deep learning to evaluate secure rsa implementations
play

Deep Learning to Evaluate Secure RSA Implementations Mathieu - PowerPoint PPT Presentation

Jan 18, 2024 •371 likes •677 views

Deep Learning to Evaluate Secure RSA Implementations Mathieu Carbone, Vincent Conin, Marie-Angela Cornlie, Franois Dassance, Guillaume Dufresne, Ccile Dumas, Emmanuel Prouff and Alexandre Venelli CEA LETI, France Thales ITSEF, France

  1. Deep Learning to Evaluate Secure RSA Implementations Mathieu Carbone, Vincent Conin, Marie-Angela Cornélie, François Dassance, Guillaume Dufresne, Cécile Dumas, Emmanuel Prouff and Alexandre Venelli CEA LETI, France Thales ITSEF, France SERMA Safety and Security, France ANSSI, France CHES 2019

  2. Context Context ANSSI asked french ITSEFs to evaluate several secure RSA implementations against various attacks based on Machine Learning • software developed by CryptoExperts • hardware implements Montgomery Arithmetic • evaluations should include horizontal attacks and machine learning techniques • only the Deep Learning aspects are discussed here Deep Learning against Secure RSA Implementation 1/18

  3. Target Description RSA in Secure Elements dddddddddd Deep Learning against Secure RSA Implementation 1/18

  4. Target Description Hardware Specifications Deep Learning against Secure RSA Implementation 1/18

  5. Target Description Software Specifications RSA_SFM (u32* output , u32* input , u32* modulus , u32* exponent , u32* euler_totient , int len ) • output is the memory address where the output is written on len words, • input is the memory address where the input is stored on len words, • modulus is the memory address where the modulus is stored on len words, • exponent is the memory address where the modulus is stored on len words, • Euler totien t is the memory address where the Euler totient of the modulus is stored on len words, • len is the word-length of the RSA modulus. Deep Learning against Secure RSA Implementation 2/2

  6. Target Description Memory Organization COPRO Memory Segment 1 × Segment 2 Segment 3 × Segment 4 Deep Learning against Secure RSA Implementation 2/2

  7. Target Description SQUARE & MULTIPLY ALWAYS seg_1 = 1; // input seg_2 = 2; // accumulator seg_3 = 3; // dummy register //--- Exponentiation loop ---// //--- Exponentiation loop ---// // MMM = Montgomery Modular Multiplier // MMM = Montgomery Modular Multiplier FOR i = len-1 TO i = 0 FOR i = len-1 TO i = 0 exp_bit = exponent [i] exp_bit = exponent [i] seg_4 = 9 - seg_2 - seg_dum seg_4 = 9 - seg_2 - seg_dum //--- Square accumulator ---// MMM ( seg_4, seg_2 , seg_2 ) MMM ( seg_free, seg_2 , seg_2 ) //--- Square accumulator ---// seg_2 = seg_4 MMM ( seg_4, seg_2 , seg_2 ) //--- Square accumulator ---// seg_2 = seg_4 seg_2 = seg_4 seg_4 = 9 - seg_2 - seg_3 //--- Multiply accumulator and Input ---// seg_4 = 9 - seg_2 - seg_3 //--- Multiply accumulator and input ---// seg_4 = 9 - seg_2 - seg_3 //--- Multiply accumulator and input ---// MMM ( seg_4 , seg_2 , seg_1)) MMM ( seg_4 , seg_2 , seg_1)) MMM ( seg_4 , seg_2 , seg_1)) seg_2 = exp_bit * seg_4 + (1-exp_bit) * seg_2 //--- Assign Result wrt current exp bit ---// seg_2 = exp_bit * seg_4 + (1-exp_bit) * seg_2 //--- Assign result wrt current bit ---// seg_2 = exp_bit * seg_4 + (1-exp_bit) * seg_2 //--- Assign result wrt current bit ---// seg_3 = exp_bit* seg_3 + (1-exp_bit) * seg_4 //--- Assign result wrt current bit ---// seg_3 = exp_bit* seg_3 + (1-exp_bit) * seg_4 seg_3 = exp_bit* seg_3 + (1-exp_bit) * seg_4 //--- Assign result wrt current bit ---// ENDFOR ENDFOR Deep Learning against Secure RSA Implementation 4/18

