[PPT] - Deep Learning For Embedded Security Evaluation Emmanuel PROUFF Joint PowerPoint Presentation

SLIDE 1

Deep Learning For Embedded Security Evaluation

Emmanuel PROUFF

Joint work with Ryad Benadjila, Eleonora Cagli (CEA LETI), C´

ecile Dumas (CEA LETI), Houssem Maghrebi (UL), Loic Masure (CEA LETI), Thibault Portigliatti (ex SAFRAN), R´ emi Strullu and Adrian Thillard

ANSSI (French Network and Information Security Agency)

June 17, 2019

June 2019, Summer School, ˇ Sibenik, Croatia| E. Prouff| 0/18

SLIDE 2

Probability distribution function (pdf) of Electromagnetic Emanations

Cryptographic Processing with a secret k = 1.

1/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 3

Probability distribution function (pdf) of Electromagnetic Emanations

Cryptographic Processing with a secret k = 1.

1/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 4

Probability distribution function (pdf) of Electromagnetic Emanations

Cryptographic Processing with a secret k = 2.

1/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 5

Probability distribution function (pdf) of Electromagnetic Emanations

Cryptographic Processing with a secret k = 3.

1/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 6

Probability distribution function (pdf) of Electromagnetic Emanations

Cryptographic Processing with a secret k = 4.

1/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 7

Context:

Target Device Clone Device

2/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 8

Context:

Target Device Clone Device

[On Clone Device] For every k estimate the pdf of − → X | K = k.

k = 4 k = 1 k = 2 k = 3

2/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 9

Context:

Target Device Clone Device

[On Clone Device] For every k estimate the pdf of − → X | K = k.

k = 4 k = 1 k = 2 k = 3

2/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 10

Context:

Target Device Clone Device

[On Clone Device] For every k estimate the pdf of − → X | K = k.

k = 4 k = 1 k = 2 k = 3

[On Target Device] Estimate the pdf of − → X. k = ?

2/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 11

Context:

Target Device Clone Device

[On Clone Device] For every k estimate the pdf of − → X | K = k.

k = 4 k = 1 k = 2 k = 3

[On Target Device] Estimate the pdf of − → X. k = ? [Key-recovery] Compare the pdf estimations.

2/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 12

Side Channel Attacks (Classical Approach)

Notations

X observation of the device behaviour

P public input of the processing Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X

3/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 13

Side Channel Attacks (Classical Approach)

Notations

X observation of the device behaviour

P public input of the processing Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

3/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 14

Side Channel Attacks (Classical Approach)

Notations

X observation of the device behaviour

P public input of the processing Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks

Profiling phase (using profiling traces under known Z) Attack phase (N attack traces xi, e.g. with known plaintexts pi)

Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ X = xi|Z = f(pi, k)]

3/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 15

Side Channel Attacks (Classical Approach)

Notations

X observation of the device behaviour

P public input of the processing Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks

Profiling phase (using profiling traces under known Z)

◮ estimate Pr[ X|Z = z] by simple distributions for each value of z

Attack phase (N attack traces xi, e.g. with known plaintexts pi)

Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ X = xi|Z = f(pi, k)]

3/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 16

Side Channel Attacks (Classical Approach)

Notations

X observation of the device behaviour

P public input of the processing Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks

Profiling phase (using profiling traces under known Z)

◮ estimate Pr[ X|Z = z] for each value of z

Attack phase (N attack traces xi, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ X = xi|Z = f(pi, k)]

3/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 17

Side Channel Attacks (Classical Approach)

Notations

X observation of the device behaviour

P public input of the processing Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks

Profiling phase (using profiling traces under known Z)

◮ mandatory dimensionality reduction ◮ estimate Pr[ X|Z = z] for each value of z

Attack phase (N attack traces xi, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ X = xi|Z = f(pi, k)]

3/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 18

Side Channel Attacks (Classical Approach)

Notations

X observation of the device behaviour

P public input of the processing Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks

Profiling phase (using profiling traces under known Z)

◮ manage de-synchronization problem ◮ mandatory dimensionality reduction ◮ estimate Pr[ε( ˜ X)|Z = z] for each value of z

Attack phase (N attack traces xi, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ε( ˜ X) = ε(˜ xi)|Z = f(pi, k)]

