Finding the Needle in the Haystack: Metrics for Best Trace Selection in Unsupervised Side-Channel Attacks on Blinded RSA

IEEE Transactions on Information Forensics and Security (2021)

Abstract
For asymmetric ciphers, such as RSA and ECC, side-channel attacks on the underlying exponentiation are mitigated by countermeasures like constant-time implementation and blinding. This restricts an attacker to a single side-channel trace for an attack, as a different representation of the private key is used for each exponentiation. In this work, we propose an unsupervised machine learning framework for side-channel attacks on asymmetric cryptography that analyzes leakage in multiple side-channel traces, identifying the best trace for key retrieval. We apply Principal Component Analysis (PCA) preprocessing followed by a classification step that assigns segments of traces to elementary operations of the Square-and-Multiply exponentiation of RSA. In order to estimate the attack complexity for each trace in terms of key enumeration effort, we introduce two new metrics: The Entropy-based Cost Function (EBCF) is used to select a trace for the attack as well as the bits which have to be brute-forced if not all bits can be determined correctly from this single trace. To reduce brute-force complexity further, we introduce Illegal Sequence Detection (ISD) to remove brute-force candidates which do not fit the Square-and-Multiply scheme. We first provide a proof of concept for 320-bit key length traces and, moving towards a more realistic scenario, retrieve the key from a 1024-bit RSA implementation protected by message and exponent blinding. We are able to select the trace with the least remaining brute-force complexity from 1000 power measurements of the signature generation with randomized inputs and blinding values on a 32-bit ARM Cortex-M4 microcontroller.
Keywords
Complexity theory, Entropy, Power measurement, Cryptography, Principal component analysis, Measurement, Side-channel attacks, Side-channel analysis, RSA, exponentiation, unsupervised machine learning, PCA, best trace selection