  8. Attack Paths Operations Sequence bit 1 0 1 1 0 1 0 op Square mult Square mult Square mult Square mult Square mult Square mult Square op A seg 2 4 2 4 4 3 4 3 4 3 3 2 3 m 10 m 11 m 22 m 22 m 44 m 45 m 2 m 2 m 4 m 5 val 1 1 m op B seg 2 1 2 1 4 1 4 1 4 1 3 1 3 m 2 m 5 m 11 m 22 m 45 val 1 m m m m m m m res seg 4 2 4 2 3 4 3 4 3 4 2 3 2 m 10 m 11 m 22 m 23 m 44 m 45 m 90 m 2 m 3 m 4 m 5 val 1 m Deep Learning against Secure RSA Implementation 5/18

  9. Attack Paths Operations Sequence bit 1 0 1 1 0 1 0 op Square mult Square mult Square mult Square mult Square mult Square mult Square op A seg 2 4 2 4 4 3 4 3 4 3 3 2 3 m 10 m 11 m 22 m 22 m 44 m 45 m 2 m 2 m 4 m 5 val 1 1 m op B seg 2 1 2 1 4 1 4 1 4 1 3 1 3 m 2 m 5 m 11 m 22 m 45 val 1 m m m m m m m res seg 4 2 4 2 3 4 3 4 3 4 2 3 2 m 10 m 11 m 22 m 23 m 44 m 45 m 90 m 2 m 3 m 4 m 5 val 1 m Deep Learning against Secure RSA Implementation 7/18

  10. Attack Paths Operands Sequence bit 1 0 1 1 0 1 0 op Square mult Square mult Square mult Square mult Square mult Square mult Square op A seg 2 4 2 4 4 3 4 3 4 3 3 2 3 m 10 m 11 m 22 m 22 m 44 m 45 m 2 m 2 m 4 m 5 val 1 1 m op B seg 2 1 2 1 4 1 4 1 4 1 3 1 3 m 2 m 5 m 11 m 22 m 45 val 1 m m m m m m m res seg 4 2 4 2 3 4 3 4 3 4 2 3 2 m 10 m 11 m 22 m 23 m 44 m 45 m 90 m 2 m 3 m 4 m 5 val 1 m Deep Learning against Secure RSA Implementation 7/18

  11. Campaigns Power Consumption Measurements Exponent of size n = 1088 = 1024 + 64. Measured at 50 MS/s using a Lecroy WaveRunner 625Zi oscilloscope. 25 , 000 , 000 time samples per trace Succession of Square and Mult with MMM Single MMM Deep Learning against Secure RSA Implementation 7/18

  12. Campaigns Electromagnetic Measurements (EM) Signal acquired at 2 . 5 GS/s sampling rate over 200 μs Each trace is composed of 5 , 000 , 000 time samples which correspond to the 7 MSB of the masked exponent Lecroy WaveRunner 625Zi oscilloscope and Langer ICR EM probe Succession of Squares and Mults Square followed by Mult Deep Learning against Secure RSA Implementation 7/18

  13. Leakage Assessment Leakage Assessment Phase (EM) Goal: detect time samples that statistically depend on register index EM Campaign - SNR for seg_4 versus the squaring initialization (bottom) and the original EM trace (top) Deep Learning against Secure RSA Implementation 7/18

  14. Leakage Assessment Leakage Assessment Phase (EM) Goal: detect time samples that statistically depend on operand bits Monobit SNRs (on 50, 000 traces) for the first operand of the MMM. Deep Learning against Secure RSA Implementation 7/18

  15. Deep Learning Deep Neural Networks (Perceptron) Goal: from observations associated to labels, build an algorithm/model which correctly associates a label to a new observation Fundamental Example : the Perceptron Deep Learning against Secure RSA Implementation 7/18

