# Lab 6C.2 - DPA on Firmware Implementation of AES

---
NOTE: This lab references some (commercial) training material on [ChipWhisperer.io](https://www.ChipWhisperer.io). You can freely execute and use the lab per the open-source license (including using it in your own courses if you distribute similarly), but you must maintain notice about this source location. Consider joining our training course to enjoy the full experience.

---

**SUMMARY:** *In the previous lab, you saw how a single bit of information can be used to recover an entire byte of the AES key. Remember, this works due to the S-Box being present in the data flow that we are attacking.*

*Next, we'll see how to use power analysis instead of an actual bit value. With this technique, the goal is to separate the traces by a bit in the result of the SBox output (it doesn't matter which one): if that bit is 1, its group of traces should, on average, have higher power consumption during the SBox operation than the other set.*

*This is all based on the assumption we discussed in the slides and saw in earlier labs: there is some consistent relationship between the value of bits on the data bus and the power consumption in the device.*

**LEARNING OUTCOMES:**

* Using a power measurement to 'validate' a possible device model.
* Detecting the value of a single bit using power measurement.
* Breaking AES using the classic DPA attack.


## Prerequisites

Hold up! Before you continue, check you've done the following tutorials:

* ☑ Jupyter Notebook Intro (you should be OK with plotting & running blocks).
* ☑ SCA101 Intro (you should have an idea of how to get hardware-specific versions running).
* ☑ Breaking AES Using a Single Bit (we'll build on your previous work).

## AES Model

No need to remember the complex model from before - we can instead just jump right into the AES model! Copy your AES model you developed in the previous lab below & run it:

In [80]:
sbox = [
    # 0    1    2    3    4    5    6    7    8    9    a    b    c    d    e    f 
    0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76, # 0
    0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0, # 1
    0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15, # 2
    0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75, # 3
    0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84, # 4
    0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf, # 5
    0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8, # 6
    0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2, # 7
    0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73, # 8
    0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb, # 9
    0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79, # a
    0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08, # b
    0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a, # c
    0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e, # d
    0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf, # e
    0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16  # f
]

def aes_internal(inputdata, key):
    return sbox[inputdata ^ key]

You can verify the model works by running the following blocks, just like last time:

In [81]:
#Simple test vectors - if you get the check-mark printed all OK.
assert(aes_internal(0xAB, 0xEF) == 0x1B)
assert(aes_internal(0x22, 0x01) == 0x26)
print("✔️ OK to continue!")

✔️ OK to continue!


## AES Power Watcher

The next step is to send random data to the device, and observe the power consumption during the encryption.

The idea is that we will use a capture loop like this:

    print(scope)
    for i in trange(N, desc='Capturing traces'):
        key, text = ktp.next()  # manual creation of a key, text pair can be substituted here

        trace = cw.capture_trace(scope, target, text, key)
        if trace is None:
            continue
        traces.append(trace)
        plot.send(trace)

    #Convert traces to numpy arrays
    trace_array = np.asarray([trace.wave for trace in traces])
    textin_array = np.asarray([trace.textin for trace in traces])
    known_keys = np.asarray([trace.key for trace in traces])  # for fixed key, these keys are all the same

Depending what you are using, you can complete this either by:

* Capturing new traces from a physical device.
* Reading pre-recorded data from a file.

You get to choose your adventure - see the two notebooks with the same name of this, but called `(SIMULATED)` or `(HARDWARE)` to continue. Inside those notebooks you should get some code to copy into the following section, which will define the capture function.

Be sure you get the `"✔️ OK to continue!"` print once you run the next cell, otherwise things will fail later on!

**(Note - copy over the data acquisition code from 6C - Hardware Setup. Add cells here as needed to include the scope configuration, run the setup script for connecting to CW, build and program the firmware, and run the acquisition code.**

In [82]:
%matplotlib notebook
import matplotlib.pyplot as plt
import chipwhisperer as cw
import numpy as np
import scipy.stats
from tqdm import tnrange

In [83]:
# This is an API for your CW's scope (in the CAPTURE section)
scope = cw.scope()

# This is an API for your CW's target (in the TARGET section)
target = cw.target(scope, cw.targets.SimpleSerial)

# Sets the scope's default settings
scope.default_setup()

# Cap the max num of power trace samples to collect
scope.adc.samples = 500

# Prints the scope settings
print(scope)

print("✔️ OK to continue!")

See https://chipwhisperer.readthedocs.io/en/latest/api.html#firmware-update


Serial baud rate = 38400
ChipWhisperer Nano Device
fw_version = 
    major = 0
    minor = 24
    debug = 0
io = 
    tio1         = None
    tio2         = None
    tio3         = None
    tio4         = None
    pdid         = True
    pdic         = False
    nrst         = True
    clkout       = 7500000.0
    cdc_settings = None
adc = 
    clk_src  = int
    clk_freq = 7500000.0
    samples  = 500
glitch = 
    repeat     = 0
    ext_offset = 0

✔️ OK to continue!


In [84]:
SCOPETYPE = 'CWNANO'
PLATFORM = 'CWNANO'
CRYPTO_TARGET='TINYAES128C'
SS_VER='SS_VER_1_1'
print("✔️ OK to continue!")

