Takaya Kubota,Kota Yoshida,Mitsuru Shiozaki,Takeshi Fujino

DOI: https://doi.org/10.1016/j.micpro.2020.103383

IF: 3.503

2021-11-01

Microprocessors and Microsystems

Abstract:<p>In the field of image recognition, machine learning technologies, especially deep learning, have been rapidly advancing alongside the advances of hardware such as GPUs. In image recognition, in general, large numbers of labeled images to be identified are input to a neural network, and repeatedly learning the images enables the neural network to identify objects with high accuracy. A new profiling side-channel attack method, the deep learning side-channel attack (DL-SCA), utilizes the neural network's high identifying ability to unveil a cryptographic module's secret key from side-channel information. In DL-SCAs, the neural network is trained with power waveforms captured from a target cryptographic module, and the trained network extracts the leaky part that depends on the secret. However, at this stage, the main target of investigation has been software implementation, and studies regarding hardware implementation, such as ASIC, are somewhat lacking. In this paper, we first depict deep learning techniques, profiling side-channel attacks, and leak models to clarify the relation between secret and side channels. Next, we investigate the use of DL-SCA against hardware implementations of AES and discuss the problem derived from the Hamming distance model and ShiftRow operation of AES. To solve the problem, we propose a new network training method called "mixed model dataset based on round-round XORed value." We prove that our proposal solves the problem and gives the attack capability to neural networks. We also compare the attack performance and characteristics of DL-SCA to conventional analysis methods such as correlation power analysis and conventional template attack. In our experiment, a dedicated ASIC chip for side-channel analysis is utilized and the chip is also equipped with a side-channel countermeasure AES. We show how DL-SCA can recover secret keys against the side-channel countermeasure circuit. Our results demonstrate that DL-SCA can be a more powerful option against side-channel countermeasure implementations than conventional SCAs.</p>

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Marvin Staib,Amir Moradi

DOI: https://doi.org/10.46586/tches.v2023.i3.422-444

2023-06-09

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:With the breakthrough of Deep Neural Networks, many fields benefited from its enormously increasing performance. Although there is an increasing trend to utilize Deep Learning (DL) for Side-Channel Analysis (SCA) attacks, previous works made specific assumptions for the attack to work. Especially the concept of template attacks is widely adapted while not much attention was paid to other attack strategies. In this work, we present a new methodology, that is able to exploit side-channel collisions in a black-box setting. In particular, our attack is performed in a non-profiled setting and requires neither a hypothetical power model (or let’s say a many-to-one function) nor details about the underlying implementation. While the existing non-profiled DL attacks utilize training metrics to distinguish the correct key, our attack is more efficient by training a model that can be applied to recover multiple key portions, e.g., bytes. In order to perform our attack on raw traces instead of pre-selected samples, we further introduce a DL-based technique that can localize input-dependent leakages in masked implementations, e.g., the leakages associated to one byte of the cipher state in case of AES. We validated our approach by targeting several publicly available power consumption datasets measured from implementations protected by different masking schemes. As a concrete example, we demonstrate how to successfully recover the key bytes of the ASCAD dataset with only a single trained model in a non-profiled setting.

DOI: https://doi.org/10.1007/s13389-023-00312-6

2023-03-28

Journal of Cryptographic Engineering

Abstract:Deep-learning side-channel attacks, applying deep neural networks to side-channel attacks, are known that can easily attack some existing side-channel attack countermeasures such as masking and random jitter. While there have been many studies on profiled deep-learning side-channel attacks, a new approach that involves applying deep learning to non-profiled attacks was proposed in 2018. In our study, we investigate the structure of multi-layer perceptrons and points of interest for non-profiled deep-learning side-channel attacks using the ANSSI database with a masking countermeasure. The results of investigations indicate that it is better to use a simple network model, apply regularization to prevent over-fitting, and select a wide range of power traces that contain side-channel information as the points of interest. We also implemented AES-128 software implementation protected with the Rotating Sboxes Masking countermeasure, which has never been attacked by non-profiled deep-learning side-channel attacks, on the Xmega128 microcontroller and carried out non-profiled deep-learning side-channel attacks against it. Non-profiled deep-learning side-channel attacks successfully recovered all partial keys while the conventional power analysis could not. The attack results also showed that the least significant bit is the adequate selection for successful non-profiled deep-learning side-channel attacks, but the best labeling method may vary depending on the implementation of the countermeasure algorithm. We conducted two experimental analyses to clarify that deep-learning side-channel attacks learn mask values used in the masking countermeasure. One is the gradient visualization used in previous studies, and the other is a new analysis method using partial removal of power traces.