  16. Deep Learning Deep Neural Networks (MLP) Goal: extend to non-linear classification problems Use the same non-linear activation function to Combine several perceptrons in layers add non-linearity btw consecutive layers Deep Learning against Secure RSA Implementation 7/18

  17. Deep Learning Deep Neural Networks (CNN) Goal: extend to non-linear classification, while being robust to some geometrical changes Deep Learning against Secure RSA Implementation 7/18

  18. Results Deep Neural Networks vs RSA An input will be a leakage during a square (or a mult) MMM operation The associated label will be: • the value of seg_4 index • or a tuple composed of some bits of the Operand A Goal : train an algorithm to correctly associate a new MMM trace to the corresponding seg_4 (or Operand A ) label Deep Learning against Secure RSA Implementation 7/18

  19. Results Register Index Recovery Template Attack (EM Case) Deep Learning against Secure RSA Implementation 10/18

  20. Supervised Attacks Register Index Recovery MLP (EM Case) Deep Learning against Secure RSA Implementation 11/18

  21. Supervised Attacks Register Index Recovery CNN (EM Case) Deep Learning against Secure RSA Implementation 12/18

  22. Supervised Attacks Register Index Recovery Power Consumption Case [SW14]: W. Schindler et al. - Power attacks in the presence of exponent blinding (2014) Deep Learning against Secure RSA Implementation 13/18

  23. Supervised Attacks Profiling the Operand Collisions Targeted Sensitive Data: operand A in mult then square If collision, then exponent bit is 0 → recover information on the operand A values → decide whether they are equal or not Initial Step: get leakages on the twelve bit of each 32-bits word of A • Since |A| = 1088 for the tests, 34 bits are targeted by operation. Deep Learning against Secure RSA Implementation 18/18

  24. Supervised Attacks Profiling the Operand Collisions • 34 attacks/matchings for each operand A • 10,000 traces for profiling and 1,400 traces for matching Template Attacks → success rate for each bit: 93% CNN → success rate for each bit: 97% Deep Learning against Secure RSA Implementation 18/18

  25. Conclusion and Discussion Conclusions • Deep learning may be very efficient against secure RSA implementations • Selection of POI is less important than in TA attacks • Deep Learning techniques currently used are very basic and attacks can be greatly improved • Reported tests are for a Toy Implementation (RSA evaluated in CC should be much more resistant) Deep Learning against Secure RSA Implementation 18/18

  26. Supervised Attacks Register Index Recovery Best MLP Model Deep Learning against Secure RSA Implementation 14/18

  27. Supervised Attacks Register Index Recovery Best CNN Model Deep Learning against Secure RSA Implementation 14/18

  28. Supervised Attacks Partial Operand A Recovery Best MLP Model Deep Learning against Secure RSA Implementation 14/18

  29. Supervised Attacks Partial Operand A Recovery Best CNN Model Deep Learning against Secure RSA Implementation 14/18

Recommend

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Evaluate Deep Q-Learning for Sequential Targeted Marketing with 10-fold Cross Validation

Evaluate Deep Q-Learning for Sequential Targeted Marketing with 10-fold Cross Validation

Agent Actions Evaluate Deep Q-Learning for Sequential Targeted Marketing with 10-fold Cross Validation Rewards Observations Jian Wu Full Stack Engineer Marketing Environment The idea of this talk was developed at Samsung SDSRA AI Lab

208 views • 19 slides
Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment

Secure and efficient deep learning everywhere Octomizer Outline Who we are (recap) Deployment pain The vision The Octomizer: TVM for everyone 2 Simple, secure, and efficient Drive TVM adoption Expand the set of users who can deployment of

370 views • 14 slides
Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms

Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms

Deep 3D Representation Learning for Visual Computing Hao Su July 6, 2017 Outline Overview of 3D deep learning 3D deep learning algorithms Conclusion 2 Outline Overview of 3D deep learning Background 3D deep learning tasks 3D deep

