Try it like this... (I need to fix shift rows probably)

2019-07-14 03:27:39 +02:00
parent 3ff595e5e8
commit 5005e13a0b
3 changed files with 130 additions and 33 deletions
--- a/aes.cpp
+++ b/aes.cpp
@@ -23,7 +23,7 @@ const uint8_t AES::sbox[256] = {
 	0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
 	0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 };
-const uint8_t AES::inv_sbox[256] = {
+const uint8_t AES::r_sbox[256] = {
 	0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
 	0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
 	0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
@@ -41,8 +41,6 @@ const uint8_t AES::inv_sbox[256] = {
 	0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
 	0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d };
 const uint8_t AES::shiftrows_targets[16] = {0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12, 1, 6, 11};
 const uint8_t AES::rc[10] = {
 	0b00000001,
 	0b00000010,
@@ -82,6 +80,23 @@ void AES::encrypt_ecb(uint8_t data[16], const uint8_t key[16])
 	add_round_key(data, round_keys[10]);
 }
 void AES::decrypt_ecb(uint8_t data[16], const uint8_t key[16])
 {
 	uint8_t round_keys[11][16];
 	construct_round_keys(key, round_keys);
 	add_round_key(data, round_keys[10]);
 	r_shift_rows(data);
 	r_sub_bytes(data);
 	for (int r = 9;r > 0;r--)
 	{
 		add_round_key(data, round_keys[r]);
 		r_mix_columns(data);
 		r_shift_rows(data);
 		r_sub_bytes(data);
 	}
 	add_round_key(data, round_keys[0]);
 }
 void AES::add_round_key(uint8_t data_[16], const uint8_t key_[16])
 {
 	const uint32_t (&key)[4] = *reinterpret_cast<const uint32_t (*)[4]>(key_);
@@ -100,6 +115,14 @@ void AES::sub_bytes(uint8_t data[16])
 	}
 }
 void AES::r_sub_bytes(uint8_t data[16])
 {
 	for (int i = 0;i < 16;i++)
 	{
 		data[i] = r_sbox[data[i]];
 	}
 }
 #define SWAP(x, y, tmp) tmp = x; x = y; y = tmp
 void AES::shift_rows(uint8_t data[16])
@@ -120,6 +143,24 @@ void AES::shift_rows(uint8_t data[16])
 	data[3] = tmp;
 }
 void AES::r_shift_rows(uint8_t data[16])
 {
 	uint8_t tmp = data[13];
 	data[13] = data[9];
 	data[9] = data[5];
 	data[5] = data[1];
 	data[1] = tmp;
 	SWAP(data[2], data[10], tmp);
 	SWAP(data[6], data[14], tmp);
 	tmp = data[3];
 	data[3] = data[7];
 	data[7] = data[11];
 	data[11] = data[15];
 	data[15] = tmp;
 }
 #undef SWAP
 void AES::mix_columns(uint8_t data[16])
@@ -135,13 +176,27 @@ void AES::mix_columns(uint8_t data[16])
 	memcpy(data, data_new, 16);
 }
-void AES::mix_column(uint8_t data[4])
+void AES::r_mix_columns(uint8_t data[16])
 {
 	uint8_t data_new[16];
 	for (int i = 0;i < 4;i++)
 	{
 		data_new[i * 4 + 0] = gf_multE(data[i * 4 + 0]) ^ gf_multB(data[i * 4 + 1]) ^ gf_multD(data[i * 4 + 2]) ^ gf_mult9(data[i * 4 + 3]);
 		data_new[i * 4 + 1] = gf_mult9(data[i * 4 + 0]) ^ gf_multE(data[i * 4 + 1]) ^ gf_multB(data[i * 4 + 2]) ^ gf_multD(data[i * 4 + 3]);
