It's Not Just a Phase: On Investigating Phase Transitions in Deep Learning-based Side-channel Analysis

Thank you for the review. We are glad the motivations and phenomena we describe are clear.

W1: As mentioned in the paper, the (potential) reasons for learning occurring in discrete phase transitions are initially discussed in [1], offering preliminary insights into the phenomenon. More elaborate theoretical discussions on phase transitions can be found in the literature on Singular Learning Theory [2,3], which we consider out of scope for this work. However, we will add references relevant to these theoretical aspects to address the reviewer's concern.

Other Suggestions: 1: We believe that our current structure already incorporates this principle. The introduction and the subsequent sections on SCA and MI are designed to provide a broad, general overview of the necessary background and concepts. These sections establish the foundation for understanding our approach, which is introduced and detailed in Section 4. We can highlight this further in our paper if it is not immediately apparent.

2: Our work has a section discussing the results and their implications in the SCA domain. We are not quite sure what you mean by `impact of the main layers', but if this concern is similar to the concerns raised by reviewer 6ugN (see weaknesses 2 and 4), please see the corresponding response. The dataset details and training process are provided in Appendices A and B.

[1]: Michaud, E. J., Liu, Z., Girit, U., and Tegmark, M. The quantization model of neural scaling. NeurIPS 2023

[2]: Watanabe, Sumio. Algebraic geometry and statistical learning theory. Vol. 25. Cambridge university press, 2009.

[3]: Wei, Susan, et al. "Deep learning is singular, and that’s good." IEEE Transactions on Neural Networks and Learning Systems 34.12 (2022): 10473-10486.

Thank you for the positive review. We are glad you found the analyses both deep and accessible.

W1: While this might be true, we hope this initial work will simplify future analyses by enumerating some (potentially) common structures. Additionally, automating some of these analyses could be possible in future work to streamline the use of interpretability analysis. We can expand the discussion on this in Section 7.

W2: While we only focus on MLPs in this work, the results on CNNs in [1] imply that these methods would translate there. Additionally, we see that MLPs from [2] and transformers from [3] learn the same algorithms for the same tasks, indicating consistency across architectures. We will add some more discussion on this to the camera-ready version.

W3: The computational load for applying the methods in the paper is very low. The main computational load in this work is training the initial model, which was already done before applying our MI analysis and is the core part of conducting DLSCA. Since models in SCA are typically small compared to those from NLP or CV domains, training models for the considered targets generally takes under an hour on an RTX 4080 GPU.

Alternative analytical techniques are either unsuitable or incomparable in this context. Many MI methods utilize input interventions that are impossible for the DLSCA analysis (as discussed in the paper), and the input visualization techniques previously used in SCA do not target model internals. Lastly, [1] requires access to masks, which makes it not directly comparable.

W4: Indeed, analyzing more difficult targets will be more challenging. However, we want to emphasize that our dataset selection already includes a range of complexity, with ESHARD being significantly noisier than CHES_CTF. However, we recognize this as a critical area for future investigation.

Our analysis objective here is to understand what the model has learned rather than what it should have learned. The introduction of biases during training is indeed a concern. If a model fails to capture certain leakage during training, our analysis will not reveal them. However, classical SCA approaches often rely on significant assumptions about the targets, introducing their own biases, while (black-box) DLSCA potentially mitigates having to make these assumptions. We will expand the discussion in Section 7.

[1]: Perin, G., Karayalcin, S., Wu, L., and Picek, S. I know what your layers did: Layer-wise explainability of deep learning side-channel analysis. Cryptology ePrint Archive, Paper 2022/108

[2]: Chughtai, B., Chan, L., and Nanda, N. A toy model of universality: Reverse engineering how networks learn group operations. In Krause, A., Brunskill, E., Cho, K., Engelhardt, B., Sabato, S., and Scarlett, J. (eds.), International Conference on Machine Learning, ICML 2023

[3]: Nanda, N., Chan, L., Lieberum, T., Smith, J., and Steinhardt, J. Progress measures for grokking via mechanistic interpretability. In The Eleventh International Conference on Learning Representations, ICLR 2023

Thank you for the feedback. We are pleased you think DLSCA might be a valuable testbed for future MI research.