computer science, theory & methods

Huanyu Wang

DOI: https://doi.org/10.1007/s13389-024-00347-3

2024-03-15

Journal of Cryptographic Engineering

Abstract:Recently a new type of side channels was discovered, called amplitude-modulated electromagnetic (EM) emanations from mixed-signal circuits. Unlike power analysis or near field EM analysis, attacks based on amplitude-modulated EM emanations do not require the close physical access to the victim device, which makes the attack particularly threatening. However, all existing amplitude-modulated EM attacks on AES focus on implementations of unprotected TinyAES, which is less likely to be used when the implementation is not overly resource constrained. This paper presents the first deep learning based side-channel attack on AES-128 with a Rivain–Prouff masking scheme by using amplitude-modulated EM emanations as the side channel. Rivian–Prouff masking scheme is a provably secure higher-order masking scheme for AES. To bypass the theoretical strength of the addition-chain based Boolean masked SBox , we train neural networks on trace segments corresponding to the MixColumns operation in which the data loading instructions for SBox output leak information. By comparing two different training strategies, we show that it is feasible to recover the key from an ARM Cortex-M4 CPU implementation of AES-128 with a Rivain–Prouff masking scheme by using the amplitude-modulated EM emanations leaked from the victim device, which has a Bluetooth module embedded on the board.

computer science, theory & methods

Yajing Chang,Yingjian Yan,Chunsheng Zhu,Yanjiang Liu

DOI: https://doi.org/10.1145/3611670

IF: 1.447

2023-08-03

ACM Transactions on Design Automation of Electronic Systems

Abstract:Post-quantum cryptography (PQC) has become the most promising cryptographic scheme against the threat of quantum computing to conventional public-key cryptographic schemes. Saber, as the finalist in the third round of the PQC standardization procedure, presents an appealing option for embedded systems due to its high encryption efficiency and accessibility. However, side-channel attack (SCA) can easily reveal confidential information by analyzing the physical manifestations, and several works demonstrate that Saber is vulnerable to SCAs. In this work, a ciphertext comparison method for masking design based on bitslicing technique and zerotest is proposed, which balances the trade-off between the performance and security of comparing two arrays. The mathematical description of the proposed ciphertext comparison method is provided, and its correctness and security metrics are analyzed under the concept of PINI. Moreover, a high-order masking approach based on the state-of-the-art, including the hash functions, centered binomial sampling, masking conversions, and proposed ciphertext comparison is presented, using the bitslicing technique to improve throughput. As a proof of concept, the proposed implementation of Saber is on the ARM Cortex-M4. The performance results show that the run-time overhead factor of 1 st -, 2 nd -, and 3 rd -order masking is 3.01x, 5.58x, and 8.68x, and the dynamic memory used for 1 st -, 2 nd -, and 3 rd -order masking is 17.4kB, 24.0kB, and 30.2kB, respectively. The SCA-resilience evaluation results illustrate that the first-order Test Vectors Leakage Assessment (TVLA) result fails to reveal the secret key with 100,000 traces.

computer science, software engineering, hardware & architecture

Anuj Dubey,Rosario Cammarota,Vikram Suresh,Aydin Aysu

DOI: https://doi.org/10.1145/3465377

IF: 2.013

2022-07-31

ACM Journal on Emerging Technologies in Computing Systems

Abstract:Machine learning (ML) models can be trade secrets due to their development cost. Hence, they need protection against malicious forms of reverse engineering (e.g., in IP piracy). With a growing shift of ML to the edge devices, in part for performance and in part for privacy benefits, the models have become susceptible to the so-called physical side-channel attacks. ML being a relatively new target compared to cryptography poses the problem of side-channel analysis in a context that lacks published literature. The gap between the burgeoning edge-based ML devices and the research on adequate defenses to provide side-channel security for them thus motivates our study. Our work develops and combines different flavors of side-channel defenses for ML models in the hardware blocks. We propose and optimize the first defense based on Boolean masking . We first implement all the masked hardware blocks. We then present an adder optimization to reduce the area and latency overheads. Finally, we couple it with a shuffle-based defense. We quantify that the area-delay overhead of masking ranges from 5.4× to 4.7× depending on the adder topology used and demonstrate a first-order side-channel security of millions of power traces. Additionally, the shuffle countermeasure impedes a straightforward second-order attack on our first-order masked implementation.