3/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 19

Defensive Mechanisms

+

Misaligning Countermeasures

Random Delays, Clock Jittering, ... In theory: assume to be insufficient to provide security In practice: one of the main issues for evaluators = ⇒ Need for efficient resynchronization techniques

4/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 20

Defensive Mechanisms

+

Misaligning Countermeasures

Random Delays, Clock Jittering, ... In theory: assume to be insufficient to provide security In practice: one of the main issues for evaluators = ⇒ Need for efficient resynchronization techniques

Masking Countermeasure

Each key-dependent internal state element is randomly split into 2 shares The crypto algorithm is adapted to always manipulate shares at = times The adversary needs to recover information on the two shares to recover K = ⇒ Need for efficient Methods to recover tuple of leakage samples that jointly depend on the target secret

4/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 21

Motivating Conclusions

5/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 22

Motivating Conclusions

Now: preprocessing to prepare data

◮ Traces resynchronisation ◮ Selection of PoIs

make strong hypotheses on the statistical dependency

◮ e.g. Gaussian approximation

characterization to extract information

◮ e.g. Maximum Likelihood

The proposed perspective: preprocessing to prepare data

◮ Traces resynchronisation ◮ Selection of PoIs

make strong hypotheses on the statistical dependency

◮ e.g. Gaussian approximation

Train algorithms to directly extract information

5/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 23

Side Channel Attacks

Notations

X side channel trace

Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks Machine Learning Side Channel Attacks

Profiling phase (using profiling traces under known Z)

◮ manage de-synchronization problem ◮ mandatory dimensionality reduction ◮ estimate Pr[ X|Z = z] for each value of z

Attack phase (N attack traces, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ X = xi|Z = f(pi, k)]

6/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 24

Side Channel Attacks with a Classifier

Notations

X side channel trace

Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks Machine Learning Side Channel Attacks

Profiling phase (using profiling traces under known Z)

◮ manage de-synchronization problem ◮ mandatory dimensionality reduction ◮ estimate Pr[ X|Z = z] for each value of z

Attack phase (N attack traces, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ X = xi|Z = f(pi, k)]

6/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 25

Side Channel Attacks with a Classifier

Notations

X side channel trace

Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks Machine Learning Side Channel Attacks

Training phase (using training traces under known Z)

◮ manage de-synchronization problem ◮ mandatory dimensionality reduction ◮ estimate Pr[ X|Z = z] for each value of z

Attack phase (N attack traces, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ X = xi|Z = f(pi, k)]

6/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 26

Side Channel Attacks with a Classifier

Notations

X side channel trace

Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks Machine Learning Side Channel Attacks

Training phase (using training traces under known Z)

◮ manage de-synchronization problem ◮ mandatory dimensionality reduction ◮ construct a classifier F s.t. F( x)[z] = y ≈ Pr[Z = z| X = x]

Attack phase (N attack traces, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log Pr[ X = xi|Z = f(pi, k)]

6/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 27

Side Channel Attacks with a Classifier

Notations

X side channel trace

Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks Machine Learning Side Channel Attacks

Training phase (using training traces under known Z)

◮ manage de-synchronization problem ◮ mandatory dimensionality reduction ◮ construct a classifier F s.t. F( x)[z] = y ≈ Pr[Z = z| X = x]

Attack phase (N attack traces, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log F( xi)[f(pi, k)]

6/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 28

Side Channel Attacks with a Classifier

Notations

X side channel trace

Z target (a cryptographic sensitive variable Z = f(P, K)) Goal: make inference over Z, observing X Pr[Z| X]

Template Attacks Machine Learning Side Channel Attacks

Training phase (using training traces under known Z)   Integrated approach

◮ manage de-synchronization problem ◮ mandatory dimensionality reduction ◮ construct a classifier F s.t. F( x)[z] = y ≈ Pr[Z = z| X = x]

Attack phase (N attack traces, e.g. with known plaintexts pi)

◮ Log-likelihood score for each key hypothesis k dk =

N

i=1

log F( xi)[f(pi, k)]

6/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 29

Machine Learning Approach

Overview of Machine Learning Methodology

Human effort: choose a class of algorithms choose a model to fit + tune hyper-parameters Automatic training: automatic tuning of trainable parameters to fit data aaa

