cont. presentation

Speck-Analysis.ipynb

@@ -37,7 +37,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 2,
+   "execution_count": 41,
    "id": "9dd8320a",
    "metadata": {},
    "outputs": [],
@@ -71,7 +71,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 3,
+   "execution_count": 43,
    "id": "7793787d",
    "metadata": {},
    "outputs": [
@@ -124,7 +124,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 4,
+   "execution_count": 44,
    "id": "4cc49970",
    "metadata": {},
    "outputs": [],
@@ -142,7 +142,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 5,
+   "execution_count": 45,
    "id": "de6112ec",
    "metadata": {},
    "outputs": [
@@ -173,7 +173,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 6,
+   "execution_count": 46,
    "id": "103040b9",
    "metadata": {},
    "outputs": [],
@@ -197,7 +197,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 7,
+   "execution_count": 47,
    "id": "bdfe5aba",
    "metadata": {},
    "outputs": [
@@ -224,7 +224,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 8,
+   "execution_count": 48,
    "id": "180eb01b",
    "metadata": {},
    "outputs": [
@@ -261,7 +261,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 9,
+   "execution_count": 49,
    "id": "a56a4fc2",
    "metadata": {
     "scrolled": true
@@ -270,12 +270,12 @@
     {
      "data": {
       "application/vnd.jupyter.widget-view+json": {
-       "model_id": "c784e8b4262d44279e91a7e038fbeec9",
+       "model_id": "15d7f951094a482492478813d98b3c96",
        "version_major": 2,
        "version_minor": 0
       },
       "text/plain": [
-       "Capturing traces:   0%|          | 0/5000 [00:00<?, ?it/s]"
+       "Capturing traces:   0%|          | 0/20000 [00:00<?, ?it/s]"
       ]
      },
      "metadata": {},
@@ -295,7 +295,7 @@
     "random.seed(0x5222322223) \n",
     "\n",
     "\n",
-    "N = 5000\n",
+    "N = 20000\n",
     "for i in trange(N, desc='Capturing traces'):\n",
     "    pt = bytes([random.randint(0, 255) for i in range(4)])\n",
     "    scope.arm()\n",
@@ -327,13 +327,13 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 10,
+   "execution_count": 50,
    "id": "82acc7fa",
    "metadata": {},
    "outputs": [],
    "source": [
-    "np.save(\"sample_traces/5000_encryption_traces.npy\", trace_array)\n",
-    "np.save(\"sample_traces/5000_plaintext_traces.npy\", textin_array)"
+    "np.save(\"sample_traces/20000_encryption_traces_regular.npy\", trace_array)\n",
+    "np.save(\"sample_traces/20000_plaintext_traces_regular.npy\", textin_array)"
    ]
   },
   {
@@ -1769,8 +1769,8 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 18,
-   "id": "63f53d49",
+   "execution_count": 20,
+   "id": "f129c36f",
    "metadata": {},
    "outputs": [],
    "source": [
@@ -1810,7 +1810,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 16,
+   "execution_count": 21,
    "id": "8a54a633",
    "metadata": {},
    "outputs": [],
@@ -2892,17 +2892,19 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 89,
-   "id": "5288a5f1",
+   "execution_count": 52,
+   "id": "fbff0129",
    "metadata": {},
    "outputs": [],
    "source": [
     "%matplotlib notebook\n",
     "import matplotlib.pylab as plt\n",
+    "import json\n",
+    "\n",
     "def analyze_correlations(traces, plaintexts):\n",
     "    \n",
-    "    steps = 100\n",
-    "    max_traces = 5000\n",
+    "    steps = 200\n",
+    "    max_traces = 20000\n",
     "    \n",
     "    allkeys = {}\n",
     "    for j in range(256):\n",
@@ -2929,58 +2931,137 @@
     "\n",
     "    plt.ylabel('Correlation')\n",
     "    plt.xlabel('Number of Traces')\n",
-    "\n",
+    "    \n",
+    "    \n",
     "    #plt.legend(loc=\"upper left\")\n",
     "    plt.show()\n",
+    "    return allkeys\n",
     "    \n"
    ]
   },
   {
    "cell_type": "code",
    "execution_count": null,
-   "id": "528e23fd",
+   "id": "5a083190",
    "metadata": {},
    "outputs": [
     {
      "name": "stdout",
      "output_type": "stream",
      "text": [
-      "[+] Calculating Correlations with 100 traces\n",
       "[+] Calculating Correlations with 200 traces\n",
-      "[+] Calculating Correlations with 300 traces\n",
       "[+] Calculating Correlations with 400 traces\n",
-      "[+] Calculating Correlations with 500 traces\n",
       "[+] Calculating Correlations with 600 traces\n",
-      "[+] Calculating Correlations with 700 traces\n",
       "[+] Calculating Correlations with 800 traces\n",
-      "[+] Calculating Correlations with 900 traces\n",
       "[+] Calculating Correlations with 1000 traces\n",
-      "[+] Calculating Correlations with 1100 traces\n",
       "[+] Calculating Correlations with 1200 traces\n",
-      "[+] Calculating Correlations with 1300 traces\n",
       "[+] Calculating Correlations with 1400 traces\n",
-      "[+] Calculating Correlations with 1500 traces\n",
       "[+] Calculating Correlations with 1600 traces\n",
-      "[+] Calculating Correlations with 1700 traces\n",
       "[+] Calculating Correlations with 1800 traces\n",
-      "[+] Calculating Correlations with 1900 traces\n",
       "[+] Calculating Correlations with 2000 traces\n",
-      "[+] Calculating Correlations with 2100 traces\n",
