DATA and CODE for project GRIZZLY: efficient and portable template attacks.
Author: Marios Omar Choudary (omar.choudary@cl.cam.ac.uk,marios.choudary@cs.pub.ro)
Version: 1.2
Last updated: 22 December 2017

PAPERS

The data and code in this folder allow you to reproduce the results shown
in these papers:

1) Marios O. Choudary and Markus G. Kuhn, "Efficient, Portable Template Attacks",
IEEE Transactions on Information Forensics and Security, 13(2), 2018, pp.490--501.

2) Marios O. Choudary and Markus G. Kuhn,
"Efficient stochastic methods: profiled attacks beyond 8 bits",
CARDIS 2014, Paris, 2014. Springer LNCS 8968, pp. 85--103.

3) Omar Choudary and Markus G. Kuhn, "Template attacks on different devices",
COSADE 2014, Paris, 2014. Springer LNCS 8622, pp. 179--198.

4) Omar Choudary and Markus G. Kuhn, "Efficient Template Attacks", CARDIS 2013,
Berlin, 27--29 November, 2013. Springer LNCS 8419, pp. 253--270.

If you find the associated data or code useful please cite the relevant papers
in your results.

DATA

You can download the data associated with these papers here:
https://www.cl.cam.ac.uk/research/security/datasets/grizzly/

Then you should uncompress each of the data files by running gunzip, e.g.:
"gunzip e2_bat_fb_beta_raw_s_0_3071.raw.gz"

and put the resulting file (e.g. e2_bat_fb_beta_raw_s_0_3071.raw) in the same folder
as this readme file (i.e. the folder with all the MATLAB scripts).

Each of the uncompressed data files contain the raw traces that we
acquired from our four evaluation boards (Alpha, Beta, Gamma, Delta) on the
Atmel XMEGA A3U microcontroller, by using a Tektronix TDS 7054 oscilloscope
using the full bandwidth (500MHz) and batteries via a voltage regulator 3.3 V
as power supply.

For the Grizzly experiments (8-bit attacks), there are five datasets available:
four corresponding to each device (alpha, beta, gamma, delta) and a second
dataset on device Beta, which corresponds to a different acquisition campaign
to observe similarities and differences between attacks on different devices
and attacks on different acquisition campaigns on the same device (see papers
for details).

The full acquisition settings for all these campaigns/devices are:
Power supply from batteries via voltage regulator at 3.3V,
1MHz sine clk (3 Vpp,1.5 V DC offset, 50 Ohm load, sine),
10 Ohm resistor, active probe. Bandwidth 500MHz,250MS/s,4ns/point,1us/div,
2500 pt/frame,SAMPLE mode with Fastframe, 10mV/div vertical resolution,
DC coupling.

These experiments (which we called E2) are as follows:
Loading bytes into registers r8:r15. All bytes are 0 except for the
second byte that gets loaded into r9, which is changed between 0 and 255.
The experiment is as follows:
  - for nr_trials=1310720=256*5120 times do:
    1. initialize registers with zeros.
    2. copy 8 bytes of data into r8:r15 at address A=0x2525
  - each block of 8 bytes has first byte 0, next byte is a value between 0
    and 255 and the next 6 bytes are 0.
  - every 256 trials all the 256 values {0, ..., 255} are used for byte 2.
    That is, a random permutation of the values {0, ..., 255} is used as
    byte 2 over 256 trials, so we use every byte value for 5120 times.

This is the code that is being run from the point of trigger:
// signal start of loading data trigger (PC1)
sbi _SFR_IO_ADDR(VPORT0_DIR), _SFR_IO_ADDR(PIN1_bp)     ; 1 clock cycle
sbi _SFR_IO_ADDR(VPORT0_OUT), _SFR_IO_ADDR(PIN1_bp)     ; 1 clock cycle
nop
cbi _SFR_IO_ADDR(VPORT0_OUT), _SFR_IO_ADDR(PIN1_bp)     ; 1 clock cycle
cbi _SFR_IO_ADDR(VPORT0_DIR), _SFR_IO_ADDR(PIN1_bp)     ; 1 clock cycle
// add a few more nops after signal to remove influence on power consumption
// there are 6 clock cycles between trigger and mov instruction
nop
nop
nop

// load the data
movw r30, r24   ; 1 clock cycle
ld r8, Z+       ; 2 clock cycles per ld when accessing internal RAM
ld r9, Z+
ld r10, Z+
ld r11, Z+
ld r12, Z+
ld r13, Z+
ld r14, Z+
ld r15, Z+

// 3 nops
nop
nop
nop

The initial values of the registers r8-r15 are 0x00.

In each trace, the point at 5% corresponds to the MOV instruction before the
sequence of LD instructions that load the DES key. Therefore, the point at 15%
corresponds to the first clock cycle of the first LD instruction, the point at
25% to the second clock cycle, the point at 35% to the first clock of the second
LD instruction and so on.

MATLAB SCRIPTS

The MATLAB scripts in this folder will allow you to run template attacks
on the raw data using different parameters. The scripts allow you to run
attacks both on a single device (i.e. data from a single board) as well
as attacks that use profiling from one device but target a different device.

Start by looking at:
'do_test_success_templates_bat_fb_dlinear.m'

which will run the template attacks for a single device (Beta).
The results of this method will be stored in:
'results/a2_bat_fb_templates_dlinear_n200r_slr_g1000_r10.mat'

(you must create the folder "results/". See the Makefile below)

You can then use the script:
'do_show_results_templates_a2_bat_fb.m'

on the results above to produce a figure similar to the ones in our papers.
The figure will be stored in:
'figures/a2_bat_fb_dlinear_n200r_ls_r10_guess_entropy.pdf'

(you must create the folder "figures/". See the Makefile below)

For results using different devices, you should look at the scripts:
'do_test_success_templates_a2d_ab_bat_fb_dlinear.m'
(normal template attacks)

and:
'do_test_success_templates_a2d_ab_adapt_boffset.m'
(template attack using our method to insert some random offset during training)

The associated scripts to produce figures from those attacks are:
'do_show_results_templates_a2d_ab_bat_fb.m'

and:
'do_show_results_templates_a2d_ab_adapt_boffset.m'

These scripts should allow you to reproduce some of the figures in our papers
and they should also allow you to easily build your own scripts to reproduce
all figures (e.g. using also the other campaigns, not just alpha and beta)
as well as to test your own algorithms on our datasets.

STOCHASTIC METHODS AND PANDA DATASET

In the same location:
https://www.cl.cam.ac.uk/research/security/datasets/grizzly/

you will find also a larger dataset:
e5_all_bat_fb_2mhz_n500_beta.raw.gz

called Panda in our "Efficient stochastic methods" paper,
which was used for our experiments on 16-bit data.
The acquisition settings for this dataset are:
Power supply from batteries via voltage regulator at 3.3V,
1MHz sine clk (3 Vpp,1.5 V DC offset, 50 Ohm load, sine),
10 Ohm resistor, active probe. Bandwidth 500MHz,125MS/s,HIRES mode,
500 pt/frame, 10mV/div vertical resolution, DC coupling.

The code running on the XMEGA for the Panda dataset is the same as for
Grizzly, except that two consecutive registers are now loaded with random
plaintext instead of a single register (as was the case for Grizzly).
This allows us to target 16-bit values (i.e. two concatenated 8-bit values).

See the scripts:
do_test_success_stochastic_e2_bat_fb_all.m
do_show_results_stochastic_f9_a2_bat_fb_master.m
do_test_success_stochastic_e5_bat_fb_all.m

for using the Panda and Grizzly datasets with stochastic methods.
This should provide a more efficient profiling phase than using
standard template attacks.

AUTOMATIC BUILD

In this folder there should also be a Makefile that allows you to
automatically build things (you need make, MATLAB in your path and perhaps
a Linux environment since I have not tested in any other environment).

Run one of the following:

"make" or "make all":
  download two data sets (alpha and beta), run the template attacks on
  single device (beta) as well as multiple devices (alpha, beta) and
  produce result figures.

"make multi":
  run only the attacks on different devices.

"make single":
  run only the attacks on a single device.

"make stochastic":
  run the stochastic-based template attacks on the Grizzly data.

"make data":
  download and uncompress the data only

See the file Makefile for more details.

Enjoy!