7/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 30

Machine Learning Approach

Overview of Machine Learning Methodology

Human effort: choose a class of algorithms Neural Networks choose a model to fit + tune hyper-parameters Automatic training: automatic tuning of trainable parameters to fit data Stochastic Gradient Descent aaa

7/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 31

Machine Learning Approach

Overview of Machine Learning Methodology

Human effort: choose a class of algorithms Neural Networks choose a model to fit + tune hyper-parameters MLP, ConvNet Automatic training: automatic tuning of trainable parameters to fit data Stochastic Gradient Descent aaa

7/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 32

Machine Learning Approach

Overview of Machine Learning Methodology

Human effort: choose a class of algorithms Neural Networks choose a model to fit + tune hyper-parameters MLP, ConvNet Automatic training: automatic tuning of trainable parameters to fit data Stochastic Gradient Descent aaa

7/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 33

Convolutional Neural Networks

An answer to translation-invariance

0% 20% 40% 60% Classification Horse Dog Cat Classifier

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 34

Convolutional Neural Networks

An answer to translation-invariance

0% 20% 40% 60% Classification Horse Dog Cat Classifier

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 35

Convolutional Neural Networks

An answer to translation-invariance

0% 20% 40% 60% Classification Horse Dog Cat Classifier

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 36

Convolutional Neural Networks

An answer to translation-invariance

0% 20% 40% 60% Classification Horse Dog Cat Classifier

It is important to explicit the data translation-invariance

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 37

Convolutional Neural Networks

An answer to translation-invariance

0% 10% 20% 30% 40% 50% Classification Horse Dog Cat Classifier

? ? ?

It is important to explicit the data translation-invariance

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 38

Convolutional Neural Networks

An answer to translation-invariance

Classifier 0% 50% 100% P(Z|X=x) Z=1 Z=0 x

It is important to explicit the data translation-invariance

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 39

Convolutional Neural Networks

An answer to translation-invariance

Classifier 0% 50% 100% P(Z|X=x) Z=1 Z=0 x

It is important to explicit the data translation-invariance

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 40

Convolutional Neural Networks

An answer to translation-invariance

Classifier 0% 50% 100% P(Z|X=x) Z=1 Z=0 x

It is important to explicit the data translation-invariance

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 41

Convolutional Neural Networks

An answer to translation-invariance

Classifier 0% 50% 100% P(Z|X=x) Z=1 Z=0 x

It is important to explicit the data translation-invariance Convolutional Neural Networks: share weights across space

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 42

Convolutional Neural Networks

An answer to translation-invariance

Classifier 0% 50% 100% P(Z|X=x) Z=1 Z=0 x

It is important to explicit the data translation-invariance Convolutional Neural Networks: share weights across space

8/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 43

Basic Example

Figure: Convolutional filtering: W = 2, nfilter = 4, stride = 1, padding = same. Max pooling layer: W = stride = 3.

