# Correlation Power Analysis Second Order

### Masking the SBox output

Given a mask $m_o$ then a _SBox with output mask_ is a modified AES-SBOX $\mathrm{SBOX'}$ with the property:

$$ \mathrm{SBOX'}(\mathrm{pt}_i \oplus k_i) = \mathrm{SBOX}(\mathrm{pt}_i \oplus k_i) \oplus m_o $$

Where $k_i$ is the $i$-th key byte and $\mathrm{pt}_i$ the $i$-th input byte.


## Second Order Power Analysis

Multiplying two different timestamps in the power trace reveals the XOR of the processed data at these timestamps.

In [1]:
%load_ext autoreload
%autoreload 2

import os
import random

import lascar
import numpy as np
import plotly.graph_objects as pgo
from cwtoolbox import CaptureDevice
from cwtoolbox.analyze import cpa

In [None]:
capture_device = CaptureDevice.create("CWLITEXMEGA")
capture_device.compile(file=os.path.abspath("sbox_lookup_masking_second_order.c"))
capture_device.flash()

In [None]:
data = capture_device.capture(
    number_of_traces=1000,
    input=lambda _: random.randbytes(32),
)

In [None]:
fig = pgo.Figure()
fig.add_trace(pgo.Scatter(y=data["trace"][0]))
fig.show()

In [None]:
def selection_function(value, guess):
    return lascar.hamming(lascar.tools.aes.sbox[value["input"][0] ^ guess])

correlations = cpa(
    dataset=data,
    selection_functions={"key 0": selection_function},
    guess_range=range(256),
    higherorder_rois=(range(40, 50), range(9309, 10584)),
    progressbar=True,
)

In [None]:
fig = pgo.Figure()
for _, correlation in correlations[0][1]:
    fig.add_trace(pgo.Scattergl(y=abs(correlation)))
fig.show()

Result: 
The position of the peak corresponds to two specific timestamps:
One, where the `sbox_output_mask` is loaded.
And the other, where `masked_sbox[input[0] ^ stored_key[0]]` is calculated.

Multiplying these trace values is proportional to 
```
HW(sbox_output_mask ^ (masked_sbox[input[0] ^ stored_key[0]]))
= HW(AES_SBOX[input[0] ^ stored_key[0]])
```

## Full Second Order Attack

In [None]:
def sbox_output_selection_function(key_index):
    def selection_function(value, guess):
        return lascar.hamming(lascar.tools.aes.sbox[value["input"][key_index] ^ guess])
    return selection_function

correlations = cpa(
    dataset=data,
    selection_functions={f"key {i}": sbox_output_selection_function(i) for i in range(16)},
    guess_range=range(256),
    higherorder_rois=(range(40, 50), range(9309, 10584)),
    progressbar=True,
)

In [None]:
fig = pgo.Figure()
for key_index, corrs in correlations[:5]:
    for idx, corr in corrs[:5]:
        fig.add_trace(pgo.Scattergl(y=abs(corr), name=f"{key_index}: Guess {idx}"))
fig.show()

for key_index, corrs in correlations:
    max_corrs = [max(abs(corr)) for _, corr in corrs]
    print(f"Key {key_index}: Best guess: {np.argmax(max_corrs):02x}")