 		data_new[i * 4 + 2] = gf_multD(data[i * 4 + 0]) ^ gf_mult9(data[i * 4 + 1]) ^ gf_multE(data[i * 4 + 2]) ^ gf_multB(data[i * 4 + 3]);
 		data_new[i * 4 + 3] = gf_multB(data[i * 4 + 0]) ^ gf_multD(data[i * 4 + 1]) ^ gf_mult9(data[i * 4 + 2]) ^ gf_multE(data[i * 4 + 3]);
 	}
 	mempcpy(data, data_new, 16);
 }
 void AES::r_mix_column(uint8_t data[4])
 {
 	const int i = 0;
 	uint8_t data_new[4];
-	data_new[0] = gf_mult2(data[0]) ^ gf_mult3(data[1]) ^ data[2] ^ data[3];
+	data_new[i * 4 + 0] = gf_multE(data[i * 4 + 0]) ^ gf_multB(data[i * 4 + 1]) ^ gf_multD(data[i * 4 + 2]) ^ gf_mult9(data[i * 4 + 3]);
-	data_new[1] = data[0] ^ gf_mult2(data[1]) ^ gf_mult3(data[2]) ^ data[3];
+	data_new[i * 4 + 1] = gf_mult9(data[i * 4 + 0]) ^ gf_multE(data[i * 4 + 1]) ^ gf_multB(data[i * 4 + 2]) ^ gf_multD(data[i * 4 + 3]);
-	data_new[2] = data[0] ^ data[1] ^ gf_mult2(data[2]) ^ gf_mult3(data[3]);
+	data_new[i * 4 + 2] = gf_multD(data[i * 4 + 0]) ^ gf_mult9(data[i * 4 + 1]) ^ gf_multE(data[i * 4 + 2]) ^ gf_multB(data[i * 4 + 3]);
-	data_new[3] = gf_mult3(data[0]) ^ data[1] ^ data[2] ^ gf_mult2(data[3]);
+	data_new[i * 4 + 3] = gf_multB(data[i * 4 + 0]) ^ gf_multD(data[i * 4 + 1]) ^ gf_mult9(data[i * 4 + 2]) ^ gf_multE(data[i * 4 + 3]);
 	memcpy(data, data_new, 4);
 }
@@ -196,3 +251,36 @@ uint8_t AES::gf_mult3(uint8_t value)
 {
 	return gf_mult2(value) ^ value;
 }
 uint8_t AES::gf_mult4(uint8_t value)
 {
 	return gf_mult2(gf_mult2(value));
 }
 uint8_t AES::gf_mult8(uint8_t value)
 {
 	return gf_mult2(gf_mult4(value));
 }
 uint8_t AES::gf_mult9(uint8_t value)
 {
 	return gf_mult8(value) ^ value;
 }
 uint8_t AES::gf_multB(uint8_t value)
 {
 	return gf_mult8(value) ^ gf_mult3(value);
 }
 uint8_t AES::gf_multD(uint8_t value)
 {
 	uint8_t gf4 = gf_mult4(value);
 	return gf_mult2(gf4) ^ gf4 ^ value;
 }
 uint8_t AES::gf_multE(uint8_t value)
 {
 	uint8_t gf2 = gf_mult2(value);
 	uint8_t gf4 = gf_mult2(gf2);
 	return gf_mult2(gf4) ^ gf4 ^ gf2;
 }
--- a/aes.hpp
+++ b/aes.hpp
@@ -6,23 +6,32 @@
 class AES
 {
 public:
 	static const uint8_t shiftrows_targets[16];
 	static const uint8_t sbox[256];
-	static const uint8_t inv_sbox[256];
+	static const uint8_t r_sbox[256];
 	static const uint8_t rc[10];
 	static const uint8_t irreducible_polynomial;
 	AES();
 	static void encrypt_ecb(uint8_t data[16], const uint8_t key[16]);
 	static void decrypt_ecb(uint8_t data[16], const uint8_t key[16]);
 	static void construct_round_keys(const uint8_t initial_key_[16], uint8_t round_keys_[11][16]);
 	static uint32_t roundkey_g(uint32_t last_roundkey, uint8_t round);
 	static void add_round_key(uint8_t data[16], const uint8_t key[16]);
 	static void shift_rows(uint8_t data[16]);
 	static void r_shift_rows(uint8_t data[16]);
 	static void sub_bytes(uint8_t data[16]);
 	static void r_sub_bytes(uint8_t data[16]);
 	static void mix_columns(uint8_t data[16]);
-	static void mix_column(uint8_t data[4]);
