├── sbox.mat
├── README.md
└── second_order.m

/sbox.mat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ermin-sakic/second-order-dpa/HEAD/sbox.mat
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
Second Order Differential Power Analysis
================

### Introduction:
In order to test the enhanced AES procedure, extended by masking and shuffling countermeasures, a second-order differential power analysis (DPA), adapted from [1] and [2], was implemented and executed. Compared to a first-order DPA, the second-order DPA uses two points in the trace array instead of one and combines them with a preprocessing function, in order to expose the correlation of these points with the Hamming weight matrix, created later, which consists of hypothetical intermediate state values.

### Attack description:

Two attack possibilities exist: attacking either one or two masked table look-ups. In order to attack only one masked output, the masked input needs to be known as well, and the input and output masks of the S-Box need to be equal in order to cancel each other out. The second option combines two S-Box outputs, so that two key bytes need to be guessed and taken into consideration (65536 combinations). For the preprocessing function, we have chosen the absolute difference recommended in the literature, which in the 1-bit case results in the highest correlation value of 1. In the 8-bit case, the highest achievable correlation with the matrix of hypothetical intermediate value vectors is 0.24. In our case, the S-Box lookups in the last round were targeted as the vulnerable spot.

The masked S-Box is implemented as `S_m(P⊕K_2⊕M) = Inv_S(P⊕K_2) + M'`, where K_2 represents the key generated for the second round of the AES encryption procedure (10th round key of the AES decryption procedure).

In an ideal case, we were hoping that using the absolute difference when combining each point in the power trace matrix with all other points would at least once result in the masks cancelling each other out. For this to work, we had to assume that the secure implementation uses the same values for M and M', as a testing/attacking simplification.

The searched-for combination in the preprocessing matrix is represented by the difference `|C(Inv_S(P⊕K_2)⊕M)−C(P⊕K_2⊕M)|`, which in turn correlates with the Hamming weights of the guessed and backwards-computed pair `HW(S(C⊕K_1)⊕(C⊕K_1))`. Here, the guessed value `C⊕K_1` represents the S-Box output `Inv_S(P⊕K_2)` and `S(C⊕K_1)` represents the S-Box input `P⊕K_2` in the decryption phase, if a correct key hypothesis was used. Therefore, only one byte of the plaintext would need to be used and one byte of the key would need to be guessed. The size of the preprocessing matrix equals the number of traces multiplied by the `l*(l-1)/2` possible point combinations. The matrix of hypothetical intermediate values equals the number of ciphertexts multiplied by the 256 possible key candidates.

After setting up the matrix of hypothetical intermediate values (`addRoundKey -> ShiftRows -> SubBytes`) and executing the exclusive-or (XOR) operation element-wise, `S(C⊕K_1)⊕(C⊕K_1)`, the Hamming weights of the individual elements are computed and the correlation between this matrix and the preprocessing matrix is calculated column-wise. The row in the correlation matrix with the highest overall correlation value represents the correct key guess. The same procedure is repeated for the remaining 15 bytes.
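The single-byte attack described above (absolute-difference preprocessing of every point pair, hypothesis row `HW(S(C⊕K_1)⊕(C⊕K_1))`, and the row/column with the highest absolute correlation), as an added Python simulation that is not part of this repository: it generates the AES S-box, constructs short 5-point traces in which two points leak the masked S-box output and input under the same mask (the M = M' assumption), and recovers both the key byte and the leaking point pair. Trace length, leak positions, noise level and the key byte are constructed assumptions.

```python
import random

def aes_sbox():
    """AES S-box: GF(2^8) inverse via a 3^i / 3^-i walk, then the affine map."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF      # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF            # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)          # q ^ ROTL1..4(q)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1: break
    sbox[0] = 0x63
    return sbox

SBOX = aes_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
HW = [bin(v).count("1") for v in range(256)]
POINTS, LEAK_OUT, LEAK_IN = 5, 1, 3          # constructed: 5-point traces, leak positions
PAIRS = [(i, j) for i in range(POINTS) for j in range(i + 1, POINTS)]  # l*(l-1)/2 columns

def simulate(key_byte, n, noise=0.3, seed=1):
    """Constructed traces: point LEAK_OUT leaks HW((C^K1)^M), point LEAK_IN leaks
    HW(InvS(C^K1)^M) with the same mask M (the README's M == M' assumption)."""
    rng, cts, traces = random.Random(seed), [], []
    for _ in range(n):
        out, m = rng.randrange(256), rng.randrange(256)   # S-box output = C ^ K1, mask
        t = [rng.gauss(4, 1.4) for _ in range(POINTS)]   # unrelated activity
        t[LEAK_OUT] = HW[out ^ m] + rng.gauss(0, noise)
        t[LEAK_IN] = HW[INV_SBOX[out] ^ m] + rng.gauss(0, noise)
        cts.append(out ^ key_byte); traces.append(t)
    return cts, traces

def centered(v):
    mu = sum(v) / len(v)
    c = [x - mu for x in v]
    return c, sum(x * x for x in c) ** 0.5   # mean-centred vector and its norm

def second_order_dpa(cts, traces):
    """|t_i - t_j| for every pair (the preprocessing matrix), correlated with each
    hypothesis row HW(InvS(C^K)^(C^K)); returns (key, |corr|, leaking pair)."""
    cols = [centered([abs(t[i] - t[j]) for t in traces]) for i, j in PAIRS]
    best = (None, -1.0, None)
    for k in range(256):
        h, hn = centered([HW[INV_SBOX[c ^ k] ^ (c ^ k)] for c in cts])
        for pair, (col, cn) in zip(PAIRS, cols):
            r = abs(sum(a * b for a, b in zip(h, col))) / (hn * cn)   # Pearson |corr|
            if r > best[1]: best = (k, r, pair)
    return best
```

With 1500 traces the correct byte wins with a correlation near the 0.24 figure quoted above, while the winning column identifies the pair of leaking points.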

### References:
1: Power Analysis Attacks: Revealing the Secrets of Smart Cards; Stefan Mangard, Elisabeth Oswald, Thomas Popp
2: Practical Second-Order DPA Attacks for Masked Smart Card Implementations of Block Ciphers; Elisabeth Oswald, Stefan Mangard, Christoph Herbst, Stefan Tillich

--------------------------------------------------------------------------------

/second_order.m:
--------------------------------------------------------------------------------
```matlab
%{
An implementation of the second-order Differential Power
Analysis (DPA) attack, suited for evaluations of the AES-128
algorithm on microcontrollers leaking Hamming weight power
models.

Authors: Ermin Sakic, Yigit Dincer

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
%}

%%--------------- DPA-Attack
clear all;
clc
tic
%% Initialize
load sbox.mat            % provides the lookup table 'sbox' (indexed 1-based below)
numTraces = 400;

% number of consecutive samples whose mean is taken in order to reduce
% the trace size (the trace length must be divisible by this value)
numberMean = 50;

% read ciphertext
Cipher = csvread('ciphertext.csv');

% read traces into MATLAB
load('trace_matrix.mat');

% Read ciphertext, where the first row is unusable
Cipher = Cipher(1:numTraces+1,:);
Cipher(1,:) = [];

% Delete the first trace, as it cannot be used for the attack
Trace = trace_matrix(2:numTraces+1, :);
%% Main

% COMPRESSION
% calculate the mean of Trace over the interval defined above in order to
% compress the data. The mean can be applied to columns quickly in
% MATLAB, so we reshape the trace matrix, take the column means and
% reshape it back.
u = reshape(Trace', numberMean, (size(Trace,2)*size(Trace,1))/numberMean);
u = mean(u);
Trace = reshape(u, size(u,2)/size(Trace,1), size(Trace,1));
Trace = Trace';
plot(Trace(2,:));
% Key hypothesis vector, replicated per trace and per byte
% (repmat is used to improve calculation speed later)
hypothese = repmat([0:255], [numTraces,1,16]);

display('Data loaded and compressed.');
toc

lengthvector = size(Trace,2);
clear P;
% Preprocessing matrix: one column per unordered pair of trace points.
% Since |I_a - I_b| = |I_b - I_a|, only l*(l-1)/2 pairs are needed,
% but the size is still QUADRATIC in the trace length!
P = zeros(numTraces, ((lengthvector-1) * lengthvector)/2);

e = 0;
s = 1;
for i = 1:lengthvector
    e = s + lengthvector - i - 1;
    P(:,s:e) = abs(bsxfun(@minus, Trace(:,(i+1):end), Trace(:,i)));
    s = e + 1;
end

display('Preprocessing finished.');
toc

% Reshape the ciphertext matrix in order to avoid any for-loops & do the
% calculations in one 3D matrix (traces x key candidates x bytes)
manipulatedCipher = reshape(Cipher, numTraces, 1, 16);
manipulatedCipher = repmat(manipulatedCipher, 1, 256);

%% Crack the key
% 1) Add round key
addRoundKey = bitxor(manipulatedCipher, hypothese);

% 2) SubBytes, here the output of the S-box operation is estimated
subByte = sbox(addRoundKey+1);

% 3) SubBytes, here the input of the S-box operation is estimated
sboxinput = bitxor(subByte, addRoundKey);

% 4) Hamming distance (Hamming weight of the XOR computed above)
Hamming = arrayfun(@(x) sum(bitget(x,1:8)), sboxinput);

display('Hypothetical values calculated.');
toc

clear addRoundKey;
clear subByte;
clear sboxinput;
clear trace_matrix;
clear u;
clear manipulatedCipher;
clear Trace;
% calculate the correlation matrix for each byte
Correlation = zeros(256, size(P,2));
row = zeros(1,16);
column = zeros(1,16);
%% Plot
figure;

for i = 1:16
    display(['Calculating correlation ' int2str(i)]);
    toc
    Correlation = corr(Hamming(:,:,i), P);

    % row = key candidate + 1, column = pair of trace points
    [~, index] = max(abs(Correlation(:)));
    [row(i), column(i)] = ind2sub(size(Correlation), index);
    display(['Row: ' int2str(row(i))]);
    display(['Column: ' int2str(column(i))]);
    display(max(abs(Correlation(:))));

    key = row(:)' - 1;
    display(key);
end

% Find maximum values of the correlation matrix
% sizeCorr=size(Correlation);
% reshapedCorrelation = reshape(Correlation, [sizeCorr(1)*sizeCorr(2),1,sizeCorr(3)]);
% [~, index] = max(abs(reshapedCorrelation));
% [row,column] = ind2sub(sizeCorr(1:2),index);

% find the final key
key = row(:)' - 1
keyHex = dec2hex(key)

display('finished.');
toc

% test whether the cracked key is correct
% keyCorrect=min(key==[85 193 121 4 195 220 4 82 42 12 118 239 232 202 72 181])
```
--------------------------------------------------------------------------------