Uživatelské nástroje

Nástroje pro tento web


Postranní lišta

Překlady této stránky:

Obsah

software:dpatools:start

DPA tools

DOWNLOAD HERE

DPAtools 0.2alfa is a software kit providing basic functionality for the computational part of the CPA (correlation power analysis) attack.

Powermodel tool demonstrates the computation of the power model data based on the Hamming distance/weight for the AES128 cipher. Correlation tool computes 16 correlation matrices and prints out the keyguess based on the maximum/minimum coefficient.

Disclaimer: This software is not intended for public usage. It's primary purpose is the algorithm demonstration and performance analysis. Demonstrated algorithms will be used in the DPA SW toolkit in the future.


EXAMPLE USAGE

  1. Suppose we have file „textfile.bin“ containing plaintext/ciphertext (in binary form) used while measuring the power traces, which are stored in the „tracesfile.bin“ (also binary file). Suppose we have 1.000 samples in each trace, and we have measured 10.000 power traces.
  2. Following utilities suppose that the „textfile.bin“ contains the data (either plaintext or ciphertext, see powermodel section) in the binary form. If the „asciifile.txt“ contains the plaintext/ciphertext in hexadecimal form as ASCII chars (1-9a-f), ascii2hex utility can be used to convert the file to the binary form:
    • $ ./ascii2hex -i "asciifile.txt" -o "textfile.bin"
      Job done, 0.008137s elapsed.

  3. Power model data based on text is computed:
    • $ ./powermodel -n 10000 -i "textfile.bin" -o "powermodel.bin"
      Job done, 0.124677s elapsed.

  4. Finally, the correlation matrices and keyguess are computed. Correlation matrices are stored in the „correlations.bin“ file:
    • $ ./correlation -n 10000 -s 1000 -t "traces.bin" -p "powermodel.bin" -o "correlations.bin"
      Job done, 13.253965s elapsed.
      ec9b0f921d3af79c9fa6ab1d036c1fb6

Optional parameter -m sets the maximum size of memory buffer:

$ ./correlation -n 10000 -s 1000 -t "traces.bin" -p "powermodel.bin" -o "correlations.bin" -m 5

Note: Format of the input and output files (stored matrices) is described below, in the Tools Descriptions section. Size of the matrix elements can be set in the source code using the typedefs at the beginning of the file.


TOOLS DESCRIPTIONS

This software pack, at the moment, consists of following tools: ascii2hex, powermodel, correlation. Descriptions of each tool follows.

ascii2hex

ascii2hex takes input file, containing 128 bits (16 bytes) on each line in plain ASCII text, and converts it into raw binary file.

USAGE:

./ascii2hex  -i <Name of an existing file> -o <Name of a file to be created> [--] [--version] [-h]

Where:

- i <Name of an existing file> - - input <Name of an existing file> (required) Name of input ascii file
- o <Name of a file to be created> - - output <Name of a file to be created> (required) Name of binary file where converted hex values are saved
- - - - ignore_rest Ignores the rest of the labeled arguments following this flag
- - version Displays version information and exits
- h - - help Displays usage information and exits

This program is used to convert hex values in ASCII to a binary file.


powermodel

This program is used to precompute power model for differential power analysis of AES. It can be used for attacking both the first and the last round.

First round:
When attacking the first round of AES, powermodel takes binary input file, containing „n“ times 16B plaintext values used while measuring „n“ power traces. Generated power model is based on Hamming weight of data after SubBytes operation in the first round. This is applicable e.g. when attacking MCU (software) implementations of AES.

Last round:
When attacking the last round of AES (switch -b), powermodel takes binary input file, containing „n“ times 16B ciphertext values used while measuring „n“ power traces. Generated power model is based on Hamming distance between ciphertext data and the data before the last round of AES. This is applicable e.g. when attacking FPGA (hardware) implementations of AES.

USAGE:

./powermodel  -n <Natural number> -i <Name of an existing file> -o <Name of a file to be created> [-b] [--] [--version] [-h]

Where:

- n <Natural number> - - blocks <Natural number> (required) Number of blocks/measurements.
- i <Name of an existing file> - - input <Name of an existing file> (required) Name of input binary (not ASCII!) file (must contain n times 128 bits).
- o <Name of a file to be created> - - output <Name of a file to be created> (required) Name of binary file where generated power model will be saved.
- b - - back Attack the last round of AES.
- - - - ignore_rest Ignores the rest of the labeled arguments following this flag.
- - version Displays version information and exits.
- h - - help Displays usage information and exits.

INPUT FILE FORMAT

The program expects 128 bits (16 bytes) long blocks, used while measuring, in binary format.