       "[+] Calculating Correlations with 2200 traces\n",
-      "[+] Calculating Correlations with 2300 traces\n",
       "[+] Calculating Correlations with 2400 traces\n",
-      "[+] Calculating Correlations with 2500 traces\n"
+      "[+] Calculating Correlations with 2600 traces\n",
+      "[+] Calculating Correlations with 2800 traces\n",
+      "[+] Calculating Correlations with 3000 traces\n",
+      "[+] Calculating Correlations with 3200 traces\n",
+      "[+] Calculating Correlations with 3400 traces\n",
+      "[+] Calculating Correlations with 3600 traces\n",
+      "[+] Calculating Correlations with 3800 traces\n",
+      "[+] Calculating Correlations with 4000 traces\n",
+      "[+] Calculating Correlations with 4200 traces\n",
+      "[+] Calculating Correlations with 4400 traces\n",
+      "[+] Calculating Correlations with 4600 traces\n",
+      "[+] Calculating Correlations with 4800 traces\n",
+      "[+] Calculating Correlations with 5000 traces\n",
+      "[+] Calculating Correlations with 5200 traces\n",
+      "[+] Calculating Correlations with 5400 traces\n",
+      "[+] Calculating Correlations with 5600 traces\n",
+      "[+] Calculating Correlations with 5800 traces\n",
+      "[+] Calculating Correlations with 6000 traces\n",
+      "[+] Calculating Correlations with 6200 traces\n",
+      "[+] Calculating Correlations with 6400 traces\n",
+      "[+] Calculating Correlations with 6600 traces\n",
+      "[+] Calculating Correlations with 6800 traces\n",
+      "[+] Calculating Correlations with 7000 traces\n",
+      "[+] Calculating Correlations with 7200 traces\n",
+      "[+] Calculating Correlations with 7400 traces\n",
+      "[+] Calculating Correlations with 7600 traces\n",
+      "[+] Calculating Correlations with 7800 traces\n",
+      "[+] Calculating Correlations with 8000 traces\n",
+      "[+] Calculating Correlations with 8200 traces\n",
+      "[+] Calculating Correlations with 8400 traces\n",
+      "[+] Calculating Correlations with 8600 traces\n",
+      "[+] Calculating Correlations with 8800 traces\n",
+      "[+] Calculating Correlations with 9000 traces\n",
+      "[+] Calculating Correlations with 9200 traces\n",
+      "[+] Calculating Correlations with 9400 traces\n",
+      "[+] Calculating Correlations with 9600 traces\n",
+      "[+] Calculating Correlations with 9800 traces\n",
+      "[+] Calculating Correlations with 10000 traces\n",
+      "[+] Calculating Correlations with 10200 traces\n",
+      "[+] Calculating Correlations with 10400 traces\n",
+      "[+] Calculating Correlations with 10600 traces\n",
+      "[+] Calculating Correlations with 10800 traces\n",
+      "[+] Calculating Correlations with 11000 traces\n",
+      "[+] Calculating Correlations with 11200 traces\n",
+      "[+] Calculating Correlations with 11400 traces\n",
+      "[+] Calculating Correlations with 11600 traces\n",
+      "[+] Calculating Correlations with 11800 traces\n",
+      "[+] Calculating Correlations with 12000 traces\n",
+      "[+] Calculating Correlations with 12200 traces\n",
+      "[+] Calculating Correlations with 12400 traces\n",
+      "[+] Calculating Correlations with 12600 traces\n",
+      "[+] Calculating Correlations with 12800 traces\n",
+      "[+] Calculating Correlations with 13000 traces\n",
+      "[+] Calculating Correlations with 13200 traces\n",
+      "[+] Calculating Correlations with 13400 traces\n",
+      "[+] Calculating Correlations with 13600 traces\n",
+      "[+] Calculating Correlations with 13800 traces\n",
+      "[+] Calculating Correlations with 14000 traces\n",
+      "[+] Calculating Correlations with 14200 traces\n",
+      "[+] Calculating Correlations with 14400 traces\n",
+      "[+] Calculating Correlations with 14600 traces\n",
+      "[+] Calculating Correlations with 14800 traces\n",
+      "[+] Calculating Correlations with 15000 traces\n",
+      "[+] Calculating Correlations with 15200 traces\n",
+      "[+] Calculating Correlations with 15400 traces\n",
+      "[+] Calculating Correlations with 15600 traces\n",
+      "[+] Calculating Correlations with 15800 traces\n",
+      "[+] Calculating Correlations with 16000 traces\n",
+      "[+] Calculating Correlations with 16200 traces\n",
+      "[+] Calculating Correlations with 16400 traces\n",
+      "[+] Calculating Correlations with 16600 traces\n",
+      "[+] Calculating Correlations with 16800 traces\n",
+      "[+] Calculating Correlations with 17000 traces\n",
+      "[+] Calculating Correlations with 17200 traces\n",
+      "[+] Calculating Correlations with 17400 traces\n"
      ]
     }
    ],
    "source": [
-    "analyze_correlations(trace_array, textin_array)"
+    "data = analyze_correlations(trace_array, textin_array)\n",
+    "import json\n",
+    "with open(\"20kregular.json\", \"w\") as out:\n",
+    "    out.write(json.dumps(data))"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 38,
+   "id": "038a9215",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "import json\n",
+    "with open(\"out.json\", \"w\") as out:\n",
+    "    out.write(json.dumps(data))"
    ]
   },
   {
    "cell_type": "code",
    "execution_count": 78,
-   "id": "dbee4adc",
+   "id": "ece32d8b",
    "metadata": {},
    "outputs": [
     {

