Neural Networks as a Side-Channel Countermeasure: Challenges and Opportunities

摘要

Specialized acceleration hardware for artificial deep neural network inference is available from the cloud to the edge. FPGAs in particular are heavily advertised for the acceleration of neural network-based applications. Traditionally, those applications are classification or nonlinear regression tasks with the goal to approximate an unknown function. However, they can be trained to replicate a fully known deterministic function - a classical example being the boolean XOR - as well. On the other hand, side-channel attacks remain a concern from the cloud to the edge, where attackers are often able to extract secret information through direct or indirect measurements of observables like power, voltage, electromagnetic emanation or timing. In this work, we show how an FPGA-mapped neural network implementation of the AES S-Box can improve side-channel resistance against Correlation Power Analysis (CPA) attacks. Although the implementation of a hardware-optimized algorithm such as the AES as a neural network introduces significant overhead, the generality of the representation allows to mitigate leakage in a manner agnostic to the overlying cryptographic primitive. We demonstrate the benefits of a generic representation, by optimizing an initially vulnerable neural network implementation towards side-channel resilience, through careful choice of activation function and input representation. The implementation is evaluated both against an external attacker measuring power with an oscilloscope, as well as a remote, internal adversary, who is able to capture voltage traces through FPGA-internal sensors in multi-tenant FPGAs. Our results show, how external attacks on the optimized neural network are no longer possible with up to one million traces, whereas an internal attacker is still able to recover the secret key. The latter result also exposes that in some cases measurement through internal sensors can be even more beneficial for an attacker than physical access with measurement equipment.