9/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

Input Trace Length = 9

4 2 7 8 2 8 2 4 9

Depth = 1

10 1 4 4 2 8 4 6

4 conv. filters

f size 2

Filtered Traces Depth= 4

58 76 52 70 28 34 24 32 84 24 40 44 36 66 40 56

Before Pooling Depth= 4

84 28 58

After Pooling Depth= 4

84

SLIDE 44

Example: masked manipulation of a sensitive datum Z

Figure: Deep Learning Behaviour Against Masked Datum

10/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

Z ⊕ R R Input Trace

7 7 1 1 4 7 6 1 5

Depth = 1

8 9 2 7 7 1 5 2

Filtered Traces Depth= 4

43 14 27 17 55 55 17 44 98 69 44 61 81 43 43 42

After Pooling Depth= 4

98 69 44 61 8 3 3 1 7 3 7 8 1 10 9 6

Filtered Traces Depth= 4

SLIDE 45

Example: masked manipulation of a sensitive datum Z

Figure: Deep Learning Behaviour Against Masked Datum

11/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

Input Trace Z ⊕ R R 9

1 10 1 2 4 5 10 1

Depth = 1

2 4 6 1 7 8 1 9

Filtered Traces Depth= 4

27 48 61 19 8010040 95 43 56 29 49 32 40 16 38

After Pooling Depth= 4

8010061 95 4 4 4 8 3 4 9 7 8 8 9 5

Filtered Traces Depth= 4

SLIDE 46

Example: masked manipulation of a sensitive datum Z

Figure: Deep Learning Behaviour Against Masked Datum

12/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

Input Trace Z ⊕ R R 3

7 6 6 9 2 10 1 3

Depth = 1

1 3 1 4 9 4 9 2

Filtered Traces Depth= 4

28 15 28 10 19 34 19 42 92 46 92 28 27 35 27 40

After Pooling Depth= 4

92 46 92 42 10 8 2 1 9 3 6 5 9 6 10 2

Filtered Traces Depth= 4

SLIDE 47

Training of Neural Networks

Trading Side-Channel Expertise for Deep Learning Expertise .... or huge computational power!

Training

13/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 48

Training of Neural Networks

Trading Side-Channel Expertise for Deep Learning Expertise .... or huge computational power!

Training

Aims at finding the parameters of the function modelling for the dependency btw the target value and the leakage.

13/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 49

Training of Neural Networks

Trading Side-Channel Expertise for Deep Learning Expertise .... or huge computational power!

Training

Aims at finding the parameters of the function modelling for the dependency btw the target value and the leakage. The search is done by solving a minimization problem with respect to some metric (aka loss function)

13/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 50

Training of Neural Networks

Trading Side-Channel Expertise for Deep Learning Expertise .... or huge computational power!

Training

Aims at finding the parameters of the function modelling for the dependency btw the target value and the leakage. The search is done by solving a minimization problem with respect to some metric (aka loss function) The training algorithm has itself some training hyper-parameters:

the number of iterations (aka epochs) of the minimization procedure, the number of input traces (aka batch) treated during a single iteration.

13/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 51

Training of Neural Networks

Trading Side-Channel Expertise for Deep Learning Expertise .... or huge computational power!

Training

Aims at finding the parameters of the function modelling for the dependency btw the target value and the leakage. The search is done by solving a minimization problem with respect to some metric (aka loss function) The training algorithm has itself some training hyper-parameters:

the number of iterations (aka epochs) of the minimization procedure, the number of input traces (aka batch) treated during a single iteration.

The trained model has architecture hyper-parameters:

the size of the layers, the nature of the layers, the number of layers, etc.

13/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 52

Training of Neural Networks

Trading Side-Channel Expertise for Deep Learning Expertise .... or huge computational power!

Training

Aims at finding the parameters of the function modelling for the dependency btw the target value and the leakage. The search is done by solving a minimization problem with respect to some metric (aka loss function) The training algorithm has itself some training hyper-parameters:

the number of iterations (aka epochs) of the minimization procedure, the number of input traces (aka batch) treated during a single iteration.

The trained model has architecture hyper-parameters:

the size of the layers, the nature of the layers, the number of layers, etc.

Tricky Points

Find sound hyper-parameters is the main issue in Deep Learning: this can be done thanks to a good understanding of the underlying structure of the data and/or access to important computational power.

13/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 53

Creation of an open database for Training and Testing

ANSSI recently publishes

source codes of secure implementations of AES128 for public 8-bit architectures (https://github.com/ANSSI-FR/secAES-ATmega8515)

◮ first version: 10-masking + processing in random order ◮ second version: affine masking + processing in random order (plus other minor tricks)

data-bases of electromagnetic leakages (https://github.com/ANSSI-FR/ASCAD) example scripts for the training and testing of models in SCA contexts

Goal

Enable fair and easy benchmarking Initiate discussions and exchanges on the application of DL to SCA Create a community of contributors on this subject

14/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 54

Comparisons with State-Of-the-Art Methods

15/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 55

Feedbacks & Open Issues

Feedbacks

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 56

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 57

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000 Model architectures are relatively complex (more than 10 layers)

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 58

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000 Model architectures are relatively complex (more than 10 layers) Data-bases for the training must be large

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 59

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000 Model architectures are relatively complex (more than 10 layers) Data-bases for the training must be large Require important processing capacities (several GPUs, RAM memory, etc.)