✔️ OK to continue!


In [85]:
%run "../cw-base-setup/Setup_Scripts/Setup_Generic.ipynb"
print("✔️ OK to continue!")

Serial baud rate = 38400
INFO: Found ChipWhisperer😍
✔️ OK to continue!


In [86]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET" "$SS_VER"
pwd
cd ../cw-base-setup/simpleserial-aes
pwd
make PLATFORM=$1 CRYPTO_TARGET=$2 SS_VER=$3

/home/phs/Desktop/phs-labs/PHS-Lab-06/PHS-Lab-06/Python
/home/phs/Desktop/phs-labs/PHS-Lab-06/PHS-Lab-06/cw-base-setup/simpleserial-aes
Building for platform CWNANO with CRYPTO_TARGET=TINYAES128C
SS_VER set to SS_VER_1_1
Blank crypto options, building for AES128
make clean_objs .dep 
make[1]: Entering directory '/home/phs/Desktop/phs-labs/PHS-Lab-06/PHS-Lab-06/cw-base-setup/simpleserial-aes'
Building for platform CWNANO with CRYPTO_TARGET=TINYAES128C
SS_VER set to SS_VER_1_1
Blank crypto options, building for AES128

+--------------------------------------------------------

Removing old files
rm -f -- simpleserial-aes-CWNANO.hex
rm -f -- simpleserial-aes-CWNANO.elf
rm -f -- simpleserial-aes-CWNANO.map
rm -f -- objdir-CWNANO/*.o
rm -f -- objdir-CWNANO/*.lst
rm -f -- simpleserial-aes-random.s simpleserial.s stm32f0_hal_nano.s stm32f0_hal_lowlevel.s aes.s aes-independant.s
rm -f -- simpleserial-aes-random.d simpleserial.d stm32f0_hal_nano.d stm32f0_hal_lowlevel.d aes.d aes-independant.d



+--------------------------------------------------------

Creating load file for Flash: simpleserial-aes-CWNANO.hex
arm-none-eabi-objcopy -O ihex -R .eeprom -R .fuse -R .lock -R .signature simpleserial-aes-CWNANO.elf simpleserial-aes-CWNANO.hex

+--------------------------------------------------------

Size after:
   text	   data	    bss	    dec	    hex	filename
      0	   6224	      0	   6224	   1850	simpleserial-aes-CWNANO.hex
make[1]: Leaving directory '/home/phs/Desktop/phs-labs/PHS-Lab-06/PHS-Lab-06/cw-base-setup/simpleserial-aes'
make clean_out end lastmessage
make[1]: Entering directory '/home/phs/Desktop/phs-labs/PHS-Lab-06/PHS-Lab-06/cw-base-setup/simpleserial-aes'
Building for platform CWNANO with CRYPTO_TARGET=TINYAES128C
SS_VER set to SS_VER_1_1
Blank crypto options, building for AES128

+--------------------------------------------------------

Cleaning up output files
rm -f -- simpleserial-aes-CWNANO.elf
rm -f -- simpleserial-aes-CWNANO.map
rm -f -- objdir-CWNANO/*.o
r

In [87]:
cw.program_target(scope, prog, "../cw-base-setup/simpleserial-aes/simpleserial-aes-{}.hex".format(PLATFORM))
print("✔️ OK to continue!")

Serial baud rate = 115200
Detected known STMF32: STM32F03xx4/03xx6
Extended erase (0x44), this can take ten seconds or more
Attempting to program 6223 bytes at 0x8000000
STM32F Programming flash...
STM32F Reading flash...
Verified flash OK, 6223 bytes
Serial baud rate = 38400
✔️ OK to continue!


In [88]:
import time
def reset_target(): 
    target.flush()
    scope.io.nrst = 'low'
    time.sleep(0.2)
    scope.io.nrst = 'high'
    time.sleep(0.01)

def readall_target():
    ret = ""
    num_char = target.in_waiting()
    while num_char > 0:
        ret += target.read(timeout=10)
        time.sleep(0.1)
        num_char = target.in_waiting()
    return ret

print("✔️ OK to continue!")

✔️ OK to continue!


In [89]:
# Should print start-up test from the device
reset_target()
print(readall_target())
print("✔️ OK to continue!")

hello

✔️ OK to continue!


In [90]:
#
# Perform the capture, resulting in trace_array and textin_array of 2500 traces.
#
from tqdm import tnrange
import numpy as np
import time

ktp = cw.ktp.Basic()
trace_array = []
textin_array = []

key, text = ktp.next()

target.set_key(key)

N = 2500
for i in tnrange(N, desc='Capturing traces'):
    scope.arm()
    
    target.simpleserial_write('p', text)
    
    ret = scope.capture()
    if ret:
        print("Target timed out!")
        continue
    
    response = target.simpleserial_read('r', 16)
    
    trace_array.append(scope.get_last_trace())
    textin_array.append(text)
    
    key, text = ktp.next() 
# raise NotImplementedError("Add your code here, and delete this.")

assert(len(trace_array) == 2500)
print("✔️ OK to continue!")

  for i in tnrange(N, desc='Capturing traces'):


Capturing traces:   0%|          | 0/2500 [00:00<?, ?it/s]

✔️ OK to continue!


