cascada.primitives.aes_masked module

SMT-based experiments of A Low-Randomness Second-Order Masked AES.

To run, call find_best_key_schedule_characteristic or find_best_encryption_characteristic.

class cascada.primitives.aes_masked.SboxA(**kwargs)[source]

Bases: cascada.primitives.aes.SboxLut

Represent a generic S-box with the following absolute correlations:

  • zero -> zero: \(1\)

  • non-zero -> non-zero: \(2^{-3}\)

  • zero -> non-zero: \(2^{-3.8}\)

linear_model

alias of cascada.linear.opmodel.get_weak_model.<locals>.MyWeakModel

class cascada.primitives.aes_masked.SboxB(**kwargs)[source]

Bases: cascada.primitives.aes.SboxLut

Represent a generic S-box with the following absolute correlations:

  • zero -> zero: \(1\)

  • non-zero -> non-zero: \(2^{-2.6}\)

  • zero -> non-zero: \(2^{-4}\)

linear_model

alias of cascada.linear.opmodel.get_weak_model.<locals>.MyWeakModel

class cascada.primitives.aes_masked.SboxZeroWeight(**kwargs)[source]

Bases: cascada.primitives.aes.SboxLut

Represent a generic S-box with the following absolute correlations:

  • zero -> zero: 1

  • non-zero -> non-zero: 1

  • zero -> non-zero: 1

linear_model

alias of cascada.linear.opmodel.get_weak_model.<locals>.MyWeakModel

class cascada.primitives.aes_masked.AESMaskedKeySchedule(*args, **options)[source]

Bases: cascada.primitives.aes.AESKeySchedule

Key schedule of masked AES-128.

classmethod set_num_rounds(new_num_rounds)[source]

Set RoundBasedFunction.num_rounds and update input_widths and output_widths if necessary.

classmethod eval(*master_key)[source]

Evaluate the function (internal method).

cascada.primitives.aes_masked.get_key_schedule_constraints(ch_model, verbose=False, filename=None)[source]

Get the following initial constraints:

  • extra cells not active

  • (at most 2 adjacent cells in the last column of the input) OR (at most 1 row active in the input)

  • (at most 2 adjacent cells in the last column of the output) OR (at most 1 row active in the output)

cascada.primitives.aes_masked.find_best_key_schedule_characteristic(verbose=False)[source]

Find the best trail spanning eight rounds and activating 21 masked S-boxes, with total absolute correlation \(2^{−63.60}\).

>>> from cascada.primitives.aes_masked import find_best_key_schedule_characteristic
>>> found_ch = find_best_key_schedule_characteristic(verbose=False)
>>> print(found_ch.srepr())  
Ch(w=63.60, id=00 04 00 00 00 53 00 00 00 24 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00,
            od=00 04 00 00 00 53 00 00 00 24 00 00 00 72 00 00)
class cascada.primitives.aes_masked.AESMaskedEncryption(*args, **options)[source]

Bases: cascada.primitives.aes_like.AESLikeFunction

Encryption of masked AES-128.

mix_columns_bit_matrix

alias of cascada.primitives.aes.MixColumnsBitMatrix

classmethod eval(*plaintext)[source]

Evaluate the function (internal method).

cascada.primitives.aes_masked.get_encryption_constraints(ch_model, verbose=False, filename=None)[source]

Get the initial constraint ensuring exactly 1 cell active in the input and 1 cell active in the output.

cascada.primitives.aes_masked.find_best_encryption_characteristic(verbose=False)[source]

Find the best trail spanning 3 rounds and activating 21 masked S-boxes, with total absolute correlation \(2^{-51.60}\).

>>> from cascada.primitives.aes_masked import find_best_encryption_characteristic
>>> found_ch = find_best_encryption_characteristic(verbose=False)
>>> print(found_ch.srepr())  
Ch(w=52.20, id=00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00,
            od=00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00)