# Part 3, Topic 1: Large Hamming Weight Swings (MAIN)

---
NOTE: This lab references some (commercial) training material on [ChipWhisperer.io](https://www.ChipWhisperer.io). You can freely execute and use the lab per the open-source license (including using it in your own courses if you distribute similarly), but you must maintain notice about this source location. Consider joining our training course to enjoy the full experience.

---

**SUMMARY:** *In the previous part of the course, you saw that a microcontroller's power consumption changes based on what it's doing. In the case of a simple password check, this allowed us to see how many characters of the password we had correct, eventually resulting in the password being broken.*

*That attack was based on different code execution paths showing up differently in power traces. In this next set of labs, we'll posit that, not only does different instructions affect power consumption, the data being manipulated in the microcontroller also affects power consumption.*


**LEARNING OUTCOMES:**

* Using a power measurement to 'validate' a possible device model.
* Detecting the value of a single bit using power measurement.
* Breaking AES using the classic DPA attack.

## Prerequisites

Hold up! Before you continue, check you've done the following tutorials:

* ☑ Jupyter Notebook Intro (you should be OK with plotting & running blocks).
* ☑ SCA101 Intro (you should have an idea of how to get hardware-specific versions running).
* ☑ SCA101 Part 2 (you should understand how power consumption changes based on what code is being run)

## Power Trace Gathering

At this point you've got to insert code to perform the power trace capture. There are two options here:
* Capture from physical device.
* Read from a file.

You get to choose your adventure - see the two notebooks with the same name of this, but called `(SIMULATED)` or `(HARDWARE)` to continue. Inside those notebooks you should get some code to copy into the following section, which will define the capture function.

Be sure you get the `"✔️ OK to continue!"` print once you run the next cell, otherwise things will fail later on!


In [1]:
# always run this cell ! either for the hardware or simulated test
%matplotlib notebook
import matplotlib.pylab as plt
import matplotlib.font_manager as font_manager

import numpy as np

## [Hardware]

In [10]:
SCOPETYPE = 'CWNANO'
PLATFORM = 'CWNANO'
CRYPTO_TARGET = 'TINYAES128C'
SS_VER = 'SS_VER_2_1'

In [11]:
%run "../../Setup_Scripts/Setup_Generic.ipynb"

INFO: Found ChipWhisperer😍


In [12]:
%%bash -s "$PLATFORM" "$CRYPTO_TARGET" "$SS_VER"
cd ../../../hardware/victims/firmware/simpleserial-aes
make PLATFORM=$1 CRYPTO_TARGET=$2 SS_VER=$3 -j

Building for platform CWNANO with CRYPTO_TARGET=TINYAES128C
SS_VER set to SS_VER_2_1
SS_VER set to SS_VER_2_1
Blank crypto options, building for AES128
Building for platform CWNANO with CRYPTO_TARGET=TINYAES128C
SS_VER set to SS_VER_2_1
SS_VER set to SS_VER_2_1
Blank crypto options, building for AES128
make[1]: '.dep' is up to date.
Building for platform CWNANO with CRYPTO_TARGET=TINYAES128C
SS_VER set to SS_VER_2_1
SS_VER set to SS_VER_2_1
Blank crypto options, building for AES128
arm-none-eabi-gcc.exe (GNU Arm Embedded Toolchain 10-2020-q4-major) 10.2.1 20201103 (release)
Copyright (C) 2020 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

.
Welcome to another exciting ChipWhisperer target build!!
.
Assembling: .././hal/stm32f0/stm32f0_startup.S
arm-none-eabi-gcc -c -mcpu=cortex-m0 -I. -x assembler-with-cpp -mthumb -mfloat-abi=soft -ffunction-sections -

In [13]:
cw.program_target(scope, prog, "../../../hardware/victims/firmware/simpleserial-aes/simpleserial-aes-{}.hex".format(PLATFORM))

Detected known STMF32: STM32F03xx4/03xx6
Extended erase (0x44), this can take ten seconds or more
Attempting to program 5859 bytes at 0x8000000
STM32F Programming flash...
STM32F Reading flash...
Verified flash OK, 5859 bytes


**My notes :** The code below capture the power traces on a TINYAES128C. It captures 100 energy traces (with 5000 samples each) while sending a series of simple messages (16 * Byte) to the target and stores the energy traces and the messages sent in separate arrays (trace_array ad textin_array).

