# Speck Analysis Notebook

The following block initializes the chipwhisperer, as always

In [1]:
import chipwhisperer as cw
import time



In [2]:
# Path to the Speck .hex file for reflashing
PATH="/home/msc/documents/obsidian_notes/master-aits/subjects/implementation_attacks_and_countermeasures/praktikum/speck_cpa_cw/cw_firmware/simple-speck-CWLITEARM.hex"

In [269]:
scope.dis()

True

In [3]:
def flash(scope, prog):
    cw.program_target(scope, prog, PATH)

def reset_target(scope):
    scope.io.nrst = 'low'
    time.sleep(0.05)
    scope.io.nrst = 'high_z'
    time.sleep(0.05)

try:
    if not scope.connectStatus:
        scope.con()
except NameError:
    scope = cw.scope()

try:
    target = cw.target(scope)
except IOError:
    print("INFO: Caught exception on reconnecting to target - attempting to reconnect to scope first.")
    print("INFO: This is a work-around when USB has died without Python knowing. Ignore errors above this line.")
    scope = cw.scope()
    target = cw.target(scope)

print("INFO: Found ChipWhispereršŸ˜")

prog = cw.programmers.STM32FProgrammer
time.sleep(0.05)
scope.default_setup()

INFO: Found ChipWhispereršŸ˜


**Reset the target if required:**

In [4]:
reset_target(scope)

**Reflash the target if required:**

In [5]:
flash(scope, prog)

Detected known STMF32: STM32F302xB(C)/303xB(C)
Extended erase (0x44), this can take ten seconds or more
Attempting to program 5431 bytes at 0x8000000
STM32F Programming flash...
STM32F Reading flash...
Verified flash OK, 5431 bytes


**Set an encryption key:**

In [6]:
# 32 bytes of encryption key
#encryption_key = b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"

# 8 byte encryption key
encryption_key = b"\x11\x22\x33\x44\x55\x66\x77\x88"
if len(encryption_key) == 8:
    target.simpleserial_write("s", encryption_key)

**Get the encryption key:**

In [7]:
target.simpleserial_write("k", b'\x00'*4)
print(target.simpleserial_read("o", 8))

CWbytearray(b'11 22 33 44 55 66 77 88')


**Encrypt a 4-byte block:**

In [8]:
#pt = b"\x70\x6f\x6f\x6e\x65\x72\x2e\x20\x49\x6e\x20\x74\x68\x6f\x73\x65"
pt = b"\x4c\x69\x74\x65"
target.simpleserial_write("e", pt)
print(target.simpleserial_read("c", 4))

CWbytearray(b'5d 7c 46 6d')


## Capturing the Data

The following code snippet traces the encryption process with random plaintetext 2000 times

In [9]:
from tqdm.notebook import trange
import random
import numpy as np

ktp = cw.ktp.Basic()
trace_array = []
textin_array = []

pt = b"\x4c\x69\x74\x65" 
random.seed(0x5222223) 


N = 2250
for i in trange(N, desc='Capturing traces'):
    pt = bytes([random.randint(0, 255) for i in range(4)])
    scope.arm()
    
    
    target.simpleserial_write('e', pt)
    
    ret = scope.capture()
    if ret:
        print("Target timed out!")
        continue
    
    response = target.simpleserial_read('c', 4)
    
    trace_array.append(scope.get_last_trace())
    textin_array.append(pt)

    
trace_array = np.array(trace_array)

Capturing traces:   0%|          | 0/2250 [00:00<?, ?it/s]

## Plotting the Data

In [225]:
%matplotlib notebook
import matplotlib.pylab as plt
plt.figure()
plt.plot(trace_array[2], 'r')
#plt.plot(trace_array[4], 'g')
plt.show()

<IPython.core.display.Javascript object>

# Hamming Weight and Speck Model

In [10]:
#Hamming Weight
HW = [bin(n).count("1") for n in range(0, 256)]
def popcount(x):
    x -= (x >> 1) & 0x5555555555555555
    x = (x & 0x3333333333333333) + ((x >> 2) & 0x3333333333333333)
    x = (x + (x >> 4)) & 0x0f0f0f0f0f0f0f0f
    return ((x * 0x0101010101010101) & 0xffffffffffffffff ) >> 56

### Further functions for Pearson

In [11]:
def mean(X):
    return np.sum(X, axis=0)/len(X)

def std_dev(X, X_bar):
    return np.sqrt(np.sum((X-X_bar)**2, axis=0))

def cov(X, X_bar, Y, Y_bar):
    return np.sum((X-X_bar)*(Y-Y_bar), axis=0)

