2025 Volume E108.A Issue 3 Pages 215-226
Side-channel attacks (SCAs) using deep learning techniques have been mainly reported as profiled attacks, but in TCHES 2019, differential deep learning analysis (DDLA) was proposed by Timon as a non-profiled attack. In this attack method, deep learning models for all candidate keys are trained, and the key corresponding to the most suitable learning metrics such as loss and accuracy is assumed to be the correct key. Timon focused on a single bit (least significant bit (LSB) or most significant bit (MSB)) of the intermediate value during the operation of the cryptographic circuit and successfully revealed the correct key against the software implementation of the advanced encryption standard (AES). However, when we applied this method to our hardware implementation, we could not reveal all partial keys due to the existence of registers whose Hamming distance (HD) leakage is difficult to observe. In this paper, we propose a multi-bit DDLA that focuses on all bits to solve this problem. When a DDLA was performed on the hardware implemented AES without SCA countermeasures, the HD-ID labels, which had been used as a conventional profiled type DL-SCA method focusing on 8 bits, cannot reveal the 0, 4, 8, and 12th byte keys, but the proposed multi-bit method succeeds in revealing all key bytes. On the other hand, compared to correlated power analysis (CPA) which is a typical non-profiled attack that does not use deep learning, the number of waveforms required to reveal all keys is 1.6 times higher, so the DDLA with our proposed method is not so useful to the target without SCA countermeasures. Thus, we also evaluated the proposed method against FPGA-implemented RSM-AES and WDDL-AES, which have some resistance to SCA, and successfully revealed all keys against RSM and WDDL with 100,000 and 50,000 waveforms, respectively. This is a significant improvement over conventional CPA, which reveals less than half of the key bytes despite using twice as many waveforms as the proposed method. These results suggest that multi-bit DDLA is effective on non-profiled attacks against hardware-implemented AES circuit with SCA countermeasures.