engineering, electrical & electronic,computer science, hardware & architecture,nanoscience & nanotechnology

Jimmy Dani,Kalyan Nakka,Nitesh Saxena

2024-05-30

Abstract:In this research, we introduce MIND-Crypt, a novel attack framework that uses deep learning (DL) and transfer learning (TL) to challenge the indistinguishability of block ciphers, specifically SPECK32/64 encryption algorithm in CBC mode (Cipher Block Chaining) against Known Plaintext Attacks (KPA). Our methodology includes training a DL model with ciphertexts of two messages encrypted using the same key. The selected messages have the same byte-length and differ by only one bit at the binary level. This DL model employs a residual network architecture. For the TL, we use the trained DL model as a feature extractor, and these features are then used to train a shallow machine learning, such as XGBoost. This dual strategy aims to distinguish ciphertexts of two encrypted messages, addressing traditional cryptanalysis challenges. Our findings demonstrate that the DL model achieves an accuracy of approximately 99% under consistent cryptographic conditions (Same Key or Rounds) with the SPECK32/64 cipher. However, performance degrades to random guessing levels (50%) when tested with ciphertext generated from different keys or different encryption rounds of SPECK32/64. To enhance the results, the DL model requires retraining with different keys or encryption rounds using larger datasets (10^7 samples). To overcome this limitation, we implement TL, achieving an accuracy of about 53% with just 10,000 samples, which is better than random guessing. Further training with 580,000 samples increases accuracy to nearly 99%, showing a substantial reduction in data requirements by over 94%. This shows that an attacker can utilize machine learning models to break indistinguishability by accessing pairs of plaintexts and their corresponding ciphertexts encrypted with the same key, without directly interacting with the communicating parties.

Cryptography and Security,Machine Learning

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Hao Luo

DOI: https://doi.org/10.1587/transfun.e96.a.332

2012-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:This paper proposes several improved Side-channel cube attacks (SCCAs) on PRESENT-80/128 under single bit leakage model. Assuming the leakage is in the output of round 3 as in previous work, we discover new results of SCCA on PRESENT. Then an enhanced SCCA is proposed to extract key related non-linear equations. 64-bit key for both PRESENT-80 and 128 can be obtained. To mount more effective attack, we utilize the leakage in round 4 and enhance SCCA in two ways. A partitioning scheme is proposed to handle huge polynomials, and an iterative scheme is proposed to extract more key bits. With these enhanced techniques, the master key search space can be reduced to 28 for PRESENT-80 and to 229 for PRESENT-128.

Qingqing Zhang,Hongxing Zhang,Xiaotong Cui,Xing Fang,Xingyang Wang

DOI: https://doi.org/10.3390/s22134671

2022-06-21

Abstract:Although side-channel attacks based on deep learning are widely used in AES encryption algorithms, there is little research on lightweight algorithms. Lightweight algorithms have fewer nonlinear operations, so it is more difficult to attack successfully. Taking SPECK, a typical lightweight encryption algorithm, as an example, directly selecting the initial key as the label can only crack the first 16-bit key. In this regard, we evaluate the leakage of SPECK's operations (modular addition, XOR, shift), and finally select the result of XOR operation as the label, and successfully recover the last 48-bit key. Usually, the divide and conquer method often used in side-channel attacks not only needs to train multiple models, but also the different bytes of the key are regarded as unrelated individuals. Through the visualization method, we found that different key bytes overlap in the position of the complete electromagnetic leakage signal. That is, when SPECK generates a round key, there is a connection between different bytes of the key. In this regard, we propose a transfer learning method for different byte keys. This method can take advantage of the similarity of key bytes, improve the performance starting-point of the model, and reduce the convergence time of the model by 50%.