## The Speck Simulation

The following Code calculates the basic Speck encryption routine (one xor):

In [12]:
import math

NUM_ROUNDS = 22
BLOCK_SIZE = 32
KEY_SIZE = 64
WORD_SIZE = 16


# SHIFTs for SPECK
ALPHA = 7
BETA = 2

mod_mask = (2 ** WORD_SIZE) -1
mod_mask_sub = (2 ** WORD_SIZE)

def ER16(x, y, k):

    rs_x = ((x << (16 - ALPHA)) + (x >> ALPHA)) & mod_mask

    add_sxy = (rs_x + y) & mod_mask

    new_x = k ^ add_sxy

    ls_y = ((y >> (16 - BETA)) + (y << BETA)) & mod_mask

    new_y = new_x ^ ls_y

    return new_x, new_y



def simple_speck(plaintext, key):
    Ct_0 = (int(plaintext[1]) << 8) + int(plaintext[0])
    Ct_1 = (int(plaintext[3]) << 8) + int(plaintext[2])
                                                
    
    Ct_1, Ct_0 = ER16(Ct_1, Ct_0, key)   # fixed 16 bit key of 0x55
    return popcount((Ct_1 << 8) + Ct_0)

def PowerRightHalfKey(plaintext, key):
    pt2 = (int(plaintext[1]) << 8) + int(plaintext[0])
    pt1 = (int(plaintext[3]) << 8) + int(plaintext[2])
    
    temp = ((pt1 << (16 - ALPHA)) + (pt1 >> ALPHA)) & mod_mask
    p1 = (temp + pt2) & mod_mask
    intermediate = ((p1 >> 8 )& 0xFF) ^ key
    
    return popcount(intermediate)


def PowerLeftHalfKey(plaintext, key):
    pt2 = (int(plaintext[1]) << 8) + int(plaintext[0])
    pt1 = (int(plaintext[3]) << 8) + int(plaintext[2])
    
    temp = ((pt1 << (16 - ALPHA)) + (pt1 >> ALPHA)) & mod_mask
    p1 = (temp + pt2) & mod_mask
    
    r1 = p1 ^ 0x2211
    
    temp = ((pt2 >> (16 - BETA)) + (pt2 << BETA)) & mod_mask
    s1 = temp ^ r1
    temp = ((r1 << (16 - ALPHA)) + (r1 >> ALPHA)) & mod_mask
    p2 = (temp + s1) & mod_mask
    intermediate = (p2 & 0xFF) ^ key
    
    return popcount(intermediate)
    

def simple_speck_partial(plaintext, key, knownkey):
    Ct_0 = (int(plaintext[1]) << 8) + int(plaintext[0])
    Ct_1 = (int(plaintext[3]) << 8) + int(plaintext[2])
                                                
    Ct_1, Ct_0 = ER16(Ct_1, Ct_0, knownkey)
    

    Ct_1, Ct_0 = ER16(Ct_1, Ct_0, key)   # fixed 16 bit key of 0x55
    return popcount((Ct_1 << 8) + Ct_0)


def speck_keyschedule(plaintext, key, known_keys):
    Ct_0 = (int(plaintext[1]) << 8) + int(plaintext[0])
    Ct_1 = (int(plaintext[3]) << 8) + int(plaintext[2])
    
    for known_key in known_keys:
        Ct_1, Ct_0 = ER16(Ct_1, Ct_0, known_key)    

    Ct_1, Ct_0 = ER16(Ct_1, Ct_0, key)   # fixed 16 bit key of 0x55
    return popcount((Ct_1 << 8) + Ct_0)


def speck_keyschedule_model(last_keybyte, key_guess):
    D = 0x00
    C = 0x00
    B = 0x00
    A = last_keybyte
    '''
    u16 i,D=K[3],C=K[2],B=K[1],A=K[0];

    rk[i]=A; ER16(B,A,i++);
    rk[i]=A; ER16(C,A,i++);
    rk[i]=A; ER16(D,A,i++);
    '''
    key_guess, last_keybyte = ER16(key_guess, last_keybyte, key)
    
    return popcount((key_guess << 8) + last_keybyte)
    
    
    

In [13]:
simple_speck(b'\xf5\xf9\xa97', 0x1)