What's this data look like? Try plotting a trace or two here:

In [126]:
%matplotlib notebook
import matplotlib.pylab as plt
plt.figure(figsize=(5.5, 3.5), constrained_layout=True)

plt.plot(trace_array[0], color="blue")

plt.title("Power Trace for Text-1")     
plt.xlabel("Sample Number")  # adds x-axis label
plt.ylabel("Power")          # adds y-axis label
plt.legend()

# saves the plot
plt.savefig("../Figures/power_trace_text_1_random.pdf")

# show the plot on your screen
plt.show()

<IPython.core.display.Javascript object>



In [127]:
%matplotlib notebook
import matplotlib.pylab as plt
# raise NotImplementedError("Add your code here, and delete this.")
plt.figure(figsize=(5.5, 3.5), constrained_layout=True)

plt.plot(trace_array[2000], color="m")

plt.title("Power Trace for Text-2000")     
plt.xlabel("Sample Number")  # adds x-axis label
plt.ylabel("Power")          # adds y-axis label
plt.legend()

# saves the plot
plt.savefig("../Figures/power_trace_text_2000_random.pdf")

# show the plot on your screen
plt.show()

<IPython.core.display.Javascript object>



OK interesting - so we've got data! And what about the format of the input data?

In [102]:
print(textin_array[0])
print(textin_array[1])

CWbytearray(b'5f af 82 ea 3f bf e1 66 bf dd b5 5e e6 54 eb 1c')
CWbytearray(b'32 99 87 e6 4d 50 34 ea 45 f4 e0 9c 1e 6f 44 c5')


In [103]:
print(trace_array[0])

[-0.171875   -0.08984375 -0.17578125 ... -0.08203125 -0.16015625
 -0.08984375]


## AES Guesser - One Byte

The attack now needs a way of splitting traces into two groups, depending on the state of a bit in our "guessed" value. We're going to start easy by guessing a single byte of the AES key at a time.

To start with - define the number of traces & number of points in each trace. You can use the following example code, just run this block:

In [104]:
numtraces = np.shape(trace_array)[0] #total number of traces
numpoints = np.shape(trace_array)[1] #samples per trace

print(numtraces)
print(numpoints)
print(textin_array)

2500
5000
[CWbytearray(b'5f af 82 ea 3f bf e1 66 bf dd b5 5e e6 54 eb 1c'), CWbytearray(b'32 99 87 e6 4d 50 34 ea 45 f4 e0 9c 1e 6f 44 c5'), CWbytearray(b'db b8 71 9b bc 66 44 ac 70 e4 b8 cc 65 e0 37 ae'), CWbytearray(b'f1 91 b8 e7 48 3c d5 b9 31 6b 6c b0 ff 0b 55 ee'), CWbytearray(b'f0 09 ea ed 7c 57 c2 a8 51 86 2b 4a 6c eb 17 93'), CWbytearray(b'32 fb 7a dc c8 b9 cb 74 2e d6 bf 67 cf 32 db d2'), CWbytearray(b'64 81 cd 80 b8 64 43 4f f0 4e 47 44 fe 99 d5 4d'), CWbytearray(b'2c 04 00 24 a5 9a fd 18 ab e9 08 2f 93 24 47 8e'), CWbytearray(b'ea f8 43 8a 5c 1e 30 f5 1e 57 f7 3a f6 0f 08 12'), CWbytearray(b'8c aa 15 c5 d6 46 2b 9f a9 e8 31 4c 7e 6f f3 24'), CWbytearray(b'37 7c 13 d1 0e 78 fa f3 de 74 3d d3 32 92 2e 55'), CWbytearray(b'15 15 e8 39 1f 1d 9f 9c 5d 78 a4 7a a5 56 e5 f5'), CWbytearray(b'b2 15 b8 a6 1f c5 43 cb da b6 7a 07 0c 24 b7 ad'), CWbytearray(b'ad ee c7 bd 81 c8 5c ce 4e c7 bb e6 26 01 92 bb'), CWbytearray(b'85 6a e1 f1 50 28 fc a5 18 7d b4 ac e0 53 9b e0'), CWbytearray(b'

If you remember from the slides - our algorithm looks like this:    

    for key_byte_guess_value in [0, 1, 2, 3, ... 253, 254, 255]:
        
        one_list = empty list
        zero_list = empty list
        
        for trace_index in [0, 1, 2, 3, ..., numtraces]:
        
            input_byte = textin_array[trace_index][byte_to_attack]
            
            #Get a hypothetical leakage list - use aes_internal(guess, input_byte)          

            if hypothetical_leakage bit 0 is 1:
                append trace_array[trace_index] to one_list
            else:
                append trace_array[trace_index] to zero_list
                
        one_avg = average of one_list
        zero_avg = average of zero_list

        max_diff_value = maximum of ABS(one_avg - zero_avg)
        
To get the average of your `one_list` and `zero_list` you can use numpy:

    import numpy as np
    avg_one_list = np.asarray(one_list).mean(axis=0)

The important thing here is the `axis=0`, which does an average so the resulting array is done across all traces (not just the average value of one trace, but the average of each point index *across all traces*).

