in range(4):
			cipher.ciphertext[i*4 + j] = cipher.state[j][i]

	return cipher.ciphertext, trace

# Wrapper for trace simulation with random plaintexts (Hamming Distance)
def PowerTrace_Sim_HD(sim_len=100, noise=False, mu=0, sigma=0.1):
	ct_list = []
	trace_list = []
	for i in range(sim_len):
		# Generate Random Plaintexts
		rand_pt = [random.randint(0,255) for x in range(16)]
		# Simulate the trace
		ciphertext, trace = encrypt_powertrace_HD(pt=rand_pt, gettrace=True, noise=noise, mu=mu, sigma=sigma)
		ct_list.append(intarraytohexstring(ciphertext))
		trace_list.append(trace)
	return ct_list, trace_list



# Parameters
sim_len = 5000
noise = False		# Make noise=True for generating noisy traces
HD_or_HW = 'hw'		# hw ==> HW; hd ==> HD
mu = 20
sigma = 7.5

# Initialize
cipher = AES()
cipher.KeyExpansion()

print(intarraytohexstring(cipher.get_lastroundkey()))

# Perform the power trace simulation
if (HD_or_HW == 'hw'):
	print("HW Leakage Model...")
	if (noise is True):
		print("Noisy Leakage Simulation")
	else:
		print("Noise-free Leakage Simulation")
	ct_list, trace_list = PowerTrace_Sim(sim_len=sim_len, noise=noise, mu=mu, sigma=sigma)
elif (HD_or_HW == 'hd'):
	print("HD Leakage Model...")
	if (noise is True):
		print("Noisy Leakage Simulation")
	else:
		print("Noise-free Leakage Simulation")
	ct_list, trace_list = PowerTrace_Sim_HD(sim_len=sim_len, noise=noise, mu=mu, sigma=sigma)
else:
	raise ValueError("Wrong option for leakage model...Valid options: 'hw' and 'hd'")


# Print the ciphertexts and traces to a file
if (HD_or_HW == 'hw'):
	if not noise:
		filename = 'trace_file_hw.csv'
	else:
		filename = 'trace_file_hw_noisy.csv'
elif (HD_or_HW == 'hd'):
	if not noise:
		filename = 'trace_file_hd.csv'
	else:
		filename = 'trace_file_hd_noisy.csv'
else:
	raise ValueError("Wrong option for leakage model...Valid options: 'hw' and 'hd'")


# A little formatting for making it print friendly
for l in range(len(ct_list)):
	trace_list[l].insert(0, ct_list[l])


#Print the traces and ciphertexts to a csv file
with open(filename, mode='w') as trace_file:
	trace_writer = csv.writer(trace_file, delimiter=',')
	trace_writer.writerows(trace_list)

13111d7fe3944a17f307a78b4d2b30c5
HW Leakage Model...
Noise-free Leakage Simulation


# **Evaluator Code**

Check the Output .csv file. If you have completed all the steps correctly in sequence, the .csv file should contain rows, each beginning with a ciphertext, followed by 12 (int/float) values. Each of these values indicates the HW (resp. HD) of the AES state after the complition of a round. The first entry is the HW (resp. HD) of the plaintext.

In [None]:
print(filename)
with open(filename, mode='r') as trace_file:
	i = 0
	trace_reader = csv.reader(trace_file, delimiter=',')
	for row in trace_reader:
		print(row)
		i = i + 1
		if i == 10: break

trace_file_hw.csv
['c533fcab890b24bdf7c071363c2072b7', '71', '71', '68', '65', '70', '64', '60', '60', '63', '57', '57', '65']
['4d71174553123da4af77bf9d6d4f6968', '53', '49', '69', '68', '60', '58', '63', '65', '68', '66', '60', '70']
['8eae86be598aee3245b46cd7b35c4fdc', '64', '62', '70', '68', '69', '66', '71', '63', '70', '62', '64', '70']
['84f8063a8135ce1e70b3d6ec3928d957', '63', '57', '53', '64', '74', '61', '58', '72', '72', '64', '60', '62']
['7fe041c8db9ccf0031554a012d7c3d22', '60', '56', '64', '65', '60', '65', '65', '58', '65', '67', '66', '58']
['23cf7c7a7c533830994cf6d3b73e0d5f', '64', '60', '74', '72', '55', '58', '62', '60', '62', '67', '61', '71']
['96a8b28d05bd93926171b810527851ee', '60', '62', '62', '74', '61', '65', '68', '70', '65', '69', '66', '58']
['f995b26ff4a44e533c6590a282b8aa1c', '50', '52', '60', '70', '52', '55', '68', '72', '54', '60', '66', '62']
['04be0573a2e609c520121374fede4327', '66', '60', '58', '60', '53', '63', '66', '54', '56', '66', '71', '58']
[