W1: Improving the security of devices requires a good understanding of the devices' vulnerabilities, and this work provides a concrete approach to understanding how and why a particular attack was successful. Additionally, this work offers several insights into the training dynamics in DLSCA, which can aid chip designers in utilizing countermeasures that aim to make these structures more challenging to learn. The recently introduced prime-field masking approach from [1] seems a viable approach. We will add some more discussion on this.

W2: The SNR plots with reverse-engineered masks tie the extracted masks back to specific input points. Furthermore, the learned structures within the model provide insights into how the input values leak (HW for ESHARD/CHES and 2 LSBs for ASCADr). Therefore, we want to emphasize that our analysis does connect learned features to specific input characteristics that cause leakage, but we will highlight these points more in the paper.

W3: The reviewer makes a valid point regarding the potential limitations of relying on PCA. However, we argue that the characteristics of the DLSCA models mitigate this limitation. As discussed in Section 4 (Activation Analysis) and supported by experimental findings using information bottlenecks in [2], DLSCA models typically learn a relatively small number of features. This reduces the likelihood and impact of significant feature superposition. On the other hand, alternative techniques could be useful and offer potential improvements if there is significant feature superposition, such as sparse autoencoders [3].

[1]: Cassiers, G., Masure, L., Momin, C., Moos, T., & Standaert, F.-X. (2023). Prime-Field Masking in Hardware and its Soundness against Low-Noise SCA Attacks. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2023(2), 482-518. https://doi.org/10.46586/tches.v2023.i2.482-518

[2]: Perin, G., Karayalcin, S., Wu, L., and Picek, S. I know what your layers did: Layer-wise explainability of deep learning side-channel analysis. Cryptology ePrint Archive, Paper 2022/108

[3]: Bricken, et al., "Towards Monosemanticity: Decomposing Language Models With Dictionary Learning", Transformer Circuits Thread, 2023.

Thank you for the feedback. We are glad to hear the core concepts were understandable, even without extensive prior knowledge of MI or DLSCA.

Q1: The principles of MI can indeed be extended to other security-related tasks, but the specific analysis techniques and challenges can vary significantly across domains. Our focus on DLSCA was motivated by the unique challenges it presents for MI, as it involves noisy and complex data, and we cannot perform well-defined input interventions. Moreover, we observe that the number of phase transitions in DLSCA models is small, allowing us to perform a detailed, individual examination of each transition, as the number of features relevant for classification is relatively small (see W3 for reviewer kqw9). Thus, the specific techniques and the scale of the MI analysis must be adapted to the unique characteristics of the task and will (presumably) require significant expertise in those tasks. This work on DLSCA (and other related work) provides a valuable foundation for exploring these adaptations in future research.

We also note that for security-related tasks, network performance alone is often not sufficient for wide adoption. In tasks like malware detection [1] or fraud detection [2], using classification algorithms (without specific explanations) in production might not be allowed for legal reasons. Similarly, for NNs that attack cryptography (either using DLSCA or more ML-based differential cryptanalysis [3]), a pass/fail condition is only of limited use without explanations. We will add some more discussion on the broader uses of MI in security-related applications.

Q2: Utilized datasets consist of power (CHES_CTF) and electromagnetic emission (ESHARD and ASCAD) measurements from cryptographic executions on embedded devices (e.g., 15,000 points of power use across the first round of AES for CHES_CTF). This information is already stated in Appendix A, but we will mention it in the main text to clarify further.

[1]: Saqib, Mohd, et al. "A Comprehensive Analysis of Explainable AI for Malware Hunting." ACM Computing Surveys 56.12 (2024): 1-40.

[2]: Parkar, Erum, et al. "Comparative study of deep learning explainability and causal ai for fraud detection." International Journal on Smart Sensing and Intelligent Systems 1 (2024).

[3]: Gohr, Aron. "Improving attacks on round-reduced speck32/64 using deep learning." Advances in Cryptology–CRYPTO 2019: 39th Annual International Cryptology