I have a target where I know the algorithm of the “hash” function but not the table containing secret values.
The algorithm looks like this:
table1[16] = {
0x58, 0x6B, 0x4D, 0x05, 0xB0, 0x69, 0x83, 0x16,
0xA6, 0x48, 0xDE, 0x5E, 0x0B, 0xAA, 0x49, 0xA9
};
table2[16] = {
0xC6, 0xE5, 0x93, 0x1A, 0xBE, 0x56, 0x73, 0x20,
0xFB, 0xF8, 0xCA, 0x08, 0x34, 0x29, 0x8A, 0x9B
};
void hash(uint8_t input_byte)
{
uint8_t b, c;
// initial output buffer state
uint8_t output[8] = { 0,0,0,0,0,0,0,0 };
for(int i = 0; i < 7; i++)
{
output[i] ^= input_byte;
b = table1[(output[i] >> 4)]; // point of attack?
c = table2[(output[i] & 0xF)]; // point of attack?
c = ~(c + b);
c = _rotate_left(c) + input_byte;
c = _rotate_left(c);
c = _swap_nibbles(c);
output[i+1] ^= c;
}
}
As you can see, it’s a rather primitive spin-your-own crypto hash function. I am looking for points of attack to get the values of table1 and table2.
I don’t think I can use the final output as the values from table1 and table2 are added together and rolled over in case of unsigned integer overflow. Many different values can result in the same output of c + b. I also don’t think that I can attack any iteration other than the first one, since the input is XORed with the last output and I cannot figure out what the output would be.
By attacking the first iteration where variables b and c are assigned (commented with point of attack? in the listing above), I could iterate the first input byte from 00 to FF and work out what the HW of output values of tables 1 and 2 are. High nibble of the input would target table1 and low nibble would target table2.
Would this work? Would the assignment of the variables cause a variation in power consumption. I am assuming that within the chip, it would be loading that value from a table in ROM/EEPROM into a register.
And would I be able to use the built in CPA attack algo to do the analysis or would I need to spin my own (a bit like here)?