In [14]:
from tqdm import tnrange # To see the progress
import time              # in time

ktp = cw.ktp.Basic()     # It creates a KTP object (Key-Text Pair) 
print(ktp)

trace_array = []
textin_array = []

key, text = ktp.next()   # when calling ktp.next the object returns the next key/text pair. By default the sequence is random/unique to each exec

target.set_key(key)

N = 100
for i in tnrange(N, desc='Capturing traces'):
    scope.arm()
    print('text[0] avant, ', text[0])
    print('text avant, ', text)
    
    # looking if the last bit is 1 or 0
    if text[0] & 0x01:
        text[0] = 0xFF
    else:
        text[0] = 0x00
    target.simpleserial_write('p', text)
    print(text, '\n')
    
    ret = scope.capture()
    if ret:
        print("Target timed out!")
        continue
    
    response = target.simpleserial_read('r', 16)
    
    trace_array.append(scope.get_last_trace())
    textin_array.append(text)
    
    key, text = ktp.next() 
    #print(ktp)

key: ['0x2b', '0x7e', '0x15', '0x16', '0x28', '0xae', '0xd2', '0xa6', '0xab', '0xf7', '0x15', '0x88', '0x9', '0xcf', '0x4f', '0x3c']
text: ['0x0', '0x1', '0x2', '0x3', '0x4', '0x5', '0x6', '0x7', '0x8', '0x9', '0xa', '0xb', '0xc', '0xd', '0xe', '0xf']


  for i in tnrange(N, desc='Capturing traces'):


Capturing traces:   0%|          | 0/100 [00:00<?, ?it/s]

text[0] avant,  254
text avant,  CWbytearray(b'fe 75 11 f9 b8 e4 12 f1 a4 5a 78 dc d6 85 f4 af')
CWbytearray(b'00 75 11 f9 b8 e4 12 f1 a4 5a 78 dc d6 85 f4 af') 

text[0] avant,  197
text avant,  CWbytearray(b'c5 30 54 a1 31 c9 ab 25 e0 89 5e 01 f2 69 d6 14')
CWbytearray(b'ff 30 54 a1 31 c9 ab 25 e0 89 5e 01 f2 69 d6 14') 

text[0] avant,  40
text avant,  CWbytearray(b'28 8d e2 a7 89 8b 51 9b 1c 6e 77 eb 62 40 52 14')
CWbytearray(b'00 8d e2 a7 89 8b 51 9b 1c 6e 77 eb 62 40 52 14') 

text[0] avant,  66
text avant,  CWbytearray(b'42 f7 6d e3 72 46 d1 7d 16 d6 09 a6 1f 4a 02 a2')
CWbytearray(b'00 f7 6d e3 72 46 d1 7d 16 d6 09 a6 1f 4a 02 a2') 

text[0] avant,  145
text avant,  CWbytearray(b'91 49 a3 af 1d 2e aa 20 21 af 2e d3 27 00 f8 a8')
CWbytearray(b'ff 49 a3 af 1d 2e aa 20 21 af 2e d3 27 00 f8 a8') 

text[0] avant,  32
text avant,  CWbytearray(b'20 ab be ea e4 0c 3e 00 31 44 78 b0 68 eb fe f0')
CWbytearray(b'00 ab be ea e4 0c 3e 00 31 44 78 b0 68 eb fe f0') 

text[0] avant,  159
text 

text[0] avant,  37
text avant,  CWbytearray(b'25 54 e6 53 fc dc 43 8e de 6b 49 54 5b 5b 62 2e')
CWbytearray(b'ff 54 e6 53 fc dc 43 8e de 6b 49 54 5b 5b 62 2e') 

text[0] avant,  175
text avant,  CWbytearray(b'af 46 32 d3 84 d1 76 8b 65 67 d8 34 43 ea 59 fc')
CWbytearray(b'ff 46 32 d3 84 d1 76 8b 65 67 d8 34 43 ea 59 fc') 

text[0] avant,  138
text avant,  CWbytearray(b'8a b0 17 4f 5b 1e cf 4f f9 ab f4 98 14 38 01 14')
CWbytearray(b'00 b0 17 4f 5b 1e cf 4f f9 ab f4 98 14 38 01 14') 

text[0] avant,  63
text avant,  CWbytearray(b'3f b5 b2 25 13 89 35 ed 16 cf 39 a5 af 5a c4 cc')
CWbytearray(b'ff b5 b2 25 13 89 35 ed 16 cf 39 a5 af 5a c4 cc') 

text[0] avant,  205
text avant,  CWbytearray(b'cd 77 5f bc 43 7b 14 b0 d7 7e 80 fc f4 5f 2e 70')
CWbytearray(b'ff 77 5f bc 43 7b 14 b0 d7 7e 80 fc f4 5f 2e 70') 

text[0] avant,  43
text avant,  CWbytearray(b'2b 80 f2 b7 17 2c f9 23 bc a1 90 de ca 29 ea 0f')
CWbytearray(b'ff 80 f2 b7 17 2c f9 23 bc a1 90 de ca 29 ea 0f') 

text[0] avant,  90
text a

In [15]:
assert len(trace_array) == 100
print("✔️ OK to continue!")

