Gradient Visualization for General Characterization in Profiling Attacks

Abstract

In Side-Channel Analysis (SCA), several papers have shown that neural networks could be trained to efficiently extract sensitive information from implementations running on embedded devices. This paper introduces a new tool called Gradient Visualization that aims to proceed a post-mortem information leakage characterization after the successful training of a neural network. It relies on the computation of the gradient of the loss function used during the training. The gradient is no longer computed with respect to the model parameters, but with respect to the input trace components. Thus, it can accurately highlight temporal moments where sensitive information leaks. We theoretically show that this method, based on Sensitivity Analysis, may be used to efficiently localize points of interest in the SCA context. The efficiency of the proposed method does not depend on the particular countermeasures that may be applied to the measured traces as long as the profiled neural network can still learn in presence of such difficulties. In addition, the characterization can be made for each trace individually. We verified the soundness of our proposed method on simulated data and on experimental traces from a public side-channel database. Eventually we empirically show that the Sensitivity Analysis is at least as good as state-of-the-art characterization methods, in presence (or not) of countermeasures.

Appendices

A Profiling Attacks

As the model is aiming at approximating the conditional pdf, a Maximum Likelihood score can be used for the guessing:

(8)

Based on these scores, the key hypotheses are ranked in a decreasing order. Finally, the attacker chooses the key that is ranked first (resp. the set of first o ranked keys). More generally, the rank \(g_{S_{a}}(k^{\star })\) of the correct key hypothesis \(k^{\star }\) is defined as:

(9)

Remark 2

In practice, to compute \(\mathrm {GE}(N_a)\), sampling many attack sets may be very prohibitive in an evaluation context, especially if we need to reproduce the estimations for many values of \(N_a\); one solution to circumvent this problem is, given a validation set \(S_{v}\) of \(N_v\) traces, to sample some attack sets by permuting the order of the traces into the validation set. can then be computed with a cumulative sum to get a score for each \(N_a\in [|1, N_v|]\), and so is \(g_{S_{a}}(k^{\star })\). While this trick gives good estimations for \(N_a\ll N_v\), one has to keep in mind that the estimates become biased when \(N_a\rightarrow N_v\). This problem also happens in Machine Learning when one lacks data to validate a model. A technique called Cross-Validation [34] enables to circumvent this problem by splitting the dataset into q parts called folds. The profiling is done on \(q-1\) folds and the model is evaluated with the remaining fold. By repeating this step q times, the measured results can be averaged so that they are less biased.

B Study of an Optimal Model

Informally, Assumption 1 tells that the leaking information is non-uniformly distributed over the trace \(\mathbf X \), i.e. only a few coordinates contain clues about the attacked sensitive variable. Assumption 1 has been made in many studies such as [4]. Depending on the countermeasures implemented into the attacked device, the nature of \(\mathcal {I}_{Z}\) may be precised. Without any countermeasure, and supposing that the target sensitive variable only leaks once, Assumption 1 states that \(\mathcal {I}_{Z}\) is only a set of contiguous and constant coordinates, regardless the input traces.

Adding masking will split \(\mathcal {I}_{Z}\) into several contiguous and fixed sets whose number is equal to the number of shares in the masking scheme (or at least equal to the number of shares if we relax the hypothesis of one leakage per share). For example if M (resp. \(Z \oplus M\)) denotes the mask (resp. masked data) variable leaking at coordinate \(t_1\) (resp. \(t_2\)), then M and X[t] with \(t \ne t_1\) are independent (resp. Z and X[t] with \(t \ne t_2\) are independent). The conditional probability \(\mathrm {Pr}[Z= z\vert \mathbf X = \mathbf x ]\) satisfies:

(10)

Adding de-synchronization should force \(\mathcal {I}_{Z}\) to be non-constant between each trace.

Likewise, Assumption 2 is realistic because it is a direct corollary of a Gaussian leakage model for the traces [7, 9]. Such an hypothesis is common for Side Channel Analysis [7]. It implies that \(\mathbf x \mapsto \mathrm {Pr}[\mathbf X = \mathbf x | Z= z]\) is differentiable and:

$$\begin{aligned} \nabla _\mathbf{x } \mathrm {Pr}[\mathbf X = \mathbf x | Z= z]= & {} \varSigma _{z}^{-1} (\mathbf x - \mu _{z}) \mathrm {Pr}[\mathbf X = \mathbf x | Z= z] \end{aligned}$$

(11)

where \(\mu _{z}\) and \(\varSigma _{z}^{-1}\) respectively denote the mean vector and the covariance matrix of the normal probability distribution related to the target sensitive value hypothesis \(z\). Then, from Bayes’ theorem, (11) and the basic rules for derivatives computation, it gives an analytic expression of \(\nabla _\mathbf{x }F^*(\mathbf x )\), thereby proving that \(F^*\) is differentiable with respect to the input trace.

C Neural Networks

Neural Networks (NN) are nowadays the privileged tool to address the classification problem in Machine Learning [19]. They aim at constructing a function \(F:\mathcal {X}\rightarrow \mathcal {P}(\mathcal {Z})\) that takes data \(\mathbf x \) and outputs vectors \(\mathbf y \) of scores. The classification of \(\mathbf x \) is done afterwards by choosing the label , but the output can be also directly used for soft decision contexts, which corresponds more to Side Channel Analysis as the NN outputs on attack traces will be used to compute the score vector in (8). In general \(F\) is obtained by combining several simpler functions, called layers. An NN has an input layer (the identity over the input datum \(\mathbf x \), an output layer (the last function, whose output is the scores vector \(\mathbf y \) and all other layers are called hidden layers. The nature (the number and the dimension) of the layers is called the architecture of the NN. All the parameters that define an architecture, together with some other parameters that govern the training phase, have to be carefully set by the attacker, and are called hyper-parameters. The so-called neurons, that give the name to the NNs, are the computational units of the network and essentially process a scalar product between the coordinate of its input and a vector of trainable weights (or simply weights) that have to be trained. We denote \(\theta \) the vector containing all the trainable weights. Therefore, for a fixed architecture, an NN is completely parameterized by \(\theta \). Convolutional Neural Networks (CNN) implement other operations, but can be rewritten as regular NN with specific constraints on the weights [18]. Each layer processes some neurons and the outputs of the neuron evaluations will form new input vectors for the subsequent layer.

The ability of a Neural Network to approximate well a target probabilistic function \(F^*\) by minimizing a loss function on sampled training data with Stochastic Gradient Descent is still an open question. This is what we call the mystery of Deep Learning. It theoretically requires a huge quantity of training data so that the solution obtained by loss minimization generalizes well, though it empirically works with much less data. Likewise, finding the minimum with Stochastic Gradient Descent is theoretically not proved, but has been empirically shown to be a good heuristic. For more information, see [14]. Indeed, though it raises several theoretical issues, it has been empirically shown to be efficient, especially in SCA with CNN based attacks [5, 30].

Fig. 8.

Jacobian matrix for the best models in application contexts (Exp. 1) (top) and (Exp. 2) (bottom).

Fig. 9.

The SNR in the case where de-synchronization is considered.

D Experimental Results

1.1 D.1 The Jacobian Matrix

In this appendix, we present the Jacobian matrix visualization, equivalent to the GV. It shows, in addition, that some target values seem more sensitive, especially those whose Hamming weight is shared by only few other values (so it gives clues about how the traces leak sensitive information). Figure 8 (top) shows such a matrix in application context (Exp. 1) as described in Sect. 6, while Fig. 8 (bottom) shows the Jacobian matrix corresponding to the application context (Exp. 2). Fig. 9 shows the SNR computed on de-synchronized traces.