Xinjie Zhao,Shize Guo,Fan Zhang,Tao Wang,Zhijie Shi,Huiying Liu,Keke Ji,Jing Huang

DOI: https://doi.org/10.1016/j.jss.2012.11.007

IF: 3.5

2013-01-01

Journal of Systems and Software

Abstract:The side-channel cube attack (SCCA) is a powerful cryptanalysis technique that combines the side-channel and cube attack. This paper proposes several advanced techniques to improve the Hamming weight-based SCCA (HW-SCCA) on the block cipher PRESENT. The new techniques utilize non-linear equations and an iterative scheme to extract more information from leakage. The new attacks need only 2^8^.^9^5 chosen plaintexts to recover 72 key bits of PRESENT-80 and 2^9^.^7^8 chosen plaintexts to recover 121 key bits of PRESENT-128. To the best of our knowledge, these are the most efficient SCCAs on PRESENT-80/128. To show the feasibility of the proposed techniques, real attacks have been conducted on PRESENT on an 8-bit microcontroller, which are the first SCCAs on PRESENT on a real device. The proposed HW-SCCA can successfully break PRESENT implementations even if they have some countermeasures such as random delay and masking.

ZHAO Xin-jie,GUO Shi-ze,WANG Tao,ZHANG Fan,LIU Huiying,JI Ke-ke

DOI: https://doi.org/10.3969/j.issn.1671-1742.2012.04.001

2012-01-01

Abstract:The security of a lightweight block cipher KLEIN against the algebraic side-channel attack is evaluated by combining algebraic attack with side-channel attack under the Hamming weight leakage model.Firstly,the algebraic representation of KLEIN is given.Then,the Hamming weights of the intermediate states are deduced from analyzing the power leakages and converted into algebraic equations.Finally,the CryptoMinisat solver is applied to solve for the key.Based on three different error tolerant strategies,many physical experiments are conducted on KLEIN under an 8-bit microcontroller and the complexity of the attack is also evaluated.Experiment results show that: the unprotected software implementation of KLEIN is vulnerable to algebraic side-channel attack.Full 64-bit master key of KLEIN can be recovered by analyzing the Hamming weight leakages of the first round under know plaintext/ciphertext scenario and 2 rounds under unknown plaintext/ciphertext scenario.

Hasindu Gamaarachchi,Harsha Ganegoda

DOI: https://doi.org/10.48550/arXiv.1801.00932

2018-01-03

Abstract:Power analysis is a branch of side channel attacks where power consumption data is used as the side channel to attack the system. First using a device like an oscilloscope power traces are collected when the cryptographic device is doing the cryptographic operation. Then those traces are statistically analysed using methods such as Correlation Power Analysis (CPA) to derive the secret key of the system. Being possible to break Advanced Encryption Standard (AES) in few minutes, power analysis attacks have become a serious security issue for cryptographic devices such as smart card. As the first phase of our project, we build a testbed for doing research on power analysis attacks. As power analysis is a practical type of attack in order to do any research, a testbed is the first requirement. Since building a test bed is a complicated process, having a pre-built testbed would save the time of future researchers. The second phase of our project is to attack the latest cryptographic algorithm called Speck which has been released by National Security Agency (NSA) for use in embedded systems. In spite it has lot of differences to AES making impossible to directly use the power analysis approach used for AES, we introduce novel approaches to break Speck in less than an hour. In the third phase of the project, we select few already introduced countermeasures and practically attack them on our testbed to do a comparative analysis. We show that software countermeasures such as random instruction injection and randomly shuffling S-boxes are good enough for their simplicity and cost. But we identify the possible threat due to the problem of generating a good seed for the pseudo-random algorithm running on the microcontroller. We attempt to address this issue by using a hardware-based true random generator that amplifies a random electrical signal and samples to generate a proper seed.