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 60

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000 Model architectures are relatively complex (more than 10 layers) Data-bases for the training must be large Require important processing capacities (several GPUs, RAM memory, etc.) Importance of cross-validation

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 61

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000 Model architectures are relatively complex (more than 10 layers) Data-bases for the training must be large Require important processing capacities (several GPUs, RAM memory, etc.) Importance of cross-validation

Open Issues

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 62

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000 Model architectures are relatively complex (more than 10 layers) Data-bases for the training must be large Require important processing capacities (several GPUs, RAM memory, etc.) Importance of cross-validation

Open Issues

Models are trained to recover manipulated values (e.g. sbox outputs) but not the key itself

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 63

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000 Model architectures are relatively complex (more than 10 layers) Data-bases for the training must be large Require important processing capacities (several GPUs, RAM memory, etc.) Importance of cross-validation

Open Issues

Models are trained to recover manipulated values (e.g. sbox outputs) but not the key itself Current loss functions measure the accuracy of pdf estimations but not the efficiency of the resulting attack

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 64

Feedbacks & Open Issues

Feedbacks

The number of epochs for the training is between 100 and 1000 Model architectures are relatively complex (more than 10 layers) Data-bases for the training must be large Require important processing capacities (several GPUs, RAM memory, etc.) Importance of cross-validation

Open Issues

Models are trained to recover manipulated values (e.g. sbox outputs) but not the key itself Current loss functions measure the accuracy of pdf estimations but not the efficiency of the resulting attack Adaptation to get (very) efficient key enumeration algorithms

16/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 65

Recent Results on DL for SCA Evaluation

DL for leakage identification after successful attack: HettwerGehrerG¨

uneysu2019, PerinEgeWoudenberg,MasureDumasProuff2019

Application to asymmetric cryptography running on defensive hardware:

CarboneConinCornelieDassanceDufresneDumasProuffVenelli2019

Various studies to explain the behaviour of deep learning analysis (and/or to improve it) in the context of side-channel attacks:

PicekHeuserJovicBhasinRegazzoni19, KimPicekHeuserBhasinHanjalic19, etc.

17/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 66

Conclusions

State-of-the-Art Template Attack separates resynchronization/dimensionality reduction from characterization

18/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 67

Conclusions

State-of-the-Art Template Attack separates resynchronization/dimensionality reduction from characterization Deep Learning provides an integrated approach to directly extract information from rough data (no preprocessing)

18/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 68

Conclusions

State-of-the-Art Template Attack separates resynchronization/dimensionality reduction from characterization Deep Learning provides an integrated approach to directly extract information from rough data (no preprocessing) Many recent results validate the practical interest of the Machine Learning approach

18/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 69

Conclusions

State-of-the-Art Template Attack separates resynchronization/dimensionality reduction from characterization Deep Learning provides an integrated approach to directly extract information from rough data (no preprocessing) Many recent results validate the practical interest of the Machine Learning approach We are in the very beginning and we are still discovering how much Deep Learning is efficient

18/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 70

Conclusions

State-of-the-Art Template Attack separates resynchronization/dimensionality reduction from characterization Deep Learning provides an integrated approach to directly extract information from rough data (no preprocessing) Many recent results validate the practical interest of the Machine Learning approach We are in the very beginning and we are still discovering how much Deep Learning is efficient New needs:

◮ big data-bases for the training, ◮ platforms to enable comparisons and benchmarking, ◮ create an open community ”ML for Embedded Security Analysis”, ◮ encourage exchanges with the Machine Learning community, ◮ understand the efficiency of the current countermeasures

18/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018

SLIDE 71

Conclusions

State-of-the-Art Template Attack separates resynchronization/dimensionality reduction from characterization Deep Learning provides an integrated approach to directly extract information from rough data (no preprocessing) Many recent results validate the practical interest of the Machine Learning approach We are in the very beginning and we are still discovering how much Deep Learning is efficient New needs:

◮ big data-bases for the training, ◮ platforms to enable comparisons and benchmarking, ◮ create an open community ”ML for Embedded Security Analysis”, ◮ encourage exchanges with the Machine Learning community, ◮ understand the efficiency of the current countermeasures

Thank You! Questions?

18/18 Emmanuel PROUFF - ANSSI / Invited Talk PANDA 2018