Deep Learning Side-Channel Attacks on Advanced Encryption Standard
KTH, School of Electrical Engineering and Computer Science (EECS), Electrical Engineering, Electronics and Embedded systems, Electronic and embedded systems.
ORCID iD: 0000-0001-9630-5869
2023 (English) Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Side-channel attacks (SCAs) have become one of the most realistic threats to implementations of cryptographic algorithms. By exploiting secondary, unintended physical leakage, such as the varying amount of power a device consumes while executing the cryptographic algorithm, SCAs bypass the theoretical strength of the cryptography and extract the secret key. A compromised cryptographic implementation can lead to a complete loss of information security.

Recently, with advances in deep learning, SCAs have found a powerful ally. A well-trained deep-learning model can make the attack several-fold more efficient than traditional SCAs. It is therefore important to understand the capabilities and limitations of deep-learning side-channel attacks (DLSCAs) in order to design trustworthy countermeasures in the future.

To that end, we investigate to what extent DLSCAs can compromise implementations of the Advanced Encryption Standard (AES) in different attack scenarios, AES being the most widely used symmetric encryption algorithm. The attacks demonstrated in this dissertation focus on two side channels: power consumption, which is one of the most widely exploited side channels, and far-field electromagnetic (EM) emissions, which are among the most threatening attack vectors because they can be captured at a distance from the victim.

For the power-based analysis, we first conduct a successful attack on an Atmel ATXmega128D4 microcontroller implementation of AES-128. By training and testing the deep-learning model on traces captured from different boards, we show experimentally that ignoring board diversity can easily lead to an overestimation of the attack efficiency. To mitigate the effect of board diversity and achieve a more efficient attack, we then propose three aggregation approaches, at the data, model and output level, for combining multiple training sources. Our results show that all three approaches improve the attack efficiency by at least about 45% compared with the conventional DLSCA.

Next, we move to hardware implementations of AES. Because a hardware implementation performs many operations in parallel, the leakage of the targeted intermediate value is superimposed on that of the other operations in the same clock cycle, which makes SCAs inherently more difficult. We propose a tandem technique that combines the classification results of models trained on multiple attack points instead of one, and apply it to break a Xilinx Artix-7 FPGA implementation of AES. We show that our three-attack-point tandem model is about 30% more efficient than a model trained on a single attack point.

Apart from power analysis, it is crucial to consider the recently proposed far-field EM SCAs, which remove the requirement for physical access to the victim device. The main idea behind a far-field EM SCA is to exploit the indirect EM emission, typically in the radio-frequency (RF) range, caused by the coupling between various components on a mixed-signal chip. We present the first deep-learning far-field EM SCA, at distances of up to 15 m, on implementations of TinyAES. All our experiments are conducted on a Nordic Semiconductor nRF52832 system-on-chip with an embedded ARM Cortex-M4 CPU, which supports Bluetooth 5. By using a deep-learning model trained on 'clean' traces captured through a coaxial cable, with 100 repetitions, we achieve a four-orders-of-magnitude improvement over the previous template attack.

Afterwards, we show experimentally that well-trained neural networks can recover the secret key from implementations of AES protected with the Rivain-Prouff (RP) masking scheme, using indirect EM emissions as the side channel. To bypass the strength of the addition-chain-based masked SBox, we build deep-learning models on the trace segment corresponding to the MixColumns operation, in which the data-loading instructions leak information about the SBox output. By comparing two deep-learning-based higher-order attack strategies, we conclude that the multi-step approach outperforms the single-step approach.

Abstract [sv] (translated to English)

Side-channel attacks (SCAs) have become one of the most realistic threats to implementations of cryptographic algorithms. By exploiting unintended physical leakage, for example the power the device consumes while executing the algorithm, SCAs can bypass the theoretical strength of cryptography and extract the encryption key. A vulnerable cryptographic implementation can lead to a complete loss of security.

With recent years' advances in deep learning, SCAs have gained a powerful weapon. A well-trained deep-learning model makes the attack an order of magnitude more efficient than traditional SCAs. It is therefore important to understand the capabilities and limitations of side-channel attacks with deep learning (DLSCAs) in order to design trustworthy countermeasures in the future.

We therefore investigate to what extent DLSCAs can compromise implementations of the Advanced Encryption Standard (AES) in different attack scenarios, since AES is the most widely used symmetric encryption algorithm. The demonstrated attacks target two side channels: power consumption and far-field electromagnetic (EM) emissions, because power consumption is one of the most exploited side channels and far-field EM-based attacks are currently the most threatening.

For the power-consumption-based analysis, we first carry out a successful attack on an Atmel ATXmega128D4 microcontroller implementation of AES-128. By using a deep-learning model trained on measurements from a profiling device to classify data from the device under attack, we show experimentally that ignoring device diversity can easily lead to an overestimation of the attack's efficiency. To mitigate the effect of device diversity and achieve a more efficient attack, we propose three aggregation methods, at the data, model and output level, for combining several training sources. Our results show that all of these proposed aggregation methods improve the attack efficiency by at least 45% compared with conventional DLSCAs.

Next, we turn to hardware implementations of AES, since hardware implementations execute operations in parallel, which makes SCAs harder. We propose a tandem technique that uses the classification results of models trained on different attack points, and apply this scheme to a Xilinx Artix-7 FPGA implementation of AES. We show that our tandem model with three attack points is 30% more efficient than the model trained on only one attack point.

Besides power analysis, it is important to take into account the recently proposed far-field EM SCAs, which eliminate the requirement for physical access to the victim device. The main idea of a far-field EM SCA is to exploit the indirect EM emissions caused by the coupling effect between different components on a mixed-signal chip. We present the first deep-learning-based far-field EM SCA at distances of up to 15 metres against implementations of TinyAES. All our experiments are carried out on a Nordic Semiconductor nRF52832 system-on-chip with an ARM Cortex-M4 CPU and Bluetooth 5 support. By using a deep-learning model trained on "clean" measurements captured via a coaxial cable together with a repetition technique, we achieve an improvement of four orders of magnitude over earlier profiling attacks.

We then show experimentally that it is possible for deep-learning models to recover the secret key from an implementation of AES with the Rivain-Prouff (RP) masking scheme. To bypass the theoretical strength of the addition-chain-based masked SBox, we build deep-learning models on the measurement segment corresponding to the MixColumns operation, where the data-loading instructions leak information about the value of the SBox output. By comparing two deep-learning-based higher-order attack strategies, we conclude that the multi-step method is better than the single-step method.

Place, publisher, year, edition, pages
Stockholm: KTH Royal Institute of Technology, 2023, p. 194
Series
TRITA-EECS-AVL ; 2023:13
Keywords [en]
Side-channel attack, Deep learning, Advanced Encryption Standard, Hardware security
National Category
Embedded Systems
Research subject
Information and Communication Technology
Identifiers
URN: urn:nbn:se:kth:diva-323661
ISBN: 978-91-8040-478-5 (print)
OAI: oai:DiVA.org:kth-323661
DiVA id: diva2:1735246
Public defence
2023-03-06, Ka-Sal C, Electrum., Kistagången 16, Kista, 09:00 (English)
Note

QC 20230213

Available from: 2023-02-13 Created: 2023-02-08 Last updated: 2023-02-27. Bibliographically approved
List of papers
1. How diversity affects deep-learning side-channel attacks
2019 (English) In: 2019 IEEE Nordic Circuits and Systems Conference, NORCAS 2019: NORCHIP and International Symposium of System-on-Chip, SoC 2019 - Proceedings, Institute of Electrical and Electronics Engineers (IEEE), 2019. Conference paper, Published paper (Refereed)
Abstract [en]

Deep learning side-channel attacks are an emerging threat to the security of implementations of cryptographic algorithms. The attacker first trains a model on a large set of side-channel traces captured from a chip with a known key. The trained model is then used to recover the unknown key from a few traces captured from a victim chip. The first successful attacks have been demonstrated recently. However, they typically train and test on power traces captured from the same device. In this paper, we show that it is important to train and test on traces captured from different boards. Otherwise, it is easy to overestimate the classification accuracy. For example, if we train and test an MLP model on power traces captured from the same board, we can recover all key byte values with 88.5% accuracy from a single trace. However, the single-trace attack accuracy drops to 13.7% if we test on traces captured from a board different from the one we used for training, even if both boards carry identical chips.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2019
Keywords
AES, CNN, deep learning, MLP, power analysis, Side-channel attack, Programmable logic controllers, Classification accuracy, Cryptographic algorithms, MLP model, Power traces, Side-channel, Side channel attack
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-268045
DOI: 10.1109/NORCHIP.2019.8906945
Web of Science ID: 000722212700033
Scopus ID: 2-s2.0-85075973980
Conference
2019 IEEE Nordic Circuits and Systems Conference, NORCAS 2019: NORCHIP and International Symposium of System-on-Chip (SoC), Helsinki, Finland, October 29-30, 2019
Note

Part of proceedings ISBN 9781728127699

QC 20200327

Available from: 2020-03-27 Created: 2020-03-27 Last updated: 2023-02-08. Bibliographically approved
2. Multi-Source Training Deep-Learning Side-Channel Attacks
2020 (English) In: Proceedings 50th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2020, Institute of Electrical and Electronics Engineers (IEEE), 2020, p. 58-63. Conference paper, Published paper (Refereed)
Abstract [en]

Recently, several deep-learning side-channel attacks on cryptographic algorithms were demonstrated. With the help of a trained deep-learning model, the attacker extracts the key from a few power traces captured from a victim device. However, previous works have shown that the inter-chip variation may significantly reduce the attack success probability. In this paper, we quantify the effect of inter-chip variation on the classification accuracy of Multi-Layer Perceptron (MLP) models. We show that, by training on multiple chips, we can increase the probability of recovering the key from a single trace from 39.95% to 86.07% on average. We also evaluate how the printed circuit board diversity affects the classification accuracy.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2020
Series
International Symposium on Multiple-Valued Logic, ISSN 0195-623X
Keywords
Side-channel attack, power analysis, deep learning, multi-source training, AES
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-298617
DOI: 10.1109/ISMVL49045.2020.00-29
Web of Science ID: 000656495500011
Scopus ID: 2-s2.0-85097343863
Conference
50th IEEE International Symposium on Multiple-Valued Logic, ISMVL 2020, Miyazaki, Japan, November 9-11, 2020
Note

Part of proceedings: ISBN 978-1-7281-5406-0

QC 20210710

Available from: 2021-07-10 Created: 2021-07-10 Last updated: 2023-02-08. Bibliographically approved
3. Federated Learning in Side-Channel Analysis
2021 (English) In: Information Security and Cryptology – ICISC 2020: 23rd International Conference on Information Security and Cryptology, ICISC 2020, Springer Science and Business Media Deutschland GmbH, 2021, p. 257-272. Conference paper, Published paper (Refereed)
Abstract [en]

The recently introduced federated learning is an attractive framework for the distributed training of deep-learning models with thousands of participants. However, it can potentially be used with malicious intent. For example, adversaries can use their smartphones to jointly train a classifier for extracting secret keys from the smartphones' SIM cards without sharing their side-channel measurements with each other. With federated learning, each participant might be able to create a strong model in the absence of sufficient training data. Furthermore, the participants preserve their anonymity. In this paper, we investigate this new attack vector in the context of side-channel attacks. We compare federated learning, which aggregates model updates submitted by N participants, with two other aggregation approaches: (1) training on combined side-channel data from N devices, and (2) using an ensemble of N individually trained models. Our first experiments on an 8-bit Atmel ATxmega128D4 microcontroller implementation of AES show that federated learning is capable of outperforming the other approaches.

Place, publisher, year, edition, pages
Springer Science and Business Media Deutschland GmbH, 2021
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349
Keywords
AES, Federated learning, Power analysis, Side-channel attack, Chromium compounds, Deep learning, Learning systems, Security of data, Smartphones, Attack vector, Learning models, Model updates, Secret key, Side-channel, Side-channel analysis, SIM cards, Training data, Side channel attack
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-307224
DOI: 10.1007/978-3-030-68890-5_14
Web of Science ID: 000886642900014
Scopus ID: 2-s2.0-85102647706
Conference
Information Security and Cryptology - ICISC 2020 - 23rd International Conference, Seoul, South Korea, December 2-4, 2020, Proceedings
Note

Part of proceedings: ISBN 978-3-030-68889-9

QC 20220118

Available from: 2022-01-18 Created: 2022-01-18 Last updated: 2023-02-08. Bibliographically approved
4. Tandem Deep Learning Side-Channel Attack Against FPGA Implementation of AES
2020 (English) In: 2020 6th IEEE International Symposium on Smart Electronic Systems (iSES 2020) (Formerly iNIS), Institute of Electrical and Electronics Engineers (IEEE), 2020, p. 147-150. Conference paper, Published paper (Refereed)
Abstract [en]

The majority of recently demonstrated deep-learning side-channel attacks use a single neural-network classifier to recover the key. The potential benefits of combining multiple classifiers with an ensemble learning method have not been fully explored in the side-channel attack context. In this paper, we show that, by combining several CNN classifiers which use different attack points, it is possible to considerably reduce (by more than 40% on average) the number of traces required to recover the key from an FPGA implementation of AES by power analysis. We also show that not all combinations of classifiers improve the attack efficiency.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2020
Keywords
side-channel attack, CNN, tandem model, FPGA, AES
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-299960
DOI: 10.1109/iSES50453.2020.00041
Web of Science ID: 000678807500030
Scopus ID: 2-s2.0-85106602226
Conference
6th IEEE International Symposium on Smart Electronic Systems, iSES 2020, Virtual, Chennai, 14 December 2020 - 16 December 2020
Note

Part of proceedings ISBN 978-1-6654-0478-5

QC 20210826

Available from: 2021-08-26 Created: 2021-08-26 Last updated: 2023-02-09. Bibliographically approved
5. Far Field EM Side-Channel Attack on AES Using Deep Learning
2020 (English) In: ASHES 2020 - Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security, Association for Computing Machinery (ACM), 2020, p. 35-44. Conference paper, Published paper (Refereed)
Abstract [en]

We present the first deep-learning-based side-channel attack on AES-128 using far-field electromagnetic emissions as a side channel. Our neural networks are trained on traces captured from five different Bluetooth devices at five different distances to the target and tested on four other Bluetooth devices. We can recover the key from fewer than 10K traces captured in an office environment at 15 m distance to the target, even if the measurement for each encryption is taken only once. Previous template attacks required multiple repetitions of the same encryption. For the case of 1K repetitions, we need fewer than 400 traces on average at 15 m distance to the target. This improves on the template attack presented at CHES 2020, which requires 5K traces and key enumeration up to 2^23.

Place, publisher, year, edition, pages
Association for Computing Machinery (ACM), 2020
Keywords
aes, deep learning, em analysis, far field em emissions, profiled attack, side-channel analysis, Bluetooth, Hardware security, Bluetooth device, Distance to targets, Electromagnetic emissions, Far field, Office environments, Side-channel, Template Attacks, Side channel attack
National Category
Communication Systems
Identifiers
URN: urn:nbn:se:kth:diva-291403
DOI: 10.1145/3411504.3421214
Web of Science ID: 001436887200005
Scopus ID: 2-s2.0-85097354491
Conference
4th ACM Workshop on Attacks and Solutions in Hardware Security Workshop, ASHES@CCS 2020, Virtual Event, USA, November 13, 2020
Note

QC 20210331

Available from: 2021-03-31 Created: 2021-03-31 Last updated: 2025-12-05. Bibliographically approved
6. Tandem Deep Learning Side-Channel Attack on FPGA Implementation of AES
2021 (English) In: SN Computer Science, ISSN 2662-995X, Vol. 2, no 5, article id 373. Article in journal (Refereed) Published
Abstract [en]

Side-channel attacks have become a realistic threat to implementations of cryptographic algorithms, especially with the help of deep-learning techniques. The majority of recently demonstrated deep-learning side-channel attacks use a single neural-network classifier to extract the secret from implementations of cryptographic algorithms. The potential benefits of combining multiple classifiers using an ensemble learning method have not been fully explored in the side-channel attack context. In this paper, we propose a tandem approach to the attack in which multiple models are trained on different attack points but are used in parallel to recover the key. Such an approach allows us to considerably reduce (by 33.5% on average) the number of traces required to recover the key from an FPGA implementation of AES by power analysis. We also show that not all combinations of classifiers improve the attack efficiency.
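
The profiled attack as it is scored in all of the papers above, the train-on-one-board/attack-on-another evaluation of papers 1 and 2 together with the data-level aggregation from the thesis abstract, and the tandem scoring of papers 4 and 6, as one added example. This is not code from the thesis or its papers: a Gaussian-template classifier is substituted for the neural network (the key-scoring, cross-board and tandem logic is the same for any classifier that outputs per-trace class probabilities), and the leakage model, the board gain/offset pairs, the key bytes and the trace counts are constructed assumptions made here.

```python
"""Profiled side-channel key recovery on synthetic first-round AES leakage.
Added example, not the thesis's code: Gaussian templates stand in for the
neural network; every trace here is synthetic and constructed in this file."""
import math
import random


def build_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox, p, q = [0] * 256, 1, 1
    while True:  # invariant: p * q == 1 in GF(2^8)
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF          # p *= 3
        q = (q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4) ^ (q << 5)
             ^ (q << 6) ^ (q << 7)) & 0xFF                            # q /= 3
        q ^= 0x09 if q & 0x80 else 0
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)             # affine part
        sbox[p] = ((x ^ (x >> 8)) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]
# Two first-round attack points, each a function of (plaintext byte, key byte).
ATTACK_POINTS = {"ark": lambda p, k: p ^ k, "sbox": lambda p, k: SBOX[p ^ k]}
# Hypothetical per-board (gain, offset) pairs standing in for chip/PCB diversity.
BOARDS = {"A": (1.0, 0.0), "B": (0.6, 2.0)}


def capture(board, key, n, rng, sigma=0.5):
    """Simulate n traces: one noisy Hamming-weight sample per attack point."""
    gain, offset = BOARDS[board]
    traces = []
    for _ in range(n):
        p = rng.randrange(256)
        traces.append((p, {name: gain * HW[f(p, key)] + offset + rng.gauss(0, sigma)
                           for name, f in ATTACK_POINTS.items()}))
    return traces


def profile(traces, key):
    """Gaussian template (mean, variance) per class value, per attack point."""
    templates = {}
    for name, f in ATTACK_POINTS.items():
        groups = {}
        for p, s in traces:
            groups.setdefault(f(p, key), []).append(s[name])
        tpl = [(0.0, 100.0)] * 256  # wide, uninformative template for unseen classes
        for v, xs in groups.items():
            mu = sum(xs) / len(xs)
            tpl[v] = (mu, max(sum((x - mu) ** 2 for x in xs) / max(len(xs) - 1, 1), 1e-6))
        templates[name] = tpl
    return templates


def log_posteriors(templates, name, x):
    """log P(v | x) for all 256 class values (Gaussian likelihood, flat prior)."""
    ll = [-0.5 * math.log(var) - (x - mu) ** 2 / (2 * var) for mu, var in templates[name]]
    m = max(ll)
    lse = m + math.log(sum(math.exp(l - m) for l in ll))
    return [l - lse for l in ll]


def key_scores(templates, traces, names):
    """Accumulate log-probabilities per key hypothesis; several names = tandem scoring."""
    scores = [0.0] * 256
    for p, s in traces:
        for name in names:
            lp, f = log_posteriors(templates, name, s[name]), ATTACK_POINTS[name]
            for k in range(256):
                scores[k] += lp[f(p, k)]
    return scores


def rank_and_gap(scores, key):
    """Rank of the true key (0 = recovered) and its score margin over the best wrong key."""
    best_wrong = max(sc for k, sc in enumerate(scores) if k != key)
    return sum(1 for sc in scores if sc > scores[key]), scores[key] - best_wrong


def cross_entropy(templates, name, traces, key):
    """Mean -log P(true class): larger means the templates fit this board worse."""
    f = ATTACK_POINTS[name]
    return -sum(log_posteriors(templates, name, s[name])[f(p, key)] for p, s in traces) / len(traces)


def experiment(seed=1):
    rng = random.Random(seed)
    key_prof, key_victim = 0x2B, 0xD4                      # constructed key bytes
    prof_a, prof_b = capture("A", key_prof, 4000, rng), capture("B", key_prof, 4000, rng)
    vic_a, vic_b = capture("A", key_victim, 500, rng), capture("B", key_victim, 500, rng)
    t_a = profile(prof_a, key_prof)                        # conventional: one board
    t_ab = profile(prof_a + prof_b, key_prof)              # data-level aggregation
    return {
        "sbox": rank_and_gap(key_scores(t_a, vic_a, ["sbox"]), key_victim),
        "ark": rank_and_gap(key_scores(t_a, vic_a, ["ark"]), key_victim),
        "tandem": rank_and_gap(key_scores(t_a, vic_a, ["ark", "sbox"]), key_victim),
        "cross_board": rank_and_gap(key_scores(t_a, vic_b, ["sbox"]), key_victim),
        "aggregated": rank_and_gap(key_scores(t_ab, vic_b, ["sbox"]), key_victim),
        "ce_same": cross_entropy(t_a, "sbox", vic_a, key_victim),
        "ce_cross": cross_entropy(t_a, "sbox", vic_b, key_victim),
    }
```

Calling `experiment()` returns, per setting, the rank of the true key byte (0 means recovered) and its score margin over the strongest wrong hypothesis, plus the cross-entropy of the board-A templates on board-A and board-B victim traces. The cross-entropy is the quantity to watch for the board-diversity point: the same templates fit board B markedly worse, so a same-board evaluation overstates what the attack achieves on a different board, and profiling on both boards (data-level aggregation) is the simplest remedy of the three the thesis proposes. For the tandem point, because the scores are sums of log-probabilities, the margin of the combined model is never smaller than the sum of the single-point margins; with the independent synthetic noise used here the combination therefore always helps. The papers' observation that not all combinations improve the attack concerns real models whose errors are correlated, which this simulation does not reproduce.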

Place, publisher, year, edition, pages
Springer Nature, 2021
Keywords
AES, Deep learning, FPGA, Side-channel attack, Tandem model
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:kth:diva-316145
DOI: 10.1007/s42979-021-00755-w
Scopus ID: 2-s2.0-85131832140
Note

QC 20220810

Available from: 2022-08-10 Created: 2022-08-10 Last updated: 2023-02-08. Bibliographically approved
7. Advanced Far Field EM Side-Channel Attack on AES
2021 (English) In: CPSS 2021 - Proceedings of the 7th ACM Cyber-Physical System Security Workshop, Association for Computing Machinery, Inc, 2021, p. 29-39. Conference paper, Published paper (Refereed)
Abstract [en]

Several attacks on AES using far-field electromagnetic (EM) emission as a side channel have recently been presented. Unlike power analysis or near-field EM analysis, far-field EM attacks do not require close physical proximity to the device under attack. However, in all previous attacks the traces for the profiling stage are also captured at a distance (fixed or variable) from the profiling devices, which degrades the quality of the profiling traces through noise and interference. In this paper, we train deep-learning models on "clean" traces captured through a coaxial cable. Our experiments show that the resulting models can extract the AES key from fewer than 500 traces on average, captured at 15 m from the victim device without repeating any encryption more than once. This is a 20-fold improvement over the previous attacks, which require about 10K traces under the same conditions.

Place, publisher, year, edition, pages
Association for Computing Machinery, Inc, 2021
Keywords
AES, deep learning, far field EM emissions, profiled attack, side-channel analysis, Embedded systems, Far field, Learning models, Near-filed, Physical proximity, Power analysis, Side-channel, Side channel attack
National Category
Computer Sciences Communication Systems
Identifiers
URN: urn:nbn:se:kth:diva-310155
DOI: 10.1145/3457339.3457982
Web of Science ID: 001468552300005
Scopus ID: 2-s2.0-85108554189
Conference
7th ACM Cyber-Physical System Security Workshop, CPSS 2021, co-located with ACM AsiaCCS 2021, 7 June 2021
Note

Part of proceedings: ISBN 978-1-4503-8402-5

QC 20220330

Available from: 2022-03-30 Created: 2022-03-30 Last updated: 2025-12-05. Bibliographically approved
8. Amplitude-Modulated EM Side-Channel Attack on Provably Secure Masked AES
(English) Manuscript (preprint) (Other academic)
Abstract [en]

Recently a new type of side channel was discovered: amplitude-modulated electromagnetic (EM) emanations from mixed-signal circuits. Unlike power analysis or near-field EM analysis, attacks based on amplitude-modulated EM emanations do not require close physical access to the victim device, which makes the attack particularly threatening. However, all existing amplitude-modulated EM attacks on AES focus on implementations of unprotected TinyAES, which is unlikely to be used in practical situations. This paper presents the first deep-learning-based side-channel attack on AES-128 with the Rivain-Prouff masking scheme, using amplitude-modulated EM emanations as the side channel. The Rivain-Prouff masking scheme is a provably secure higher-order masking scheme for AES. To bypass the theoretical strength of the addition-chain-based Boolean masked SBox, we train neural networks on trace segments corresponding to the MixColumns operation, in which the data-loading instructions for the SBox output leak information. By comparing two different training strategies, we show that it is feasible to recover the key from an ARM Cortex-M4 CPU implementation of AES-128 with the Rivain-Prouff masking scheme by using the amplitude-modulated EM emanations leaked from the victim device, which has a Bluetooth module embedded on the board.
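
Why a masked SBox output defeats first-order analysis, and what a higher-order attack has to combine, as an added illustration of the masking point made in this abstract and in the thesis summary. It is not the thesis's deep-learning attack: PRESENT's 4-bit S-box stands in for the AES SBox, two-share Boolean masking stands in for the Rivain-Prouff scheme, and classical correlation analysis with an explicit centred-product combination stands in for the neural network; the key nibble, noise level and trace count are constructed assumptions.

```python
"""Boolean masking versus first- and second-order analysis, on a toy 4-bit S-box.
Added illustration, not the thesis's deep-learning attack: PRESENT's 4-bit S-box
and classical correlation analysis stand in for AES and the neural network;
every trace is synthetic and constructed in this file."""
import math
import random

SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW4 = [bin(v).count("1") for v in range(16)]


def capture_masked(key, n, sigma=0.3, seed=7):
    """Masked S-box lookup: the device only ever handles s ^ m and m, never s.
    Each trace exposes one noisy Hamming-weight sample per share."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        p, m = rng.randrange(16), rng.randrange(16)   # plaintext nibble, fresh mask
        s = SBOX4[p ^ key]                             # never appears unmasked
        x1 = HW4[s ^ m] + rng.gauss(0, sigma)          # masked S-box output share
        x2 = HW4[m] + rng.gauss(0, sigma)              # mask share
        traces.append((p, x1, x2))
    return traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / math.sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))


def cpa(traces, combine):
    """Correlation of the (combined) leakage with HW(S[p ^ k]) for every key hypothesis k."""
    leak = combine(traces)
    return [pearson(leak, [HW4[SBOX4[p ^ k]] for p, _, _ in traces]) for k in range(16)]


def first_order(traces):
    """Single share only: HW(s ^ m) with uniform m is independent of s, so nothing leaks."""
    return [x1 for _, x1, _ in traces]


def second_order(traces):
    """Centred product of the two shares. For a fresh uniform mask,
    E[(HW(s^m) - 2)(HW(m) - 2) | s] = -(HW(s) - 2) / 2, so the product is
    (negatively) correlated with the unmasked S-box output."""
    n = len(traces)
    m1, m2 = sum(x1 for _, x1, _ in traces) / n, sum(x2 for _, _, x2 in traces) / n
    return [(x1 - m1) * (x2 - m2) for _, x1, x2 in traces]


def best_key(corrs):
    return max(range(16), key=lambda k: abs(corrs[k]))


def experiment(key=0xB, n=3000):
    traces = capture_masked(key, n)
    c1, c2 = cpa(traces, first_order), cpa(traces, second_order)
    return {"first_order": c1, "second_order": c2,
            "first_order_key": best_key(c1), "second_order_key": best_key(c2)}
```

With a single share, every key hypothesis, the correct one included, correlates with the leakage only at the noise level, which is the guarantee first-order masking gives. Multiplying the centred leakages of the two shares produces a quantity that depends on the unmasked value again, and the correct key stands out. A scheme of order d such as Rivain-Prouff's uses d + 1 shares, so an explicit attack needs a combination of all d + 1 share leakages; the neural networks in the thesis are instead trained directly on a trace segment that contains the leakage of the shares and learn such a combining function without it being written down. The single-step versus multi-step distinction the thesis draws is not modelled by this toy.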

Keywords
Side-channel attack, Amplitude-modulated EM emanation, Deep learning, AES, Rivain-Prouff masking scheme
National Category
Embedded Systems
Research subject
Information and Communication Technology
Identifiers
URN: urn:nbn:se:kth:diva-323741
Note

QC 20230328

Available from: 2023-02-10 Created: 2023-02-10 Last updated: 2023-03-28. Bibliographically approved

Open Access in DiVA

Full text (kappa): FULLTEXT04.pdf, 25844 kB, application/pdf
SHA-512 checksum: 9acb915f60f0efe47d8cba8760ac96fd16a23131e030f9980e358775dd13e54d9183c33bfb6245509c9f94f18c92522b540598f1aaf4a437ece5a181c735e068

Author/editor: Wang, Huanyu
Organisation: Electronic and embedded systems; Embedded Systems