1.66k views • 122 slides
ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP

ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP

ACCELERATE DEEP LEARNING WITH NVIDIA'S DEEP LEARNING PLATFORM | STEPHEN JONES | GTC16 DEEP LEARNING EVERYWHERE INTERNET & CLOUD MEDICINE & BIOLOGY MEDIA & ENTERTAINMENT SECURITY & DEFENSE AUTONOMOUS MACHINES Image

307 views • 26 slides
Bricks and Tools for Secure Hardware Implementations Francesco Regazzoni Francesco Regazzoni 06

Bricks and Tools for Secure Hardware Implementations Francesco Regazzoni Francesco Regazzoni 06

Bricks and Tools for Secure Hardware Implementations Francesco Regazzoni Francesco Regazzoni 06 June 2014, ibenik, Croatia P. 1 Why Electronic Design Automation? Surely the purpose of science is to ease human hardship Galileo,

846 views • 82 slides
Deep Learning on GPUs March 2016 What is Deep Learning? GPUs and DL AGENDA DL in practice

Deep Learning on GPUs March 2016 What is Deep Learning? GPUs and DL AGENDA DL in practice

Deep Learning on GPUs March 2016 What is Deep Learning? GPUs and DL AGENDA DL in practice Scaling up DL 2 What is Deep Learning? 3 DEEP LEARNING EVERYWHERE INTERNET & CLOUD MEDICINE & BIOLOGY SECURITY & DEFENSE MEDIA &

1.45k views • 39 slides
Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning

Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning

Reproducibility and Replicability in Deep Reinforcement Learning (and Other Deep Learning Methods) Peter Henderson Statistical Society of Canada Annual Meeting 2018 Contributors Riashat Islam Phil Bachman Doina Precup David Meger Joelle

850 views • 37 slides
Image Classification with DIGITS NVIDIA Deep Learning Institute 1 DEEP LEARNING INSTITUTE DLI

Image Classification with DIGITS NVIDIA Deep Learning Institute 1 DEEP LEARNING INSTITUTE DLI

Image Classification with DIGITS NVIDIA Deep Learning Institute 1 DEEP LEARNING INSTITUTE DLI Mission Helping people solve challenging problems using AI and deep learning. Developers, data scientists and engineers Self-driving cars,

1.44k views • 72 slides
Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and

Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and

Deep Neural Networks and Deep Reinforcement Learning Deep Neural Networks and Deep Reinforcement Learning Deep Learning, Goodfellow, Bengio and Courville [chapt. 6,7,8]; AIMA [sect. 21.1-21.3]; Sutton and Barto, Reinforcement Learning: an

527 views • 35 slides
Natural Language Processing with Deep Learning CS224N The Future of Deep Learning + NLP Kevin

Natural Language Processing with Deep Learning CS224N The Future of Deep Learning + NLP Kevin

Natural Language Processing with Deep Learning CS224N The Future of Deep Learning + NLP Kevin Clark Deep Learning for NLP 5 years ago No Seq2Seq No Attention No large-scale QA/reading comprehension datasets No TensorFlow or

1.41k views • 92 slides
An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning

An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning

An Overview of Deep Residual Learning Semih Yagcioglu 01.03.2016 Deep Residual Learning Microsoft Research Asia (MSRA) Kaiming He, Xiangyu Zhang, Shaoqing Ren, & Jian Sun. Deep Residual Learning for Image Recognition. arXiv

1.32k views • 54 slides
Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree

Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree

Deep Reinforcement Learning [Mastering the Game of Go with Deep Reinforcement Learning and Tree Search, Nature 2016] CS 486/686 University of Waterloo Lecture 21: July 12, 2017 Outline AlphaGo Supervised Learning of Policy Networks

540 views • 15 slides
Mocha.jl Deep Learning in Julia Chiyuan Zhang (@pluskid) CSAIL, MIT Deep Learning Learning

Mocha.jl Deep Learning in Julia Chiyuan Zhang (@pluskid) CSAIL, MIT Deep Learning Learning