analysis/correlation_graph.py

@@ -0,0 +1,137 @@
+import matplotlib as plt
+import math
+import numpy as np
+import json
+
+#Hamming Weight
+HW = [bin(n).count("1") for n in range(0, 256)]
+def popcount(x):
+    x -= (x >> 1) & 0x5555555555555555
+    x = (x & 0x3333333333333333) + ((x >> 2) & 0x3333333333333333)
+    x = (x + (x >> 4)) & 0x0f0f0f0f0f0f0f0f
+    return ((x * 0x0101010101010101) & 0xffffffffffffffff ) >> 56
+
+# Helper Functions
+def mean(X):
+    return np.sum(X, axis=0)/len(X)
+
+def std_dev(X, X_bar):
+    return np.sqrt(np.sum((X-X_bar)**2, axis=0))
+
+def cov(X, X_bar, Y, Y_bar):
+    return np.sum((X-X_bar)*(Y-Y_bar), axis=0)
+
+def to16(byte1, byte2):
+    return int((byte1 << 8) + byte2)
+
+
+# Speck Model
+
+NUM_ROUNDS = 22
+BLOCK_SIZE = 32
+KEY_SIZE = 64
+WORD_SIZE = 16
+
+
+# SHIFTs for SPECK
+ALPHA = 7
+BETA = 2
+
+mod_mask = (2 ** WORD_SIZE) -1
+mod_mask_sub = (2 ** WORD_SIZE)
+
+def ER16(x, y, k):
+    rs_x = ((x << (16 - ALPHA)) + (x >> ALPHA)) & mod_mask
+    add_sxy = (rs_x + y) & mod_mask
+    new_x = k ^ add_sxy
+    ls_y = ((y >> (16 - BETA)) + (y << BETA)) & mod_mask
+    new_y = new_x ^ ls_y
+
+    return new_x, new_y
+
+
+
+def simple_speck(plaintext, key):
+    Ct_0 = (int(plaintext[1]) << 8) + int(plaintext[0])
+    Ct_1 = (int(plaintext[3]) << 8) + int(plaintext[2])
+
+    Ct_1, Ct_0 = ER16(Ct_1, Ct_0, key)   # fixed 16 bit key of 0x55
+    return popcount((Ct_1 << 8) + Ct_0)
+
+
+def calc_corr(traces, plaintexts):
+
+    maxcpa = [0] * 256   # Correlations
+
+    # Calculate mean and standard derivation
+    t_bar = mean(traces)
+    o_t = std_dev(traces, t_bar)
+
+
+    for key in range(0, 256):
+
+        hws = np.array([[simple_speck(pt, (key << 8) + 0x00) for pt in plaintexts]]).transpose()
+
+        hws_bar = mean(hws)
+        o_hws = std_dev(hws, hws_bar)
+        correlation = cov(traces, t_bar, hws, hws_bar)
+        cpaoutput = correlation/(o_t*o_hws)
+        maxcpa[key] = max(abs(cpaoutput))
+
+    # Return the two best guesses
+    best_guess = int(np.argmax(maxcpa))
+
+    return best_guess, maxcpa
+
+
+def analyze_correlations(traces, plaintexts):
+
+    steps = 200
+    max_traces = 1000
+
+    allkeys = {}
+    for j in range(256):
+        allkeys[j] = []
+
+    stats = []
+
+    for i in range(steps, max_traces, steps):
+        best, corrs = calc_corr(traces[:i], plaintexts[:i])
+
+        for j in range(256):
+            allkeys[j].append(corrs[j])
+        stats.append(i)
+
+
+
+    plt.figure()
+
+
+    for keybyte, correlations in allkeys.items():
+        if keybyte == 0x22:
+            plt.plot(stats, correlations, color='gray')
+        else:
+            plt.plot(stats, correlations, color='lightgray')
+
+    plt.ylabel('Correlation')
+    plt.xlabel('Number of Traces')
+
+
+    #plt.legend(loc="upper left")
+    plt.save("plot_hiding.png")
+    return allkeys
+
+
+# Load Inputs
+print("[+] Loading Hiding Data")
+trace_array = np.load("../sample_traces/5000_encryption_traces_with_hiding_random.npy")
+textin_array = np.load("../sample_traces/5000_plaintext_traces_with_hiding_random.npy")
+
+print("[+] Calculating Correlations")
+allkeys = analyze_correlations(trace_array, textin_array)
+
+
+with open("2000k_correlations.json", "w") as out:
+    out.write(json.dumps(allkeys))
+
+