To help you do some testing - let me tell you that the correct value of byte 0 is `0x2B`. You can use this to validate that your solution is working on the first byte. If you get stuck - see some hints below (but give it a try first).

What you should see is an output of the maximum value between the two average groups be higher for the `0x2B` value. For example, priting the maximum SAD value from an example loop looks like this for me:

    Guessing 28: 0.001397
    Guessing 29: 0.000927
    Guessing 2a: 0.001953
    Guessing 2b: 0.005278
    Guessing 2c: 0.000919
    Guessing 2d: 0.002510
    Guessing 2e: 0.001241
    Guessing 2f: 0.001242

Note the value of `0.005278` for `0x2B` - this is higher than the others which range from `0.000927` to `0.002510`.

In [105]:
import numpy as np
mean_diffs = []

### Code to do guess of byte 0 set to 0x2B
guessed_byte = 0

for guess in range(0, 256):
    one_list = []
    zero_list = []

    for trace_index in range(numtraces):
        hypothetical_leakage = aes_internal(guess, textin_array[trace_index][guessed_byte])

        #Mask off the lowest bit - is it 0 or 1? Depending on that add trace to array
        if hypothetical_leakage & 0x01:        
            one_list.append(trace_array[trace_index])
        else:
            zero_list.append(trace_array[trace_index])

    one_avg = np.asarray(one_list).mean(axis=0)
    zero_avg = np.asarray(zero_list).mean(axis=0)
    mean_diffs_2b = np.max(abs(one_avg - zero_avg))
    mean_diffs.append(mean_diffs_2b)

    print("Max SAD for {:02X}: {:2}".format(guess,mean_diffs_2b))
    
print("max value is",max(mean_diffs),hex(mean_diffs.index(max(mean_diffs))))

Max SAD for 00: 0.0008220907638848002
Max SAD for 01: 0.0009915344954775779
Max SAD for 02: 0.0011174791889507901
Max SAD for 03: 0.0012534445667472457
Max SAD for 04: 0.0008895422772282335
Max SAD for 05: 0.0008578003260501232
Max SAD for 06: 0.0008793660423744576
Max SAD for 07: 0.0013035637919201898
Max SAD for 08: 0.0010503920812649573
Max SAD for 09: 0.0011655769355078255
Max SAD for 0A: 0.0007352839925090088
Max SAD for 0B: 0.00119016435534669
Max SAD for 0C: 0.0011949032647380897
Max SAD for 0D: 0.00098549082283423
Max SAD for 0E: 0.0010672712266310003
Max SAD for 0F: 0.0011152284100813328
Max SAD for 10: 0.0009767625005120129
Max SAD for 11: 0.0008744608729999992
Max SAD for 12: 0.0010049346484928001
Max SAD for 13: 0.0009679393832711936
Max SAD for 14: 0.0011027115759377482
Max SAD for 15: 0.0009505344375473762
Max SAD for 16: 0.0011366647550238307
Max SAD for 17: 0.0007767189059129376
Max SAD for 18: 0.0009314521316530766
Max SAD for 19: 0.0010565044040704574
Max SAD for 1A: 

Max SAD for F0: 0.001705487961840585
Max SAD for F1: 0.0010062862174834708
Max SAD for F2: 0.0010373054604136955
Max SAD for F3: 0.0016769171716318407
Max SAD for F4: 0.0009517562040004396
Max SAD for F5: 0.0008407259516152316
Max SAD for F6: 0.0013456590305444965
Max SAD for F7: 0.00150244848236393
Max SAD for F8: 0.0008520366695809745
Max SAD for F9: 0.000912144340358044
Max SAD for FA: 0.0007986726287016466
Max SAD for FB: 0.0010743057120441435
Max SAD for FC: 0.0010526390800275343
Max SAD for FD: 0.0007753550434945744
Max SAD for FE: 0.0007877522663328335
Max SAD for FF: 0.0014859325706182702
max value is 0.002279071038912117 0x2b


In [106]:
print("max value is",max(mean_diffs),hex(mean_diffs.index(max(mean_diffs))))
len(mean_diffs)
np.argsort(mean_diffs)

max value is 0.002279071038912117 0x2b


array([ 65, 233, 142,  30,  10, 143,  62, 101, 253,  23, 254, 135, 250,
       131, 166, 127, 104,  82,  83,  28,  69, 203, 138,   0,  44,  81,
       123, 236, 176, 152, 217, 151, 245, 213,  76, 109, 139, 167, 145,
       248, 209,  54,  38,   5, 188, 238, 141, 239, 184,  34, 180,  17,
       149, 190, 179,   6,  80, 159, 177, 229,  94,   4,  46,  86, 206,
       221, 183,  56,  31, 161, 155,  66,  73, 171, 130, 118,  29, 249,
       195, 204, 116, 158, 125, 191,  87, 160,  68,  59,  24, 208, 106,
       215,  70, 107,  49, 137, 148, 212, 147,  55, 122, 162,  90,  51,
        45,  21, 244, 223, 154, 140, 168,  19,  35,  92, 224,  16, 173,
        96, 163,  13, 121, 111,  42, 205,   1, 222,  50,  18, 241, 216,
       227, 133,  39, 218, 225, 189, 230,  63, 242, 103, 124, 192, 186,
       144,   8, 178, 252, 169,  25, 175,  75, 232, 210,  14, 193, 181,
       251, 165, 156, 119, 112, 174, 153,  32, 234,  20, 108, 201,  40,
        88,  15, 187,  85,  93,   2, 237, 182,  36,  48, 136,  3