Mocha.jl Deep Learning in Julia Chiyuan Zhang (@pluskid) CSAIL, MIT Deep Learning Learning with multi-layer (3~30) neural networks, on a huge training set. State-of-the-art on many AI tasks Computer Vision : Image Classification,

1.53k views • 23 slides
Minjie Wang Deep Learning Deep Learning trend in the past 10 years Caffe State-of-art DL

Minjie Wang Deep Learning Deep Learning trend in the past 10 years Caffe State-of-art DL

Tofu: Parallelizing Deep Learning Systems with Automatic Tiling Minjie Wang Deep Learning Deep Learning trend in the past 10 years Caffe State-of-art DL system is based on dataflow GPU#0 w1 w2 data g1 g2 Forward propagation

405 views • 38 slides
Deep Learning: Theory and Practice Deep Learning - Practical 02-04-2020 Considerations

Deep Learning: Theory and Practice Deep Learning - Practical 02-04-2020 Considerations

Deep Learning: Theory and Practice Deep Learning - Practical 02-04-2020 Considerations deeplearning.cce2020@gmail.com Deep Networks Intuition Neural networks with multiple hidden layers - Deep networks [Hinton, 2006] Deep Networks Intuition

1.33k views • 28 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Deep Learning: State of the Art (2020) Deep Learning Lecture Series https://deeplearning.mit.edu

Deep Learning: State of the Art (2020) Deep Learning Lecture Series https://deeplearning.mit.edu

Deep Learning: State of the Art (2020) Deep Learning Lecture Series https://deeplearning.mit.edu 2020 For the full list of references visit: http://bit.ly/deeplearn-sota-2020 Outline Deep Learning Growth, Celebrations, and Limitations

1.1k views • 87 slides
12. Unsupervised Deep Learning CS 535 Deep Learning, Winter 2018 Fuxin Li With materials from

12. Unsupervised Deep Learning CS 535 Deep Learning, Winter 2018 Fuxin Li With materials from

12. Unsupervised Deep Learning CS 535 Deep Learning, Winter 2018 Fuxin Li With materials from Wanli Ouyang, Zsolt Kira, Lawrence Neal, Raymond Yeh, Junting Lou and Teck-Yian Lim Unsupervised Learning in General Unsupervised learning is

1.48k views • 115 slides
Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning

Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning

Regularization for Deep Learning Lecture slides for Chapter 7 of Deep Learning www.deeplearningbook.org Ian Goodfellow 2016-09-27 Definition Regularization is any modification we make to a learning algorithm that is intended to reduce

179 views • 13 slides
Secure Implementations for Typed Session Abstractions Ricardo Corin, Pierre-Malo Denilou,

Secure Implementations for Typed Session Abstractions Ricardo Corin, Pierre-Malo Denilou,

Secure Implementations for Typed Session Abstractions Ricardo Corin, Pierre-Malo Denilou, Cdric Fournet, Karthik Bhargavan, James Leifer INRIA Microsoft Research Joint Centre http://www.msr-inria.inria.fr/projects/sec/sessions/

584 views • 21 slides
Introduction to Deep Learning Outline Deep Learning RNN CNN Attention

Introduction to Deep Learning Outline Deep Learning RNN CNN Attention

Introduction to Deep Learning Outline Deep Learning RNN CNN Attention Transformer Pytorch Introduction Basics Examples RNNs Some slides borrowed from Fei-Fei Li & Justin Johnson &

1.1k views • 55 slides
Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on

Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on

Something with implementations Peter Schwabe June 23, 2016 PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Part I: How to make software secure Something with implementations 2 Timing Attacks General idea of those attacks Secret

1.47k views • 65 slides
Deep learning for NLP: Introduction CS 6956: Deep Learning for NLP Words are a very fantastical

Deep learning for NLP: Introduction CS 6956: Deep Learning for NLP Words are a very fantastical

Deep learning for NLP: Introduction CS 6956: Deep Learning for NLP Words are a very fantastical banquet, just so many strange dishes And yet, we seem to do fine We can understand and generate language effortlessly. Almost 1 Wouldnt it be

1.62k views • 52 slides

More recommend