presentation/slides.html

@@ -115,13 +115,17 @@
 <section id="speck" class="slide level1">
 <h1>Speck</h1>
 <ul>
-<li>Symmentrische ARX Schiffre</li>
-<li>Entworfen von der NSA (Zusammen mit Simon)</li>
+<li>Symmentrische ARX Schiffre
+<ul>
+<li>Add/Rotate/XOR</li>
+</ul></li>
+<li>Entworfen von der NSA (Zusammen mit der Schiffre Simon)</li>
 <li>Performant in Hard-/Software</li>
 <li>Speck bietet mehrere mögliche Modis
 <ul>
-<li>Runden, Schlüssellänge, …</li>
+<li>Anzahl Runden, Schlüssellänge, Blocklänge</li>
 </ul></li>
+<li>Paper: <a href="https://csrc.nist.gov/csrc/media/events/lightweight-cryptography-workshop-2015/documents/papers/session1-shors-paper.pdf">Simon and Speck: Block Ciphers for the Internet of Things</a></li>
 </ul>
 </section>
 <section id="speck---setups" class="slide level1">
@@ -253,50 +257,226 @@
 <section id="speck---möglicher-angriff-1" class="slide level1">
 <h1>Speck - Möglicher Angriff</h1>
 <ul>
-<li>Der Roundkey steckt in der XOR Operation</li>
+<li>Der Rundenschlüssel steckt in der XOR Operation</li>
 </ul>
-<p><img data-src="img/er16_annot.png" /></p>
+<p><img data-src="img/er16_enc_rk.png" /> <img data-src="img/er16_annot.png" /></p>
 </section>
 <section id="correlation-power-analysis" class="slide level1">
 <h1>Correlation Power Analysis</h1>
 <ul>
 <li>Variante von Differential Power Analysis (DPA)</li>
 <li>Nutzt Pearson Correlation Coefficient (PCC)</li>
-<li><strong>Bei Speck:</strong> Korrelation zwischen Power-Trace und Key</li>
+<li><strong>Bei Speck:</strong> Korrelation zwischen Power-Trace und Rundenschlüssel</li>
+<li>Vorgehen:
+<ul>
+<li>Modell erstellen</li>
+<li>Finden der Korrelationen im Modell</li>
+<li>Anwenden auf Hardware Implementierung</li>
+</ul></li>
 </ul>
 </section>
 <section id="theoretischer-angriff" class="slide level1">
 <h1>Theoretischer Angriff</h1>
 </section>
-<section id="speck---modell" class="slide level1">
-<h1>Speck - Modell</h1>
-</section>
 <section id="hamming-weight" class="slide level1">
 <h1>Hamming Weight</h1>
+<ul>
+<li>Passendes Modell zum ‘bewerten’ des Stromverbrauchs</li>
+<li>Chip hat ein gewissen Basisverbrauch (IDLE)</li>
+<li>Werden Bytes im Chip verändert (<span class="math inline">0 → 1; 1 → 0</span>) wird Strom benötigt</li>
+<li>Verhalten kann durch die Hamming-Distanz simuliert werden</li>
+<li><strong>Hamming Distanz:</strong> Anzahl der Veränderter Bits:</li>
+</ul>
+<p><span class="math display"><em>H</em><em>a</em><em>m</em><em>m</em><em>i</em><em>n</em><em>g</em><em>D</em><em>i</em><em>s</em><em>t</em><em>a</em><em>n</em><em>c</em><em>e</em>(0100101,0010101) = 2</span></p>
+<p>Der Unterschied zweier per XOR verknüpfter Daten, wird als Hamming-Gewicht bezeichnet:</p>
+<p><span class="math display"><em>H</em><em>a</em><em>m</em><em>m</em><em>i</em><em>n</em><em>g</em><em>D</em><em>i</em><em>s</em><em>t</em><em>a</em><em>n</em><em>c</em><em>e</em>(0100101,0010101) = <em>H</em><em>a</em><em>m</em><em>m</em><em>i</em><em>n</em><em>g</em><em>W</em><em>e</em><em>i</em><em>g</em><em>h</em><em>t</em>(0100101⊕0010101)</span></p>
+</section>
+<section id="speck---modell" class="slide level1">
+<h1>Speck - Modell</h1>
+<ul>
+<li>Einfaches Modell der Speck Verschlüsselung</li>
+<li>Kann für die ersten 2 Byte des Rundenschlüssels genutzt werden:</li>
+</ul>
+<div class="sourceCode" id="cb3"><pre class="sourceCode python"><code class="sourceCode python"><span id="cb3-1"><a href="#cb3-1" aria-hidden="true" tabindex="-1"></a><span class="kw">def</span> simple_speck(plaintext, key):</span>
+<span id="cb3-2"><a href="#cb3-2" aria-hidden="true" tabindex="-1"></a>    Ct_0 <span class="op">=</span> (<span class="bu">int</span>(plaintext[<span class="dv">1</span>]) <span class="op">&lt;&lt;</span> <span class="dv">8</span>) <span class="op">+</span> <span class="bu">int</span>(plaintext[<span class="dv">0</span>]) <span class="co"># RIGHT Key</span></span>
+<span id="cb3-3"><a href="#cb3-3" aria-hidden="true" tabindex="-1"></a>    Ct_1 <span class="op">=</span> (<span class="bu">int</span>(plaintext[<span class="dv">3</span>]) <span class="op">&lt;&lt;</span> <span class="dv">8</span>) <span class="op">+</span> <span class="bu">int</span>(plaintext[<span class="dv">2</span>]) <span class="co"># LEFT Key</span></span>
+<span id="cb3-4"><a href="#cb3-4" aria-hidden="true" tabindex="-1"></a>                                                </span>
+<span id="cb3-5"><a href="#cb3-5" aria-hidden="true" tabindex="-1"></a>    Ct_1, Ct_0 <span class="op">=</span> ER16(Ct_1, Ct_0, key)     <span class="co"># Calculate Roundfunction</span></span>
+<span id="cb3-6"><a href="#cb3-6" aria-hidden="true" tabindex="-1"></a>    </span>
+<span id="cb3-7"><a href="#cb3-7" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> popcount((Ct_1 <span class="op">&lt;&lt;</span> <span class="dv">8</span>) <span class="op">+</span> Ct_0)    <span class="co"># Return Hamming Wight (aka Popcount)</span></span></code></pre></div>
 </section>
 <section id="t-test" class="slide level1">
 <h1>T-Test</h1>
+<ul>
+<li>Wird verwendet um <em>Leakage</em> zu erkennen
+<ul>
+<li>Gibt das Berechnen einer Chiffre mehr Information zurück als geplant: Leakage</li>
+<li>z.B. durch die Power Traces</li>
+</ul></li>
+<li>Berechnet durch:</li>
+</ul>
+<p><img data-src="img/ttest_calc.png" /></p>
+<ul>
+<li>Vergleicht zwei unabhängige Stichproben miteinander, und vergleicht Mittelwerte</li>
+<li>Je unterschiedlicher die Mittelwerte <span class="math inline">→</span> desto weniger Leakage</li>
+</ul>
+</section>
+<section id="t-test-1" class="slide level1">
+<h1>T-Test</h1>
+<ul>
+<li>T-Test der aufgezeichneten Power-Traces:</li>
+</ul>
+<p><img data-src="img/t_test_original.png" /></p>
 </section>
 <section id="angriff" class="slide level1">
 <h1>Angriff</h1>
+<ol type="1">
+<li>Implementierung von Speck auf CW</li>
