Hello everyone, welcome to this presentation. The topic of this presentation is "Remove Some Noise: On Pre-processing of Side-channel Measurements with Autoencoders". The authors are Lichao Wu and Stjepan Picek from Delft University of Technology, the Netherlands.

Here is the outline of the presentation. First, we introduce the background of side-channel analysis and denoising autoencoders. Then, we validate and benchmark our denoising method under different evaluation settings, namely the white-box setting and the black-box setting. Finally, we move to the conclusions and future work.

So, what is side-channel analysis? Assume we have hardware that runs an encryption algorithm. To encrypt the plaintext, we feed the plaintext to the hardware; the hardware then runs the encryption algorithm and eventually outputs the ciphertext. However, while the hardware is executing the encryption algorithm, key- or data-related information can be leaked through different sources, such as power consumption, EM radiation, acoustic sound, or temperature.

Side-channel analysis can be considered a time-series classification problem. The goal is to classify the traces by learning and analyzing the correlation between the traces' values and the data being processed. Once this is done, together with an understanding of the encryption algorithm, the original plaintext can be retrieved by an attacker. Side-channel analysis has been proven successful against various devices and encryption algorithms.

To enhance the security level of a device, developers introduce different types of countermeasures for its critical functions. Countermeasures can be implemented at both the hardware and the software level, and they are normally categorized into hiding and masking. Masking splits the sensitive intermediate values into different shares to decrease the key dependency. Hiding, on the other hand, aims to reduce the side-channel information by adding randomness to the leakage signal or by making it constant. This paper focuses on dealing with hiding noise.

There are several approaches for dealing with individual types of countermeasures or noise: for instance, using averaging to remove Gaussian noise, or using static alignment to deal with misalignment. Indeed, removing a single type of noise or countermeasure may be possible by smartly selecting the correct denoising method. However, we still miss a more general approach to fighting noise. Moreover, when noise sources are combined, which is the norm in the real world, they become much more difficult to deal with. The motivation of this paper is therefore to develop an effective method that can denoise various types of noise and countermeasures, as well as combinations of them.

To achieve this goal, we use an autoencoder. An autoencoder consists of two parts, an encoder and a decoder. Unlike other neural network architectures that map the relationship between inputs and labels, an autoencoder transforms its input into its output with the least possible amount of distortion. The most representative input features are forced into the smallest layer of the network, shown in the middle of this graph. Benefiting from this unsupervised learning characteristic, autoencoders are applicable in settings such as data compression, anomaly detection, and image recovery. When applying autoencoders for denoising, the input and output are not identical but are given by noisy-clean data pairs.
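To make this setup concrete, here is a minimal sketch of a convolutional denoising autoencoder in Keras, trained on noisy-clean trace pairs. The trace length, layer sizes, and training parameters are illustrative assumptions, not the exact architecture from the paper.

```python
from tensorflow import keras
from tensorflow.keras import layers

TRACE_LEN = 1000  # illustrative trace length, not the paper's exact value

def build_denoising_autoencoder():
    inp = keras.Input(shape=(TRACE_LEN, 1))
    # Encoder: compress the trace into a small latent representation.
    x = layers.Conv1D(32, 11, padding="same", activation="relu")(inp)
    x = layers.MaxPooling1D(2)(x)
    x = layers.Conv1D(16, 11, padding="same", activation="relu")(x)
    x = layers.MaxPooling1D(2)(x)
    # Decoder: reconstruct a clean trace from the latent representation.
    x = layers.Conv1D(16, 11, padding="same", activation="relu")(x)
    x = layers.UpSampling1D(2)(x)
    x = layers.Conv1D(32, 11, padding="same", activation="relu")(x)
    x = layers.UpSampling1D(2)(x)
    out = layers.Conv1D(1, 11, padding="same", activation="linear")(x)
    model = keras.Model(inp, out)
    # Reconstruction loss: the target is the clean trace, not a class label.
    model.compile(optimizer="adam", loss="mse")
    return model

# Training uses noisy-clean pairs: input = noisy trace, target = clean trace,
# both shaped (n_traces, TRACE_LEN, 1).
# model = build_denoising_autoencoder()
# model.fit(noisy_traces, clean_traces, epochs=50, batch_size=128)
```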
A similar idea can be applied to remove countermeasures from leakage traces. A well-trained denoising autoencoder keeps the most representative information in its latent space while neglecting other random factors. Since an approximation of the original noiseless traces can be recovered by feeding noisy traces into the autoencoder's input, one can expect that the attack efficiency will be significantly improved with the recovered traces.

To implement the denoising autoencoders, we designed denoising strategies for the different settings mentioned before, the white-box setting and the black-box setting. We will first cover the white-box setting. For validation and benchmarking, we simulated several types of hiding countermeasures and noise. We present some of the typical results in this presentation; the details of the rest can be found in the paper.

As discussed on the previous slide, we require noisy-clean trace pairs to train the denoising autoencoder. For practical attack scenarios, the biggest challenge of this strategy is how to obtain the clean traces. The application of the denoising autoencoder is intuitive if we consider the white-box setting. In our context, we assume an attacker with full control of a device, which we call device A. Specifically, he can enable or disable the implemented countermeasures. To attack the real device with the countermeasures enabled, which we call device B, he first acquires traces with and without the countermeasures from device A to build the training set. Then the attacker uses these traces to train the denoising autoencoder. Once the training process is finished, the trained model can pre-process the leakage traces obtained from device B. Finally, with the clean, or at least cleaner, traces reconstructed by the denoising autoencoder, the attacker can eventually retrieve the secret information with less effort. Note that this denoising strategy cannot be directly applied to the black-box setting, given the difficulty of disabling countermeasures in a black-box device.

Following this strategy, we demonstrate the effectiveness of the autoencoder by removing different types of noise and countermeasures. First, we remove the most common noise, Gaussian noise. Here, Gaussian noise is simulated with a mean of zero and a standard deviation of eight. Several attack methods, namely the template attack, the PCA-based template attack, and deep learning attacks, including a multilayer perceptron and a convolutional neural network, as well as a convolutional neural network with noise added to the input layer as a regularization factor, are used to attack these noisy traces. As can be seen from the attack results shown on the right of the slide, the principal component analysis-based template attack performs best, indicating that PCA could be an effective method to remove Gaussian noise. However, none of the attack methods is able to retrieve the key within 10,000 traces.

Next, we try to remove the Gaussian noise with trace averaging, as well as with the denoising autoencoder proposed in this paper. From the attack perspective, the guessing entropy converges in both cases as the number of traces increases. After denoising with either averaging or the denoising autoencoder, the attack performance is significantly improved over the noisy versions.
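As a small illustration of this first experiment, the sketch below simulates zero-mean Gaussian noise and the averaging baseline. The function names, the noise level, and the group size are placeholder assumptions; averaging presumes the grouped traces were measured with the same plaintext and key.

```python
import numpy as np

rng = np.random.default_rng(42)

def add_gaussian_noise(traces, sigma=8.0):
    """Simulate measurement noise: zero-mean Gaussian with std sigma."""
    return traces + rng.normal(0.0, sigma, size=traces.shape)

def average_traces(noisy, group_size=10):
    """Average groups of traces captured with identical inputs.

    The deterministic signal is preserved while the zero-mean noise is
    attenuated by roughly a factor of sqrt(group_size)."""
    n = (noisy.shape[0] // group_size) * group_size
    return noisy[:n].reshape(-1, group_size, noisy.shape[1]).mean(axis=1)
```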
Next, we move to desynchronization. Well-synchronized traces can significantly improve the correlation with the intermediate data; the alignment of the traces is therefore an essential step for a side-channel attack. Unlike Gaussian noise, desynchronization adds randomness to the traces in the time domain. To show the effect of desynchronization, we use traces with a maximum of 50 points of desynchronization and attack them with the different methods. As the results show, none of them succeeds in retrieving the key within 10,000 attack traces.

Next, we attack the traces denoised by static alignment or by the denoising autoencoder. Note that static alignment is a well-known method to align traces, so we use static alignment as the benchmark for our denoising autoencoder. From the results, the guessing entropy of the traces processed by the denoising autoencoder converges faster than that of the statically aligned traces, indicating that the denoising autoencoder could be a generic approach to synchronizing traces: by training the denoising autoencoder with desynchronized trace pairs, the model learns to align the traces automatically. Here we also see the effectiveness of the denoising autoencoder in dealing with noise in the time domain.

To further demonstrate this effect, we turn to random delay interrupts, another countermeasure commonly present in traces. Unlike desynchronization, which introduces global time randomness over the entire trace, random delay interrupts introduce time randomness locally. As a type of countermeasure typically implemented in software, random delay interrupts break the traces into fragments, thus significantly increasing the randomness of the traces in the time domain and reducing the correlation with the attacked intermediate data. We simulate random delay interrupts based on the floating mean method; the implementation details can be found in the paper. From the results, all five attack methods are not powerful enough to extract the useful patterns and retrieve the key.

Here, frequency analysis is used as the benchmark for the denoising autoencoder. With frequency analysis, the guessing entropy decreases only slowly when attacking with the convolutional neural network or the template attack. On the other hand, the effect of the random delay interrupts is reduced dramatically with the help of the denoising autoencoder: the guessing entropy converges significantly faster when attacking with the template attack, the multilayer perceptron, or the convolutional neural network. Note that the attack results with the MLP are close to those on the original dataset; in other words, the attack performance is very close to the result of attacking the original clean dataset. Therefore, we can conclude that the denoising autoencoder can effectively recover the original traces from noisy traces protected with the RDI countermeasure.
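As a toy illustration of these two time-domain distortions, the sketch below shifts whole traces for desynchronization and splices short delay segments into random positions for random delay interrupts. The circular shift, the flat delay segments, and all parameters are simplifying assumptions; the paper's RDI simulation follows the floating mean construction.

```python
import numpy as np

rng = np.random.default_rng(0)

def desynchronize(trace, max_shift=50):
    """Global desynchronization: shift the whole trace by a random offset
    (circular shift used here as a simplification)."""
    return np.roll(trace, rng.integers(0, max_shift + 1))

def add_random_delay_interrupts(trace, num_delays=3, min_len=5, max_len=15):
    """Toy local time randomness: insert short delay segments at random
    positions, breaking the trace into fragments, then crop back to the
    original length."""
    out = trace.copy()
    for _ in range(num_delays):
        pos = int(rng.integers(0, len(out)))
        delay_len = int(rng.integers(min_len, max_len + 1))
        delay = np.full(delay_len, out[pos])  # flat segment as a stand-in
        out = np.concatenate([out[:pos], delay, out[pos:]])
    return out[:len(trace)]
```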
Next, we investigate an extreme situation by adding all five types of noise and countermeasures discussed in the paper and verify the effectiveness of the denoising autoencoder approach. Since there is no dedicated approach for reducing the effect of combined noise sources, we evaluate the guessing entropy of the noisy traces and of the traces after applying frequency analysis and the denoising autoencoder. From the results, as expected, all five attack methods cannot obtain the correct key within 10,000 traces; more precisely, the guessing entropy of the noisy traces does not converge as the number of traces increases. Note that in realistic settings, fewer countermeasures would be combined in the traces, so the traces would be less noisy. In such cases, we expect the proposed denoising autoencoder's performance to be even better, as evident from the scenarios handling only a single type of countermeasure.

Now we try to denoise these traces with frequency analysis and the denoising autoencoder. In terms of denoising performance, frequency analysis does not work when dealing with a combination of noise and countermeasures. The guessing entropy of the traces denoised by the denoising autoencoder, on the other hand, drops to around 27 with 10,000 traces when using the convolutional neural network, which means that the denoising autoencoder doubles the attack performance compared with frequency analysis. Indeed, the attack performance converges more slowly than for the denoised traces with a single type of noise, but the denoising autoencoder still proves its capability in removing the combined effects of noise and countermeasures.

Then we verify the denoising autoencoder's performance by denoising traces with random keys. To retrieve the correct key from the noisy traces, we first train the models on leakage with random but known keys, then use the trained models to attack the leakage and try to retrieve the key. From the attack results, the guessing entropy of the noisy traces fluctuates above 100 regardless of the number of traces, indicating that all five attack methods are unsuccessful. On the other hand, the guessing entropy indicates improved performance after applying frequency analysis and the denoising autoencoder. For the best cases shown in the figures, the denoising autoencoder doubles the attack performance compared with its counterpart. Finally, we conclude that the proposed denoising autoencoder can denoise leakage in both fixed-key and random-key scenarios, and the results are especially good when using the convolutional neural network as the attack method.
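All of these comparisons are based on guessing entropy. Here is a minimal sketch of how it can be computed, assuming an attack that outputs, for each trace, log-probabilities over the 256 candidate values of a key byte; the function name and the shuffle count are placeholder choices.

```python
import numpy as np

def guessing_entropy(key_log_probs, true_key, n_shuffles=100):
    """Average rank of the correct key guess as attack traces accumulate.

    key_log_probs: (n_traces, 256) array of per-trace log-probabilities
    for every key-byte guess (e.g., from a template or neural network).
    Returns ge, where ge[i] is the mean rank of true_key after i+1
    traces; convergence toward 0 means the key is recovered."""
    rng = np.random.default_rng(1)
    n_traces = key_log_probs.shape[0]
    ranks = np.zeros((n_shuffles, n_traces))
    for s in range(n_shuffles):
        order = rng.permutation(n_traces)
        # Accumulate log-likelihoods trace by trace.
        cum = np.cumsum(key_log_probs[order], axis=0)
        # Rank = number of guesses scoring strictly higher than the true key.
        ranks[s] = (cum > cum[:, [true_key]]).sum(axis=1)
    return ranks.mean(axis=0)
```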
After covering the denoising strategy for the white-box setting, we now move to the denoising strategy for the black-box setting. We will first talk about the denoising strategy itself, then show two demonstrations of its effectiveness.

Now, we investigate the potential of the denoising autoencoder in the black-box setting. As mentioned before, the denoising strategy for the white-box setting cannot be directly applied here because of the difficulty of disabling the countermeasures in a black-box device. Fortunately, the denoising autoencoder can denoise traces even when the reference traces are not entirely clean: the less noisy traces generated by traditional denoising methods can also be used as the "clean" traces for the denoising autoencoder's training. Here, the attacker cannot obtain clean measurements, but he can apply other denoising techniques, like averaging or static alignment, to reduce the influence of the noise and countermeasures. Then he can use these noisy-to-less-noisy trace pairs to train the denoising autoencoder. While this approach is not realistic for all countermeasures, we show that it works for several of them. Even if we train the autoencoder on different types of noise simultaneously, it remains successful when applied in settings that do not contain all types of noise.

Here, we show the first demonstration. We try to denoise Gaussian noise and desynchronization with the less noisy trace pairs. For the Gaussian noise, the less noisy traces are generated by averaging, and for the desynchronization, the less noisy traces are generated by static alignment. Compared with the traces denoised using the original clean traces as the reference, the attack performance of the noisy-to-less-noisy cases is reduced. However, we still see improved performance from the denoising autoencoder, indicating that even when trained in this manner, it can indeed reduce the effect of the noise and the countermeasures.

Finally, we denoise traces with Gaussian noise and desynchronization in a combined setting. More precisely, 10,000 trace pairs with Gaussian noise (noisy to averaged) and 10,000 trace pairs with desynchronization (noisy to statically aligned) are combined and used to train the denoising autoencoder. Based on the results, this joint training method leads to comparable or even better performance than the previous results on the single-noise cases. The results again show that the denoising autoencoder can learn and remove different types of noise simultaneously. More precisely, we can train the denoising autoencoder to remove various types of noise, and it will work even if the traces do not contain all of the noise sources.

Finally, we move to the conclusions and future work. In this presentation, we introduced convolutional denoising autoencoders to remove noise and countermeasures from leakage traces. The obtained results show that the proposed denoising autoencoder can remove or reduce the noise and countermeasures hiding the underlying ground truth and eventually improve the attack performance. Our approach is especially powerful in the white-box setting, but we demonstrated that it also has potential in the black-box setting. We believe it is especially interesting to consider the denoising autoencoder as a generic denoising technique, since our results indicate that it performs well and is straightforward to apply. Our results show that autoencoders reliably remove noise and countermeasures, even if the measurements do not contain some of the noise sources the autoencoder saw during the training process. The denoising autoencoder thus provides an attacker with a powerful tool for pre-processing the traces.

For future work, we expect this technique could help with problems like portability. With the help of the autoencoder, this problem could be tackled by treating the device-to-device variation as noise and using denoising autoencoders to remove it. Additionally, the trained denoising autoencoder could be used for transfer learning; for example, the encoder part of the autoencoder could be further trained and used to launch the attacks. Finally, we plan to investigate whether the denoising autoencoder could also work against masking countermeasures. Thank you for your attention.