# Lecture 3.2: Attack on AES with Differential-Power-Analysis (Kocher et al. 1999) using Lascar

#### Learning goals
- Learn how to apply a DPA attack using Lascar

#### References
- https://github.com/Ledger-Donjon/lascar

In [None]:
%load_ext autoreload
%autoreload 2

import os
import random

import numpy as np
import plotly.graph_objects as pgo

from securec.capture import capture

## Why Lascar?

When it comes to "real" side-channel analysis the author favours [Lascar](https://github.com/Ledger-Donjon/lascar) with the following reasons:

- High performance
- Well structured and documented code
- Easy start due to good examples
- Citations given for the methods of analysis

## Main aspects of lascar

While lascar's tutorial and the examples provide a comprehensive entry point the main concepts are demonstrated here to make the subsequent analysis understandable.

In [None]:
import lascar

### Container

In [None]:
import sys
print(sys.modules['lascar.container'].__doc__)

We will mainly use the following container:

In [None]:
lascar.TraceBatchContainer

As described [here](https://github.com/Ledger-Donjon/lascar/blob/master/tutorial/01-discovering-containers.py) it takes to items:


A side-channel trace (Trace in lascar), is a couple of two items:
- The first item is "leakage" and represents the side-channel observable
- The second item is "value" and represents the handled values during the observation of "leakage".
The only restriction here is that "leakage" and "data" must be numpy.arrays of any shape.
trace = (leakage, value) where leakage and value are numpy.arrays
The __str__ method of Trace displays the shape and dtype for both leakage and value.

### Engine

The most important concept is `Engine`. It performs the actual analysis.

In [None]:
print(lascar.Engine.__doc__)

One example is `DpaEngine`.

In [None]:
print(lascar.DpaEngine.__doc__)

### OutputMethod

The data which is produced by an Engine is passed to an `OutputMethod.`

In [None]:
print(lascar.OutputMethod.__doc__)

### Session

The final ingredient to perform an analysis is a `Session`.

In [None]:
print(lascar.Session.__doc__)

### Note

Lascar uses `numba.jit` to speed up calculations.
This "costs" an initial effort when compiling the functions but provides awesome speed afterwards.
Jit is enabled by default and can be configured for some engines.

<div style="border: 3px solid plum; border-radius: 5px; padding: 5px; width: calc(100% - 20px);">
<div class="h2" style="font-variant: all-small-caps;">Exercise 1</div>

Perform a DPA attack on [sbox_lookup.c](sbox_lookup.c) on the LSB of the output of the first SBox lookup using Lascar. Use
- `TraceBatchContainer`
- `DpaEngine`
- `ConsoleOutputMethod`

</div>

<div style="border: 3px solid plum; border-radius: 5px; padding: 5px; width: calc(100% - 20px);">
<div class="h2" style="font-variant: all-small-caps;">Exercise 2 (optional)</div>

Perform the attack using two output modes together: `ConsoleOutputMode` and `MatplotlibOutputMethod`.

</div>

<div style="border: 3px solid plum; border-radius: 5px; padding: 5px; width: calc(100% - 20px);">
<div class="h2" style="font-variant: all-small-caps;">Exercise 3 (optional)</div>

Perform a full DPA attack (i.e. reveal all key bytes) using Lascar.

Hints:
- Multiple Engines are needed
- 16 different selection functions are needed. Create a function that returns a selection function.

</div>