9

## This Methods works for calculating the correct key from the Power-Trace

For the following C-Implementation, the function `calc_mean_from_trace()` seems to gather the correct key from the trace:

```C
u16 i;
Ct[0]=Pt[0]; Ct[1]=Pt[1];

for(i=0;i<22; i++) {
    ER16(Ct[1],Ct[0],0x69);
}

```

This also works for 2-byte keys:

```C
ER16(Ct[1],Ct[0],0xdead);
```

In [14]:
from tqdm import tnrange


def calc_mean_from_trace(traces, plaintexts):

    maxcpa = [0] * 256

    t_bar = mean(traces) 
    o_t = std_dev(traces, t_bar)

    for key in range(0, 256):
        
        hws = np.array([[simple_speck(textin, (key << 8) + 0x00) for textin in textin_array]]).transpose()
        
        # The following line works for a one byte key
        #hws = np.array([[simple_speck(textin, key) for textin in textin_array]]).transpose()
        

        hws_bar = mean(hws)
        o_hws = std_dev(hws, hws_bar)
        correlation = cov(traces, t_bar, hws, hws_bar)
        cpaoutput = correlation/(o_t*o_hws)
        maxcpa[key] = max(abs(cpaoutput))
    
    plt.figure()
    plt.plot(maxcpa, 'orange')
    plt.show()
    guess = np.argmax(maxcpa)
    print(f"Key guess: (xored with) = ", hex(guess))
    return guess



In [87]:
calc_mean_from_trace(trace_array, textin_array)

<IPython.core.display.Javascript object>

Key guess: (xored with) =  0x22


34

In [15]:
def calc_mean_from_trace_two_byte_key(traces, plaintexts):

    maxcpa = [0] * 256

    t_bar = mean(traces) 
    o_t = std_dev(traces, t_bar)
    
    for key in range(0, 256):
        
        hws = np.array([[simple_speck(textin, (key << 8) + 0x00) for textin in textin_array]]).transpose()


        hws_bar = mean(hws)
        o_hws = std_dev(hws, hws_bar)
        correlation = cov(traces, t_bar, hws, hws_bar)
        cpaoutput = correlation/(o_t*o_hws)
        maxcpa[key] = max(abs(cpaoutput))

    rkey_byte = int(np.argmax(maxcpa))
    # Reset the arrays
    maxcpa = [0] * 256

    t_bar = mean(traces) 
    o_t = std_dev(traces, t_bar)
    print(f"Key guess (RKey): (xored with) = ", hex(rkey_byte))
    
    for key in range(0, 256):
        
        hws = np.array([[simple_speck(textin, (rkey_byte << 8) + key) for textin in textin_array]]).transpose()

        hws_bar = mean(hws)
        o_hws = std_dev(hws, hws_bar)
        correlation = cov(traces, t_bar, hws, hws_bar)
        cpaoutput = correlation/(o_t*o_hws)
        maxcpa[key] = max(abs(cpaoutput))

    lkey_byte = np.argmax(maxcpa)
    print(f"Key guess (RKey): (xored with) = ", hex(lkey_byte))
    print(f"Full Key = ", hex((rkey_byte << 8) +lkey_byte))
   

In [156]:
calc_mean_from_trace_two_byte_key(trace_array, textin_array)

Key guess (RKey): (xored with) =  0x22
Key guess (RKey): (xored with) =  0x11
Full Key =  0x2211


<IPython.core.display.Javascript object>

## Testing

In [91]:
from tqdm import tnrange


def get_keybyte(traces):

    maxcpa = [0] * 256

    t_bar = mean(traces) 
    o_t = std_dev(traces, t_bar)

    for key in range(0, 256):
        
        hws = np.array([[PowerRightHalfKey(textin, key) for textin in textin_array]]).transpose()
        
        # The following line works for a one byte key
        #hws = np.array([[simple_speck(textin, key) for textin in textin_array]]).transpose()
        

        hws_bar = mean(hws)
        o_hws = std_dev(hws, hws_bar)
        correlation = cov(traces, t_bar, hws, hws_bar)
        cpaoutput = correlation/(o_t*o_hws)
        maxcpa[key] = max(abs(cpaoutput))
    
    plt.figure()
    plt.plot(maxcpa, 'orange')
    plt.show()
    guess = np.argmax(maxcpa)
    print(f"Key guess: (xored with) = ", hex(guess))
    return guess



In [92]:
get_keybyte(trace_array)

