### Description:

AES-128 algorithm with a hardcoded key is available as service.

To perform encryption, the service requires 16-bytes plaintext (in hex):

```
    https://training.usec.ch/student/sca3?ptext=00112233445566778899aabbccddeeff
```    
The result is JSON data
```
    {"ctext":"EB944E460582EE9FF1C65AC368ADA13C","trace":"4FE6247265A174AE9...D32A3B105477D8F"}

```    
where:
```
    EB944E460582EE9FF1C65AC368ADA13C is a ciphertext
    
    4FE6247265A174AE9...D32A3B105477D8F is a trace (information left by a programmer)
```
### Tips:

A 'trace' is a side-channel information left by a programmer to debug the implementation.

In this example a trace consists of random information plus at certain position the trace has Hamming weights of a 10th round input state bytes of the AES-128 algorithm, i.e., a State before the Sbox operation in the last round.

### Task:

Your task is to find the Master key (round key 0) embedded into the binary. 

The master key is in the form of SCA{XXXXXXXXXX}, where X is an ASCII printable symbol.

### Leakage illustration

<img src="support/Slide.png">

In [59]:
import numpy as np
import binascii
import string

import sca_training
#----------------------------------------------------------------------------
# This function calls tested service either with a user-defined 
# plaintext (if plaintext satisfies all the requirements) or with a 
# predefined plaintext (the same as in the header above)
#
# INPUTS:
#     plaintext - a string of 32 symbols representing 16 hex bytes of ciphertext
#     verbose   - a flag to print values in the function call or not
# OUTPUTS:
#     output  - a raw JSON output
#     ctext   - resulted ciphertext converted to numpy array of uint8
#     trace   - a trace associated with encryption process
#----------------------------------------------------------------------------
def binary_aes128_encrypt(plaintext, verbose=False):
    import requests
    
    if all(c in string.hexdigits for c in plaintext) and len(plaintext) == 32:
        output = requests.get("https://training.usec.ch/student/sca3?ptext="+plaintext).json()
    else:
        output = requests.get("https://training.usec.ch/student/sca3?ptext=00112233445566778899aabbccddeeff").json()
    
    #Transform the result into numpy array
    ctext = np.frombuffer(binascii.unhexlify(output["ctext"]), dtype=np.uint8)
    trace = np.frombuffer(binascii.unhexlify(output["trace"]), dtype=np.uint8)

    if (verbose):
        print('Binary output:', output)
        print('Ciphertext as numpy array:', ctext)
        print('Trace as numpy array:', trace)
    
    return output, ctext, trace


#----------------------------------------------------------------------------
# This function calls supportive library to compute a master key from
# the last round key.
#
# INPUTS:
#     last_round_key - a numpy array of 16 elements representing 16 hex bytes of
#                      the last round key, i.e., Round Key 10
# OUTPUTS:
#     key_schedule  - 11 round keys of 16 bytes each (key_schedule[0,0,:] is the
#                     master key
#----------------------------------------------------------------------------
# key_schedule = sca_training.inverse_key_expansion(last_round_key)

In [60]:
output, ctext, trace = binary_aes128_encrypt("010203040506070809000a0b0c0d0e1f", verbose=True)

Binary output: {'ctext': 'C946DB57427E363574578D10BB2D883E', 'trace': '00030303000303000502060107030105040502010307050601040107030706070405040400060506030606010700000100000301010700010401040403070707020306030501010403060504040203030403030200030204010306010503010504050201'}
Ciphertext as numpy array: [201  70 219  87  66 126  54  53 116  87 141  16 187  45 136  62]
Trace as numpy array: [0 3 3 3 0 3 3 0 5 2 6 1 7 3 1 5 4 5 2 1 3 7 5 6 1 4 1 7 3 7 6 7 4 5 4 4 0
 6 5 6 3 6 6 1 7 0 0 1 0 0 3 1 1 7 0 1 4 1 4 4 3 7 7 7 2 3 6 3 5 1 1 4 3 6
 5 4 4 2 3 3 4 3 3 2 0 3 2 4 1 3 6 1 5 3 1 5 4 5 2 1]


In [61]:
def bytes_to_hex(byte_data):
    """
    Converts a bytes object to its hexadecimal representation.

    Args:
        byte_data (bytes): The bytes object to convert.

    Returns:
        str: The hexadecimal representation of the bytes.
    """
    return byte_data.hex()

# Function to pad text to 16 bytes
def pad_to_16_bytes(plaintext):
    """
    Pads the plaintext to 16 bytes using PKCS7 padding.

    Args:
        plaintext (bytes): The plaintext to pad.

    Returns:
        bytes: The padded plaintext.
    """
    # Calculate the number of bytes to pad
    padding_length = 16 - (len(plaintext) % 16)
    # Create the padding bytes
    padding = bytes([padding_length] * padding_length)
    # Add the padding to the plaintext
    padded_plaintext = plaintext + padding
    return padded_plaintext
def hamming_weight(byte):
    return bin(byte).count("1")
def reverse_operations(cipher,key10):
    state = np.bitwise_xor(cipher,key10).astype(np.uint8)
    return sca_training.HW_uint8[sca_training.invSbox[state]]
    

In [62]:
# Generate multiple ciphered texts
ciphered_matrix = np.empty((25,16), dtype=object)
trace_matrix = np.empty((25,100), dtype=object)
for i in range(25): 
    # Modify the plaintext (e.g., append a number to make it unique)
    plaintext = b"This " + int.to_bytes(i)
    padded = pad_to_16_bytes(plaintext)
    # Convert the plaintext to hex
    hex_plaintext = bytes_to_hex(padded)
    # Encrypt the plaintext
    output, ctext, trace = binary_aes128_encrypt(hex_plaintext, verbose=True)
    # Append the result as a tuple to the list
    ciphered_matrix[i] = ctext
    trace_matrix[i] = trace

Binary output: {'ctext': '40427EF73AFAEA31BAF7CF694988E3AB', 'trace': '00060700070305020306050503040302050707070100020400040101060604030101000400050406040307070507010600070105000101010207000003040600000303050205030703020104010403000306070307030204030505050404030205070707'}
Ciphertext as numpy array: [ 64  66 126 247  58 250 234  49 186 247 207 105  73 136 227 171]
Trace as numpy array: [0 6 7 0 7 3 5 2 3 6 5 5 3 4 3 2 5 7 7 7 1 0 2 4 0 4 1 1 6 6 4 3 1 1 0 4 0
 5 4 6 4 3 7 7 5 7 1 6 0 7 1 5 0 1 1 1 2 7 0 0 3 4 6 0 0 3 3 5 2 5 3 7 3 2
 1 4 1 4 3 0 3 6 7 3 7 3 2 4 3 5 5 5 4 4 3 2 5 7 7 7]
Binary output: {'ctext': '1D1614C69D1F3D2D118FD7DC166DB476', 'trace': '04070106060503030206040506010100020505020307000601060402010100040700000401050302070205070603020603000701000305050604050404030207010502000406010403040705020005070707010606050304040304050501010002050502'}
Ciphertext as numpy array: [ 29  22  20 198 157  31  61  45  17 143 215 220  22 109 180 118]
Trace as numpy array: [4 7 1 6 6 5 3 3 2

In [63]:
trace_matrix[:,0]

array([0, 4, 6, 1, 2, 0, 2, 5, 1, 2, 6, 6, 7, 3, 7, 1, 5, 4, 2, 0, 0, 4,
       5, 5, 5], dtype=object)

In [64]:
key10 = np.array([0,0,0,0,
                0,0,0,0,
                0,0,0,0,
                0,0,0,0], dtype=np.uint8)
for i in range(0,16):
    test = np.array([0, 0, 0, 0, 
                    0, 0, 0, 0, 
                    0, 0 ,0, 0, 
                    0 ,0, 0, 0], dtype=np.uint8)
    for j in range(0,256):
        hyp = np.array([0,0,0,0,
                        0,0,0,0,
                        0,0,0,0,
                        0,0,0,0], dtype=np.uint8)
        
        hyp[i] = j

        m = reverse_operations(ciphered_matrix[:, i], hyp[i])
        
        for l in range(0,100):
            match = (m == trace_matrix[:,l]).all()
            if match:
                key10[i] = j
                print(i, j)
            
master_key = sca_training.get_master_key(key10)
int_val = int(''.join('{:02x}'.format(x) for x in master_key),16)
print(binascii.unhexlify(hex(int_val)[2:]))
            


0 235
1 136
2 188
3 66
4 58
5 192
6 108
7 101
8 95
9 32
10 11
11 21
12 185
13 14
14 64
15 85
b'SCA{CanYouGetIt}'


### ATTACK CODE
Here you need to implement your attack which gives you the last round key.

Once the last round key is found - you need to compute the master key: this can be done with the function get_master_key()

### Programming tips
#### Numpy code
* np.arange(256).astype(np.uint8)
* np.bitwise_xor(m1, m2)
* np.where()

#### Code prepared for training
* sca_training.invSbox[sbox_out]
* sca_training.shift_rows(trace)

#### Various cod
* ''.join('{:02x}'.format(c) for c in int_array)