+<li>Aufzeichnen von X PowerTraces</li>
+<li>Berechnung des Software Modells</li>
+<li>Berechnen der Korrelationen zwischen Modell/Powertraces
+<ol type="1">
+<li>Keybyte für Keybyte</li>
+<li>Rückrechnen des Rundenschlüssels</li>
+</ol></li>
+</ol>
+</section>
+<section id="korrelationen-des-ersten-keybytes" class="slide level1">
+<h1>Korrelationen des ersten Keybytes</h1>
+<ul>
+<li>Correlationen des ersten Keybytes</li>
+<li>Deutliches Maximum der Korrelation bei 0x11</li>
+</ul>
+<p><img data-src="img/correlation_keybyte.png" width="550" /></p>
+</section>
+<section id="problem-blocksize" class="slide level1">
+<h1>Problem: Blocksize</h1>
+<ul>
+<li>Bei <strong>Speck1632:</strong> Operationen nicht auf Byte sondern auf 16-Bit Ebene</li>
+<li>Erste Idee: Modell und Korrelation auf <span class="math inline">2<sup>16</sup></span> Keys</li>
+<li><span class="math inline">→</span> Zu langsam, Unschön</li>
+<li><span class="math inline">→</span> Nicht möglich für andere Modis von Speck</li>
+<li><strong>Lösung:</strong> Modell funktioniert auch auf allen Teilbytes:</li>
+</ul>
+<div class="sourceCode" id="cb4"><pre class="sourceCode python"><code class="sourceCode python"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a>rightkey <span class="op">=</span> <span class="bn">0x00</span></span>
+<span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a><span class="cf">for</span> guess_key <span class="kw">in</span> <span class="bu">range</span>(<span class="dv">256</span>):</span>
+<span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a>    leftkey <span class="op">=</span> model( (guess_key <span class="op">&lt;&lt;</span> <span class="dv">8</span>) <span class="op">+</span> righkey )</span>
+<span id="cb4-4"><a href="#cb4-4" aria-hidden="true" tabindex="-1"></a></span>
+<span id="cb4-5"><a href="#cb4-5" aria-hidden="true" tabindex="-1"></a><span class="cf">for</span> guess_key <span class="kw">in</span> <span class="bu">range</span>(<span class="dv">256</span>):</span>
+<span id="cb4-6"><a href="#cb4-6" aria-hidden="true" tabindex="-1"></a>    rightkey <span class="op">=</span> model( (leftkey <span class="op">&lt;&lt;</span> <span class="dv">8</span>) <span class="op">+</span> guess_key )</span></code></pre></div>
+<ul>
+<li>Auch umsetzbar auf Speck mit Blocksize &gt; 16 Bit</li>
+</ul>
+</section>
+<section id="problem-nth-keybytes" class="slide level1">
+<h1>Problem: <span class="math inline"><em>n</em><sup><em>t</em><em>h</em></sup></span> Keybytes</h1>
+<ul>
+<li>Modell kann nur für die ersten zwei Keybytes genutzt werden, da:</li>
+</ul>
+<div class="sourceCode" id="cb5"><pre class="sourceCode c"><code class="sourceCode c"><span id="cb5-1"><a href="#cb5-1" aria-hidden="true" tabindex="-1"></a><span class="cf">for</span> i in <span class="fl">0.</span><span class="er">.</span><span class="op">&lt;</span><span class="dv">22</span></span>
+<span id="cb5-2"><a href="#cb5-2" aria-hidden="true" tabindex="-1"></a>    ER16<span class="op">(</span>Ct<span class="op">[</span><span class="dv">1</span><span class="op">],</span> Ct<span class="op">[</span><span class="dv">0</span><span class="op">],</span> rk<span class="op">[</span>i<span class="op">++])</span></span></code></pre></div>
+<ul>
+<li>Die Rundenkeys zuvor müssen miteingeschlossen werden</li>
+<li>Muss an der richtigen Stelle passieren (<span class="math inline">⊕</span>-Operation)</li>
+</ul>
+</section>
+<section id="problem-nth-keybytes-1" class="slide level1">
+<h1>Problem: <span class="math inline"><em>n</em><sup><em>t</em><em>h</em></sup></span> Keybytes</h1>
+<div class="sourceCode" id="cb6"><pre class="sourceCode python"><code class="sourceCode python"><span id="cb6-1"><a href="#cb6-1" aria-hidden="true" tabindex="-1"></a> <span class="co"># -------------- for one key -----------------#</span></span>
+<span id="cb6-2"><a href="#cb6-2" aria-hidden="true" tabindex="-1"></a>    x <span class="op">=</span> ((x <span class="op">&lt;&lt;</span> (<span class="dv">16</span> <span class="op">-</span> ALPHA)) <span class="op">+</span> (x <span class="op">&gt;&gt;</span> ALPHA)) <span class="op">&amp;</span> mod_mask           <span class="co"># x = ROR(x, 7)</span></span>
+<span id="cb6-3"><a href="#cb6-3" aria-hidden="true" tabindex="-1"></a>    x <span class="op">=</span> (x <span class="op">+</span> y) <span class="op">&amp;</span> mod_mask                                        <span class="co"># x = ADD(x, y)</span></span>
+<span id="cb6-4"><a href="#cb6-4" aria-hidden="true" tabindex="-1"></a>    </span>
+<span id="cb6-5"><a href="#cb6-5" aria-hidden="true" tabindex="-1"></a>    x <span class="op">=</span> x <span class="op">^</span> knownkey[<span class="dv">0</span>]   </span>
+<span id="cb6-6"><a href="#cb6-6" aria-hidden="true" tabindex="-1"></a>    </span>
+<span id="cb6-7"><a href="#cb6-7" aria-hidden="true" tabindex="-1"></a>    <span class="co"># -------------- for second key -----------------#</span></span>
+<span id="cb6-8"><a href="#cb6-8" aria-hidden="true" tabindex="-1"></a>    </span>
+<span id="cb6-9"><a href="#cb6-9" aria-hidden="true" tabindex="-1"></a>    y <span class="op">=</span> ((y <span class="op">&gt;&gt;</span> (<span class="dv">16</span> <span class="op">-</span> BETA)) <span class="op">+</span> (y <span class="op">&lt;&lt;</span> BETA)) <span class="op">&amp;</span> mod_mask            <span class="co"># y = ROL(y, 2)</span></span>
+<span id="cb6-10"><a href="#cb6-10" aria-hidden="true" tabindex="-1"></a>    y <span class="op">=</span> y <span class="op">^</span> x                                                    <span class="co"># y = XOR(y, x)</span></span>
+<span id="cb6-11"><a href="#cb6-11" aria-hidden="true" tabindex="-1"></a>    x <span class="op">=</span> ((x <span class="op">&lt;&lt;</span> (<span class="dv">16</span> <span class="op">-</span> ALPHA)) <span class="op">+</span> (x <span class="op">&gt;&gt;</span> ALPHA)) <span class="op">&amp;</span> mod_mask          <span class="co"># x = ROR(x, 7)</span></span>