### Hint 1: General Program Flow

You can use the following general program flow to help you implement the outer loop above:

In [107]:
# #Hint #1 - General Program Flow
# import numpy as np
# mean_diffs = np.zeros(256)

# guessed_byte = 0

# for guess in range(0, 256):
    
#     one_list = []
#     zero_list = []
    
#     for trace_index in range(numtraces):
#         #Inside here do the steps shown above
#         pass
    
# # for i in range(len(trace_array)):
# #     if textin_array[i][0] == 0x00:
# #         one_list.append(trace_array[i])
        
# #     else:
# #         zero_list.append(trace_array[i])


# # assert len(one_list) > len(zero_list)/2
# # assert len(zero_list) > len(one_list)/2

# # print(len(one_list))
# # print(len(zero_list))
        
#     #Do extra steps to average one_list and zero_list        

### Hint 2: Example of Two Different Key Guesses

We aren't fully going to give it away, but here is how you can generate two differences, for `0x2B` and `0xFF`. If you're totally stuck you can use the following code to base what should be inside the loops on.

In [108]:
# import numpy as np
# mean_diffs = np.zeros(256)

# ### Code to do guess of byte 0 set to 0x2B
# guessed_byte = 0
# guess = 0x2B
   
# one_list = []
# zero_list = []
    
# for trace_index in range(numtraces):
#     hypothetical_leakage = aes_internal(guess, textin_array[trace_index][guessed_byte])

#     #Mask off the lowest bit - is it 0 or 1? Depending on that add trace to array
#     if hypothetical_leakage & 0x01:        
#         one_list.append(trace_array[trace_index])
#     else:
#         zero_list.append(trace_array[trace_index])
            
# one_avg = np.asarray(one_list).mean(axis=0)
# zero_avg = np.asarray(zero_list).mean(axis=0)
# mean_diffs_2b = np.max(abs(one_avg - zero_avg))

# print("Max SAD for 0x2B: {:1}".format(mean_diffs_2b))

# ### Code to do guess of byte 0 set to 0xFF
# guessed_byte = 1
# guess = 0xFF
    
# one_list = []
# zero_list = []
    
# for trace_index in range(numtraces):
#     hypothetical_leakage = aes_internal(guess, textin_array[trace_index][guessed_byte])

#     #Mask off the lowest bit - is it 0 or 1? Depending on that add trace to array
#     if hypothetical_leakage & 0x01:        
#         one_list.append(trace_array[trace_index])
#     else:
#         zero_list.append(trace_array[trace_index])
            
# one_avg = np.asarray(one_list).mean(axis=0)
# zero_avg = np.asarray(zero_list).mean(axis=0)
# mean_diffs_ff = np.max(abs(one_avg - zero_avg))

# print("Max SAD for 0xFF: {:1}".format(mean_diffs_ff))

## Ranking Guesses

You'll also want to rank some of your guesses (we assume). This will help you identify the most likely value. The best way to do this is build a list of the maximum difference values for each key:

    mean_diffs = [0]*256

    for key_byte_guess_value in [0, 1, 2, 3, ... 253, 254, 255]:

        *** CODE FROM BEFORE***
        max_diff_value = maximum of ABS(one_avg - zero_avg)
        mean_diffs[key_byte_guess_value] = max_diff_value
        
If you modify your previous code, it will generate a list of maximum differences in a list. This list will look like:

    [0.002921, 0.001923, 0.005131, ..., 0.000984]
    
Where the *index* of the list is the value of the key guess. We can use `np.argsort` which generates a new list showing the *indicies* that would sort an original list (you should have learned about `argsort` in the previous lab too):

So for example, run the following to see it in action on the list `[1.0, 0.2, 3.4, 0.01]`:

In [109]:
np.argsort([1.0, 0.2, 3.4, 0.01])

array([3, 1, 0, 2])

This should return `[3, 1, 0, 2`] - that is the order of lowest to highest. To change from highest to lowest, remember you just add `[::-1]` at the end of it like `np.argsort([1.0, 0.2, 3.4, 0.01])[::-1]`.

Try using the `np.argsort` function to output the most likely key values from your attack.

## Plotting Differences

Before we move on - you should take a look at various plots of these differences. They will play in something called the *ghost peak* problem.

We're going to now define a function called `calculate_diffs()` that implements our attacks (you can replace this with your own function or keep this one for now):

In [110]:
def calculate_diffs(guess, byteindex=0, bitnum=0):
    """Perform a simple DPA on two traces, uses global `textin_array` and `trace_array` """
    
    one_list = []
    zero_list = []

    for trace_index in range(numtraces):
        hypothetical_leakage = aes_internal(guess, textin_array[trace_index][byteindex])

        #Mask off the requested bit
        if hypothetical_leakage & (1<<bitnum):
            one_list.append(trace_array[trace_index])
        else:
            zero_list.append(trace_array[trace_index])

    one_avg = np.asarray(one_list).mean(axis=0)
    zero_avg = np.asarray(zero_list).mean(axis=0)
    return abs(one_avg - zero_avg)

Try plotting the difference between various bytes. For byte 0, remember `0x2B` is the correct value. Zoom in on the plots and see how the correct key should have a much larger difference.