✔️ OK to continue!


## Grouping Traces

As we've seen in the slides, we've made an assumption that setting bits on the data lines consumes a measurable amount of power. Now, we're going test that theory by getting our target to manipulate data with a very high Hamming weight (0xFF) and a very low Hamming weight (0x00). For this purpose, the target is currently running AES, and it encrypted the text we sent it. If we're correct in our assumption, we should see a measurable difference between power traces with a high Hamming weight and a low one.

Currently, these traces are all mixed up. Separate them into two groups: `one_list` and `zero_list`. Here's an example of how we use the first byte to check for a 0x00, and assume if it's not that it's 0xFF. Here is a simple iteration to print them:

Now extend this to append them to two arrays, a `one_list` and a `zero_list`:

In [16]:
# ###################
# Let's remember that the message will go through a chiffrement process
# ###################

one_list = [] # list of traces where the first byte of the sent message is 0, really really a bad name
zero_list = [] # list of traces where the first byte of the sent message is 0

for i in range(len(trace_array)):
    if textin_array[i][0] == 0x00:
        one_list.append(trace_array[i])
    else:
        zero_list.append(trace_array[i])

print (len(one_list))
print (len(zero_list))

assert len(one_list) > len(zero_list)/2 # to know if it's balanced
assert len(zero_list) > len(one_list)/2


54
46


We should have two different lists. Whether we sent 0xFF or 0x00 was random, so these lists likely won't be evenly dispersed. Next, we'll want to take an average of each group (make sure you take an average of each trace at each point! We don't want an average of the traces in time), which will help smooth out any outliers and also fix our issue of having a different number of traces for each group.

The easiest way to accomplish this will be to use `np.mean()`, which can take a list as an argument. You'll need to specify the `axis` parameter as well, to ensure you take the correct dimension. Check the resulting size to make sure you still have traces of the same length as one input - the following block shows how you can verify that, assuming you used `one_avg` as the average.

In [17]:
trace_length = len(one_list[0])
print("Traces had original sample length of %d"%trace_length)

one_avg = np.mean(one_list, axis=0) # traces ou je sais que le 1er byte envoié est 0
zero_avg = np.mean(zero_list, axis=0) # traces ou je sais que le 1er byte envoié est 1

if len(one_avg) != trace_length:
    raise ValueError("Average length is only %d - check you did correct dimensions!"%one_avg)

Traces had original sample length of 5000


In [18]:
# I always like to compare traces without operation before
font = font_manager.FontProperties(style='normal', size=5)
plt.figure();
plt.xlabel('Simples')
plt.ylabel('Means of power cons')
plt.grid(True)
plt.title('Average Power Consumption \n message with first byte 0x11 vs 0x00')

plt.plot(zero_avg)
plt.plot(one_avg)

plt.show()

<IPython.core.display.Javascript object>

Finally, subtract the two averages and plot the resulting data:

In [19]:
font = font_manager.FontProperties(style='normal', size=5)
plt.figure();
plt.xlabel('Samples')
plt.ylabel('0x11.mean - 0x00.mean')
plt.grid(True)
plt.title('Subtraction of means \n')

resul_sub = np.abs(zero_avg - one_avg)  
plt.plot(resul_sub)
plt.show()

<IPython.core.display.Javascript object>

You should see a very distinct trace near the beginning of the plot, meaning that the data being manipulated in the target device is visible in its power trace! Again, there's a lot of room to explore here:

* Try setting multiple bytes to 0x00 and 0xFF.
* Try using smaller hamming weight differences. Is the spike still distinct? What about if you capture more traces?
* We focused on the first byte here. Try putting the difference plots for multiple different bytes on the same plot.
* The target is running AES here. Can you get the spikes to appear in different places if you set a byte in a later round of AES (say round 5) to 0x00 or 0xFF?

## [Simulated]

In [2]:
aes_traces_100_tracedata = np.load(r"traces/lab3_1_traces.npy")
aes_traces_100_textindata = np.load(r"traces/lab3_1_textin.npy")

trace_array = aes_traces_100_tracedata
textin_array = aes_traces_100_textindata

assert len(trace_array) == 100
print("✔️ OK to continue!")

✔️ OK to continue!


