scalib.attacks.Cpa#

class scalib.attacks.Cpa(nc, kind, use_64bit=False)[source]#

Performs a Correlation Power Attacks (CPA) by computing the pearson correlation between the traces associated to a specific intermediate state and an arbitrary leakage model [BrierCO04] . The correlation metric is computed over a range of key guesses, such that the key value maximising the correlation absolute value is considered as the correct key guess.

The intermediate state \(y \in [0; nc[\) is modeled as a function of the value \(x \in [0; nc[\) and the key guess \(k_g \in [0; nc[\) such that \(y=\text{intermediate}(x, k_g)\). Currently, two intermediate functions are supported: the bitwise xor and the addition modulo nc.

The correlation metric between the leakages samples \(L_x\) and their models \(M_y\) is computed according to following equation:

\[\mathrm{\hat{\rho}(L_x;M_y)} = \dfrac{\hat{\text{cov}}\left( L_x;M_y\right)}{\hat{\sigma}_{L_x}\sigma_{M_y}}\]

where

\(\hat{\text{cov}}\left( L_x;M_y\right)\) :: is the unbiased estimation of the covariance between the leakage and the models,
\(\hat{\sigma}_{L_x}\) :: is the unbiased estimation of the leakages samples standard deviation.
\(\sigma_{M_y}\) :: is the exact value of the model standard deviation, computed over the exhaustive model distribution provided.

Parameters:

nc (int) – Number of possible values for the random variable \(X\) (e.g., 256 for 8-bit target). nc must be between \(2\) and \(2^{16}\) (included).
kind (scalib._scalib_ext.CpaIntermediateKind) – Addition function between key and label (Cpa.Xor, Cpa.Add).
use_64bit (bool (default False)) – Use 64 bits for intermediate sums instead of 32 bits. When using 64-bit sums, SNR can accumulate up to \(2^{32}\) traces, while when 32-bit sums are used, the bound is \(n_i < 2^{32}/b\), where b is the maximum absolute value of a sample rounded to the next power of 2, and \(n_i\) is the maximum number of times a variable can take a given value. Concretely, the total number of traces n should be at most \((nc \cdot 2^{32}/b) - k\) , where \(k = O(\sqrt{n})\), typ. \(k>=3*\sqrt{n}\) (see https://mathoverflow.net/a/273060).

Examples

>>> from scalib.attacks import Cpa
>>> import numpy as np
>>> # 500 traces of 200 points, 8-bit samples
>>> traces = np.random.randint(0,256,(500,200),dtype=np.int16)
>>> # 10 variables on 8 bit (256 classes = 2^8)
>>> x = np.random.randint(0,256,(500,10),dtype=np.uint16)
>>> cpa = Cpa(nc=256, kind=Cpa.Xor)
>>> cpa.fit_u(traces,x)
>>> hamming_weights = np.array([x.bit_count() for x in range(256)], dtype=np.float64)
>>> models = np.tile(hamming_weights[np.newaxis,:,np.newaxis], (10, 1, 200))
>>> cpa_val = cpa.get_correlation(models)

Notes

[BrierCO04]

“Correlation Power Analysis with a Leakage Model”, Eric Brier, Christophe Clavier, Francis Olivier, CHES 2004: 16-29

Methods

`fit_u`(traces, x)	Updates the CPA with samples of traces for the classes x.
`get_correlation`(models)	Compute the correlation metric for a given model, which gives the leakage value for each of the `ns` samples, for each value of the intermediate variable.

Attributes

`Add`
`IntermediateKind`
`Xor`

fit_u(traces, x)[source]#

Updates the CPA with samples of traces for the classes x. This method may be called multiple times.

Parameters:

traces (numpy.typing.NDArray.numpy.int16) – Array that contains the leakage traces. The array must be of dimension (n, ns).
x (numpy.typing.NDArray.numpy.uint16) – Labels for each trace. Must be of shape (n, nv).

get_correlation(models)[source]#

Compute the correlation metric for a given model, which gives the leakage value for each of the ns samples, for each value of the intermediate variable. The correlation is computed for possible key values.

Parameters:

models (numpy.typing.NDArray.numpy.float64) – Array that contains the leakage models. The array must be of shape (nv, nc, ns) and is formatted such that the element at location [i,j,k] is the leakage model for k-th leakage sample associated to the j-th class of the intermediate state for the i-th variable.

Returns:

Correlations as an array of shape (nv, nc, ns), such that the
element at location [i,j,k] is the correlation computed for the
k-th leakage sample of the i-th variable, under the assumption
that the key guess j is used.

Return type:

numpy.typing.NDArray.numpy.float64