Abstract

To mitigate side-channel attacks, real-world implementations of public-key cryptosystems adopt state-of-the-art countermeasures based on randomization of the private or ephemeral keys. Usually, for each private key operation, a “scalar blinding” is performed using 32 or 64 randomly generated bits. Nevertheless, horizontal attacks based on a single trace still pose serious threats to protected ECC or RSA implementations. If the secrets learned through a single-trace attack contain too many wrong (or noisy) bits, the cryptanalysis methods for recovering the remaining bits become impractical due to time and computational constraints. This paper proposes a deep learning-based framework to iteratively correct partially correct private keys resulting from a clustering-based horizontal attack. By testing the trained network on scalar multiplication (or exponentiation) traces, we demonstrate that a deep neural network can significantly reduce the number of wrong bits in randomized scalars (or exponents). When a simple horizontal attack can recover around 52% of the bits of the attacked private keys, the proposed iterative framework improves the private key accuracy to above 90% on average and to 100% for at least one of the attacked keys. Our attack model remains fully unsupervised and does not need to know where the erroneous or noisy bits are located in each separate randomized private key.

Highlights

  • Modern implementations of public-key cryptosystems in embedded devices are usually protected against side-channel attacks (SCAs)

  • This paper proposes a new approach to improve single-trace attacks by reducing the number of wrong bits in a recovered private key

  • This paper presents a novel deep learning-based iterative framework to correct the remaining wrong bits resulting from horizontal attacks


Summary

Introduction

Modern implementations of public-key cryptosystems in embedded devices are usually protected against side-channel attacks (SCAs). When considering RSA or ECC-based protocols such as key generation or signature verification, the operation to protect is modular exponentiation or scalar multiplication, which are the most security-critical operations (including the operations they consist of). The curve Curve25519 [Ber06] is a Montgomery curve defined by the equation y^2 = x^3 + 486662x^2 + x over the prime field defined by the prime number 2^255 − 19. It uses x = 9 as the base point, which generates a cyclic subgroup of prime order 2^252 + 27742317777372353535851937790883648493; the curve has cofactor 8.
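The following is an added example, not code from the paper or from any implementation it analyses. It checks the Curve25519 parameters quoted above (field prime, subgroup order, base point, cofactor) with an x-only Montgomery ladder written from the RFC 7748 formulas, and shows the scalar-blinding countermeasure mentioned in the Abstract in its common form k' = k + r·l (the paper does not state which blinding variant the attacked implementations use, so that form is an assumption). The function and variable names are the example's own; the ladder is a plain Python model of the regular add-and-double sequence a single-trace attack observes, not a constant-time implementation.

```python
# Added example (not from the paper): x-only Montgomery arithmetic on Curve25519,
# used to verify the parameters quoted in the Introduction and to illustrate
# scalar blinding k' = k + r*l. Formulas follow RFC 7748 section 5.
import secrets

P = 2**255 - 19                      # field prime
A = 486662                           # curve coefficient in y^2 = x^3 + A*x^2 + x
A24 = (A - 2) // 4                   # 121665, the constant the ladder uses
BASE_X = 9                           # x-coordinate of the base point
ORDER = 2**252 + 27742317777372353535851937790883648493   # prime order l of the base point
COFACTOR = 8

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; adequate for checking public constants."""
    if n < 2:
        return False
    for q in _MR_BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_on_curve(x):
    """True if y^2 = x^3 + A*x^2 + x has a solution y in GF(P) (Euler's criterion)."""
    rhs = (x**3 + A * x * x + x) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1


def ladder(k, x1):
    """Montgomery ladder on x-coordinates: projective (X, Z) of [k]P where x(P) = x1.
    Every scalar bit performs one differential addition and one doubling; this
    regular structure is what a horizontal (single-trace) attack tries to cluster."""
    x1 %= P
    x2, z2 = 1, 0          # R0 = point at infinity
    x3, z3 = x1, 1         # R1 = P
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        if bit:            # swap so the doubling below lands on R1 when the bit is 1
            x2, z2, x3, z3 = x3, z3, x2, z2
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P   # R1 <- R0 + R1
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P               # R0 <- 2*R0
        if bit:
            x2, z2, x3, z3 = x3, z3, x2, z2
    return x2, z2


def affine_x(xz):
    """Projective (X, Z) to affine x; None encodes the point at infinity (Z = 0)."""
    x, z = xz
    return None if z % P == 0 else x * pow(z, P - 2, P) % P


def double_affine(x):
    """Affine doubling on a Montgomery curve, an independent cross-check for the ladder."""
    num = pow(x * x - 1, 2, P)
    den = 4 * x * (x * x + A * x + 1) % P
    return num * pow(den, P - 2, P) % P


def blind_scalar(k, rand_bits=64, r=None):
    """Scalar blinding (assumed form): k' = k + r*ORDER with a fresh random r of
    rand_bits bits. [k']P == [k]P because [ORDER]P is the identity, but the bit
    string the ladder walks is different on every call."""
    if r is None:
        r = secrets.randbits(rand_bits)
    return k + r * ORDER


def check_parameters():
    """Verify the constants quoted in the Introduction; returns a dict of booleans."""
    return {
        "p_prime": is_probable_prime(P),
        "order_prime": is_probable_prime(ORDER),
        "base_on_curve": is_on_curve(BASE_X),
        "l_times_base_is_identity": affine_x(ladder(ORDER, BASE_X)) is None,
        "doubling_matches": affine_x(ladder(2, BASE_X)) == double_affine(BASE_X),
    }


if __name__ == "__main__":
    print(check_parameters())
    k = secrets.randbelow(ORDER)
    print(affine_x(ladder(k, BASE_X)) == affine_x(ladder(blind_scalar(k), BASE_X)))
```

The blinded scalar is about 64 bits longer than l, so the ladder performs roughly 64 extra iterations per operation; that is the cost the Abstract's "32 or 64 randomly generated bits" refers to, and it is why a single-trace attack that recovers only part of the (now one-time) scalar bits has to be completed on that same trace rather than averaged across many.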