+<span id="cb6-12"><a href="#cb6-12" aria-hidden="true" tabindex="-1"></a>    x <span class="op">=</span> (x <span class="op">+</span> y) <span class="op">&amp;</span> mod_mask                                       <span class="co"># x = ADD(x, y)</span></span>
+<span id="cb6-13"><a href="#cb6-13" aria-hidden="true" tabindex="-1"></a>    </span>
+<span id="cb6-14"><a href="#cb6-14" aria-hidden="true" tabindex="-1"></a>    x <span class="op">=</span> x <span class="op">^</span> knownkey[<span class="dv">1</span>]                                          <span class="co"># x = XOR(x, k) </span></span>
+<span id="cb6-15"><a href="#cb6-15" aria-hidden="true" tabindex="-1"></a>    </span>
+<span id="cb6-16"><a href="#cb6-16" aria-hidden="true" tabindex="-1"></a>    <span class="co"># -------------- for third key -----------------#</span></span>
+<span id="cb6-17"><a href="#cb6-17" aria-hidden="true" tabindex="-1"></a>    <span class="co"># [...]</span></span></code></pre></div>
+</section>
+<section id="korrelationen-des-ersten-keybytes-1" class="slide level1">
+<h1>Korrelationen des ersten Keybytes</h1>
+<p><img data-src="img/traces.png" width="550" /></p>
 </section>
 <section id="gegenmaßnahmen" class="slide level1">
 <h1>Gegenmaßnahmen</h1>
 </section>
 <section id="hiding" class="slide level1">
 <h1>Hiding</h1>
+<ul>
+<li>Verstecken des eigentlichen “Leakages” in Rauschen</li>
+<li><span class="math inline">→</span> Erhöhung des vorhandenen Rauschens während der Berechnung</li>
+<li>Mehrere Möglichkeiten
+<ul>
+<li>Mischen der Instruction-Order</li>
+<li><strong>Hinzufügen von “Dummy Instructionen”</strong></li>
+<li>Clock Jitter</li>
+</ul></li>
+</ul>
 </section>
 <section id="hiding---code" class="slide level1">
 <h1>Hiding - Code</h1>
+<ul>
+<li><strong>Ansatz:</strong> Korrelation kommt von <code>ER16()</code>
+<ul>
+<li>XOR/Add/Rotate</li>
+</ul></li>
+<li>Hinzufügen weitere RXA Operationen um Noice zu erhöhen</li>
+<li>Ersetzen von jeder XOR Operatione mit folgender:</li>
+</ul>
+<div class="sourceCode" id="cb7"><pre class="sourceCode c"><code class="sourceCode c"><span id="cb7-1"><a href="#cb7-1" aria-hidden="true" tabindex="-1"></a><span class="dt">uint16_t</span> XOR<span class="op">(</span><span class="dt">uint16_t</span> a<span class="op">,</span> <span class="dt">uint16_t</span> b<span class="op">,</span> <span class="dt">int</span> random<span class="op">)</span> <span class="op">{</span></span>
+<span id="cb7-2"><a href="#cb7-2" aria-hidden="true" tabindex="-1"></a>    <span class="dt">uint8_t</span> tmp <span class="op">=</span> random <span class="op">^</span> <span class="bn">0x5F</span><span class="op">;</span></span>
+<span id="cb7-3"><a href="#cb7-3" aria-hidden="true" tabindex="-1"></a>    tmp <span class="op">^=</span> <span class="op">(</span>random <span class="op">^</span> a<span class="op">);</span></span>
+<span id="cb7-4"><a href="#cb7-4" aria-hidden="true" tabindex="-1"></a>    tmp <span class="op">^=</span> <span class="op">(</span>tmp <span class="op">^</span> b<span class="op">);</span></span>
+<span id="cb7-5"><a href="#cb7-5" aria-hidden="true" tabindex="-1"></a>    tmp <span class="op">&amp;=</span> <span class="op">(</span>tmp <span class="op">&amp;</span> a<span class="op">);</span></span>
+<span id="cb7-6"><a href="#cb7-6" aria-hidden="true" tabindex="-1"></a>    tmp <span class="op">&amp;=</span> <span class="op">(</span>tmp <span class="op">&amp;</span> b<span class="op">);</span></span>
+<span id="cb7-7"><a href="#cb7-7" aria-hidden="true" tabindex="-1"></a>    <span class="cf">return</span> a <span class="op">^</span> b<span class="op">;</span></span>
+<span id="cb7-8"><a href="#cb7-8" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
+<ul>
+<li>Random wird bei jeder Verschlüsslung erneut generiert</li>
+</ul>
 </section>
 <section id="hiding---t-test" class="slide level1">
 <h1>Hiding - T-Test</h1>
+<ul>
+<li>Ergebnisse des T-Tests mit implementierter Hiding Maßnahmen:</li>
+</ul>
+<p><img data-src="img/t_test_hiding_random.png" /></p>
+<ul>
+<li>Bedarf weitere Analysen, Unterschied der beiden T-Tests sind nur Minimal</li>
+<li>Keine Indikation dass Hiding funktioniert</li>
+</ul>
 </section>
-<section id="korrelationen" class="slide level1">
-<h1>Korrelationen</h1>
+<section id="korrelationen-des-ersten-keybytes-2" class="slide level1">
+<h1>Korrelationen des ersten Keybytes</h1>
+<ul>
+<li>Besseres Ergbniss der Korrelationen bis 5000 Traces</li>
+<li>Keine Korrelation sticht heraus</li>
+</ul>
+<p><img data-src="img/corr_traces_hiding_5k.png" width="550" /></p>
+</section>
+<section id="hiding-bypass" class="slide level1">
+<h1>Hiding Bypass</h1>
+<ul>
+<li>Korrelation sollte weiterhin möglich sein wenn man die Operationen in Betracht zieht</li>
+<li>Schwierigkeit hängt am Zufallszahlengenerator</li>
+<li><strong>Problem:</strong> Sichere Zufallszahlen auf Embedded Chips ist nicht trivial</li>
+</ul>
+<p><span class="math inline">→</span> Bypass konnte <strong>nicht</strong> realisiert werden</p>
 </section>
 <section id="referenzen" class="slide level1">
 <h1>Referenzen</h1>
+<ul>
+<li><a href="Improved%20Differential%20Cryptanalysis%20of%20Round-Reduced%20Speck">Improved Differential Cryptanalysis of Round-Reduced Speck</a></li>
+<li><a href="Breaking%20Speck%20cryptosystem%20using%20correlation%20power%20analysis%20attack">Breaking Speck cryptosystem using correlation power analysis attack</a></li>
+<li><a href="%7BSpeck-R:%20An%20ultra%20light-weight%20cryptographic%20scheme%20for%20Internet%20of%20Things">{Speck-R: An ultra light-weight cryptographic scheme for Internet of Things</a></li>
+</ul>
 </section>
     </div>
   </div>

