### Description:

AES-128 algorithm with a hardcoded key is available as service.

To perform encryption, the service requires 16-bytes plaintext (in hex):

```
    https://training.usec.ch/student/sca2?ptext=00112233445566778899aabbccddeeff
```    
The result is JSON data
```
    {"ctext":"EB944E460582EE9FF1C65AC368ADA13C","trace":"4FE6247265A174AE9D32A3B105477D8F"}

```    
where:
```
    EB944E460582EE9FF1C65AC368ADA13C is a ciphertext
    
    4FE6247265A174AE9D32A3B105477D8F is a trace (information left by a programmer)
```
### Tips:

A 'trace' is a side-channel information left by a programmer to debug the implementation.

In this example a trace is a 10th round input state of the AES-128 algorithm, i.e., a State before the Sbox operation in the last round.

### Task:

Your task is to find the Master key (round key 0) embedded into the binary. 

The master key is in the form of SCA{XXXXXXXXXX}, where X is an ASCII printable symbol.

### Leakage illustration

<img src="support/Slide.png">

In [210]:
import numpy as np
import binascii
import string

import sca_training
#----------------------------------------------------------------------------
# This function calls tested service either with a user-defined 
# plaintext (if plaintext satisfies all the requirements) or with a 
# predefined plaintext (the same as in the header above)
#
# INPUTS:
#     plaintext - a string of 32 symbols representing 16 hex bytes of ciphertext
#     verbose   - a flag to print values in the function call or not
# OUTPUTS:
#     output  - a raw JSON output
#     ctext   - resulted ciphertext converted to numpy array of uint8
#     trace   - a trace associated with encryption process
#----------------------------------------------------------------------------
def binary_aes128_encrypt(plaintext, verbose=False):
    import requests
    
    if all(c in string.hexdigits for c in plaintext) and len(plaintext) == 32:
        output = requests.get("https://training.usec.ch/student/sca2?ptext="+plaintext).json()
    else:
        output = requests.get("https://training.usec.ch/student/sca2?ptext=00112233445566778899aabbccddeeff").json()
    
    #Transform the result into numpy array
    ctext = np.frombuffer(binascii.unhexlify(output["ctext"]), dtype=np.uint8)
    trace = np.frombuffer(binascii.unhexlify(output["trace"]), dtype=np.uint8)

    if (verbose):
        print('Binary output:', output)
        print('Ciphertext as numpy array:', ctext)
        print('Trace as numpy array:', trace)
    
    return output, ctext, trace


#----------------------------------------------------------------------------
# This function calls supportive library to compute a master key from
# the last round key.
#
# INPUTS:
#     last_round_key - a numpy array of 16 elements representing 16 hex bytes of
#                      the last round key, i.e., Round Key 10
# OUTPUTS:
#     key_schedule  - 11 round keys of 16 bytes each (key_schedule[0,0,:] is the
#                     master key
#----------------------------------------------------------------------------
# key_schedule = sca_training.inverse_key_expansion(last_round_key)

In [211]:
output, ctext, trace = binary_aes128_encrypt("010203040506070809000a0b0c0d0e1f", verbose=True)

Binary output: {'ctext': '7D4DFFEC45986BF860D72FBA26F9D58F', 'trace': '05040406040403020306040203040704'}
Ciphertext as numpy array: [125  77 255 236  69 152 107 248  96 215  47 186  38 249 213 143]
Trace as numpy array: [5 4 4 6 4 4 3 2 3 6 4 2 3 4 7 4]


### ATTACK CODE
Here you need to implement your attack which gives you the last round key.

Once the last round key is found - you need to compute the master key: this can be done with the function get_master_key()

### Programming tips
#### Numpy code
* np.arange(256).astype(np.uint8)
* np.bitwise_xor(m1, m2)
* np.where()

#### Code prepared for training
* sca_training.invSbox[sbox_out]
* sca_training.shift_rows(trace)

#### Various cod
* ''.join('{:02x}'.format(c) for c in int_array)

In [212]:
def bytes_to_hex(byte_data):
    """
    Converts a bytes object to its hexadecimal representation.

    Args:
        byte_data (bytes): The bytes object to convert.

    Returns:
        str: The hexadecimal representation of the bytes.
    """
    return byte_data.hex()

# Function to pad text to 16 bytes
def pad_to_16_bytes(plaintext):
    """
    Pads the plaintext to 16 bytes using PKCS7 padding.

    Args:
        plaintext (bytes): The plaintext to pad.

    Returns:
        bytes: The padded plaintext.
    """
    # Calculate the number of bytes to pad
    padding_length = 16 - (len(plaintext) % 16)
    # Create the padding bytes
    padding = bytes([padding_length] * padding_length)
    # Add the padding to the plaintext
    padded_plaintext = plaintext + padding
    return padded_plaintext
def hamming_weight(byte):
    return bin(byte).count("1")

In [213]:
inverse_shift_rows_new_index(4)

7

In [214]:
print("Hamming Weights before Sbox : ", trace)

Hamming Weights before Sbox :  [5 4 4 6 4 4 3 2 3 6 4 2 3 4 7 4]


In [215]:
print("Ciphered text : ", ctext)

Ciphered text :  [125  77 255 236  69 152 107 248  96 215  47 186  38 249 213 143]


In [216]:
# Generate multiple ciphered texts
ciphered_texts = []
for i in range(25): 
    # Modify the plaintext (e.g., append a number to make it unique)
    plaintext = b"This " + int.to_bytes(i)
    print(len(plaintext))
    padded = pad_to_16_bytes(plaintext)
    # Convert the plaintext to hex
    hex_plaintext = bytes_to_hex(padded)
    print("Plaintext ,", plaintext)
    print("Hex Plaintext", hex_plaintext)
    # Encrypt the plaintext
    output, ctext, trace = binary_aes128_encrypt(hex_plaintext, verbose=True)
    # Append the result as a tuple to the list
    ciphered_texts.append((output, ctext, trace))

6
Plaintext , b'This \x00'
Hex Plaintext 5468697320000a0a0a0a0a0a0a0a0a0a
Binary output: {'ctext': 'A44DC5CD172B2C9EA15FE9057157B41D', 'trace': '03040403020404020504060201050404'}
Ciphertext as numpy array: [164  77 197 205  23  43  44 158 161  95 233   5 113  87 180  29]
Trace as numpy array: [3 4 4 3 2 4 4 2 5 4 6 2 1 5 4 4]
6
Plaintext , b'This \x01'
Hex Plaintext 5468697320010a0a0a0a0a0a0a0a0a0a
Binary output: {'ctext': 'A017BF9B75EAC9DFD99C9390196E0F24', 'trace': '03060504040206030204040505050206'}
Ciphertext as numpy array: [160  23 191 155 117 234 201 223 217 156 147 144  25 110  15  36]
Trace as numpy array: [3 6 5 4 4 2 6 3 2 4 4 5 5 5 2 6]
6
Plaintext , b'This \x02'
Hex Plaintext 5468697320020a0a0a0a0a0a0a0a0a0a
Binary output: {'ctext': '73262C44ABD1C52322A975F9C13CB9BF', 'trace': '03040402030303020405030103030502'}
Ciphertext as numpy array: [115  38  44  68 171 209 197  35  34 169 117 249 193  60 185 191]
Trace as numpy array: [3 4 4 2 3 3 3 2 4 5 3 1 3 3 5 2]
6
Plaintext ,

In [217]:
def reverse_operations(cipher,key10):
    state = np.bitwise_xor(cipher,key10)
    sbox_state = sca_training.inv_shift_rows(state)
    invSbox = sca_training.invSbox
    return np.array([sca_training.invSbox[sbox_state[i]] for i in range(len(sbox_state))], dtype=np.uint8)
    

In [227]:
key10 = np.array([0,0,0,0,
                0,0,0,0,
                0,0,0,0,
                0,0,0,0], dtype=np.uint8)
for i in range(0,16):
    test = np.array([0, 0, 0, 0, 
                    0, 0, 0, 0, 
                    0, 0 ,0, 0, 
                    0 ,0, 0, 0], dtype=np.uint8)
    test[i] = 1
    test = sca_training.inv_shift_rows(test)
    trace_index = np.where(test == 1)[0][0]
    for j in range(0,256):
        
        hyp = np.array([0,0,0,0,
                        0,0,0,0,
                        0,0,0,0,
                        0,0,0,0], dtype=np.uint8)
        
        hyp[i] = j
        match = True
        for idx, (output, ctext, trace) in enumerate(ciphered_texts):
            match = trace[trace_index] == hamming_weight(reverse_operations(ctext,hyp)[trace_index]) and match

        if match:
            print("Match found byte ", i)
            key10[i] = j
            print("byte val, ", hex(j) )
master_key = sca_training.get_master_key(key10)
int_val = int(''.join('{:02x}'.format(x) for x in master_key),16)
print(binascii.unhexlify(hex(int_val)[2:]))
            


Match found byte  0
byte val,  0x48
Match found byte  1
byte val,  0x21
Match found byte  2
byte val,  0x5c
Match found byte  3
byte val,  0x40
Match found byte  4
byte val,  0xd3
Match found byte  5
byte val,  0x59
Match found byte  6
byte val,  0x64
Match found byte  7
byte val,  0xd9
Match found byte  8
byte val,  0x24
Match found byte  9
byte val,  0x78
Match found byte  10
byte val,  0x46
Match found byte  11
byte val,  0xd5
Match found byte  12
byte val,  0x6
Match found byte  13
byte val,  0xc7
Match found byte  14
byte val,  0xfc
Match found byte  15
byte val,  0x72
b'SCA{HammingHWW8}'
