Commit 385c063f authored by YUSHIQIAN's avatar YUSHIQIAN

target all bits

parent cd20d561
......@@ -38,6 +38,7 @@ information see the LICENCE-fr.txt or LICENSE-en.txt files.
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
#include <math.h>
#include <utils.h>
#include <traces.h>
......@@ -59,11 +60,9 @@ int p_table[32] = {
};
tr_context ctx; /* Trace context (see traces.h) */
int target_bit; /* Index of target bit. */
int target_sbox; /* Index of target SBox. */
int best_guess; /* Best guess */
int best_idx; /* Best argmax */
float best_max; /* Best max sample value */
int best_guess[32]; /* Best guess */
int best_idx[32]; /* Best argmax */
float best_max[32]; /* Best max sample value */
float *dpa[64]; /* 64 DPA traces */
/* A function to allocate cipher texts and power traces, read the
......@@ -80,19 +79,21 @@ void average (char *prefix);
* an intermediate DES data, one per guess on a 6-bits subkey. In this example
* the decision is the computed value of bit index <target_bit> of L15. Each of
* the 64 decisions is thus 0 or 1.*/
void decision (uint64_t ct, int d[64]);
void decision (uint64_t ct, int d[64], int target_bit);
/* Apply P. Kocher's DPA algorithm based on decision function. Computes 64 DPA
* traces dpa[0..63], best_guess (6-bits subkey corresponding to highest DPA
* peak), best_idx (index of sample with maximum value in best DPA trace) and
* best_max (value of sample with maximum value in best DPA trace). */
void dpa_attack (void);
void dpa_attack (int target_bit);
int
main (int argc, char **argv)
{
int n; /* Number of experiments to use. */
int g; /* Guess on a 6-bits subkey */
int target_bit; /* Index of target bit. */
int target_sbox; /* Index of target SBox. */
/************************************************************************/
/* Before doing anything else, check the correctness of the DES library */
......@@ -121,48 +122,137 @@ main (int argc, char **argv)
/* Target bit is argument #3, convert it to integer and store the result in
* variable target_bit. */
target_bit = atoi (argv[3]);
if (target_bit < 1 || target_bit > 32) /* If invalid target bit index. */
if (target_bit == 0)
{
printf("target all 32 bits \n");
}
else if (target_bit < 1 || target_bit > 32) /* If invalid target bit index. */
{
ERROR (-1, "invalid target bit index: %d (shall be between 1 and 32 included)", target_bit);
}
/* Compute index of corresponding SBox */
target_sbox = (p_table[target_bit - 1] - 1) / 4 + 1;
/* Read power traces and ciphertexts. Name of data file is argument #1. n is
* the number of experiments to use. */
read_datafile (argv[1], n);
/*****************************************************************************
/*****************************************************************************
* Compute and print average power trace. Store average trace in file
* "average.dat" and gnuplot command in file "average.cmd". In order to plot
* the average power trace, type: $ gnuplot -persist average.cmd
*****************************************************************************/
average ("average");
/***************************************************************
* Attack target bit in L15=R14 with P. Kocher's DPA technique *
***************************************************************/
dpa_attack ();
/*****************************************************************************
* Print the 64 DPA traces in a data file named dpa.dat. Print corresponding
* gnuplot commands in a command file named dpa.cmd. All DPA traces are
* plotted in blue but the one corresponding to the best guess which is
* plotted in red with the title "Trace X (0xY)" where X and Y are the decimal
* and heaxdecimal forms of the 6 bits best guess.
*****************************************************************************/
/* Plot DPA traces in dpa.dat, gnuplot commands in dpa.cmd */
tr_plot (ctx, "dpa", 64, best_guess, dpa);
/*****************
* Print summary *
*****************/
printf ("Target bit: %d\n", target_bit);
printf ("Target SBox: %d\n", target_sbox);
printf ("Best guess: %d (0x%02x)\n", best_guess, best_guess);
printf ("Maximum of DPA trace: %e\n", best_max);
printf ("Index of maximum in DPA trace: %d\n", best_idx);
printf ("DPA traces stored in file 'dpa.dat'. In order to plot them, type:\n");
printf ("$ gnuplot -persist dpa.cmd\n");
average ("average");
if (target_bit == 0){
int ordered_best_guess[8][4]; /* Best guess */
int ordered_best_idx[8][4]; /* Best argmax */
float ordered_best_max[8][4]; /* Best max sample value */
int ordered_target_bit[8][4];
char *key_bits[8] = {"1-6", "7-12", "13-18", "19-24", "25-30", "31-36", "37-42", "43-48"};
int sbox_idx[8] = {0};
int i = 0;
int j = 0;
int k = 0;
for (i = 1; i <= 32; i++) /* for all 32 target bits of L15 */
{
/* Compute index of corresponding SBox */
target_sbox = (p_table[i - 1] - 1) / 4 + 1;
printf ("targetting bit %d sbox %d index %d\n", i, target_sbox, sbox_idx[target_sbox]);
/***************************************************************
* Attack target bit in L15=R14 with P. Kocher's DPA technique *
***************************************************************/
dpa_attack (i);
ordered_best_guess[target_sbox-1][sbox_idx[target_sbox-1]] = best_guess[i-1];