Cryptography and Security

Saleh Khalaj Monfared,Tahoura Mosavirik,Shahin Tajik

DOI: https://doi.org/10.48550/arXiv.2310.07014

2023-05-08

Cryptography and Security

Abstract:The threat of physical side-channel attacks and their countermeasures is a widely researched field. Most physical side-channel attacks rely on the unavoidable influence of computation or storage on voltage or current fluctuations. Such data-dependent influence can be exploited by, for instance, power or electromagnetic analysis. In this work, we introduce a novel non-invasive physical side-channel attack, which exploits the data-dependent changes in the impedance of the chip. Our attack relies on the fact that the temporarily stored contents in registers alter the physical characteristics of the circuit, which results in changes in the die's impedance. To sense such impedance variations, we deploy a well-known RF/microwave method called scattering parameter analysis, in which we inject sine wave signals with high frequencies into the system's power distribution network (PDN) and measure the echo of the signals. We demonstrate that according to the content bits and physical location of a register, the reflected signal is modulated differently at various frequency points enabling the simultaneous and independent probing of individual registers. Such side-channel leakage violates the $t$-probing security model assumption used in masking, which is a prominent side-channel countermeasure. To validate our claims, we mount non-profiled and profiled impedance analysis attacks on hardware implementations of unprotected and high-order masked AES. We show that in the case of profiled attack, only a single trace is required to recover the secret key. Finally, we discuss how a specific class of hiding countermeasures might be effective against impedance leakage.

Xiaozhong Pan,Shuiyu He,Yuechuan Wei,Lipeng Chang

DOI: https://doi.org/10.3390/app12168246

2022-08-18

Applied Sciences

Abstract:With the in-depth integration of deep learning and side-channel analysis (SCA) technology, the security threats faced by embedded devices based on the Internet of Things (IoT) have become increasingly prominent. By building a neural network model as a discriminator, the correlation between the side information leaked by the cryptographic device, the key of the cryptographic algorithm, and other sensitive data can be explored. Then, the security of cryptographic products can be evaluated and analyzed. For the AES-128 cryptographic algorithm, combined with the CW308T-STM32F3 demo board on the ChipWhisperer experimental platform, a Correlation Power Analysis (CPA) is performed using the four most common deep learning methods: the multilayer perceptron (MLP), the convolutional neural network (CNN), the recurrent neural network (RNN), and the long short-term memory network (LSTM) model. The performance of each model is analyzed in turn when the samples are small data sets, sufficient data sets, and data sets of different scales. Finally, each model is comprehensively evaluated by indicators such as classifier accuracy, network loss, training time, and rank of side-channel attacks. The experimental results show that the convolutional neural network CNN classifier has higher accuracy, lower loss, better robustness, stronger generalization ability, and shorter training time. The rank value is 2, that is, only two traces can recover the correct key byte information. The comprehensive performance effect is better.

Engineering,Computer Science

Jimmy Gammell,Anand Raghunathan,Kaushik Roy

2024-10-30

Abstract:Supervised deep learning has emerged as an effective tool for carrying out power side-channel attacks on cryptographic implementations. While increasingly-powerful deep learning-based attacks are regularly published, comparatively-little work has gone into using deep learning to defend against these attacks. In this work we propose a technique for identifying which timesteps in a power trace are responsible for leaking a cryptographic key, through an adversarial game between a deep learning-based side-channel attacker which seeks to classify a sensitive variable from the power traces recorded during encryption, and a trainable noise generator which seeks to thwart this attack by introducing a minimal amount of noise into the power traces. We demonstrate on synthetic datasets that our method can outperform existing techniques in the presence of common countermeasures such as Boolean masking and trace desynchronization. Results on real datasets are weak because the technique is highly sensitive to hyperparameters and early-stop point, and we lack a holdout dataset with ground truth knowledge of leaking points for model selection. Nonetheless, we believe our work represents an important first step towards deep side-channel leakage localization without relying on strong assumptions about the implementation or the nature of its leakage. An open-source PyTorch implementation of our experiments is provided.

Machine Learning,Cryptography and Security

Farabi Mahmud,Sungkeun Kim,Harpreet Singh Chawla,Chia-Che Tsai,Eun Jung Kim,Abdullah Muzahid

DOI: https://doi.org/10.1145/3627106.3627199

2023-06-01

Abstract:For a distributed last-level cache (LLC) in a large multicore chip, the access time to one LLC bank can significantly differ from that to another due to the difference in physical distance. In this paper, we successfully demonstrated a new distance-based side-channel attack by timing the AES decryption operation and extracting part of an AES secret key on an Intel Knights Landing CPU. We introduce several techniques to overcome the challenges of the attack, including the use of multiple attack threads to ensure LLC hits, to detect vulnerable memory locations, and to obtain fine-grained timing of the victim operations. While operating as a covert channel, this attack can reach a bandwidth of 205 kbps with an error rate of only 0.02%. We also observed that the side-channel attack can extract 4 bytes of an AES key with 100% accuracy with only 4000 trial rounds of encryption

