Signed-off-by: Vladimir Rozic <vrozic@lowrisc.org>

This commit contains several changes:
1. Fix leakage model computation. Previously, only the initial round and
   the first 9 regular rounds were computed. The final round couldn't be
   analyzed.
2. Now, all bytes and all rounds are computed. Basically when computing
   a single byte, the other bytes come for free. Similarly, if round 10
   is needed, all other rounds need to be computed anyway.
3. The computed leakage model is saved to disk as traces.npy and using
   a new command line argument can be loaded in a later run to re-use
   previous intermediate results and speed up the analysis.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

This gives a performance improvement of nearly 100x compared to the
previous implementation based on nested for loops.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

This commit modifies the histograms & t-test computation as well as
the plotting to run for all rounds and all bytes by default. Using new
command line arguments, the user can specify a single round and/or a
single byte if needed. Plots for all computed t-test results are saved
and the script now prints results in text format, highlighting in which
rounds and bytes, leakage above the threshold has been detected.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

This commit parallelizes the histograms computation across samples.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

In case either the fixed or random set is empty, the statistics can't
be computed. This can happen e.g. if few traces are used only, or if
using the hamming distance as sensitive variable and analyzing the
initial round. In the latter case, the hamming distance can only be
zero or non-zero if the corresponding key byte is zero or non-zero,
respectively. Thus, either the fixed or the random set is empty.

Previously we anyway computed the statistics producing meaningless
results. With this commit, we don't try to compute the statistics
anymore if either of the sets is empty and report this to the user.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

This commit switches to a t-test function provided by scipy which
operates on arrays. Also, the code around the t-test function is
refactored to make better use of numpy.ndarrays, to reduce the amount
of control code and to reduce the number of loops. All this allows for
a speedup of 20x for the t-test computation.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Added support for general fixed-vs-random TVLA.

Signed-off-by: vrozic <vrozic@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

The most important change of this commit is that it adds the option for
step-wise processing of trace sets using the `-n` argument and related
to that the capability to plot how the t-test values evolve with
increasing number of traces. Other usability improvements include:
- Filtered traces and the computed leakage are only saved to disk if
  the `-d` argument is provided.
- Figures are only plotted and saved to disk if the `-f` argument is
  provided.
- The t-test results can be written to disk using the `-d` argument.
  They can be loaded with the `-a` argument to only display results and
  plot figures if really needed. The results table is always printed.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

This allows both specific AES TVLA (as we were doing before) and fixed-
vs-random TVLA for AES and SHA3 using a single code base.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Fixes a way that a random set is constructed when running tvla
general tests.

Signed-off-by: vrozic <vrozic@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Add support for fixed-vs-random key TVLA when measurements are
taken in random order (rather than alternating between fixed and
random). The analysis works under the assumption is that the first
trace in the project is generated using a fixed key.

Signed-off-by: vrozic <vrozic@lowrisc.org>

Signed-off-by: Abdullah Varici <abdullah.varici@lowrisc.org>

The inrease in sampling rate by 2x and the trigger offset needs to be
accounted for when plotting these figures.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

This is not actually needed but may have a slightly negative impact when
doing more than one step as the offset may vary with each step.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Without this commit, it could happen that the wrong bytes/rounds would
be selected for the final results/figure plotting step in case only a
subset of bytes/rounds were analyzed.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>

Previously, we were generating 9 histograms one for each possible
Hamming weight of the sensitive variable. But the actual statistics
are then computed by combining the 8 histograms for the non-zero Hamming
weights (fixed vs. random). It this therefore more efficient to only
generate 2 histograms in the first place. One for Hamming weight = 0 and
one for Hamming weight > 0. Most importantly, this leads to a reduction
in memory footprint of roughly 4.5x.

Signed-off-by: Pirmin Vogel <vogelpi@lowrisc.org>