ordered_best_max[target_sbox-1][sbox_idx[target_sbox-1]] = best_max[i-1];
ordered_best_idx[target_sbox-1][sbox_idx[target_sbox-1]] = best_idx[i-1];
ordered_target_bit[target_sbox-1][sbox_idx[target_sbox-1]] = i;
sbox_idx[target_sbox-1]++;
printf ("end.....\n");
}
/*****************
* Print summary *
*****************/
printf ("DES chart.................\n");
int w = 20;
uint64_t subkey[(int)pow(4, 8)][8+1]; /* subkey 48 bits for every round */
int nBytes = 8;
int nBits = 6;
printf ("%*s%*s%*s%*s%*s\n", w, "key bits", w, "best guess", w, "target bit", w, "max amplitue", w, "max index");
for (i = 0; i < 8; i++) /* for every sbox */
{
for (j = 0; j < 4; j++) /* for every best key guess */
{
printf ("%*s%10d (0x%02x)%20d%20.2f%20d\n", w, key_bits[i], ordered_best_guess[i][j], ordered_best_guess[i][j],
ordered_target_bit[i][j], ordered_best_max[i][j]*1000, ordered_best_idx[i][j]);
for (k = 0; k < (int)pow(4, j); k++)
{
subkey[j*(int)pow(4, j) + k][j+1] = subkey[k][j] | ((uint64_t)ordered_best_guess[i][j] << ((nBytes-j-1) * nBits));
}
}
}
printf("check if the round key is right\n");
uint64_t key; /* 64 bits secret key */
uint64_t ks[16]; /* Key schedule (array of 16 round keys) */
key = tr_key (ctx); /* Extract 64 bits secret key from context */
des_ks (ks, key); /* Compute key schedule */
for (i = 0; i < (int)pow(4, 8); i++)
{
if (subkey[i][nBytes] == ks[15])
{
/* If guessed 16th round key matches actual 16th round key */
printf ("We got it!!!\n"); /* Cheers */
}
/*
else
{
printf ("Too bad...\n");
}
*/
}
}
else
{
/* Compute index of corresponding SBox */
target_sbox = (p_table[target_bit - 1] - 1) / 4 + 1;
/***************************************************************
* Attack target bit in L15=R14 with P. Kocher's DPA technique *
***************************************************************/
dpa_attack (target_bit);
printf ("Target bit: %d\n", target_bit);
printf ("Target SBox: %d\n", target_sbox);
printf ("Best guess: %d (0x%02x)\n", best_guess[target_bit-1], best_guess[target_bit-1]);
printf ("Maximum of DPA trace: %e\n", best_max[target_bit-1]);
printf ("Index of maximum in DPA trace: %d\n", best_idx[target_bit-1]);
printf ("DPA traces stored in file 'dpa.dat'. In order to plot them, type:\n");
printf ("$ gnuplot -persist dpa.cmd\n");
/*****************************************************************************
* Print the 64 DPA traces in a data file named dpa.dat. Print corresponding
* gnuplot commands in a command file named dpa.cmd. All DPA traces are
* plotted in blue but the one corresponding to the best guess which is
* plotted in red with the title "Trace X (0xY)" where X and Y are the decimal
* and heaxdecimal forms of the 6 bits best guess.
*****************************************************************************/
/* Plot DPA traces in dpa.dat, gnuplot commands in dpa.cmd */
tr_plot (ctx, "dpa", 64, best_guess[target_bit-1], dpa);
}
/*************************
* Free allocated traces *
......@@ -215,7 +305,7 @@ average (char *prefix)
}
void
decision (uint64_t ct, int d[64])
decision (uint64_t ct, int d[64], int target_bit)
{
int g; /* Guess */
uint64_t r16l16; /* R16|L16 (64 bits state register before final permutation) */
......@@ -239,7 +329,7 @@ decision (uint64_t ct, int d[64])
}
void
dpa_attack (void)
dpa_attack (int target_bit)
{
int i; /* Loop index */
int n; /* Number of traces. */
......@@ -272,7 +362,7 @@ dpa_attack (void)
{
t = tr_trace (ctx, i); /* Get power trace */
ct = tr_ciphertext (ctx, i); /* Get ciphertext */
decision (ct, d); /* Compute the 64 decisions */
decision (ct, d, target_bit); /* Compute the 64 decisions */
/* For all guesses (64) */
for (g = 0; g < 64; g++)
{
......@@ -288,20 +378,20 @@ dpa_attack (void)
}
} /* End for guesses */
} /* End for experiments */
best_guess = 0; /* Initialize best guess */
best_max = 0.0; /* Initialize best maximum sample */
best_idx = 0; /* Initialize best argmax (index of maximum sample) */
best_guess[target_bit-1] = 0; /* Initialize best guess */
best_max[target_bit-1] = 0.0; /* Initialize best maximum sample */
best_idx[target_bit-1] = 0; /* Initialize best argmax (index of maximum sample) */
for (g = 0; g < 64; g++) /* For all guesses for 6-bits subkey */
{
tr_scalar_div (ctx, t0[g], t0[g], (float) (n0[g])); /* Normalize zero-set */
tr_scalar_div (ctx, t1[g], t1[g], (float) (n1[g])); /* Normalize zero-set */
tr_sub (ctx, dpa[g], t1[g], t0[g]); /* Compute one-set minus zero-set */
max = tr_max (ctx, dpa[g], &idx); /* Get max and argmax of DPA trace */
if (max > best_max || g == 0) /* If better than current best max (or if first guess) */
if (max > best_max[target_bit-1] || g == 0) /* If better than current best max (or if first guess) */
{
best_max = max; /* Overwrite best max with new one */
best_idx = idx; /* Overwrite best argmax with new one */
best_guess = g; /* Overwrite best guess with new one */
best_max[target_bit-1] = max; /* Overwrite best max with new one */
best_idx[target_bit-1] = idx; /* Overwrite best argmax with new one */
best_guess[target_bit-1] = g; /* Overwrite best guess with new one */
}
} /* End for all guesses */
/* Free allocated traces */
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment