DOWNLOAD HERE

DPAtools 0.2alfa is a software kit providing basic functionality for the computational part of the CPA (correlation power analysis) attack.

Powermodel tool demonstrates the computation of the power model data based on the Hamming distance/weight for the AES128 cipher. Correlation tool computes 16 correlation matrices and prints out the keyguess based on the maximum/minimum coefficient.

Disclaimer: This software is not intended for public usage. It's primary purpose is the algorithm demonstration and performance analysis. Demonstrated algorithms will be used in the DPA SW toolkit in the future.

1. Suppose we have file „textfile.bin“ containing plaintext/ciphertext (in binary form) used while measuring the power traces, which are stored in the „tracesfile.bin“ (also binary file). Suppose we have 1.000 samples in each trace, and we have measured 10.000 power traces.
2. Following utilities suppose that the „textfile.bin“ contains the data (either plaintext or ciphertext, see powermodel section) in the binary form. If the „asciifile.txt“ contains the plaintext/ciphertext in hexadecimal form as ASCII chars (1-9a-f), ascii2hex utility can be used to convert the file to the binary form:

   • $ ./ascii2hex -i "asciifile.txt" -o "textfile.bin"
     Job done, 0.008137s elapsed.

3. Power model data based on text is computed:

   • $ ./powermodel -n 10000 -i "textfile.bin" -o "powermodel.bin"
     Job done, 0.124677s elapsed.

4. Finally, the correlation matrices and keyguess are computed. Correlation matrices are stored in the „correlations.bin“ file:

   • $ ./correlation -n 10000 -s 1000 -t "traces.bin" -p "powermodel.bin" -o "correlations.bin"
     Job done, 13.253965s elapsed.
     ec9b0f921d3af79c9fa6ab1d036c1fb6

Optional parameter -m sets the maximum size of memory buffer:

$ ./correlation -n 10000 -s 1000 -t "traces.bin" -p "powermodel.bin" -o "correlations.bin" -m 5

Note: Format of the input and output files (stored matrices) is described below, in the Tools Descriptions section. Size of the matrix elements can be set in the source code using the typedefs at the beginning of the file.

This software pack, at the moment, consists of following tools: ascii2hex, powermodel, correlation. Descriptions of each tool follows.

ascii2hex takes input file, containing 128 bits (16 bytes) on each line in plain ASCII text, and converts it into raw binary file.

USAGE:

./ascii2hex  -i <Name of an existing file> -o <Name of a file to be created> [--] [--version] [-h]

Where:

This program is used to convert hex values in ASCII to a binary file.

This program is used to precompute power model for differential power analysis of AES. It can be used for attacking both the first and the last round.

First round:
When attacking the first round of AES, powermodel takes binary input file, containing „n“ times 16B plaintext values used while measuring „n“ power traces. Generated power model is based on Hamming weight of data after SubBytes operation in the first round. This is applicable e.g. when attacking MCU (software) implementations of AES.

Last round:
When attacking the last round of AES (switch -b), powermodel takes binary input file, containing „n“ times 16B ciphertext values used while measuring „n“ power traces. Generated power model is based on Hamming distance between ciphertext data and the data before the last round of AES. This is applicable e.g. when attacking FPGA (hardware) implementations of AES.

USAGE:

./powermodel  -n <Natural number> -i <Name of an existing file> -o <Name of a file to be created> [-b] [--] [--version] [-h]

Where:

INPUT FILE FORMAT

The program expects 128 bits (16 bytes) long blocks, used while measuring, in binary format.

OUTPUT FILE FORMAT

The output file format respects the fact, that CPA attacks the key one byte at a time: Each value is 1 byte long. The file begins with 256 powermodel values (for every possible key) for the first byte of first block of plain/ciphertext. Another 256 values for the first byte of the second used plain/ciphertext follow. After „n“ times 256 values, the powermodel for second byte begins. The format is described in the following figure:

Each value is 1 byte long and contains Hamming weight/distance:

correlation is used to compute correlation coefficients between measured power traces and precomputed AES power model (generated by powermodel tool, see above). Sixteen matrices (one matrix for each byte of a key) are saved in the output binary file.

USAGE:

./correlation  -n <Natural number> -s <Natural number> -t <Name of an existing file> -p <Name of an existing file> -o <Name of a file to be created> [-m <Natural number>] [--] [--version] [-h]

Where:

INPUT FILE FORMAT - POWER MODEL

The power model input file's format is the same, as the output format of powermodel tool, described above.

INPUT FILE FORMAT - TRACES

The power traces input file's format is following: Each signed value is 2 bytes long. First, „s“ values from the 1st measurement are present. After that, „s“ values of the 2nd measurement follow. The file contains „s“ times „n“ values. The format is described in the following figure:

Each value is 2 bytes long signed integer:

Note: size of the elements, both power model and traces, can be set using typedefs at the beginning of the source file.

OUTPUT FILE FORMAT

The output file contains correlation coefficients. The file contains „s“(columns) times 256(rows) large matrices, one matrix for each byte, 16 matrices in total. The matrices are stored in row-major format. Each element is a double floating point (64 bits long).

The 32 byte keyguess is printed out at the standard output:

• The first half (first 16 bytes) is the keyguess based on the maximum correlation coefficient (i.e., the most positive correlation coefficient). This applies when higher power consumption is represented by higher value in the powertrace.
• the second half (last 16 bytes) is the keyguess based on the minimum correlation coefficient (i.e., the most negative correlation coefficient). This applies when higher power consumption is represented by lower value in the powertrace.

The proper half of the keyguess has to be selected by user, according to the process used during measuring. In the example at the top of this page, correlation tool outputs „ec9b0f921d3af79c9fa6ab1d036c1fb6“, where „ec9b0f921d3af79c“ is the keygess based on the maximum correlation coefficient and „9fa6ab1d036c1fb6“ is the keygess based on the minimum correlation coefficient.

MEMORY MANAGEMENT

• The program always loads power model for one processed byte (i.e., 1/16 of the file with precomputed power model; switch -p <Name of an existing file>).
• When maximum amount of memory is not set, all the power traces are loaded in the memory at once. Option -m allows for setting up maximum memory limit, which determines the amount of power traces to be loaded dynamically at a time.

MISSING FEATURES

When attacking the last round, correlation tool provides value of the last round subkey. Appropriate inversion of the last round subkey into AES key has to be done by the user.

Socha, P.; Miškovský, V.; Kubátová, H.; Novotný, M.: Optimization of Pearson correlation coefficient calculation for DPA and comparison of different approaches, In: Proceedings of the 2017 IEEE 20th International Symposium on Design and Diagnotics of Electronic Circuit & Systems. Piscataway, NJ: IEEE, 2017. pp. 188-193. ISBN 978-1-5386-0473-1.

2017 Petr Socha, Vojtech Miskovsky
Czech Technical University in Prague
Faculty of Information Technology
Department of Digital Design

sochapet@fit.cvut.cz

This alfa version distribution is intended for internal testing use only!

Created 13/03/2017, last modified 18/07/2017 by Petr Socha, sochapet@fit.cvut.cz