Sometimes we get *ghost peaks* which are incorrect peaks. So far we're assuming there is a single "best" solution for the key - we may need to get fancy and put a threshold whereby we have several candidates for the correct key. For now let's just plot a handful of examples:

In [125]:
%matplotlib notebook
import matplotlib.pylab as plt
known_key = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]

plt.title("Plot for Difference of Averages")     
plt.xlabel("Sample Number")  # adds x-axis label
plt.ylabel("Average")          # adds y-axis label
plt.legend()

plt.plot(calculate_diffs(0x2B), 'r')
plt.plot(calculate_diffs(0x2C), 'g')
plt.plot(calculate_diffs(0x2D), 'b')
plt.savefig("../Figures/calculate_diffs_random.pdf")
plt.show()

<IPython.core.display.Javascript object>



When we rank the bytes, we just use the maximum value of any peak. There is a lot more you could learn from these graphs, such as the location of the peak, or if there are multiple peaks in the graph.

## AES Guesser - All Bytes

Alright - good job! You've got a single byte and some DPA plots up. Now let's move onward and guess *all* of the bytes.

Doing this requires a little more effort than before. Taking your existing guessing function, you're going to wrap a larger loop around the outside of it like this:

    for subkey in range(0,16):
        #Rest of code from before!
        

In [114]:
from tqdm import tnrange
import numpy as np

#Store your key_guess here, compare to known_key
key_guess = []
known_key = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]

### Code to do guess of byte 0 set to 0x2B
guessed_byte = 0
for subkey in tnrange(0, 16, desc="Attacking Subkey"):
    mean_diffs = []
    for guess in range(0, 256):
        one_list = []
        zero_list = []

        for trace_index in range(numtraces):
            hypothetical_leakage = aes_internal(guess, textin_array[trace_index][subkey])

            #Mask off the lowest bit - is it 0 or 1? Depending on that add trace to array
            if hypothetical_leakage & 0x01:        
                one_list.append(trace_array[trace_index])
            else:
                zero_list.append(trace_array[trace_index])

        one_avg = np.asarray(one_list).mean(axis=0)
        zero_avg = np.asarray(zero_list).mean(axis=0)
        mean_diffs_2b = np.max(abs(one_avg - zero_avg))
        mean_diffs.append(mean_diffs_2b)

    key_guess.append(hex(mean_diffs.index(max(mean_diffs))))
    print("max value is",max(mean_diffs),'sub key', (subkey+1),'is',hex(mean_diffs.index(max(mean_diffs))))

  for subkey in tnrange(0, 16, desc="Attacking Subkey"):


Attacking Subkey:   0%|          | 0/16 [00:00<?, ?it/s]

max value is 0.002279071038912117 sub key 1 is 0x2b
max value is 0.002424855026959591 sub key 2 is 0x7e
max value is 0.0026378035443063858 sub key 3 is 0x15
max value is 0.0016860593705465 sub key 4 is 0xa1
max value is 0.0020347258355925546 sub key 5 is 0xfe
max value is 0.0026359376830010564 sub key 6 is 0xae
max value is 0.0018704521492645676 sub key 7 is 0xd2
max value is 0.001888096866228206 sub key 8 is 0xa6
max value is 0.0019121574652581075 sub key 9 is 0x3f
max value is 0.0018724845054835099 sub key 10 is 0x7d
max value is 0.002273006694745963 sub key 11 is 0x15
max value is 0.0021211019183834945 sub key 12 is 0x75
max value is 0.0022071774462771865 sub key 13 is 0x9
max value is 0.0026146119076707955 sub key 14 is 0xcf
max value is 0.002106999071180074 sub key 15 is 0x4f
max value is 0.0019797650755797314 sub key 16 is 0x3c


In [115]:
print(key_guess)

['0x2b', '0x7e', '0x15', '0xa1', '0xfe', '0xae', '0xd2', '0xa6', '0x3f', '0x7d', '0x15', '0x75', '0x9', '0xcf', '0x4f', '0x3c']


🥳🥳🥳🥳🥳🥳🥳🥳🥳🥳🥳🥳🥳
Congrats - you did it!!!!

Hopefully the above worked - but we're going to go a little further to understand how to apply this in case it didn't work right away (or it almost worked).

## Ghost Peaks

Maybe the previous didn't actually recover the full key? No need to worry - there are a few reasons for this. One artifact of a DPA attack is you get another strong peak that isn't the correct key (which can be a ghost peak).

We're going to get into more efficient attacks later, but for now, let's look at some solutions:

* Increase the number of traces recorded.
* Change the targetted bit (& combine solutions from multiple bits).
* Window the input data.

The first one is the brute-force option: go from 2500 to 5000 or even 10000 power traces. As you add more data, you may find the problem is reduced. But real ghost peaks may not disappear, so we need to move onto other solutions.

Before we begin - we're going to give you a "known good" DPA attack script we're going to build on. This uses the `calculate_diffs()` function defined earlier.

