Learning to Localize Leakage of Cryptographic Sensitive Variables

Jimmy Gammell, Anand Raghunathan, Abolfazl Hashemi, Kaushik Roy

TL;DR

This work addresses the challenge of locating time-specific leakage in cryptographic hardware caused by power/EM side channels. It introduces Adversarial Leakage Localization (ALL), a principled framework that defines a leakiness measure via a constrained optimization over erasure masks and learns conditional distributions for all masked subsets with a minimax neural network trained through a REBAR-based gradient estimator. The key contributions are (i) a formal information-theoretic leakage metric that captures high-order dependencies, (ii) the ALL algorithm that localizes leakage with a budgeted erasure mechanism, and (iii) extensive experiments on 6 public datasets against 8 baselines, including real AES/RSA/ECC traces, demonstrating superior leakage localization and robustness. The approach provides cryptographic hardware designers with actionable insight into where leakage arises, enabling targeted defenses and mitigations, and it is accompanied by open-source PyTorch code for reproducibility.

Abstract

While cryptographic algorithms such as the ubiquitous Advanced Encryption Standard (AES) are secure, *physical implementations* of these algorithms in hardware inevitably 'leak' sensitive data such as cryptographic keys. A particularly insidious form of leakage arises from the fact that hardware consumes power and emits radiation in a manner that is statistically associated with the data it processes and the instructions it executes. Supervised deep learning has emerged as a state-of-the-art tool for carrying out *side-channel attacks*, which exploit this leakage by learning to map power/radiation measurements throughout encryption to the sensitive data operated on during that encryption. In this work we develop a principled deep learning framework for determining the relative leakage due to measurements recorded at different points in time, in order to inform *defense* against such attacks. This information is invaluable to cryptographic hardware designers for understanding *why* their hardware leaks and how they can mitigate it (e.g. by indicating the particular sections of code or electronic components which are responsible). Our framework is based on an adversarial game between a family of classifiers trained to estimate the conditional distributions of sensitive data given subsets of measurements, and a budget-constrained noise distribution which probabilistically erases individual measurements to maximize the loss of these classifiers. We demonstrate our method's efficacy and ability to overcome limitations of prior work through extensive experimental comparison with 8 baseline methods using 3 evaluation metrics and 6 publicly-available power/EM trace datasets from AES, ECC and RSA implementations. We provide an open-source PyTorch implementation of these experiments.

Paper Structure

This paper contains 47 sections, 3 theorems, 47 equations, 30 figures, 6 tables, 2 algorithms.

Key Result

Proposition 2.1

Consider the objective function $\mathcal{L}_{\mathrm{adv}}$ of equation eqn:adversarial-optimization-problem. Suppose there exists some $\bm{\theta}^* \in \mathbb{R}^P$ such that $\Phi_{\bm{\alpha}}(y \mid \bm{x}_{\bm{\alpha}}; \bm{\theta}^*) = p_{Y \mid \bm{X}_{\bm{\alpha}}}(y \mid \bm{x}_{\bm{\al Furthermore, for all $y \in \mathsf{Y}$ and for all $\bm{\gamma} \in [0, 1]^T,$$\bm{\alpha} \in \{0

Figures (30)

  • Figure 1: Diagram illustrating our probabilistic framing of side-channel leakage in the special case of power side-channel leakage from a symmetric-key (e.g. AES) cryptographic implementation. Cryptographic hardware encrypts a plaintext given a key, resulting in a ciphertext. The power consumption over time of the hardware is measured during encryption and encoded as a vector called a power trace. Consider a 'sensitive' intermediate variable in the cryptographic algorithm which is a known function of the key, plaintext, and ciphertext, and which gives information about the key given the plaintext and ciphertext. We view the power trace and sensitive variable as realizations of jointly-distributed random variables $\bm{X}, Y \sim p_{\bm{X}, Y}$ respectively, and side channel attacks can be carried out by using supervised learning to estimate $p_{Y \mid \bm{X}}.$
  • Figure 2: Our method entails estimating the conditional distributions $p_{Y \mid \bm{X}_{\bm{\alpha}}}$ for $\bm{\alpha} \in \{0, 1\}^T.$ We estimate all $2^T$ of these distributions using a single neural net $\Phi$ with weights $\bm{\theta},$ which takes two inputs: the binary random variable $\bm{\mathcal{A}}_{\bm{\gamma}}$, and a trace $\bm{X}$ with some of its elements randomly 'masked' out according to $\bm{\mathcal{A}}_{\bm{\gamma}}.$
  • Figure 3: Experiments in simple settings where our technique succeeds but all considered baselines fail. Here for brevity we only show ALL (our method), SNR (the best-performing parametric statistical method), and 1-occlusion (the best-performing neural net attribution method). (top row) A dataset with the following features: $X_{\mathrm{rand}}$ (red) which does not leak, $X_{\mathrm{1o}}$ (blue) which has first-order leakage, and $X_{\mathrm{2o,1}}$ (green) and $X_{\mathrm{2o,2}}$ (purple), neither of which has first-order leakage, but the combination of which has second-order leakage. SNR (left) detects the first-order leakage but fails to detect the second-order leakage. 1-occlusion (center) and ALL (ours, right) successfully detect both the first- and second-order leakage. (bottom row) A dataset with a single non-leaky feature $X_0$ (red), and $n$ first-order leaky features $X_i, i=1, \dots, n$ (blue). SNR (left) successfully distinguishes between leaky and non-leaky points regardless of $n$, and ALL (ours, right) succeeds for $n$ as large as $1024$ before failing. However, 1-occlusion (center) fails with $n$ as small as $32.$
  • Figure 4: We validate that our adversarial leakage localization algorithm is consistent with ground truth leaky instruction timesteps on simulated AES power side-channel leakage datasets. Vertical dotted lines denote the ground-truth timestep of a leaky instruction. (first row) Power trace low-pass filtering strength, increasing from left to right. (second row) Number of leaky instructions, increasing from left to right. (third row) Maximum duration of random delay inserted before the leaky instruction, increasing from left to right. (fourth row) Leaky instruction happens randomly at one of $n$ possible timesteps, with $n$ increasing from left to right.
  • Figure 5: We successfully apply our technique to the ASCADv1 fixed- and variable-key datasets. (top row) Visualization of the 'omniscient' Gaussian mixture model (oGMM)-based leakage assessment on ASCADv1-fixed (left) and ASCADv1-variable (right). (bottom row) Visualization of the output of our adversarial leakage localization algorithm on ASCADv1-fixed (left) and ASCADv1-variable (right). Observe that our method largely has the same peaks as the oGMM model, despite lacking explicit knowledge of the internal Boolean masks and masked sensitive variables. In contrast, first-order parametric methods completely fail in these settings, and prior deep learning approaches detect fewer of the peaks.
  • ...and 25 more figures
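
The first-order versus second-order distinction in the Figure 3 caption, as an added example (not code from the paper or its PyTorch release): per-feature SNR flags $X_{\mathrm{1o}}$ but scores each of $X_{\mathrm{2o,1}}$ and $X_{\mathrm{2o,2}}$ near zero, while the pair leaks jointly. Assumptions made here: a binary $Y$, Gaussian noise, the second-order pair built as Boolean-masking shares, and a standard centered-product combining step to expose the joint leakage; this is not the ALL algorithm.

```python
import random
from statistics import fmean, pvariance

def snr(xs, ys):
    """First-order SNR of one feature: Var_y(E[X|Y=y]) / E_y(Var[X|Y=y])."""
    groups = {}
    for x, y in zip(xs, ys):
        groups.setdefault(y, []).append(x)
    class_means = [fmean(g) for g in groups.values()]
    noise = fmean(pvariance(g) for g in groups.values())
    return pvariance(class_means) / noise

def centered_product(a, b):
    """Combine two features so that a second-order dependence becomes first-order."""
    ma, mb = fmean(a), fmean(b)
    return [(x - ma) * (y - mb) for x, y in zip(a, b)]

def simulate(n=20000, sigma=0.3, seed=0):
    """Constructed toy data; feature names follow the Figure 3 caption."""
    rng = random.Random(seed)
    cols = {"X_rand": [], "X_1o": [], "X_2o,1": [], "X_2o,2": []}
    ys = []
    for _ in range(n):
        y = rng.getrandbits(1)   # sensitive variable (assumed binary)
        m = rng.getrandbits(1)   # fresh random mask (assumed Boolean masking)
        ys.append(y)
        cols["X_rand"].append(rng.gauss(0, sigma))            # independent of Y
        cols["X_1o"].append(y + rng.gauss(0, sigma))          # leaks Y directly
        cols["X_2o,1"].append(m + rng.gauss(0, sigma))        # share 1: the mask
        cols["X_2o,2"].append((y ^ m) + rng.gauss(0, sigma))  # share 2: Y xor mask
    return cols, ys

def leakage_report(n=20000, sigma=0.3, seed=0):
    """SNR of every single feature, plus SNR of the combined second-order pair."""
    cols, ys = simulate(n, sigma, seed)
    report = {name: snr(xs, ys) for name, xs in cols.items()}
    pair = centered_product(cols["X_2o,1"], cols["X_2o,2"])
    report["X_2o,1 * X_2o,2"] = snr(pair, ys)
    return report

if __name__ == "__main__":
    for name, value in leakage_report().items():
        print(f"{name:>16}: SNR = {value:.4f}")
```

Each share has the same conditional mean for both values of $Y$, which is why a per-timestep first-order statistic cannot see it; the combined column only works because the example already knows which two features to pair.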

Theorems & Definitions (5)

  • Proposition 2.1
  • proof
  • Corollary 2.2
  • proof
  • Corollary 2.3