<IPython.core.display.Javascript object>

Key guess: (xored with) =  0x22


34

In [177]:
from tqdm import tnrange


def get_keybytel(traces):

    maxcpa = [0] * 256

    t_bar = mean(traces) 
    o_t = std_dev(traces, t_bar)

    for key in range(0, 256):
        
        hws = np.array([[speck_keyschedule(textin, (0x00 << 8) + key, [0x2211, 0x00dd, 0xa8dc]) for textin in textin_array]]).transpose()
        
        # The following line works for a one byte key
        #hws = np.array([[simple_speck(textin, key) for textin in textin_array]]).transpose()
        

        hws_bar = mean(hws)
        o_hws = std_dev(hws, hws_bar)
        correlation = cov(traces, t_bar, hws, hws_bar)
        cpaoutput = correlation/(o_t*o_hws)
        maxcpa[key] = max(abs(cpaoutput))
    
    plt.figure()
    plt.plot(maxcpa, 'orange')
    plt.show()
    guess = np.argmax(maxcpa)
    second = np.argsort(maxcpa, axis=0)[-2]
    print(f"Key guess: (xored with) = ", hex(guess))
    return maxcpa


In [179]:
cpa2 = get_keybytel(trace_array)

<IPython.core.display.Javascript object>

Key guess: (xored with) =  0x9c


## The following functions receives a new roundkey each

In [16]:
def recv_roundkey(traces, roundkeys):

    maxcpa = [0] * 256

    t_bar = mean(traces) 
    o_t = std_dev(traces, t_bar)
    
    for key in range(0, 256):
        
        hws = np.array([[speck_keyschedule(textin, (0x00 << 8) + key, roundkeys) for textin in textin_array]]).transpose()


        hws_bar = mean(hws)
        o_hws = std_dev(hws, hws_bar)
        correlation = cov(traces, t_bar, hws, hws_bar)
        cpaoutput = correlation/(o_t*o_hws)
        maxcpa[key] = max(abs(cpaoutput))

    rkey_byte = int(np.argmax(maxcpa))
    # Reset the arrays
    maxcpa = [0] * 256

    t_bar = mean(traces) 
    o_t = std_dev(traces, t_bar)
    print(f"Key guess (RKey): (xored with) = ", hex(rkey_byte))
    
    for key in range(0, 256):
        
        hws = np.array([[speck_keyschedule(textin, (key << 8) + rkey_byte, roundkeys) for textin in textin_array]]).transpose()

        hws_bar = mean(hws)
        o_hws = std_dev(hws, hws_bar)
        correlation = cov(traces, t_bar, hws, hws_bar)
        cpaoutput = correlation/(o_t*o_hws)
        maxcpa[key] = max(abs(cpaoutput))

    lkey_byte = np.argmax(maxcpa)
    print(f"Key guess (RKey): (xored with) = ", hex(lkey_byte))
    print(f"Full Key = ", hex((lkey_byte << 8) +rkey_byte))
    return int((lkey_byte << 8) +rkey_byte)
   

In [17]:

def get_roundkey(firstkey):
    initial_key = [firstkey]
    
    for i in range(4):
        next_rk = recv_roundkey(trace_array, initial_key)
        initial_key.append(next_rk)
    print([hex(k) for k in initial_key])
    return initial_key

In [18]:
get_roundkey(0x2211)

Key guess (RKey): (xored with) =  0xdd
Key guess (RKey): (xored with) =  0x1
Full Key =  0x1dd
Key guess (RKey): (xored with) =  0x25
Key guess (RKey): (xored with) =  0x57
Full Key =  0x5725


KeyboardInterrupt: 

In [245]:
def get_key_from_roundkey(roundkey):
    if len(roundkey) != 5:
        raise Exception("Wrong length of roundkey")
    key = [roundkey[0]]
    for i in range(4):
        for keybyte in range(2**16):
            _, out = ER16(keybyte, known_keys[i], i)
            if out == roundkey[i+1]:
                key.append(keybyte)
                print(f"Found: {hex(keybyte)}")
    return [hex(k) for k in key]

In [213]:
known_keys = [0x2211, 0x00dd, 0xa8dc, 0x349c, 0xb5de]

In [214]:
get_key_from_roundkey(known_keys)

Found: 0x4433
Found: 0x6655
Found: 0x8877
Found: 0x8899


['0x2211', '0x4433', '0x6655', '0x8877', '0x8899']

In [246]:
get_key_from_roundkey([8721, 221, 43228, 51811, 18653])

Found: 0x4433
Found: 0x6655
Found: 0x1be0
Found: 0x933


['0x2211', '0x4433', '0x6655', '0x1be0', '0x933']