Cryptography and Security,Hardware Architecture

Yicheng Zhang,Rozhin Yasaei,Hao Chen,Zhou Li,Mohammad Abdullah Al Faruque

DOI: https://doi.org/10.1109/tifs.2021.3106169

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deep Neural Network (DNN) models have been extensively developed by companies for a wide range of applications. The development of a customized DNN model with great performance requires costly investments, and its structure (layers and hyper-parameters) is considered intellectual property and holds immense value. However, in this paper, we found the model secret is vulnerable when a cloud-based FPGA accelerator executes it. We demonstrate an end-to-end attack based on remote power side-channel analysis and machine-learning-based secret inference against different DNN models. The evaluation result shows that an attacker can reconstruct the layer and hyper-parameter sequence at over 90% accuracy using our method, which can significantly reduce her model development workload. We believe the threat presented by our attack is tangible, and new defense mechanisms should be developed against this threat.

computer science, theory & methods,engineering, electrical & electronic

ZHANG Jun

DOI: https://doi.org/10.3778/j.issn.1673-9418.2002047

2021-01-01

Abstract:Power side-channel attacks, have become a serious threat to embedded computing devices in cyber-physical systems because of the ability of deducing secret data using statistical analysis. A common strategy for designing countermeasures against power-analysis-based side-channel attacks uses random masking techniques to remove the statistical dependency between secret data and side-channel information. Although existing techniques can verify whether a piece of cryptographic software code is perfectly masked, they are limited in accuracy and scalability. In order to eliminate such limitations, a refinement-based method for verifying masking countermeasures is proposed. This method is more accurate than prior type-inference based approaches and more scalable than prior model-counting based approaches using satisfiability (SAT) or satisfiability modulo theories (SMT) solvers. Indeed, this method uses a set of semantic type-inference rules to reason about distribution type. These rules are kept abstract initially to allow fast deduction, and then specified when the abstract version is not able to resolve the verification problem. This method is implemented in a software tool called SCVerify and is evaluated on cryptographic benchmarks including advanced encryption standard (AES) and message authentication code Keccak (MAC-Keccak). The experimental results show that the method significantly outperforms state-of-the-art techniques in terms of accuracy and scalability.

W. Yu,J. Chen

DOI: https://doi.org/10.1049/el.2018.5411

2018-09-01

Electronics Letters

Abstract:A deep learning (DL)‐assisted and combined side‐channel attack (SCA) is exploited to disclose the secret key of an advanced encryption standard (AES) cryptographic circuit with a countermeasure. Different physical leakages of the protected AES cryptographic circuit such as power dissipation and electromagnetic (EM) emission are captured together at first. Then the deep neural networks are utilised to model the relationship between the power noise and the EM noise by analysing the captured power dissipation and EM emission profiles. Ultimately, a special power attack is performed on the protected AES cryptographic circuit to leak the secret key efficiently through using the EM noise to filter the power noise. As demonstrated in the results, for the conventional SCAs, the secret key of the protected AES cryptographic circuit is undisclosed to the adversary even if 1 million plaintexts are enabled. By contrast, only analysing 32,500 number of plaintexts are sufficient to leak the secret key if the DL‐assisted and combined SCA is executed.

engineering, electrical & electronic

Huanyu Wang,Martin Brisfors,Sebastian Forsmark,Elena Dubrova

DOI: https://doi.org/10.1109/norchip.2019.8906945

2019-10-01

Abstract:Deep learning side-channel attacks are an emerging threat to the security of implementations of cryptographic algorithms. The attacker first trains a model on a large set of side-channel traces captured from a chip with a known key. The trained model is then used to recover the unknown key from a few traces captured from a victim chip. The first successful attacks have been demonstrated recently. However, they typically train and test on power traces captured from the same device. In this paper, we show that it is important to train and test on traces captured from different boards. Otherwise, it is easy to overestimate the classification accuracy. For example, if we train and test an MLP model on power traces captured from the same board, we can recover all key byte values with 88.5% accuracy from a single trace. However, the single-trace attack accuracy drops to 13.7% if we test on traces captured from a board different from the one we used for training, even if both boards carry identical chips.