+	static void r_mix_columns(uint8_t data[16]);
 	static void r_mix_column(uint8_t data[4]);
 	static void print_data(uint8_t data[16]);
 	static uint8_t gf_mult2(uint8_t value);
 	static uint8_t gf_mult3(uint8_t value);
 	static uint8_t gf_mult4(uint8_t value);
 	static uint8_t gf_mult8(uint8_t value);
 	static uint8_t gf_mult9(uint8_t value);
 	static uint8_t gf_multB(uint8_t value);
 	static uint8_t gf_multD(uint8_t value);
 	static uint8_t gf_multE(uint8_t value);
 	static uint8_t gf_reduce(uint8_t value);
 };
--- a/main.cpp
+++ b/main.cpp
@@ -43,51 +43,50 @@ traces_vector_t load_traces()
 int main(int argc, char **argv)
 {
 	const int faultpos = 1;
 	traces_vector_t traces = load_traces();
 	aes_col_vector_t deltas = aes_col_vector_t(256, aes_col());
 	for (int i = 0;i < 256;i++)
 	{
 		deltas[i].column[faultpos] = i;
 		AES::mix_column(deltas[i].column);
 	}
 	aes_col key;
 	set<aes_col> candidates;
 	for (int i = 0;i < no_traces;i++)
 	{
 		trace current_master = traces[i];
 		AES::r_shift_rows(current_master.ciphertext);
 		AES::r_shift_rows(current_master.faultytext);
 		cout << i;
 		cout.flush();
 		set<aes_col> round_candidates;
 		for (int k0 = 0;k0 < 256;k0++)
 		{
 			key.column[0] = k0;
 			for (int k1 = 0;k1 < 256;k1++)
 			{
 				key.column[1] = k1;
 				for (int k2 = 0;k2 < 256;k2++)
 				{
 					key.column[2] = k2;
 					for (int k3 = 0;k3 < 256;k3++)
 					{
 						key.column[0] = k0;
 						key.column[1] = k1;
 						key.column[2] = k2;
 						key.column[3] = k3;
 						if (i > 0 && round_candidates.find(key) == round_candidates.end())
 							continue;
 						trace current = current_master;
 						aes_col diff;
 						trace current = traces[i];
 						AES::shift_rows(current.ciphertext);
 						AES::shift_rows(current.faultytext);
 						for (int j = 0;j < 4;j++)
 						{
-							current.ciphertext[j] = AES::inv_sbox[current.ciphertext[j] ^ key.column[j]];
+							current.ciphertext[j] = AES::r_sbox[current.ciphertext[j] ^ key.column[j]];
-							current.faultytext[j] = AES::inv_sbox[current.faultytext[j] ^ key.column[j]];
+							current.faultytext[j] = AES::r_sbox[current.faultytext[j] ^ key.column[j]];
 							diff.column[j] = current.ciphertext[j] ^ current.faultytext[j];
 						}
-						for (int delta = 0;delta < 256;delta++)
+						AES::r_mix_column(diff.column);
 						int zero_bytes = 0;
 						for (int j = 0;j < 4;j++)
 						{
-							if (diff == deltas[delta])
+							if (diff.column[i] == 0)
 								zero_bytes++;
 						}
 						if (zero_bytes >= 3)
 						{
 							round_candidates.insert(key);
 								break;
 							}
 						}
 					}
 				}
@@ -111,7 +110,8 @@ int main(int argc, char **argv)
 		}
 		else if (candidates.size() == 0)
 		{
-			cout << endl << "Error!" << endl;
+			cout << " -> " << candidates.size() << endl;
 			cout << "Error!" << endl;
 			break;
 		}
 		else