presentation/slides.md

@@ -30,10 +30,12 @@ data: 01.02.22
 # Speck
 
 * Symmentrische ARX Schiffre
-* Entworfen von der NSA (Zusammen mit Simon)
+	* Add/Rotate/XOR
+* Entworfen von der NSA (Zusammen mit der Schiffre Simon)
 * Performant in Hard-/Software
 * Speck bietet mehrere mögliche Modis
-    - Runden, Schlüssellänge, ...
+    - Anzahl Runden, Schlüssellänge, Blocklänge
+* Paper: [Simon and Speck: Block Ciphers for the Internet of Things](https://csrc.nist.gov/csrc/media/events/lightweight-cryptography-workshop-2015/documents/papers/session1-shors-paper.pdf)
 
 ---
 
@@ -119,8 +121,9 @@ void FuncER16(u16 *x, u16 *y, u16 k)
 
 # Speck - Möglicher Angriff
 
-* Der Roundkey steckt in der XOR Operation
+* Der Rundenschlüssel steckt in der XOR Operation
 
+![](img/er16_enc_rk.png)
 ![](img/er16_annot.png)
 
 ---
@@ -129,36 +132,165 @@ void FuncER16(u16 *x, u16 *y, u16 k)
 
 * Variante von Differential Power Analysis (DPA)
 * Nutzt Pearson Correlation Coefficient (PCC)
-* **Bei Speck:** Korrelation zwischen Power-Trace und Key
+* **Bei Speck:** Korrelation zwischen Power-Trace und Rundenschlüssel
+* Vorgehen: 
+	- Modell erstellen
+	- Finden der Korrelationen im Modell
+	- Anwenden auf Hardware Implementierung
 
 ---
 
 # Theoretischer Angriff
 
 
+
 ---
 
+# Hamming Weight
 
+* Passendes Modell zum 'bewerten' des Stromverbrauchs
+* Chip hat ein gewissen Basisverbrauch (IDLE)
+* Werden Bytes im Chip verändert ($0 \rightarrow 1 ; 1 \rightarrow 0$) wird Strom benötigt
+* Verhalten kann durch die Hamming-Distanz simuliert werden
+* **Hamming Distanz:**  Anzahl der Veränderter Bits:
 
-# Speck - Modell
+$$HammingDistance(0100101, 0010101) = 2$$
 
+Der Unterschied zweier per XOR verknüpfter Daten, wird als Hamming-Gewicht bezeichnet:
+
+$$HammingDistance(0100101, 0010101) = HammingWeight(0100101 \oplus 0010101)$$
 
 ---
 
-# Hamming Weight
+
+# Speck - Modell
+
+* Einfaches Modell der Speck Verschlüsselung
+* Kann für die ersten 2 Byte des Rundenschlüssels genutzt werden:
+
+
+```Python
+def simple_speck(plaintext, key):
+    Ct_0 = (int(plaintext[1]) << 8) + int(plaintext[0]) # RIGHT Key
+    Ct_1 = (int(plaintext[3]) << 8) + int(plaintext[2]) # LEFT Key
+                                                
+    Ct_1, Ct_0 = ER16(Ct_1, Ct_0, key)     # Calculate Roundfunction
+	
+    return popcount((Ct_1 << 8) + Ct_0)    # Return Hamming Wight (aka Popcount)
+```
+
 
 ---
 
+
+# T-Test
+
+* Wird verwendet um _Leakage_ zu erkennen
+	- Gibt das Berechnen einer Chiffre mehr Information zurück als geplant: Leakage
+	- z.B. durch die Power Traces
+* Berechnet durch:
+
+![](img/ttest_calc.png)
+
+* Vergleicht zwei unabhängige Stichproben miteinander, und vergleicht Mittelwerte
+* Je unterschiedlicher die Mittelwerte $\rightarrow$ desto weniger Leakage
+ 
+--- 
+ 
 # T-Test
 
