Lowering the Bar: Deep Learning for Side Channel Analysis. Guilherme Perin, Baris Ege, Jasper van December 4, 2018

Transcription

1 Lowering the Bar: Deep Learning for Side Channel Analysis Guilherme Perin, Baris Ege, Jasper van December 4,

2 Before Signal processing Leakage modeling 2

3 After 3

4 Helping security Implementation flaws Vulnerabilities Source of leakages Fixes / Improvement Activation paths Secure Product Faster certification Metrics 4

5 Power / EM side channel analysis 5

6 6

7 Power analysis Some crypto algorithm 7

8 Example (huge) leakage Data leakage Noise 8

9 Signal processing Raw trace Processed trace 9

10 Misalignment 10

11 AES-128 first round attack Unknown k 0 k 1 k 2 k 3 k 4 k 5 k 6 k 7 Known k 8 k 12 k 9 k 13 k 10 k 14 k 11 k 15 Leakage model, Power prediction i 0 i 1 i 2 i 3 x 0 x 1 x 2 x 3 s 0 s 1 s 2 s 3 i 4 i 8 i 5 i 9 i 6 i 10 i 7 i 11 x 4 x 8 x 5 x 9 x 6 x 10 x 7 x 11 S-BOX s 4 s 8 s 5 s 9 s 6 s 10 s 7 s 11 i 12 i 13 i 14 i 15 Key Addition x 12 x 13 x 14 x 15 s 12 s 13 s 14 s 15 11

12 Points of interest selection Correlation, T-test, Difference of Means Data leakage Noise Samples showing statistical dependency between intermediate (key-related) data and power consumption. 12

13 Concept of Template Analysis Ciphertext Keys Open Sample Measure Learn (Profiling) Phase Leakage Model Templates Input Fixed Key Closed Sample Measure Attack (Exploitation) Phase Input Analysis 13

14 Key Byte Rank Key recovery AES key bytes 0-15 Number of traces 14

15 The actual process Setup Analysis Acquisition Processing 15

16 Deep learning background 16

17 Deep Learning Data with labels cat cat cat dog dog dog 17

18 Deep Learning Data with labels machine Cat (%) Dog (%) Train a machine to classify these data Error function BACK-PROPAGATION ALGORITHM 18

19 Deep Learning Data with labels Trained Cat (%) machine Dog (%) Train a machine to classify these data Test the machine on new data 19

20 Deep Learning Data with labels Train a machine to classify these data Change parameters No Trained machine Machine = Deep Neural Network Cat Test the machine on new data Is classification accuracy good enough? Yes We are done! 20

21 Convolutional Neural Networks (CNNs) Input Layer (the size is equivalent to the number of samples) Output Layer (the size is equivalent to the number of classes) Conv. Layers (feature extractor + encoding) Dense Layers (classifiers) The convolutional layers are able to detect the features independently of their positions 21

22 Creating training/test/validation data sets features label samples HW = 5 samples HW = 7 samples HW = 3 samples HW = 4 Leakage model 22

23 Classification Trained Model Trace (samples) 0.02 HW = 4 HW = HW = Key enumeration using output probabilities (Bayes) HW = Softmax ( p i = 1) 23

24 Deep learning on side channels in practice 24

25 Step 1: Define initial hyper-parameters HW = 0 HW = 1 25

26 Step 2: Make sure it s capable of learning Increase the number of training traces and observe the training and validation accuracy Overfitting too fast? Training accuracy: 100% Validation accuracy: low Neural network is too big for the number of traces and samples 26

27 Step 3: Make it generalize Make sure the training accuracy/recall is increasing NN is learning from its training set Validation recall stays above the minimum threshold value = model is generalizing = 1/9 (9 is the number of classes HW of a byte) 27

28 Step 3: Make it generalize Regularization techniques: x 2 x 2 x 2 L1, L2 (penalty applied to the weights) Dropout Data Augmentation (+traces) Early Stopping x 1 x 1 Linear Separation Good Regularization Overfitting Low Training Accuracy Low Validation Accuracy Good Training Accuracy Good Validation Accuracy x 1 High Training Accuracy Low Validation Accuracy 28

29 Key Byte Rank Step 4: Key Recovery In this analysis, we only need slightly-above coin flip accuracy! Number of traces 29

30 Getting keys from the thingz! 30

31 Piñata AES-128 with misalignment 31

32 Key Byte Rank Bypassing Misalignment with CNNs Neural Network: Input Layer > ConvLayer > 36 > 36 > 36 > Output Layer Training/validation/test sets: 90000/5000/5000 traces of 500 samples Leakage Model: HW of S-Box Out (Round 1) 9 classes Use Data Augmentation as regularization technique to improve generalization Results for key byte 0: Number of traces 32

33 Breaking protected ECC on Piñata Supervised deep learning attack: - Curve25519, Montgomery ladder, scalar blinding - Messy signal - Brute-force methods for ECC are needed if test accuracy < 100% - Need to get (almost) all bits from one trace! 33