Run the following block (will take a bit of time):

In [116]:
from tqdm import tnrange
import numpy as np

#Store your key_guess here, compare to known_key
key_guess = []
known_key = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]

#Which bit to target
bitnum = 0

full_diffs_list = []

for subkey in tnrange(0, 16, desc="Attacking Subkey"):
    
    max_diffs = [0]*256
    full_diffs = [0]*256

    for guess in range(0, 256):
        full_diff_trace = calculate_diffs(guess, subkey, bitnum)
        max_diffs[guess] = np.max(full_diff_trace)
        full_diffs[guess] = full_diff_trace
    
    #Make copy of the list
    full_diffs_list.append(full_diffs[:])
    
    #Get argument sort, as each index is the actual key guess.
    sorted_args = np.argsort(max_diffs)[::-1]
    
    #Keep most likely
    key_guess.append(sorted_args[0])
    
    #Print results
    print("Subkey %2d - most likely %02X (actual %02X)"%(subkey, key_guess[subkey], known_key[subkey]))
    
    #Print other top guesses
    print(" Top 5 guesses: ")
    for i in range(0, 5):
        g = sorted_args[i]
        print("   %02X - Diff = %f"%(g, max_diffs[g]))
    
    print("\n")

  for subkey in tnrange(0, 16, desc="Attacking Subkey"):


Attacking Subkey:   0%|          | 0/16 [00:00<?, ?it/s]

Subkey  0 - most likely 2B (actual 2B)
 Top 5 guesses: 
   2B - Diff = 0.002279
   69 - Diff = 0.001775
   F0 - Diff = 0.001705
   34 - Diff = 0.001702
   EB - Diff = 0.001679


Subkey  1 - most likely 7E (actual 7E)
 Top 5 guesses: 
   7E - Diff = 0.002425
   D9 - Diff = 0.001835
   B9 - Diff = 0.001759
   12 - Diff = 0.001738
   A8 - Diff = 0.001737


Subkey  2 - most likely 15 (actual 15)
 Top 5 guesses: 
   15 - Diff = 0.002638
   67 - Diff = 0.002132
   BD - Diff = 0.001812
   D4 - Diff = 0.001753
   D9 - Diff = 0.001702


Subkey  3 - most likely A1 (actual 16)
 Top 5 guesses: 
   A1 - Diff = 0.001686
   40 - Diff = 0.001659
   6F - Diff = 0.001650
   3A - Diff = 0.001634
   16 - Diff = 0.001607


Subkey  4 - most likely FE (actual 28)
 Top 5 guesses: 
   FE - Diff = 0.002035
   3C - Diff = 0.002009
   28 - Diff = 0.001724
   13 - Diff = 0.001677
   10 - Diff = 0.001667


Subkey  5 - most likely AE (actual AE)
 Top 5 guesses: 
   AE - Diff = 0.002636
   2C - Diff = 0.001912
   3C 

This block should now print some *next top guesses* - in this case just the next top 5 guesses, but you can extend this if you wish. It's also keeping a copy of all the *difference* traces (unlike before where it threw them away).

### Plotting Peaks

After it runs, select a subkey that is either wrong or has very close "next best guesses". For example, the following shows the output for Subkey 5 is actually wrong - the correct guess (`0xAE`) has been ranked as option 5.

    Subkey  5 - most likely CB (actual AE)
     Top 5 guesses: 
       CB - Diff = 0.003006
       C5 - Diff = 0.002984
       AE - Diff = 0.002739
       3C - Diff = 0.002674
       2F - Diff = 0.002511

You can find the full diff in the `full_diffs_list` array. If you index this array it will give you every guess for a given subkey (for example `full_diffs_list[5]` is the 5th subkey guess outputs).

Using `full_diffs_list[N]` to get your selected subkey, plot the correct key by plotting `full_diffs_list[N][0xCORRECT]` in green as the *last* (so it appears on top). Plot a few other highly ranked guesses before that. In my example, this would look like:

    %matplotlib notebook
    import matplotlib.pylab as plt

    plt.plot(full_diffs_list[5][0xC5], 'r')
    plt.plot(full_diffs_list[5][0xCB], 'r')
    plt.plot(full_diffs_list[5][0xAE], 'g')

In [117]:
%matplotlib notebook
import matplotlib.pylab as plt

plt.plot(full_diffs_list[5][0x2B], 'r')
plt.plot(full_diffs_list[5][0x1E], 'g')
plt.plot(full_diffs_list[5][0x7E], 'b')

<IPython.core.display.Javascript object>

[<matplotlib.lines.Line2D at 0x7fd7a4195070>]

Zoom in on the window, and you should notice there is a location where the correct peak is *higher* than the incorrect peaks. If you want to plot all the traces (this will get slow!) for a given trace, we can do so as the following:

In [120]:
plt.figure()
subkey = 0
for guess in range(0, 256):
    plt.plot(full_diffs_list[subkey][guess])
    
plt.title("Peaks for subkeys-guess")     
plt.xlabel("Sample Number")  # adds x-axis label
plt.ylabel("Average")          # adds y-axis label
plt.legend()

plt.savefig("../Figures/plotting_peaks_1_random.pdf")
plt.show()

