Deep Learning Side Channel Attacks and Randomness Beacons

Deep Learning Side-Channel Attacks on Smart Cards

  • Overview of Smart Cards and Scopes

    • Smart cards are ubiquitous in modern life, including bank cards, SIM cards, bus cards, and building access cards.

    • These cards utilize Secure Element (SE) chips to protect sensitive user data.

    • While cryptographic algorithms used in these chips are mathematically strong, the physical hardware presents a vulnerability.

  • Side-Channel Attacks (SCA)

    • Definition: Exploiting information leaked by physical hardware during data processing rather than attempting to break the cryptographic algorithm itself.

    • Leakage Types: Information is leaked through power usage or electromagnetic (EM) emissions.

    • Mechanism: Attackers "listen" to the hardware signals to steal secret keys, such as PINs, passwords, and encryption keys.

  • The Role of Deep Learning (DL) in SCA

    • Transformation: Deep learning has changed the nature of these attacks by bypassing traditional countermeasures and automating the entire process.

    • Attack Types:

      • Profiled Attack: The attacker trains a deep learning model on a cloned device first to learn leakage patterns. They then apply these learned patterns to the target device to extract secret keys.

      • Non-profiled Attack: The attacker observes the target device directly and uses statistical methods to gain secret keys without a prior training phase.

    • Technological Advantages:

      • Data Cleaning: DL models automate data cleaning.

      • Pattern Capture: Traditional methods look for specific points where power consumption correlates with a key; DL models capture the full leakage pattern across the entire trace.

      • Convolutional Neural Networks (CNN): These models slide a filter across the trace to identify patterns regardless of where they appear in time.

      • Black Box Treatment: DL can treat the hardware as a black box and still decode the key.

  • Research Gaps and Problem Statement

    • Modern SE chips are underevaluated regarding their resistance to deep learning side-channel attacks.

    • Identified Gaps:

      1. Modern chips are under-studied.

      2. Resistance to deep learning SCA is largely unknown.

      3. There are no standard metrics to verify or compare the security claims of different chips.

  • Traditional Countermeasures vs. Deep Learning Attacks

    • Current Defense Mechanisms:

      • Masking: Splitting data into fragments to hide the secret.

      • Synchronization/Desynchronization: Shifting operations to random places so leakage does not appear in the same place twice.

      • Secure Logic: Keeping power consumption constant regardless of the data being processed.

      • Noise Injection: Flooding signals with fake noise to obscure the real signal.

      • TFAD Technology: Draws so little power that traditional methods cannot distinguish the correct key from a wrong one.

    • Vulnerabilities to DL:

      • Masking: DL models learn higher-order patterns to break the split fragments.

      • Desynchronization: CNNs find leakage regardless of position.

      • Logic: DL detects patterns that remain consistent across time, bypassing secure logic.

      • Noise: A U-Net can clean out fake noise and reconstruct the real signal.

      • TFAD: Even this is not immune; DL models pick up subtle distributed patterns from the correct key that traditional methods overlook.

  • Proposed Solution: A Three-Layer Framework

    • Layer 1: Fixed Environment Setup: Defines every setting that could change the result to ensure reproducibility. This includes trace length, preprocessing, and training settings.

    • Layer 2: Evaluation Metrics: Tests each countermeasure against standardized metrics and issues a pass/fail verdict. It currently supports AES, with post-quantum cryptography (PQC) planned for the future.

    • Layer 3: Verification Layer: Asks whether the results are trustworthy through multi-device testing, multimodal validation, and repeated runs to report variance.

  • Methodology: Isolated vs. Combined Testing

    • Isolated Testing: Checks each countermeasure alone to provide a diagnostic overview and see how much resistance each adds (measured by the NGE index).

    • Combined Testing: Layers all countermeasures together, matching how real chips function. This is the only level that can grant a "secure" verdict.
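An added example, not from the presentation or the framework it describes: a fixed-environment evaluation that computes guessing entropy, success rate and the number of traces needed for guessing entropy to collapse (read here as the NGE index) from simulated per-trace model outputs, and issues the pass/fail verdict of Layer 2. The model outputs, the key byte, the leakage level and the seed are constructed; a real run would feed the trained model's outputs on target traces instead.

```python
import math
import random

KEY_SPACE = 256      # hypotheses for one AES key byte (the page's Layer 2 targets AES)
CORRECT_KEY = 0x3C   # constructed ground-truth key byte (hypothetical value)

def simulated_model_outputs(rng, n_traces, leak):
    """Constructed stand-in for a trained model's per-trace softmax output over the
    256 key hypotheses; the correct key gets a noisy advantage of size `leak`
    (leak=0 models a countermeasure that removes all exploitable leakage)."""
    outputs = []
    for _ in range(n_traces):
        logits = [rng.gauss(0.0, 1.0) for _ in range(KEY_SPACE)]
        logits[CORRECT_KEY] += leak
        top = max(logits)
        exps = [math.exp(x - top) for x in logits]
        total = sum(exps)
        outputs.append([e / total for e in exps])
    return outputs

def key_rank(outputs, n):
    """Rank (0 = best) of the correct key after summing log-probabilities over n traces."""
    score = [0.0] * KEY_SPACE
    for probs in outputs[:n]:
        for k, p in enumerate(probs):
            score[k] += math.log(p)
    return sum(1 for k in range(KEY_SPACE) if score[k] > score[CORRECT_KEY])

def guessing_entropy(attack_sets, n):
    """Mean rank of the correct key over independent attack sets of n traces each."""
    return sum(key_rank(s, n) for s in attack_sets) / len(attack_sets)

def success_rate(attack_sets, n):
    """Share of attack sets that rank the correct key first with n traces."""
    return sum(1 for s in attack_sets if key_rank(s, n) == 0) / len(attack_sets)

def n_ge(attack_sets, step=20, threshold=0.5):
    """Smallest trace count at which guessing entropy drops below threshold (None = never within budget)."""
    for n in range(step, min(len(s) for s in attack_sets) + 1, step):
        if guessing_entropy(attack_sets, n) < threshold:
            return n
    return None

def evaluate(leak, n_sets=10, n_traces=200, seed=1):
    """Fixed environment (seed, trace and set counts) plus a pass/fail verdict: pass only if the key is never recovered within the budget."""
    rng = random.Random(seed)
    sets = [simulated_model_outputs(rng, n_traces, leak) for _ in range(n_sets)]
    traces_needed = n_ge(sets)
    return {"n_ge": traces_needed, "success_rate": success_rate(sets, n_traces),
            "verdict": "pass" if traces_needed is None else "fail"}
```

Running `evaluate(0.5)` (clear leakage) yields a failing verdict with a finite NGE, while `evaluate(0.0)` (ideal constant-power behaviour) passes because guessing entropy stays near the random baseline; repeating with different seeds gives the variance the Verification Layer asks for.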

Trusting Public Randomness: Randomness Beacons

  • The Need for Public Randomness

    • Distributed systems and various consensus mechanisms assume access to public randomness.

    • Idealized Properties:

      1. Reliability: No adversary should be able to prevent the protocol from publishing randomness.

      2. Verifiability: Anyone can easily verify the randomness, and everyone sees the same value.

      3. Unpredictability: No one can compute the randomness before it is published.

      4. Unbiasability: No adversary can introduce bias into the randomness.

  • Centralized Randomness Beacons

    • Similar to certificate authorities in internet security.

    • Examples:

      • NIST Randomness Beacon: Uses a quantum mechanical source.

      • Random.org: Uses a chaotic system (atmospheric noise).

    • Drawback: They satisfy unpredictability but violate verifiability. Users cannot prove the third party is managing the beacon correctly. Centralization also undermines the philosophy of decentralized systems.

  • Decentralized Randomness Beacon Protocols

    • Uses a set of nodes contributing to a protocol (Σ) that outputs randomness regularly.

    • The Last Reveal Attack: Nodes make a cryptographic commitment of their entropy. During the reveal phase, an adversary reveals last. If they do not like the computed output, they choose not to publish their revealed commitment.

    • Potential Resolutions:

      • Protocol Failure: If the protocol requires every node to reveal, a single missing reveal aborts the round. This makes it trivial for an adversary to block the protocol.

      • Continue with Partial Entropy: If the protocol continues despite missing reveals, it becomes trivial for the adversary to bias the output.
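As an added illustration (not part of the presentation), the simulation below runs a commit-reveal beacon with one adversary who reveals last, under both resolutions just described plus an honest baseline. The hash-based commitment, node count, the adversary's preference for even outputs and the seed are constructed choices.

```python
import hashlib
import random

def commit(entropy: bytes) -> bytes:
    """Binding commitment to a node's entropy: it cannot be swapped for another value later."""
    return hashlib.sha256(entropy).digest()

def combine(reveals):
    """Beacon output: hash of all revealed contributions in fixed node order."""
    return hashlib.sha256(b"".join(reveals)).digest()

def favours_adversary(output: bytes) -> bool:
    """Constructed stake: the adversary wants an even output (say, to win a 50/50 draw)."""
    return output[-1] % 2 == 0

def run_round(rng, n_honest, policy):
    """One round with n_honest nodes and one adversary who reveals last.
    policy: 'honest' (adversary always reveals), 'fail' (a missing reveal aborts
    the round) or 'continue' (the output is built from the reveals present).
    Returns (output or None if aborted, adversary_withheld)."""
    honest = [rng.getrandbits(256).to_bytes(32, "big") for _ in range(n_honest)]
    evil = rng.getrandbits(256).to_bytes(32, "big")
    commitments = [commit(e) for e in honest] + [commit(evil)]
    # Honest nodes reveal first; each reveal is checked against its commitment.
    reveals = honest
    for c, r in zip(commitments, reveals):
        assert commit(r) == c, "reveal does not match commitment"
    # The adversary now knows every honest input, so it can evaluate both futures:
    # publish its committed value, or withhold it. The commitment is binding, so
    # those are its only two options.
    with_evil = combine(reveals + [evil])
    if policy == "honest" or favours_adversary(with_evil):
        return with_evil, False
    if policy == "fail":
        return None, True                # round aborts: liveness lost
    return combine(reveals), True        # partial output stands: output biased

def simulate(policy, rounds=2000, n_honest=4, seed=7):
    """Share of published outputs that favour the adversary, and share of aborted rounds."""
    rng = random.Random(seed)
    favourable = aborted = 0
    for _ in range(rounds):
        out, _withheld = run_round(rng, n_honest, policy)
        if out is None:
            aborted += 1
        elif favours_adversary(out):
            favourable += 1
    published = rounds - aborted
    return {"favourable_share": favourable / published if published else None,
            "aborted_share": aborted / rounds}
```

With the honest baseline the adversary's preferred outcome appears in about half the rounds; under 'continue' it rises to about three quarters (the adversary picks the better of two candidate outputs), and under 'fail' every published output favours the adversary while roughly half the rounds never complete.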

  • Specific Decentralized Implementations

    • RANDAO (Ethereum):

      • Used in Ethereum’s proof-of-stake for selecting validators.

      • Economic punishment model: Nodes must pledge capital (e.g., 32 ETH, valued at approximately "110 New Zealand dollars" in the presentation context).

      • Nodes that fail to reveal entropy lose their capital. This turns the cryptographic problem into a game theory problem.

    • DRAND (League of Entropy):

      • Uses threshold cryptography.

      • Setup Phase: Distributed Key Generation (DKG) gives nodes private key shares of a collective private key. No individual node knows the full key.

      • Beacon Phase: Nodes create partial BLS signatures. Once a threshold (T) of partial signatures is collected, the full signature can be recovered. The random value is a hash of this full BLS signature.

      • Security: The beacon behaves like a pseudo-random generator. If a threshold of nodes is corrupted, the output becomes predictable to the attackers, though they still cannot bias it.

    • Verifiable Delay Function (VDF) Beacons:

      • Proposed under Unicorn by Arjen Lenstra and Benjamin Wesolowski in 2015.

      • Designed to handle cases where only one honest node remains.

      • Benefit: Proves that a certain amount of sequential time was spent computing the function. This prevents an adversary from computing the output before the beacon publishes it.

Questions & Discussion

  • Q: What is the deep learning model architecture?

    • A: There are hundreds of thousands of possible models; the researcher focused on specific metrics like trace growth and success rate derived from literature.

  • Q: How do you evaluate the model?

    • A: Side-channel information is fed into the deep learning model, and the output is compared against the "ground truth" to evaluate performance based on success rate and guessing entropy.

  • Q: How many honest nodes are required to preserve randomness in decentralized systems?

    • A: It depends on the protocol. In DRAND, it requires a threshold. The League of Entropy, for example, used 20 nodes with a threshold of 10. If 11 nodes are corrupted, the output becomes predictable.

  • Q: Is there a scientific way to decide the threshold?

    • A: The threshold choice is a trade-off. Too low, and it is easy to corrupt; too high, and the protocol fails if a few nodes go offline. It is designed to account for node availability as much as security.