OUTPUT FILE FORMAT

The output file format respects the fact, that CPA attacks the key one byte at a time: Each value is 1 byte long. The file begins with 256 powermodel values (for every possible key) for the first byte of first block of plain/ciphertext. Another 256 values for the first byte of the second used plain/ciphertext follow. After „n“ times 256 values, the powermodel for second byte begins. The format is described in the following figure:

Each value is 1 byte long and contains Hamming weight/distance:

key = 0 key = 1 key = 255 1st byte of the 1st block
key = 0 key = 1 key = 255 1st byte of the 2nd block
key = 0 key = 1 key = 255 1st byte of the n-th block
key = 0 key = 1 key = 255 2nd byte of the 1st block
key = 0 key = 1 key = 255 16th byte of the (n-1)-th block
key = 0 key = 1 key = 255 16th byte of the n-th block

correlation

correlation is used to compute correlation coefficients between measured power traces and precomputed AES power model (generated by powermodel tool, see above). Sixteen matrices (one matrix for each byte of a key) are saved in the output binary file.

USAGE:

./correlation  -n <Natural number> -s <Natural number> -t <Name of an existing file> -p <Name of an existing file> -o <Name of a file to be created> [-m <Natural number>] [--] [--version] [-h]

Where:

- n <Natural number> - - numberoftraces <Natural number> (required) Number of power traces
- s <Natural number> - - numberofsamples <Natural number> (required) Number of samples per trace
- t <Name of an existing file> - - traces <Name of an existing file> (required) Name of input binary file with measured power traces
- p <Name of an existing file> - - powermodel <Name of an existing file> (required) Name of input binary file with precomputed power model
- o <Name of a file to be created> - - output <Name of a file to be created> (required) Name of output binary file where correlation coefficient matrices will be saved
- m <Natural number> - - maxbuffersize <Natural number> Maximum amount of RAM to be used, in MiB
- - - - ignore_rest Ignores the rest of the labeled arguments following this flag
- - version Displays version information and exits
- h - - help Displays usage information and exits

INPUT FILE FORMAT - POWER MODEL

The power model input file's format is the same, as the output format of powermodel tool, described above.

INPUT FILE FORMAT - TRACES

The power traces input file's format is following: Each signed value is 2 bytes long. First, „s“ values from the 1st measurement are present. After that, „s“ values of the 2nd measurement follow. The file contains „s“ times „n“ values. The format is described in the following figure:

Each value is 2 bytes long signed integer:

1st sample 2nd sample s-th sample 1st powertrace measured with 1st block of powermodel input
1st sample 2nd sample s-th sample 2nd powertrace measured with 2nd block of powermodel input
1st sample 2nd sample s-th sample n-th powertrace measured with n-th block of powermodel input

Note: size of the elements, both power model and traces, can be set using typedefs at the beginning of the source file.

OUTPUT FILE FORMAT

The output file contains correlation coefficients. The file contains „s“(columns) times 256(rows) large matrices, one matrix for each byte, 16 matrices in total. The matrices are stored in row-major format. Each element is a double floating point (64 bits long).

The 32 byte keyguess is printed out at the standard output:

  • The first half (first 16 bytes) is the keyguess based on the maximum correlation coefficient (i.e., the most positive correlation coefficient). This applies when higher power consumption is represented by higher value in the powertrace.
  • the second half (last 16 bytes) is the keyguess based on the minimum correlation coefficient (i.e., the most negative correlation coefficient). This applies when higher power consumption is represented by lower value in the powertrace.

The proper half of the keyguess has to be selected by user, according to the process used during measuring. In the example at the top of this page, correlation tool outputs „ec9b0f921d3af79c9fa6ab1d036c1fb6“, where „ec9b0f921d3af79c“ is the keygess based on the maximum correlation coefficient and „9fa6ab1d036c1fb6“ is the keygess based on the minimum correlation coefficient.

MEMORY MANAGEMENT

  • The program always loads power model for one processed byte (i.e., 1/16 of the file with precomputed power model; switch -p <Name of an existing file>).
  • When maximum amount of memory is not set, all the power traces are loaded in the memory at once. Option -m allows for setting up maximum memory limit, which determines the amount of power traces to be loaded dynamically at a time.

MISSING FEATURES

When attacking the last round, correlation tool provides value of the last round subkey. Appropriate inversion of the last round subkey into AES key has to be done by the user.


CITE AS

Socha, P.; Miškovský, V.; Kubátová, H.; Novotný, M.: Optimization of Pearson correlation coefficient calculation for DPA and comparison of different approaches, In: Proceedings of the 2017 IEEE 20th International Symposium on Design and Diagnotics of Electronic Circuit & Systems. Piscataway, NJ: IEEE, 2017. pp. 188-193. ISBN 978-1-5386-0473-1.


CONTACT

2017 Petr Socha, Vojtech Miskovsky
Czech Technical University in Prague
Faculty of Information Technology
Department of Digital Design

sochapet@fit.cvut.cz

This alfa version distribution is intended for internal testing use only!

Created 13/03/2017, last modified 18/07/2017 by Petr Socha, sochapet@fit.cvut.cz

/var/www/app/current/data/pages/software/dpatools/start.txt · Poslední úprava: 4. 08. 2017 18:50:26 CEST autor: novotnym

Nástroje pro stránku