Learning to localize leakage of cryptographic keys through power consumption

There are multiple weakness in this work.

1. Firstly, the technique requires tuning the hyperparameter \lambda which can be challenging and may not always yield optimal results without proper calibration.

2. Furthermore, the Points of Interest (PoIs) selected by the mask may not directly contribute to key recovery, requiring additional investigation. Specifically, it remains to be verified whether applying the mask effectively reduces the guessing entropy to zero when used in conjunction with a deep neural network. If not, the mask may provide misleading insights.

3. Furthermore, it is not the first time occlusion has been used in profiling side-channel analysis. Two very important works are not cited: [1] and [2]. Notably, the current work bears significant similarities to [1], making a comparative analysis essential to contextualize the contributions.

4. Additionally, the limited dataset selection raises concerns. Specifically, DPAv4 has known flaws in its masking schemes [3], rendering it a suboptimal choice. To enhance the robustness of the results, testing on ASCADv1 (random key setting) and other datasets like AES_HD or DPAv4.2 is recommended.

5. The paper would benefit from prominently featuring the C2.1 metric in the main text. Additionally, a clear definition of the C2.1 metric is necessary to facilitate understanding.

6. The abstract inaccurately suggests a defense methodology is proposed. Instead, the paper presents a model-agnostic explainability technique for deep neural networks. To avoid confusion, rephrase the abstract to reflect the correct focus on explainability.

Threat Model: What is the threat model assumed in this work? In hardware security research, particularly in side-channel attacks targeting AES key extraction, attackers are typically assumed to have strong capabilities, often operating in a white-box setup. This implies they can partition the victim’s software program and establish checkpoints for periodic power trace collection. Does this paper assume a similar setup?

Applicability Across Devices: Assuming a white-box setup, a natural follow-up question is: how transferable are the collected traces to other devices? In power side-channel attacks, traces collected from one specific device often cannot be directly applied to another due to inter-device variations, as discussed in prior work [1]. If an attacker has access to only one device, they must generally recollect traces for each new target device, unless they have complete device-specific knowledge (see Point 1 above). This raises an important question for the proposed defensive solution: is it universally effective across different device setups, or does it require extensive adaptation?

Hardware Platform Variability: AES is widely deployed across a range of hardware platforms, including MCU, FPGA, GPU, and CPU, each with unique programming and operational characteristics. Given the objective of securing the most vulnerable or leaky portions of code, it would be helpful to discuss whether the proposed solution can generalize across these varied hardware platforms. How feasible is it for this approach to offer a uniform level of security given these differences?

Comparison with Existing Baselines: This paper would benefit from a comparative analysis with existing baseline methods. Numerous techniques exist from hardware, algorithmic, and cryptographic perspectives to mitigate AES key leakage in side-channel attacks. A comparison would help establish the proposed method’s effectiveness and distinguish it from alternative solutions.

Reference: [1] Omar Choudary and Markus G. Kuhn. 2014. Template Attacks on Different Devices. Springer International Publishing, Cham, 179–198.

Acknowledging that this problem space is complex a few items would benefit with further explaination.

The proposed algorithm is stated as being highly sensitive to the choice of "lambda". How would "lambda" be chosen in practise with a given recorded AES power trace - grid search?. Does the power trace have to be normalized in some way as a precursor to establishing a value for "lambda".

In the first paragraph of section A.3, I would replace "imperfect manufacturing processes" with "PVT variations" a more standard term, familiar to digital designers (PVT==(Process, Voltage, Temperature).

The assumption that pre-charged busses lead to the claimed results is valid. However, pre-charged buses in the digital realization may apply to only a limited number of AES realizations and thus by implication a reduced scope of impact.

The experiments focus solely on defending against AES power leakage. However, it would be valuable to explore broader applications of this defense method, as AES already benefits from various existing techniques, such as MPC-based methods and S-box replacement. Demonstrating the potential of this defense for other encryption schemes or algorithmic leakages could further enhance the paper’s contribution. One AES demonstration cannot prove the authors' claim that “Our algorithm is generic enough to be applicable to other cryptographic standards as well.”

Power traces differ across hardware platforms, raising questions about the model’s transferability. A model trained on one device may not perform effectively on another due to variations in leakage characteristics. Does this imply that for each device, we would need to rebuild the model and collect a large number of traces to create a new dataset?

Additionally, the authors suggest that this method can help designers identify leakage points; however, what is more crucial is how to eliminate the leakage. On this point, the paper does not provide an effective solution.