+* T-Test der aufgezeichneten Power-Traces:
+
+![](img/t_test_original.png)
+
 
 ---
 
 # Angriff
 
+1) Implementierung von Speck auf CW
+2) Aufzeichnen von X PowerTraces
+3) Berechnung des Software Modells
+4) Berechnen der Korrelationen zwischen Modell/Powertraces
+	1) Keybyte für Keybyte
+	2) Rückrechnen des Rundenschlüssels
+
+---
+
 
+# Korrelationen des ersten Keybytes
+
+* Correlationen des ersten Keybytes
+* Deutliches Maximum der Korrelation bei 0x11
+
+![](img/correlation_keybyte.png){width=550px}
 
 
+---
+
+# Problem: Blocksize
+
+* Bei **Speck1632:** Operationen nicht auf Byte sondern auf 16-Bit Ebene 
+* Erste Idee:  Modell und Korrelation auf $2^16$ Keys
+* $\rightarrow$ Zu langsam, Unschön
+* $\rightarrow$ Nicht möglich für andere Modis von Speck
+* **Lösung:** Modell funktioniert auch auf allen Teilbytes:
+
+```Python
+rightkey = 0x00
+for guess_key in range(256):
+	leftkey = model( (guess_key << 8) + righkey )
+
+for guess_key in range(256):
+	rightkey = model( (leftkey << 8) + guess_key )
+```
+
+* Auch umsetzbar auf Speck mit Blocksize > 16 Bit
+ 
+---
+
+# Problem: $n^{th}$ Keybytes
+
+* Modell kann nur für die ersten zwei Keybytes genutzt werden, da:
+
+```C
+for i in 0..<22
+    ER16(Ct[1], Ct[0], rk[i++])
+```
+
+* Die Rundenkeys zuvor müssen miteingeschlossen werden
+* Muss an der richtigen Stelle passieren ($\oplus$-Operation)
+
+---
+
+# Problem: $n^{th}$ Keybytes
+
+```Python
+ # -------------- for one key -----------------#
+    x = ((x << (16 - ALPHA)) + (x >> ALPHA)) & mod_mask           # x = ROR(x, 7)
+    x = (x + y) & mod_mask                                        # x = ADD(x, y)
+    
+    x = x ^ knownkey[0]   
+    
+    # -------------- for second key -----------------#
+    
+    y = ((y >> (16 - BETA)) + (y << BETA)) & mod_mask            # y = ROL(y, 2)
+    y = y ^ x                                                    # y = XOR(y, x)
+    x = ((x << (16 - ALPHA)) + (x >> ALPHA)) & mod_mask          # x = ROR(x, 7)
+    x = (x + y) & mod_mask                                       # x = ADD(x, y)
+    
+    x = x ^ knownkey[1]                                     	 # x = XOR(x, k) 
+	
+    # -------------- for third key -----------------#
+	# [...]
+```
+
+---
+
+# Korrelationen des ersten Keybytes
+
+![](img/traces.png){width=550px}
+
 ---
 
 # Gegenmaßnahmen
@@ -167,23 +299,74 @@ void FuncER16(u16 *x, u16 *y, u16 k)
 
 # Hiding
 
+* Verstecken des eigentlichen "Leakages" in Rauschen
+* $\rightarrow$ Erhöhung des vorhandenen Rauschens während der Berechnung
+* Mehrere Möglichkeiten
+	* Mischen der Instruction-Order
+	* **Hinzufügen von "Dummy Instructionen"**
+	* Clock Jitter
+
+
 ---
 
 # Hiding - Code
 
+* **Ansatz:** Korrelation kommt von `ER16()`
+	* XOR/Add/Rotate
+* Hinzufügen weitere RXA Operationen um Noice zu erhöhen
+* Ersetzen von jeder XOR Operatione mit folgender:
 
+```C
+uint16_t XOR(uint16_t a, uint16_t b, int random) {
+    uint8_t tmp = random ^ 0x5F;
+    tmp ^= (random ^ a);
+    tmp ^= (tmp ^ b);
+    tmp &= (tmp & a);
+    tmp &= (tmp & b);
+    return a ^ b;
+}
+
+```
+
+* Random wird bei jeder Verschlüsslung erneut generiert
 
 ---
 
 # Hiding - T-Test
 
+*  Ergebnisse des T-Tests mit implementierter Hiding Maßnahmen:
+
+![](img/t_test_hiding_random.png)
+
+* Bedarf weitere Analysen, Unterschied der beiden T-Tests sind nur Minimal
+* Keine Indikation dass Hiding funktioniert
+
 ---
 
 
-# Korrelationen
+# Korrelationen des ersten Keybytes
+
+* Besseres Ergbniss der Korrelationen bis 5000 Traces
+* Keine Korrelation sticht heraus
+
+![](img/corr_traces_hiding_5k.png){width=550px}
+
+
+---
+
+# Hiding Bypass
+
+* Korrelation sollte weiterhin möglich sein wenn man die Operationen in Betracht zieht
+* Schwierigkeit hängt am Zufallszahlengenerator
+* **Problem:** Sichere Zufallszahlen auf Embedded Chips ist nicht trivial
+
+$\rightarrow$ Bypass konnte **nicht** realisiert werden
 
 ---
 
 # Referenzen
 
+* [Improved Differential Cryptanalysis of Round-Reduced Speck](Improved Differential Cryptanalysis of Round-Reduced Speck)
+* [Breaking Speck cryptosystem using correlation power analysis attack](Breaking Speck cryptosystem using correlation power analysis attack)
+* [{Speck-R: An ultra light-weight cryptographic scheme for Internet of Things]({Speck-R: An ultra light-weight cryptographic scheme for Internet of Things)