- Definir bits nas linhas de dados consome uma quantidade mensurável de energia. 
- Fazer o alvo manipular dados com um peso de Hamming muito alto (0xFF) e muito baixo (0x00). 
- Para isso, o alvo está executando o AES no momento e criptografou o texto que enviamos. 
- Ver uma diferença mensurável entre traços de energia com um peso de Hamming alto e um baixo.

Atualmente, esses traços estão todos misturados. Separe-os em dois grupos: one_list e zero_list. Aqui está um exemplo de como usamos o primeiro byte para verificar se há 0x00 e assumimos que, se não for, é 0xFF. Aqui está uma iteração simples para imprimi-los

In [4]:
print(trace_array.shape) # It means that trace_array has 100 subarrays and each one has 5000 samples

(100, 5000)


In [3]:
print(textin_array) # one message is a 16-position byte array

[[  0 176 161 ... 200 122 177]
 [  0 219 190 ... 249 212 222]
 [  0 198 153 ...  79  11  17]
 ...
 [  0 130  28 ...  46 114  45]
 [  0 140  51 ... 179 132 147]
 [  0 189 120 ...  71 108  85]]


Hamming weight goes from 00 to FF let's divide all these traces into 2 groups : one_list and zero_list

In [6]:
# ###################
# Let's remember that the message will go through a chiffrement process
# ###################

one_list = [] # list of traces where the first byte of the sent message is 0x00, really really a bad name
zero_list = [] # list of traces where the first byte of the sent message is 0xFF

for i in range(len(trace_array)):
    if textin_array[i][0] == 0x00:
        one_list.append(trace_array[i])
    else:
        zero_list.append(trace_array[i])

print (len(one_list))
print (len(zero_list))

assert len(one_list) > len(zero_list)/2 # to know if it's balanced
assert len(zero_list) > len(one_list)/2

55
45


- Devemos ter duas listas diferentes.
- Queremos obter uma média de cada grupo (uma média de cada traço em cada ponto! Não queremos uma média dos traços no tempo). 

axis : along which we want to calculate the arithmetic mean. Otherwise, it will consider arr to be flattened(works on all the axis). 
- axis = 0 means along the column 
- axis = 1 means working along the row

In [7]:
trace_length = len(one_list[0])
print("Traces had original sample length of %d"%trace_length)
one_avg = np.mean(one_list, axis=0) # traces ou je sais que le 1er byte envoié est 0

zero_avg = np.mean(zero_list, axis=0) # traces ou je sais que le 1er byte envoié est 1

if len(one_avg) != trace_length:
    raise ValueError("Average length is only %d - check you did correct dimensions!"%one_avg)

Traces had original sample length of 5000


In [8]:
font = font_manager.FontProperties(style='normal', size=5)
plt.figure();
plt.xlabel('Simples')
plt.ylabel('Means of power cons')
plt.grid(True)
plt.title('Average Power Consumption \nfirst byte 0x11 vs 0x00')

plt.plot(zero_avg)
plt.plot(one_avg)

plt.show()

<IPython.core.display.Javascript object>

Finally, subtract the two averages and plot the resulting data :

In [9]:
# here, I want to see the traces values in abs
font = font_manager.FontProperties(style='normal', size=5)
plt.figure();
plt.xlabel('Samples')
plt.ylabel('0x11.mean - 0x00.mean')
plt.grid(True)
plt.title('Subtraction of means \n')

resul_sub = np.abs(zero_avg - one_avg)  
plt.plot(resul_sub)
plt.show()

<IPython.core.display.Javascript object>

You should see a very distinct trace near the beginning of the plot, meaning that the data being manipulated in the target device is visible in its power trace! Again, there's a lot of room to explore here:

* Try setting multiple bytes to 0x00 and 0xFF.
* Try using smaller hamming weight differences. Is the spike still distinct? What about if you capture more traces?
* We focused on the first byte here. Try putting the difference plots for multiple different bytes on the same plot.
* The target is running AES here. Can you get the spikes to appear in different places if you set a byte in a later round of AES (say round 5) to 0x00 or 0xFF?

---
<small>NO-FUN DISCLAIMER: This material is Copyright (C) NewAE Technology Inc., 2015-2020. ChipWhisperer is a trademark of NewAE Technology Inc., claimed in all jurisdictions, and registered in at least the United States of America, European Union, and Peoples Republic of China.

Tutorials derived from our open-source work must be released under the associated open-source license, and notice of the source must be *clearly displayed*. Only original copyright holders may license or authorize other distribution - while NewAE Technology Inc. holds the copyright for many tutorials, the github repository includes community contributions which we cannot license under special terms and **must** be maintained as an open-source release. Please contact us for special permissions (where possible).

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</small>