<IPython.core.display.Javascript object>



Depending on your hardware, the previous may show a single nice large spike, or multiple large spikes. If we have the ghost peak problem you've probably got multiple spikes. The incorrect peaks may trail behind the correct locations -- we can first plot the correct locations by looking at the known key. The following will do that:

In [121]:
plt.figure()
for subkey in range(0, 16):
    plt.plot(full_diffs_list[subkey][known_key[subkey]])
    
plt.title("Peaks for subkeys-known")     
plt.xlabel("Sample Number")  # adds x-axis label
plt.ylabel("Average")          # adds y-axis label
plt.legend()

plt.savefig("../Figures/plotting_peaks_2_random.pdf")
plt.show()

<IPython.core.display.Javascript object>



### Windowing Peaks

The final trick here - see if there is some way to "window" the data that could be useful. For example, looking at the peaks you might notice that the correct peaks are always coming at 60 cycle offsets, with the first peak around sample 1100 (these will be different for your hardware).

So we could modify the loop to only look at differences after this point:

    for guess in range(0, 256):
        full_diff_trace = calculate_diffs(guess, subkey, bitnum)
        full_diff_trace = full_diff_trace[(1010 + subkey*60):]
        max_diffs[guess] = np.max(full_diff_trace)
        full_diffs[guess] = full_diff_trace
        
Copy the full DPA attack here - and try it out! See if you can get the correct key to come out for every byte.

In [122]:
from tqdm import tnrange
import numpy as np

#Store your key_guess here, compare to known_key
key_guess = []
known_key = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]

#Which bit to target
bitnum = 0

full_diffs_list = []

for subkey in tnrange(0, 16, desc="Attacking Subkey"):

    max_diffs = [0]*256
    full_diffs = [0]*256

    for guess in range(0, 256):
        full_diff_trace = calculate_diffs(guess, subkey, bitnum)
        full_diff_trace = full_diff_trace[(0 + subkey*0):]
        max_diffs[guess] = np.max(full_diff_trace)
        full_diffs[guess] = full_diff_trace

    #Make copy of the list
    full_diffs_list.append(full_diffs[:])

    #Get argument sort, as each index is the actual key guess.
    sorted_args = np.argsort(max_diffs)[::-1]

    #Keep most likely
    key_guess.append(sorted_args[0])

    #Print results
    print("Subkey %2d - most likely %02X (actual %02X)"%(subkey, key_guess[subkey], known_key[subkey]))

    #Print other top guesses
    print(" Top 5 guesses: ")
    for i in range(0, 5):
        g = sorted_args[i]
        print("   %02X - Diff = %f"%(g, max_diffs[g]))

    print("\n")

  for subkey in tnrange(0, 16, desc="Attacking Subkey"):


Attacking Subkey:   0%|          | 0/16 [00:00<?, ?it/s]

Subkey  0 - most likely 2B (actual 2B)
 Top 5 guesses: 
   2B - Diff = 0.002279
   69 - Diff = 0.001775
   F0 - Diff = 0.001705
   34 - Diff = 0.001702
   EB - Diff = 0.001679


Subkey  1 - most likely 7E (actual 7E)
 Top 5 guesses: 
   7E - Diff = 0.002425
   D9 - Diff = 0.001835
   B9 - Diff = 0.001759
   12 - Diff = 0.001738
   A8 - Diff = 0.001737


Subkey  2 - most likely 15 (actual 15)
 Top 5 guesses: 
   15 - Diff = 0.002638
   67 - Diff = 0.002132
   BD - Diff = 0.001812
   D4 - Diff = 0.001753
   D9 - Diff = 0.001702


Subkey  3 - most likely A1 (actual 16)
 Top 5 guesses: 
   A1 - Diff = 0.001686
   40 - Diff = 0.001659
   6F - Diff = 0.001650
   3A - Diff = 0.001634
   16 - Diff = 0.001607


Subkey  4 - most likely FE (actual 28)
 Top 5 guesses: 
   FE - Diff = 0.002035
   3C - Diff = 0.002009
   28 - Diff = 0.001724
   13 - Diff = 0.001677
   10 - Diff = 0.001667


Subkey  5 - most likely AE (actual AE)
 Top 5 guesses: 
   AE - Diff = 0.002636
   2C - Diff = 0.001912
   3C 

## Conclusions & Next Steps

You've now seen how a DPA attack be be performed using a basic Python script. We'll experience much more effective attacks once we look at the CPA attack.

If you want to perform these attacks in practice, the Python code here isn't the most efficient! We'll look at faster options in later courses.

---
<small>NO-FUN DISCLAIMER: This material is Copyright (C) NewAE Technology Inc., 2015-2020. ChipWhisperer is a trademark of NewAE Technology Inc., claimed in all jurisdictions, and registered in at least the United States of America, European Union, and Peoples Republic of China.

Tutorials derived from our open-source work must be released under the associated open-source license, and notice of the source must be *clearly displayed*. Only original copyright holders may license or authorize other distribution - while NewAE Technology Inc. holds the copyright for many tutorials, the github repository includes community contributions which we cannot license under special terms and **must** be maintained as an open-source release. Please contact us for special permissions (where possible).

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</small>

In [61]:
scope.dis()
target.dis()