34 Breaking protected ECC Misaligned traces Unsupervised/Supervised Horizontal Attack: 60% success rate Deep learning: 90% success rate Deep learning( + data augmentation): 99.4% success rate Data augmentation: 25k 200k traces. Input (4000) 3 Conv Layers (10 filters) 4 Dense Layers (100 Neurons) Output (2 Classes) RELU TANH SOFTMAX 34

35 Breaking AES with First-Order Masking Target published in 2013 ( 40k traces available AES-256 (Atmel ATMega-163 smart card) Countermeasure: Rotating S-box Masking (RSM) 35

36 How does DPA contest V4 masking work? Masking is expensive in performance and memory Rotating mask helps by pre-computing masked S-boxes 36

37 Second order attack on masked implementations XM 1 XM 2 X 1 X 2 Y 1 Y 2 We cannot predict YM j, but we can predict Y j We cannot measure Y j, but we can measure YM j YM 1 = M (i+1) Y 1 YM 2 = M (i+1) Y 2 YM 1 YM 2 YM 1 YM 2 = Y 1 Y 2 By measuring two S-box output leakage points (YM 1 and YM 2 ), and subtracting their values, we get a value that corresponds to the leakage of Y 1 Y 2 second order attack Cost: Must know or guess position of YM j leakage Attacking two S boxes 2 sub keys quadratic complexity 37

38 Breaking AES with First-Order Masking Neural Network: Input Layer > ConvLayer > 50 > 50 > 50 > Output Layer Training/validation/test sets: 36000/2000/2000 traces Leakage Model: HW of S-Box Out (Round 1) 9 classes Results for key byte 0: The processing of 8 traces is sufficient to recover the key 1/9 38

39 1 st cool thing DL is up there with dozens of SCA research teams 39

40 2 nd cool thing This shouldn t work why? 40

41 Identifying leakage 41

42 Where is the leak? Correlation Analysis Correlation Template Analysis POI Deep Learning Visualization Techniques? 42

43 Visualization Object detection in images Visualizing what neural networks learn from input data (proposed by Keras creator): Observe effect of occlusion (input blocking) Create heat maps of class activations Something else (1%). Elephant (99%). Something else (80%). Elephant (20%). Feature location 43

44 Activation path (illustration) Input Data Conv. Pooling Conv. Pooling Feature Map Dense Layers Output HW = 5 Feature Extraction + Dimensionality Reduction Feature Combination + Classification 44

45 Our method Input Data Conv. Pooling Conv. Pooling Feature Map Dense Layers Output HW = 5 Feature Extraction + Dimensionality Reduction Feature Combination + Classification 45

46 Results (unprotected target) Raw trace T-test (first round key byte) CPA succeeds CPA fails Our visualization method 46

47 Digging deeper 47

48 Leakage Assessment (White-box) 40k Traces HW (Masked S-Box Out) ID (Masked S-Box Out) HW (S-Box Out) ID (S-Box Out) 48

49 Visualize the learned features (CNN) Validation accuracy: Key Byte 0 rank: 16 Leaking section 49

50 Optimized results / / Overfitting Very small generalization Select leaking section No Overfitting Significant generalization Key byte 0 found (rank 1) after: 9 traces! Helping DL by sample selection improves quality 50

51 Actual (HW) Actual (HW) Confusion Matrix Predicted (HW) Ideal (when we have high accuracy) Predicted (HW) Expected Predicted HW 0 HW 2, HW 4, HW6 HW 1 HW 3, HW 5 HW 2 HW 2, HW 4, HW6 HW 3 HW 3, HW 5 HW 4 HW 2, HW 4, HW6 HW 5 HW 3, HW 5 HW 6 HW 2, HW 4, HW6 HW 7 HW 3, HW 5 HW 8 HW 2, HW 4, HW6 Imperfect leakage, but good enough 51

52 Wrapping up 52

53 Thoughts on Spectre & friends Spectre relies on 1d measurement: time Plain old statistics probably better than DL Speculation: DL could be useful for an attacker that combines multiple micro-architectural side channels 53

54 Key takeaways If SCA is a concern, DL can exploit and identify leakage DL does SCA art + science and scales DL still requires humans, the bar is low, not yet at 0 More automation needed to put a dent in insecurity 54

55 I want to learn more!? By Colin & Jasper Deeplearningbook.org riscure.com/training bookstores nostarch 55

56 References S. Haykin, Neural Networks and Learning Machines. E. Cagli et al, Breaking Cryptographic Implementations Using Deep Learning Benadjila et al, Study of Deep Learning Techniques for Side-Channel Analysis and Introduction to ADCAD Database H. Maghrebi et al, Convolutional Neural Networks with Data Augmentation Against Jitter-Based Countermeasures Zhang et al, Understanding deep learning requires re-thinking generalization Keskar et al, On Large-Batch Training for Deep Learning: Generalization Gap and Sharp Minima, Shwartz and Tishby, Opening the black-box of Deep Learning via Information, 56

57 Riscure B.V. Frontier Building, Delftechpark XJ Delft The Netherlands Phone: Riscure North America 550 Kearny St., Suite 330 San Francisco, CA USA Phone: Riscure China Room , No. 989, Changle Road, Shanghai China Phone: Challenge your 57