 Research
 Open access
Enhancing non-profiled side-channel attacks by time-frequency analysis
Cybersecurity volume 6, Article number: 15 (2023)
Abstract
Side-channel analysis (SCA) has become an increasingly important method for assessing the physical security of cryptographic systems. In SCA, the number of attack traces directly determines the attack's performance: with sufficient traces the adversary can mount a successful attack. In reality, however, the cryptographic device may be protected by countermeasures that limit the number of encryptions performed under the same key, so the adversary cannot collect an arbitrary number of traces, and the performance of SCA degrades severely when the attack traces are insufficient. In this paper, we introduce the wavelet scattering transform (WST) and the short-time Fourier transform (STFT) to the non-profiled side-channel analysis domain, to improve the performance of side-channel attacks when data is insufficient. We design a practical framework that provides suitable parameters for WST/STFT-based SCA. With the proposed method, WST/STFT-based SCA significantly enhances the performance and robustness of non-profiled SCA. Practical attacks against four public datasets show that the proposed method achieves more robust performance: compared with the original correlation power analysis (CPA), the number of attack traces can be reduced by 50–95%.
Introduction
Side-channel analysis has been a serious threat to cryptographic hardware since the groundbreaking work of Kocher (1996). SCA can break mathematically sound cryptographic algorithms using only physical side-channel leakages such as timing (Kocher 1996), power consumption (Goubin and Patarin 1999) and electromagnetic (EM) radiation (Gandolfi et al. 2001). According to the assumptions made about the adversary's capabilities, current SCA methods generally fall into two categories:

Profiled attacks. Typical examples include the Template Attack (TA) (Chari et al. 2003), the Stochastic Attack (SA) (Schindler et al. 2005), machine-learning-based profiled attacks (Lerman et al. 2015) and deep-learning-based profiled attacks (Maghrebi et al. 2016; Cagli et al. 2017).

Non-profiled attacks. Typical examples include Differential Power Analysis (DPA) (Goubin and Patarin 1999), Correlation Power Analysis (CPA) (Brier et al. 2004), Mutual Information Analysis (MIA) (Gierlichs et al. 2008) and the recent non-profiled deep-learning-based side-channel attack (Timon 2019).
In the profiled-attack scenario, the adversary is assumed to have full access to a clone of the target device running the same cryptographic implementation. Profiled attacks usually consist of two stages: (1) a profiling stage and (2) an attack stage. In the profiling stage, the adversary collects a large amount of data from the cloned device and, using knowledge of the implementation, the secret key, the collected traces and the corresponding plaintexts/ciphertexts, builds templates that characterize the leakage of each possible intermediate value. In the attack stage, the adversary collects a few traces from the actual target and uses the templates to extract its secret key. Compared with non-profiled attacks, profiled attacks recover the key with far fewer attack traces. In practice, however, the adversary usually does not have full access to a cloned device, and profiled attacks then cannot be applied efficiently.
Unlike profiled attacks, non-profiled attacks do not require access to a cloned device. The adversary enumerates the whole hypothesis key space and computes the corresponding intermediate value for each key hypothesis. Using a leakage model such as the Hamming weight (HW) or Hamming distance (HD) model, the adversary predicts the leakage of each intermediate value and then applies a statistical distinguisher (e.g. the Pearson correlation coefficient in CPA, or mutual information in MIA) to measure the dependence between the predicted leakage and the physical traces, directly recovering the secret key. Usually, the hypothesis key with the highest distinguisher score is selected as the secret key.
In the past two decades, non-profiled attacks have emerged as an increasingly important method for physical security evaluation. Liu et al. (2015) and Jin et al. (2022) adopted CPA to break commercial 3G/4G Universal Subscriber Identity Module (USIM) cards, showing that the sensitive parameters of USIM cards can be fully extracted within 100,000 traces. At the USENIX Security Symposium 2019, Batina et al. (2019) applied DPA to extract the weight and bias parameters of Multilayer Perceptron (MLP) and Convolutional Neural Network (CNN) models, showing that an adversary can efficiently reverse-engineer machine-learning models if the target is not protected by side-channel countermeasures (e.g. masking (Akkar and Giraud 2001), shuffling (Veyrat-Charvillon et al. 2012) and random delays (Coron and Kizhvatov 2010)). Besides, the ISO/IEC 19790:2012 International Standard (ISO/IEC 17825 2016) and the US Federal Information Processing Standard FIPS 140-3 (FIPS 140-3 2020) also adopt DPA and CPA to assess the physical security of cryptographic products. However, these works mainly consider an idealized scenario in which the adversary can use an arbitrary number of attack traces and the implementation details of the cryptographic device are public. The adversary can then design an analysis method tailored to the characteristics of the implementation and use sufficient traces to break the target. Such a strategy is rational in an ideal scenario, but when applied to specific applications or commercial cryptographic products it cannot work efficiently because of time and countermeasure constraints. In reality, the secret key, source code and implementation details are proprietary intellectual property of the hardware vendor and are usually kept secret.
Some cryptographic devices and applications even adopt countermeasures that limit the adversary's attack capability. For instance, the National Institute of Standards and Technology (NIST) counter-mode Deterministic Random Bit Generator (CTR_DRBG) specification (Barker and Kelsey 2015) limits the number of times the same key is used for AES counter-mode (AES-CTR) encryption to 4096. In this case, performing CPA with a large amount of attack data is impossible: the adversary must extract the secret key of CTR_DRBG within 4096 traces. Some of the newest cryptographic products also adopt specific protections to limit the adversary's capability. For example, the Zynq UltraScale+ (ZU+) Encryption Engine employs a key rolling scheme and Rivest-Shamir-Adleman (RSA) authentication to resist side-channel attacks (Hettwer et al. 2021). Similar to the NIST CTR_DRBG specification, ZU+ uses key rolling in AES-CTR encryption, and the encryption engine only operates on data that has been authenticated with RSA. In such cases, collecting sufficient traces for SCA becomes impossible and the performance of SCA drops severely.
To enhance the original SCA methods, some researchers have applied data-augmentation techniques, such as the Synthetic Minority Oversampling Technique (SMOTE) (Picek et al. 2019) or adding Gaussian noise (Kim et al. 2019), to increase the size of the original dataset. They showed that such methods (Picek et al. 2019; Kim et al. 2019) efficiently enhance profiled SCA on public datasets. However, data-augmentation techniques are limited to the profiled-attack scenario. Besides enlarging the attack dataset, some researchers have applied preprocessing techniques to improve the quality of the collected signals. For instance, Merino Del Pozo and Standaert (2015) and Bruneau et al. (2015) applied Singular Spectrum Analysis (SSA) and Principal Component Analysis (PCA), respectively, to preprocess the original traces, and showed that SSA and PCA enhance CPA against unprotected software implementations of the Advanced Encryption Standard (AES); with suitable parameter selection, PCA and SSA reduce the number of attack traces by at least 20%. Unlike these works (Merino Del Pozo and Standaert 2015; Bruneau et al. 2015), Yang et al. (2020) and Wu and Picek (2020) adopted denoising autoencoders to preprocess the physical traces, and showed that deep-learning-based preprocessing outperforms the traditional preprocessing methods (Merino Del Pozo and Standaert 2015; Bruneau et al. 2015) against hiding countermeasures. However, this kind of method (Yang et al. 2020; Wu and Picek 2020) is limited to the profiled-attack scenario: the adversary needs prior knowledge of the secret key and the plaintexts/ciphertexts to train the denoising autoencoder, and the method requires a large amount of training data, which is impractical in the non-profiled scenario.
Besides time-domain preprocessing, some works have applied frequency-based preprocessing methods, such as the wavelet transform (WT) (Debande et al. 2012; Udvarhelyi et al. 2021; Destouet et al. 2021) and the fast Fourier transform (FFT) (Zhang et al. 2020), to enhance SCA. At MICRO 2012, Debande et al. (2012) adopted the wavelet transform to enhance CPA against DPA Contest V4, showing that the wavelet transform reduces the number of attack traces by 30% when the parameters are properly selected. Building on that work (Debande et al. 2012), Udvarhelyi et al. (2021) and Destouet et al. (2021) applied the wavelet transform to enhance profiled attacks against masked AES implementations and commercial cryptographic products. At the Design Automation Conference (DAC) 2020, Zhang et al. (2020) applied the FFT to enhance cross-device attacks against heterogeneous devices. Compared with data-augmentation techniques (Picek et al. 2019; Kim et al. 2019), frequency-based methods are applicable to both non-profiled and profiled attacks. Compared with typical time-domain preprocessing methods (Merino Del Pozo and Standaert 2015; Bruneau et al. 2015), frequency-based preprocessing methods impose no specific requirements on the input data dimension and can be applied to arbitrarily distributed datasets. In general, frequency-based preprocessing therefore has more appealing potential for enhancing non-profiled attacks. However, the related works (Gebotys et al. 2005; Belgarric et al. 2014) are mostly limited to an ideal scenario in which the adversary is assumed to know the suitable parameters, and to unprotected implementations on specific platforms.
They do not investigate in depth whether frequency-based preprocessing is applicable to other, more complex cryptographic implementations. In addition, previous works (Udvarhelyi et al. 2021; Destouet et al. 2021; Gebotys et al. 2005; Belgarric et al. 2014) require a high degree of expert knowledge: they do not consider how to select suitable parameters for the frequency-based transforms in the non-profiled scenario, so the adversary has to select frequency components empirically. The effect of the parameter settings on the performance of frequency-based SCA has not been studied in depth. In practice, parameters such as the standard deviation and size of the Gaussian window and the selected frequency component (in STFT-based SCA) play important roles. With suitable parameters, frequency-based SCA can significantly reduce the number of attack traces the distinguisher requires; with unsuitable parameters, it may even perform worse than the original SCA. Hence, a practical framework for selecting suitable parameters is the key prerequisite for improving the performance of frequency-based SCA.
To address the limitations of current research (Udvarhelyi et al. 2021; Destouet et al. 2021; Gebotys et al. 2005; Belgarric et al. 2014), we propose a practical framework that provides suitable parameters for frequency-based SCA. Specifically, we apply the concept of grid search to explore the parameters of the frequency-based transforms, and design three evaluation metrics to assess the quality of the extracted frequency components. The framework updates the parameters of the preprocessing method iteratively according to the feedback from these metrics. Unlike a traditional grid search, our framework obtains suitable parameter settings in the non-profiled scenario, where the secret key is unknown. As a result, our method efficiently enhances the original CPA against multiple unprotected and protected implementations of AES. Compared with previous works (Udvarhelyi et al. 2021; Destouet et al. 2021; Gebotys et al. 2005; Belgarric et al. 2014), our work is more generic and does not depend on expert knowledge. To summarize, the contributions of our work are as follows:

We introduce the Wavelet Scattering Transform (WST) (Andén and Mallat 2013) to the non-profiled SCA domain, to efficiently improve the performance of CPA. This is the first work that applies WST to enhance non-profiled attacks against different AES implementations (software and hardware implementations of AES, unprotected or protected with masking or random-delay countermeasures).

We propose a practical framework for selecting suitable parameters for WST-based and STFT-based CPA. With the proposed framework, the adversary obtains suitable parameters without relying on expert knowledge, and the performance of the original CPA is significantly enhanced.

To evaluate the extensibility and applicability of our attack framework, we present practical attacks on four public datasets: DPA Contest V4 (DPA_Contest_v4 2014), AES_HD (AES_HD 2018), AES_RD (AES_RD 2017) and ASCAD (2018). The experimental results show that our method reduces the number of attack traces by 50–95% compared with the original CPA, achieving more robust attack performance.

We carry out a systematic empirical study of the effectiveness and applicability of STFT-based and WST-based CPA. Their performance is evaluated under different parameter values in a fine-grained manner, and from the results we provide empirical suggestions for parameter selection in the non-profiled scenario.
A graphical summary of our work is given in Fig. 1.
The paper is organized into 7 main sections. "Introduction" Section introduces the paper. "Preliminary" Section gives brief background on the frequency-based preprocessing methods. "A practical framework for frequency-based CPA attack" Section proposes the practical framework. "Experiment results" Section presents the experimental analysis and practical attacks on four public datasets. "A fine-grain analysis on parameter settings for frequency-based CPA attacks" Section presents a fine-grained analysis of parameter settings. Based on the results of Sects. "Experiment results" and "A fine-grain analysis on parameter settings for frequency-based CPA attacks", "Discussions" Section discusses related work, the advantages and disadvantages of the attack framework, and future work. The paper is concluded in "Conclusions" Section.
The abbreviations used in the paper are listed in the section of Abbreviations.
Preliminary
This section gives brief background on the three typical time-frequency transformations used for SCA in this paper: DFT, STFT and WST. We discuss the advantages and disadvantages of each transformation in the context of SCA, and then point out the importance of selecting suitable parameters. In the following, the collected power traces are denoted by the vector \(x_{1}\in {\mathbb {R}}^{d_{1}}\), where \(d_{1}\) represents the number of sampling points.
Discrete Fourier transform (DFT)
In signal preprocessing, the DFT is the most widely used tool for transforming a signal from the time domain to the frequency domain. The DFT can be regarded as a projection onto the periodic signals \(\{e^{2ik_{1}\pi /d_{1}}\}_{0\le k_{1}\le d_{1}-1}\), as opposed to analysis in the Dirac (time-sample) basis. In the DFT, the original signal \(x_{1}\) is considered to consist of periodic components with infinitesimally small frequency bandwidth. Equations 1 and 2 give the DFT and the inverse DFT respectively, where \(\widehat{x_{1}}\) denotes the DFT of \(x_{1}\), and \(k_{1}\) and \(p_{1}\) denote the time and frequency index respectively.
In practice, the adversary can use the Fast Fourier Transform (FFT) algorithm to compute the DFT efficiently. The FFT has shown strong potential in SCA: for instance, Zhang et al. (2020) applied the FFT to enhance cross-device attacks on homogeneous and heterogeneous devices, showing that with FFT preprocessing the adversary can extract the secret key of heterogeneous devices within 1000 traces. However, the FFT does not always enhance the original SCA method. For instance, we find that FFT-based CPA performs worse than the original CPA on the DPA Contest V4 and AES_HD datasets. The Fourier transform has an inherent limitation with non-stationary signals: it only reveals which frequencies are present in the signal as a whole, and cannot capture the moment at which each component appears. Hence, if the collected traces are non-stationary, directly applying the FFT may make the CPA attack even worse. To address this limitation of the FFT, we introduce the short-time Fourier transform to the non-profiled attack domain.
Short-time Fourier transform (STFT)
The central idea of the STFT is to slide a window function (e.g. a Gaussian window) over the temporal sampling points and perform a Fourier transform on the signal inside the window, yielding a spectrogram of the original signal. The STFT is currently one of the most popular preprocessing methods for non-stationary signals, as it captures the frequency and phase of local, time-varying content. The discrete STFT is given by Eq. 3, where \(x_{1}[d_{1}]\) denotes the temporal signal, \(w_{1}[d_{1}-m_{1}]\) denotes the selected sliding window and \(m_{1}\) denotes the window position (the variable that slides the window along the trace). In this paper, we use the Gaussian window function for the STFT.
With a smaller window, the adversary obtains a finer division of the time-domain signal and better time resolution, but the frequency resolution becomes worse. In practice, the STFT parameters, namely the size of the window function \(w_{1}\), the standard deviation std of the Gaussian window and the selected frequency component f, play important roles in frequency-based SCA. The adversary needs to select these parameters carefully to enhance STFT-based CPA.
Wavelet scatter transform
In the context of time-varying, non-stationary signals, small windows are suitable for high frequencies while large windows are suitable for low frequencies (Allen 1977). In the STFT, the window size is fixed and its width does not change during the time-frequency transformation. Hence, the STFT cannot fully meet the requirements for extracting the frequency components of unsteady, changing signals. To better extract the various frequency components of such signals, the Wavelet Transform (WT) (Debande et al. 2012) \(\{\psi _{u_{1},s_{1}}\}_{u_{1},s_{1}}\) uses a finite-length decaying wavelet basis \(\psi _{u_{1},s_{1}}(t_{1})=\frac{1}{\sqrt{s_{1}}}\psi (\frac{t_{1}-u_{1}}{s_{1}})\) to preprocess the signal, where \(t_{1}\) denotes the sampling point in the time domain, \(\psi\) denotes the mother wavelet, \(s_{1}\) the dilation coefficient and \(u_{1}\) the translation. The wavelet transform can be formulated as the following equation:
\(\widetilde{x_{1}}\) denotes the original signal, \(*\) represents the convolution operator and \(x_{1}^{*}\) represents the complex conjugate of \(x_{1}\) (\(\overline{x_{1}}(t_{1})=x_{1}^{*}(t_{1})\)).
In the WT, the dilation coefficient \(s_{1}=2^{j}\;(j\in {\mathbb {N}})\) is varied. Given the mother wavelet \(\psi\) with center frequency \(f_{0}\), the jth dilated version has center frequency \(\frac{f_{0}}{2^{j}}\). In the STFT, the original signal is concentrated into a fixed area, the time-frequency box \(\alpha (t,f)=\gamma _{f}(t)\gamma _{t}(f)\), where \(\gamma _{t}\) and \(\gamma _{f}\) represent the constant temporal support and frequency bandwidth of the window \(w_{1}\). In the WT, the bandwidth \(\gamma _{f}\) is inversely proportional to the temporal support \(\gamma _{t}\) as the scale \(s_{1}\) changes, so unlike the STFT, the shape of the area \(\alpha (t,f)\) varies across the time-frequency plane. Compared with the STFT, the WT is stable to small deformations but is not translation invariant, whereas the STFT is unstable to small deformations but is translation invariant. To obtain a wavelet representation that is translation invariant while keeping its stability to deformations, Andén and Mallat (2013) proposed the wavelet scattering transform (WST), which can be formalized as:
where \(t_{1}\) denotes the sampling point in the time domain, \(u_{1}\) the translation, \(x_{1}\) the original signal, and \(*\) and \(\psi\) the convolution operator and the mother wavelet respectively. The wavelets \(\psi _{\lambda }\) are indexed by the scale parameter \(\lambda\); their outputs pass through the non-linear modulus operation \(|\cdot |\) and are averaged over a time window of size \(2^{j1}\) by \(A_{j1}x_{1}=x_{1}*\phi _{2^{j1}}\). Given a path \(p1=(\lambda _{1},...,\lambda _{m})\) with \(\lambda _{i}>2^{j1}\), the windowed scattering transform \(S_{j1}\) of the time-domain signal \(x_{1}\) can be formalized as:
where \(U[\lambda ]x_{1}=|W[\lambda ]x_{1}|=|x_{1}*\psi _{\lambda }|\). In practice, \(S_{j1}\) is calculated on the path subset \(\Omega _{j1,m}\), where m denotes the maximum length of the paths \(p\in \Omega _{j1,m}\) and every \(\lambda\) satisfies \(\lambda >2^{j1}\) (Andén and Mallat 2013). In the WST, the wavelet transform only captures the frequency components above \(2^{j1}\); the remaining components are captured by the low-pass filter \(\phi _{2^{j1}}\). In the Python implementation of the WST (Andreux et al. 2020), the wavelets are placed on dyadic scales \(2^{j}\;(0\le j<J)\) or on intermediate scales \(2^{\frac{j}{Q}}\;(0\le j<JQ)\), where Q denotes the number of wavelets per octave. The WST is thus governed by three parameters: the averaging scale \(2^{J}\;(J\ge 1,J\in N)\), the number of wavelets per octave \(Q\;(Q\ge 1,Q\in N)\) and the number of scattering levels \(m\in \{1,2\}\). Previous works showed that the WST provides stability and time-translation invariance (Andén and Mallat 2013) and achieves a satisfactory improvement in profiled attacks against jitter-protected implementations of AES (Destouet et al. 2021) when the parameters are properly selected. However, these works focus on an idealized scenario in which the adversary fully controls a cloned device and can select the parameters empirically in the profiling stage, using sensitive information about the implementation. In the non-profiled scenario, it is difficult to select suitable parameters empirically because the adversary has no detailed information about the target prior to the attack; moreover, the suitable settings vary between implementations. The adversary therefore needs a practical framework for selecting suitable WST parameters.
In this paper, we focus on providing suitable parameters \(\{j,q,f\}\) (with \(m=2\)) to enhance WST-based CPA, where \(j\in J\), \(q\in Q\) and f denotes the extracted frequency component.
A practical framework for frequency-based CPA attack
Our method
CPA is currently the most popular non-profiled side-channel analysis method. Focusing on optimizing CPA performance, we design a practical framework that provides suitable parameters for WST/STFT-based non-profiled CPA. The general measurement setup for WST/STFT-based non-profiled CPA is illustrated in Fig. 2. We aim to solve two challenges that previous works (Udvarhelyi et al. 2021; Destouet et al. 2021; Gebotys et al. 2005; Belgarric et al. 2014) do not investigate in depth:

How to select suitable parameters for WST/STFT-CPA attacks? From the "Short-time Fourier transform (STFT)" and "Wavelet scatter transform" sections, we know that the parameters \(\{j,q,f\}\) and \(\{w,std,f\}\) directly determine the performance of WST-CPA and STFT-CPA respectively. With suitable settings, WST/STFT-CPA significantly enhances the original CPA, but the suitable settings vary between cryptographic implementations.

How to evaluate the quality of the extracted frequency components? In the non-profiled scenario, the secret key, the intermediate values and the implementation details are unknown prior to the attack. To find the best parameter setting, the adversary needs suitable and reliable metrics for the quality of the extracted frequency components, and those metrics should be closely related to standard SCA metrics such as Success Rate (SR), Guessing Entropy (GE) or the minimum number of attack traces \(n_{min}\) (Standaert et al. 2009).
In an ideal scenario, the adversary is assumed to have sufficient attack data and detailed knowledge of the cryptographic implementation, such as the secret key, the noise level and the characteristics of the collected signals, and can directly obtain suitable frequency components from that knowledge. Hence, previous works do not consider how to select suitable parameters for WST/STFT-CPA or how to evaluate the quality of extracted frequency components in the non-profiled scenario. In reality, the implementation details are usually kept secret, and designers may even adopt countermeasures such as key rolling to limit the adversary's capability, so the suitable parameters cannot be read off directly. Designing a practical framework for selecting suitable parameters is therefore the key step in enhancing WST/STFT-CPA with insufficient data. To address this issue, we bring the concept of grid search from the deep-learning (DL) domain to the non-profiled SCA domain. Grid search (Pontes et al. 2016) is one of the most popular hyperparameter-tuning methods in machine learning; it works efficiently when the number of parameter combinations and the amount of data are not too large. In DL, grid search is used to find hyperparameters such as the learning rate and the network architecture: the hyperparameters are updated in fixed steps according to the feedback from the accuracy or loss value. We instead apply grid search to the parameters of WST/STFT, with our evaluation metrics as the feedback. Figure 3 gives an example of grid search applied to WST/STFT. The overall process of parameter selection can be divided into four steps:

(1)
Design the evaluation metric \(\textrm{D}\), evaluate the quality of the original traces \(\mathrm {D(T)}\) and set \(\mathrm {temp=D(T)}\).

(2)
Search every possible parameter setting \(\mathrm {\{j,q\}}\) for WST or \(\mathrm {\{w,std\}}\) for STFT. Preprocess the physical traces \(\textrm{T}\) with the current setting \(\mathrm {\{j1,q1\}}\) (\(\mathrm {\{w1,std1\}}\)), and extract the corresponding frequency components \(\mathrm {\{f_{1},f_{2},f_{3},...,f_{n}\}}\).

(3)
Evaluate the quality of extracted frequency components with the designed metric \(\textrm{D}\):
$$\begin{aligned} \textrm{S}_{1}&={\textrm{D}}({\textrm{f}}_{1})\\ \textrm{S}_{2}&={\textrm{D}}({\textrm{f}}_{2})\\ \textrm{S}_{3}&={\textrm{D}}({\textrm{f}}_{3})\\ &\cdots \\ \textrm{S}_{n}&={\textrm{D}}({\textrm{f}}_{n}) \end{aligned}$$ (7)
Sort the evaluation scores in descending order and compare \(\textrm{temp}\) with the largest score \(\mathrm {S_{1}}\). If \(\mathrm {S_{1}>temp}\), set \(\mathrm {temp=S_{1}}\) and store the parameter setting \(\mathrm {\{j1,q1,f1\}}\) (\(\mathrm {\{w1,std1,f1\}}\)) that produced it.

(4)
Repeat steps (2) and (3) over the whole grid. The final result is the parameter setting \(\mathrm {\{j1,q1,f1\}}\) (\(\mathrm {\{w1,std1,f1\}}\)) with the highest score.
To evaluate the quality of an extracted frequency component f, we adopt the Pearson Correlation Coefficient (PCC), the Signal-to-Noise Ratio (SNR) and the Absolute Difference of PCCs (DOP) as the evaluation metrics driving the grid search. The PCC metric \(\mathrm {D_{PCC}^{P}(f)}\) can be formalized as:
where \(\mathrm {L_{k^{*}}^{p}}\) represents the hypothetical power consumption, \(\textrm{p}\) denotes the ciphertext or plaintext, \(\mathrm {k^{*}}\) denotes the hypothesis key and \(\rho\) represents the PCC value. \(\mathrm {L_{k^{*}}^{p}}\) can be further written as \(\mathrm {L_{k^{*}}^{p}=h(F_{1}(k^{*},p_{1}),F_{2}(k^{*},p_{2}),...,F_{n}(k^{*},p_{n}))}\), where \(\textrm{F}\) represents the sensitive cryptographic operation (e.g. the AES SubBytes operation) and \(\textrm{h}\) denotes the selected leakage model. Let \(\textrm{m1}\) and \(\textrm{m2}\) denote the minimum number of attack traces (\(\mathrm {n_{min}}\)) needed for a successful CPA using the frequency components \(\mathrm {f_{1}}\) and \(\mathrm {f_{2}}\) respectively. We have
when
According to Mangard et al. (2007), \(\mathrm {n_{min}}\) and \(\rho\) are related by \(\mathrm {n_{min}=\frac{28}{\rho ^{2}}}\): the number of traces needed grows with the inverse square of the correlation. If Eq. 10 is satisfied, we can infer that
When Eq. 12 is satisfied, it follows directly that \(\mathrm {m1<m2}\). As a result, using the frequency component \(\mathrm {f_{1}}\), the adversary can extract the secret key with fewer traces.
Like PCC evaluation metric, we have
when
The notation of SNR evaluation metric \(\mathrm {D_{SNR}(f)}\) can be formalized as:
In the SCA domain, a sampling point of a physical trace \(L_{total}\) can be decomposed as \(L_{total}=L_{exp}+L_{noise}\), where \(L_{exp}\) denotes the exploitable leakage and \(L_{noise}\) the noise component. The relationship between \(\textrm{SNR}\) and \(\rho\) satisfies (Mangard et al. 2007) \(\rho (h,L_{total})=\rho (h,L_{exp}+L_{noise})=\frac{\rho (h,L_{exp})}{\sqrt{1+\frac{1}{\textrm{SNR}}}}\), where h denotes the hypothetical leakage. WST/STFT can be regarded as a special noise-reduction method that reduces \(L_{noise}\); the \(\textrm{SNR}\) increases as \(L_{noise}\) becomes smaller, and a higher \(\textrm{SNR}\) leads to a higher \(\rho\). If Eq. 14 is satisfied, we can infer that
When Eq. 18 is satisfied, we can infer that \(\mathrm {\rho _{f_{1}}>\rho _{f_{2}}}\), and from \(\mathrm {n_{min}=\frac{28}{\rho ^{2}}}\) that \(\mathrm {m1<m2}\). Hence, the adversary can also use \(\mathrm {D_{SNR}(f)}\) to directly measure the quality of the extracted frequency components.
Besides the \(\mathrm {D_{PCC}^{p}(f)}\) and \(\mathrm {D_{SNR}(f)}\) metrics, we also consider the DOP \(\mathrm {D_{DOP}(f)}\) as an alternative metric for the quality of the extracted frequency components. \(\mathrm {D_{DOP}(f)}\) can be formalized as
where \(\mathrm {\rho _{K1}(h,f)}\) and \(\mathrm {\rho _{K2}(h,f)}\) represent the largest and second-largest PCC values over the key hypotheses respectively. We have
when
In the process of a CPA attack, the difference between the PCC of the correct key (the maximum PCC) and the PCCs of the other hypothesis keys grows as the number of collected traces increases or as the quality of the collected traces improves. Hence, given the same number of attack traces, the frequency component \(\mathrm {f_{1}}\) is expected to give better SCA performance than \(\mathrm {f_{2}}\) when Eq. 21 is satisfied.
Alg. 1 and Alg. 2 summarize the process of selecting suitable parameters with the \(\mathrm {D_{PCC}^{p}(f)}\) metric for WST-based and STFT-based CPA attacks respectively. \(\mathrm {WST_{j,q}(T)}\) denotes the traces preprocessed with WST, while \(\mathrm {STFT_{w,std}(T)}\) denotes the traces preprocessed with STFT. The adversary first uses \(\mathrm {D_{PCC}^{p}(f)}\) to score the original traces, \(\mathrm {S_{ori}=D_{PCC}^{p}(T)}\), and initializes \(\mathrm {temp=S_{ori}}\). The adversary then walks the whole parameter space with grid search and computes \(\mathrm {D_{PCC}^{p}(f^{*})}\) for each extracted frequency component. Whenever \(\mathrm {D_{PCC}^{p}(f^{*})>temp}\), the value \(\mathrm {D_{PCC}^{p}(f^{*})}\) is assigned to \(\textrm{temp}\) and the corresponding parameters are recorded. Iterating this process yields the best parameter setting. Selecting parameters with the SNR and DOP metrics follows Alg. 1 and Alg. 2 in the same way: the adversary only replaces \(\mathrm {D_{PCC}^{p}}\) with \(\mathrm {D_{SNR}}\) or \(\mathrm {D_{DOP}}\) respectively, so those variants are not spelled out here. In short, the adversary uses the designed evaluation metrics to search the parameter settings iteratively, and then performs CPA on the traces preprocessed with the best-selected parameters.
Further optimization. Although grid search provides a straightforward way to select suitable hyperparameters in the non-profiled attack scenario, it takes a lot of time when the number of attack traces or parameters is large: the adversary has to evaluate every parameter setting to find a suitable one, which inevitably adds time overhead. To further optimize grid-search-based SCA, we propose a halving-grid search to accelerate the attack. The overall halving-grid search for WST/STFT-CPA consists of six steps:

(1)
Measure the distribution of the original dataset \(\textrm{T}\) by computing the distribution of the single-byte plaintext values. Select a smaller dataset \(\mathrm {T_{1}}\) from \(\textrm{T}\) whose distribution is nearly the same as that of \(\textrm{T}\).

(2)
Apply grid search over the whole parameter space \(\mathrm {\{j,q\}}\) or \(\mathrm {\{w,std\}}\) on \(\mathrm {T_{1}}\), and compute the corresponding scores \(\textrm{S}\) with the designed evaluation metrics (e.g. \(\mathrm {D_{PCC}^{p}}\), \(\mathrm {D_{SNR}}\) and \(\mathrm {D_{DOP}}\)).

(3)
Sort the scores in descending order and eliminate the lower half of the parameter settings \(\mathrm {\{j,q\}}\) or \(\mathrm {\{w,std\}}\) according to the sorted values \(\textrm{S}\).

(4)
The adversary selects a new subset \(\mathrm {T_{2}}\) from the remaining dataset \(\mathrm {T\setminus T_{1}}\), where \(\mathrm {T_{2}}\) is twice as large as \(\mathrm {T_{1}}\). The adversary evaluates the remaining parameter settings \(\mathrm {\{j,q\}}\) or \(\mathrm {\{w,std\}}\) on \(\mathrm {T_{2}}\), sorts the scores in descending order, and again eliminates the lower half of the remaining parameter settings according to the sorted values \(\textrm{S}\).

(5)
Repeat step (4) until the remaining dataset is too small for the next subset or only one parameter setting is left.

(6)
Apply grid search to the surviving settings to obtain the best-performance parameters.
How to apply grid search or halving-grid search in the non-profiled attack scenario? Compared with the original grid-search method, halving-grid search efficiently reduces the time overhead of the parameter search. In this paper, we find that halving-grid search achieves nearly the same performance as grid search when the initially selected subset is set to around one-third of the original dataset. The method can certainly be applied to other similar preprocessing methods for enhancing non-profiled SCA. However, halving-grid search does not always outperform grid search in non-profiled SCA. It has an inherent limitation when the number of attack traces is quite small: evaluators may wrongly eliminate the suitable parameters if the selected subset is extremely small. We therefore recommend grid search when the number of attack traces is insufficient, and halving-grid search when the number of attack traces or parameters is large. Since this paper aims to enhance CPA in the case of insufficient attack data, we adopt grid search as the main method to perform the attack.
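To make the evaluation metrics, the Alg. 1/2 search loop and the six halving-grid steps concrete, the following is an added, self-contained Python example; it is not the paper's code and does not use the kymatio or scipy calls the paper relies on. It constructs simulated traces, implements CPA with the \(\mathrm {D_{PCC}^{p}}\) and \(\mathrm {D_{DOP}}\) scores, a numpy-only Gaussian-window STFT magnitude transform standing in for the STFT preprocessing, the grid search with \(\mathrm {S_{ori}}\) as the bar to beat, and the halving-grid search. Assumptions made here: \(\mathrm {D_{DOP}}\) is taken as the gap between the two largest per-key PCC peaks (the text describes \(\rho _{K1}\) and \(\rho _{K2}\) but Eq. 19 is not reproduced above); the distribution-matched subset of step (1) is approximated by a uniformly random subset; and the constructed leakage is a short tone whose amplitude follows \(\mathrm {HW(SBox(p\oplus k))}\), so that a frequency-domain score can exceed the raw-trace score. The grid `GRID`, the key byte `TRUE_KEY` and all numeric settings are constructed values.

```python
import numpy as np

# Added example (not the paper's code). All inputs are constructed; the STFT
# is a numpy-only stand-in for scipy.signal.stft and D_DOP is assumed to be the
# gap between the two largest per-key PCC peaks (Eq. 19 is not on the page).

def aes_sbox():
    """Build the AES S-box (FIPS-197) from GF(2^8) arithmetic."""
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3 ...
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0                            # ... so q = 1/p
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return np.array(sbox, dtype=np.uint8)

SBOX = aes_sbox()
HW = np.array([bin(v).count("1") for v in range(256)])
TRUE_KEY = 0x2B   # constructed secret key byte; only the simulator uses it
GRID = [(w, std) for w in (8, 16, 32) for std in (2, 8, 32)]  # {w, std} candidates

def simulate_traces(n=500, length=64, amp=0.8, sigma=2.0, seed=7):
    """Constructed leakage: over samples 16..47 a tone of period 8 whose
    amplitude is HW(SBox(p xor k)); every sample also carries Gaussian noise."""
    rng = np.random.default_rng(seed)
    pts = rng.integers(0, 256, n)
    traces = rng.normal(0.0, sigma, (n, length))
    t = np.arange(16, 48)
    traces[:, t] += HW[SBOX[pts ^ TRUE_KEY]][:, None] * amp * np.cos(2 * np.pi * t / 8)
    return pts, traces

def cpa(traces, pts):
    """PCC between HW(SBox(p xor k*)) and every point, for all 256 k*: 256 x L."""
    h = HW[SBOX[pts[:, None] ^ np.arange(256)[None, :]]].astype(float)
    h, t = h - h.mean(axis=0), traces - traces.mean(axis=0)
    den = np.sqrt((h ** 2).sum(axis=0))[:, None] * np.sqrt((t ** 2).sum(axis=0))[None, :]
    return (h.T @ t) / np.where(den == 0, np.inf, den)   # constant columns score 0

def d_pcc(traces, pts):
    """D_PCC: largest |PCC| over all key hypotheses and all points."""
    return float(np.abs(cpa(traces, pts)).max())

def d_dop(traces, pts):
    """D_DOP (assumed form): first minus second largest per-key |PCC| peak."""
    peaks = np.sort(np.abs(cpa(traces, pts)).max(axis=1))
    return float(peaks[-1] - peaks[-2])

def best_key(traces, pts):
    """The key hypothesis with the highest |PCC| peak."""
    return int(np.abs(cpa(traces, pts)).max(axis=1).argmax())

def stft_magnitude(traces, w, std, hop=4):
    """Gaussian-window (length w, std) STFT magnitudes, flattened per trace."""
    n, length = traces.shape
    win = np.exp(-0.5 * ((np.arange(w) - (w - 1) / 2) / std) ** 2)
    frames = [traces[:, s:s + w] * win for s in range(0, length - w + 1, hop)]
    spec = np.abs(np.fft.rfft(np.stack(frames, axis=1), axis=2))  # n x frames x bins
    return spec.reshape(n, -1)

def grid_search(traces, pts, grid, score=d_pcc):
    """Alg. 1/2 style: S_ori is the bar; keep the {w, std} with the best score above it."""
    temp, best = score(traces, pts), None
    for w, std in grid:
        s = score(stft_magnitude(traces, w, std), pts)
        if s > temp:
            temp, best = s, (w, std)
    return best, temp   # best stays None when no transform beats the raw traces

def halving_grid_search(traces, pts, grid, score=d_pcc, seed=1):
    """Steps (1)-(6): score on a subset, halve the candidates, double the subset."""
    order = np.random.default_rng(seed).permutation(len(pts))  # (1) random subset
    size, used, cand = len(pts) // 3, 0, list(grid)            # stands in for the
    while len(cand) > 1 and used + size <= len(pts):            # distribution match
        idx, used = order[used:used + size], used + size         # (4) disjoint T2
        scores = [score(stft_magnitude(traces[idx], w, std), pts[idx]) for w, std in cand]
        keep = np.argsort(scores)[::-1][:max(1, len(cand) // 2)]  # (3) drop lower half
        cand, size = [cand[i] for i in keep], size * 2
    return grid_search(traces, pts, cand, score)                # (6) final grid search

if __name__ == "__main__":
    pts, traces = simulate_traces()
    print("raw key guess", hex(best_key(traces, pts)), "S_ori", round(d_pcc(traces, pts), 3))
    print("grid search   ", grid_search(traces, pts, GRID))
    print("halving search", halving_grid_search(traces, pts, GRID))
```

Two design points carry over from the text: `grid_search` returns `None` for the parameters when nothing scores above \(\mathrm {S_{ori}}\), so the framework never replaces the raw traces with a worse representation; and `halving_grid_search` draws each round's subset disjointly from the previous ones and doubles its size, which is exactly why it can discard a good setting when the first subset is very small.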
Parameters setting
To efficiently enhance the performance of CPA attacks, it is vital to select suitable parameters for WST/STFT. We follow the operation of the grid-search method and select the best-performance parameters according to feedback from the designed evaluation metrics (Eqs. 8, 15 and 19). The finite sets J1 and Q1 used for WST-based CPA are \(J1\in [1,8]\) and \(Q1\in [2,6]\). For STFT-based CPA attacks, the finite sets W and STD are \(W\in \{0.01L,0.02L,0.04L,0.08L,0.1L\}\) and \(STD\in \{0.25,0.5,1,2,4,8,16\}\), where L denotes the number of sampling points. In this section, FFT-based CPA is regarded as a special type of STFT-based CPA attack.
To make our work reproducible, we use open-source frameworks to implement the preprocessing methods. The FFT preprocessing is implemented with the \(\mathrm {Numpy.FFT.FFT}\) function (Numpy 2022), the STFT preprocessing with the \(\mathrm {Scipy.signal.STFT}\) function (Scipy 2022), and the WST-based CPA with the \(\mathrm {Kymatio.numpy.Scattering1D}\) function from Andreux et al. (2020). Besides, since the intermediate value is unknown to the adversary in the non-profiled scenario, we use analysis of variance as an alternative way (Bubberman et al. 2020) to measure the SNR of the physical traces.
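The variance-based SNR estimate mentioned above can be computed without the secret intermediate value. The following added Python example (not the paper's code, and not the Bubberman et al. implementation) shows why: it groups traces by the plaintext byte, which the non-profiled adversary knows, and compares the result with the reference grouping by the Hamming weight of the intermediate value that would require the key. The traces, the key byte `TRUE_KEY`, the leaking sample index and the noise level are all constructed.

```python
import numpy as np

# Added example (not the paper's code): estimate the per-sample SNR with a
# one-way analysis of variance, grouping traces by a value the non-profiled
# adversary knows (the plaintext byte) instead of by the secret intermediate.

HW = np.array([bin(v).count("1") for v in range(256)])
TRUE_KEY = 0x5A   # constructed; used only by the simulator and the reference SNR

def simulate_traces(n=4096, length=32, leak_at=10, sigma=1.0, seed=3):
    """Constructed traces: HW(p xor k) leaks at sample `leak_at`, noise elsewhere."""
    rng = np.random.default_rng(seed)
    pts = rng.integers(0, 256, n)
    traces = rng.normal(0.0, sigma, (n, length))
    traces[:, leak_at] += HW[pts ^ TRUE_KEY]
    return pts, traces

def anova_snr(traces, labels):
    """Per-sample SNR = between-class variance / mean within-class variance,
    both weighted by class size, for any labelling of the traces."""
    classes, counts = np.unique(labels, return_counts=True)
    w = (counts / counts.sum())[:, None]
    means = np.array([traces[labels == c].mean(axis=0) for c in classes])
    within = np.array([traces[labels == c].var(axis=0) for c in classes])
    grand = (w * means).sum(axis=0)
    between = (w * (means - grand) ** 2).sum(axis=0)
    return between / (w * within).sum(axis=0)

def snr_by_plaintext(traces, pts):
    """What the adversary can compute: classes are the 256 plaintext values.
    For a fixed key the intermediate value is a bijection of p, so this is the
    same partition of the traces as grouping by the secret intermediate."""
    return anova_snr(traces, pts)

def snr_by_intermediate(traces, pts, key):
    """Reference only (needs the key): classes are the 9 Hamming-weight values."""
    return anova_snr(traces, HW[pts ^ key])

def leak_point(snr):
    """Index of the sample with the highest estimated SNR."""
    return int(np.argmax(snr))

if __name__ == "__main__":
    pts, traces = simulate_traces()
    s_pt = snr_by_plaintext(traces, pts)
    s_iv = snr_by_intermediate(traces, pts, TRUE_KEY)
    print("leak point (plaintext classes):", leak_point(s_pt), "SNR", round(float(s_pt.max()), 2))
    print("leak point (HW classes):       ", leak_point(s_iv), "SNR", round(float(s_iv.max()), 2))
```

With 256 plaintext classes each class mean carries its own noise, so the plaintext-grouped estimate is biased upward by roughly \(\sigma ^{2}/n_{c}\) for a class size \(n_{c}\); the Hamming-weight grouping, which collapses the partition to nine classes, is close to the true value \(\mathrm {Var(HW)}/\sigma ^{2}=2\) here. Both locate the leaking sample, which is all the parameter search needs from the metric.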
Experiment results
To assess the effectiveness of our proposed attack framework (Figs. 2 and 3), we present practical attacks on four public datasets: DPA Contest V4 (DPA_Contest_v4 2014), AES_HD (AES_HD 2018), AES_RD (AES_RD 2017) and ASCAD (2018). The results show that with the proposed attack framework, WST/STFT-based CPA attacks achieve more robust performance. Compared with the original CPA method, the number of attack traces can be reduced by 50–95%.
Public datasets
Four public datasets covering the main types of SCA scenarios are used in our experiments. The first is a software-based unprotected implementation of AES, which represents an ideal scenario in which the noise level is quite low and the adversary can extract the secret key with limited data. The second is also an unprotected implementation of AES, but with a high noise level, so the adversary needs to collect a lot of data to break the device. The third dataset uses a random delay countermeasure, a typical hiding countermeasure that has been widely deployed in commercial crypto products (e.g. commercial contactless/contact smart cards (Kim et al. 2012)). Finally, the last dataset uses first-order boolean masking, currently the most popular side-channel countermeasure in the SCA community. Detailed information about the public datasets is as follows:

(1)
DPA Contest V4 dataset (DPA_Contest_v4 2014). It measures the EM leakage of a first-order boolean masked implementation of AES (Nassar et al. 2012). In this paper, the mask value is assumed to be known prior to the non-profiled attack, which turns the protected implementation into an unprotected one. The intermediate value is formalized as follows:
$$\begin{aligned} Y(K^{*})=S(P_{i}\oplus K^{*})\oplus \underbrace{M}_{\text {known mask}} \end{aligned}$$ (22)
where \(K^{*}\) denotes the secret AES key, Y represents the targeted intermediate value, \(P_{i}\) represents the i-th byte of the plaintext and S represents the AES SubBytes operation. The maximum measured SNR is 5.8577. We target the first byte of Y and use the Hamming weight (HW) leakage model to perform SCA.

(2)
AES_HD (AES_HD 2018). The AES_HD dataset provides EM measurements of a parallel implementation of AES. AES-128 is implemented in hardware on a Xilinx Virtex-5 FPGA. AES_HD does not use any side-channel countermeasure. The maximum measured SNR is 0.0096. The intermediate value is formalized as follows (Kim et al. 2019):
$$\begin{aligned} Y(K^{*})=\underbrace{S^{-1}(C_{a}\oplus K^{*})}_{\text {previous register value}}\oplus \underbrace{C_{b}}_{\text {ciphertext byte}} \end{aligned}$$ (23)
where \(K^{*}\) denotes the secret AES key, \(S^{-1}\) represents the inverse AES SubBytes operation, \(C_{a}\) denotes the a-th byte of the ciphertext and \(C_{b}\) denotes the b-th byte of the ciphertext. The relationship between a and b follows from the inverse AES ShiftRows operation. Like previous works (Picek et al. 2019; Kim et al. 2019), we select \(a=12\), resulting in \(b=8\), to perform the attack, as it is one of the easiest intermediate value bytes to recover. For the AES_HD dataset we select the Hamming distance (HD) as the main leakage model for the non-profiled attacks, since HD is suitable for analyzing parallel implementations.

(3)
AES_RD dataset (AES_RD 2017). AES_RD provides power measurements of a protected software-based implementation of AES (Coron and Kizhvatov 2010). The random delay countermeasure is implemented on an 8-bit AVR platform. The intermediate value is formalized as follows:
$$\begin{aligned} Y(K^{*})=S(P_{i}\oplus K^{*}) \end{aligned}$$ (24)
where \(K^{*}\) denotes the secret AES key, Y represents the targeted intermediate value, \(P_{i}\) represents the i-th byte of the plaintext and S represents the AES SubBytes operation. The maximum measured SNR is 0.0556. We target the first byte of Y and use the HW leakage model to perform the SCA.

(4)
ASCAD dataset (ASCAD 2018). The ASCAD dataset uses first-order boolean masking (Benadjila et al. 2020) to resist side-channel attacks. The masked AES runs on an ATmega8515 microcontroller (8-bit AVR), and the corresponding measurements are EM leakages. The intermediate value is formalized as follows:
$$\begin{aligned} Y(K^{*})=S(P_{i}\oplus K^{*})\oplus Mask_{out} \end{aligned}$$ (25)
where \(K^{*}\) denotes the secret AES key, Y represents the targeted intermediate value, \(Mask_{out}\) represents the output mask value, \(P_{i}\) represents the i-th byte of the plaintext and S represents the AES SubBytes operation. The maximum measured SNR is 0.8. In this paper, we target the third byte of Y and perform 2nd-order CPA attacks (Rivain et al. 2009) with the HW model.
Practical attacks on public datasets
Based on the "Parameters setting" section, we apply the proposed framework ("A practical framework for frequency-based CPA attack" section, Figs. 2 and 3) to enhance the original CPA attacks. We mainly plot the performance of WST/STFT(PCC,SNR)-based CPA attacks, as WST/STFT-DOP-based CPA has nearly the same performance as WST/STFT-PCC-based CPA. We adopt the success rate (SR) (Standaert et al. 2009) as the main SCA evaluation metric to systematically compare WST/STFT-based CPA with the original CPA method on the DPA Contest V4, AES_HD, AES_RD and ASCAD datasets. Each practical attack is repeated 100 times and the results are averaged to compute the SR.
For the DPA Contest V4 dataset, we select 500 traces to perform the non-profiled attacks. Figures 4 and 5 depict the performance of WST-based and STFT-based CPA attacks on the DPA Contest V4 dataset respectively. The proposed attack framework achieves more robust performance: with the best-selected parameters, WST/STFT-based CPA enables the adversary to extract the secret key within 25 traces, while the original CPA requires at least 55 traces for a successful non-profiled attack. Besides, we find that FFT-based CPA does not always perform well in the context of SCA; sometimes it even makes the performance of the original CPA attack worse, as shown in Fig. 5.
For the AES_HD dataset, we select 9000 traces to perform the non-profiled attacks. Figures 6 and 7 plot the performance of WST-based and STFT-based CPA attacks on the AES_HD dataset respectively. As expected, the proposed method also efficiently enhances non-profiled attacks against a hardware-based cryptographic implementation. Using the proposed attack framework (Alg. 1 and Alg. 2), WST-based CPA reduces the number of attack traces from 6000 to 3000, while STFT-based CPA reduces it from 6000 to 4000. Compared with STFT-based CPA, WST-based CPA performs relatively better on the AES_HD dataset. Besides, DOP/PCC-WST/STFT-based CPA performs better than SNR-WST/STFT-based CPA, as shown in Figs. 6 and 7. Although SNR-WST-based CPA is also able to efficiently improve the performance of CPA attacks, DOP/PCC-WST/STFT-based CPA extracts the secret key within fewer traces. Similar to Fig. 5, FFT-based CPA performs poorly on the AES_HD dataset, as shown in Fig. 7.
For the ASCAD dataset, we select 5000 traces to perform the non-profiled attacks. The original data is preprocessed with the window compression method, reducing the number of sampling points from 700 to 70. After this dimension reduction, we apply WST and STFT to the compressed traces and then perform 2nd-order CPA attacks (Rivain et al. 2009). Figures 8 and 9 plot the performance of WST-based and STFT-based CPA attacks on the ASCAD dataset respectively. As expected, our proposed attack framework works efficiently on the ASCAD dataset, and FFT-based CPA still has the poorest performance. With the proposed attack framework (Alg. 1 and Alg. 2), WST/STFT-based CPA successfully extracts the AES key within 1200 traces, while the original method requires at least 2700 traces for a successful 2nd-order CPA attack. From Figs. 8 and 9, we can learn that the PCC/DOP evaluation metrics perform better than the SNR evaluation metric in WST/STFT-based CPA attacks. In the case of STFT-based CPA, SNR-STFT-based CPA even makes the performance of the original method worse.
For the AES_RD dataset, we select 20,000 traces to perform the non-profiled attacks. Unlike the three previous datasets, FFT-based CPA achieves the best performance on the AES_RD dataset, as shown in Figs. 10 and 11. The adversary can extract the secret key within 3000 traces with FFT-based CPA, while WST-based CPA requires 5500 traces for a successful non-profiled attack. Compared with the original CPA, WST/FFT-based CPA attacks achieve more robust performance, reducing the number of attack traces by at least 95%. Compared with the SNR evaluation metric, the PCC/DOP evaluation metrics achieve better performance in WST-based CPA attacks. Besides, we find that STFT-based CPA does not efficiently enhance CPA on the AES_RD dataset. The original CPA method cannot reach a 20% success rate even when the number of attack traces is increased to 18,000.
Comparing the proposed method with other popular preprocessing methods
From the "Practical attacks on public datasets" section it can be inferred that our method effectively enhances the original CPA attacks. However, it is uncertain whether our proposed method outperforms other popular preprocessing methods (Bruneau et al. 2015; Destouet et al. 2021; Yang et al. 2017; Riscure 2021) on the public datasets. Hence, we conduct a comparative experiment to investigate the performance of these preprocessing methods (Bruneau et al. 2015; Destouet et al. 2021; Yang et al. 2017; Riscure 2021) on the public datasets. In this section, we select Principal Component Analysis (PCA) (Bruneau et al. 2015), Non-negative Matrix Factorization (NMF) (Yang et al. 2017), the Ensemble method with WST (Destouet et al. 2021), and the low-pass filter and moving average (as implemented by Riscure (2021)) as the main methods to perform the attack. These are currently the most popular preprocessing methods, and they can be easily reproduced with the scikit-learn (Fabian Pedregosa et al. 2020) and kymatio (Andreux et al. 2020) libraries. Unlike the original research (Destouet et al. 2021), we apply the central idea of the Ensemble method with WST to the non-profiled scenario, in order to investigate whether their proposed method works efficiently in the non-profiled attack scenario. The motivation of this study is certainly not to discredit or replicate previous studies. Instead, our goal is to provide practical insight into the selection of preprocessing methods for enhancing the performance of non-profiled attacks.
During the experiment, the number of components used in PCA/NMF is set to 10–40 and we select the value that leads to the best SCA performance. To fairly compare the Ensemble method with WST (Destouet et al. 2021) with our proposed method, the Ensemble method with WST uses the same best-selected parameters ("Practical attacks on public datasets" section). In this section, WST-CPA adopts PCC as the main evaluation metric. Figure 12 plots the SR results of our method and the other preprocessing methods. As expected, our method is more generic and effective than the other preprocessing methods. From Fig. 12, it can be learned that directly applying dimension reduction techniques (Bruneau et al. 2015; Yang et al. 2017) may even make the performance of the original CPA method worse. Although previous works (Bruneau et al. 2015; Yang et al. 2017) found that PCA/NMF can enhance the performance of CPA on cryptographic implementations, they do not perform as well as Bruneau et al. (2015) and Yang et al. (2017) report when analyzing the four public datasets. Researchers need to conduct more investigations to further optimize NMF/PCA-CPA attacks. Besides, we find that the Ensemble method with WST (Destouet et al. 2021) cannot efficiently enhance the performance of non-profiled attacks: it makes the performance of the original CPA attack worse on the DPA Contest V4, AES_HD and ASCAD datasets. In general, our method is more generic and effective at enhancing the performance of CPA attacks.
Summary of the attack framework
To assess the extendability and applicability of our method, we present practical attacks on four different cryptographic implementations. With suitable parameters, WST-based CPA and STFT(FFT)-based CPA attacks achieve more robust performance. Compared with the original CPA attacks, the attack method reduces the number of attack traces by 50–95%, which allows adversaries to extract the secret key with much less data.
Through the above comparative experiments, we can learn that WST-based CPA attacks are superior to STFT-based CPA attacks in terms of stability. With suitable parameters, WST-based CPA effectively enhances the performance of non-profiled attacks on all four datasets, while STFT-based CPA does not work efficiently on the AES_RD dataset. Although FFT-based CPA achieves the best performance on the AES_RD dataset, it makes the performance of the original attack worse on the other three datasets. We speculate that the main reason is that the critical information in side-channel traces is contained in transient patterns, whose corresponding signals are non-stationary; as a consequence, the critical information in SCA traces is not well captured by the FFT. The adversary needs STFT to address this limitation of the FFT, while WST works efficiently on non-stationary signals. Besides, we find that the DOP/PCC evaluation metrics are superior to the SNR evaluation metric in the proposed attack framework: DOP/PCC allow the adversary to extract the secret key with fewer traces on the AES_RD and AES_HD datasets. As a suggestion, we recommend selecting DOP/PCC as the primary evaluation metrics when applying the proposed attack framework.
Countermeasures. The practical experiment results show that the proposed method achieves significant improvements against masking and random delay countermeasures. Designers need to consider the threat of our proposed method when implementing their cryptographic designs, especially when designing random delay countermeasures. Current random delay countermeasures are mostly applied to resist time-domain SCA: they misalign the sampling points in the time domain to increase the difficulty of a successful time-domain SCA. However, they do not ensure that the sampling points are also misaligned after transformation into the frequency domain. Figures 10 and 11 plot the performance of frequency-based CPA against the random delay countermeasure, and show that random delay cannot efficiently resist frequency-based CPA attacks. The adversary can recover the secret key with quite limited power traces by WST/FFT-CPA, and WST/FFT-CPA does not even require additional alignment techniques to preprocess the traces. Designers therefore need to additionally consider how to misalign the sampling points in the frequency domain when designing random delay countermeasures. In addition, designers need to consider the threat of our proposed method when designing key-rolling schemes: given N power traces, the adversary may be unable to extract the secret key with a time-domain SCA method, yet may succeed within the same N power traces with our proposed method. Moreover, it is advisable to adopt multiple countermeasures to resist our proposed method. The practical experiment results indicate that a single side-channel countermeasure (e.g. masking or random delay) cannot effectively resist WST/STFT-based CPA attacks.
The adversary can break the masking or random delay countermeasure within 3000 traces with the proposed method. The designer needs to introduce additional or more complex countermeasures to raise the physical security level of crypto products. For example, designers can combine shuffling and masking countermeasures to resist our proposed method. Although shuffling cannot resist SCA when the amount of attack data is huge, it randomizes the order of independent operations and efficiently increases the number of attack traces required for a successful SCA. The protection is considered effective when the cost of a successful SCA is unaffordable for the adversary.
A fine-grain analysis of parameter settings for frequency-based CPA attacks
Based on the experiment results ("Experiment results" section), we conduct a systematic empirical study to investigate the effectiveness of STFT-based CPA and WST-based CPA in the non-profiled attack scenario. The performance of WST/STFT-based CPA is evaluated under different parameter values in a fine-grain manner. Based on the analysis, we provide empirical suggestions for parameter selection in the non-profiled attack scenario. In this section, we mainly focus on PCC-WST/STFT-based CPA attacks.
A fine-grain analysis of parameter settings for WST-based CPA attacks
To assess the performance of WST-CPA attacks on the DPA Contest V4, AES_HD, ASCAD and AES_RD datasets, we select the best-performance parameter settings, and then systematically compare their performance with various \(\{J,Q\}\) on the four public datasets.
Figures 13 and 14 plot the success rate results of WST-based CPA with various \(\{J,Q\}\) parameters on the DPA Contest V4 dataset. From Figs. 13 and 14, we can learn that the parameter J plays the more important role in improving WST-based CPA attacks. With a suitable parameter J, the adversary can efficiently improve the performance of WST-based CPA attacks even when the parameter Q is not properly selected. For the DPA Contest V4 dataset or similar implementations, the adversary achieves a more efficient non-profiled attack when the parameters \(\{J,Q\}\) satisfy \(J=1\) and \(Q\in \{3,4,5,6\}\).
For the AES_HD dataset, the performance of WST-based CPA with various \(\{J,Q\}\) is very similar to that on the DPA Contest V4 dataset. The parameter J again plays the more important role in improving WST-based CPA attacks, as depicted in Figs. 15 and 16. The AES key of the AES_HD dataset is successfully recovered within 4000 traces when the parameter J is set to 2. We recommend setting the parameters \(\{J,Q\}\) to \(\{2,6\}\) when analyzing the AES_HD dataset or similar implementations, for a significant improvement over the original CPA attacks.
To analyze the ASCAD dataset, the original traces are preprocessed with the window compression method, which reduces the number of sampling points to 70. To make WST work on such short traces, we restrict the value range of the parameter J to \(J\in \{1,2,3\}\). Figures 17 and 18 plot the performance of WST-based CPA with various \(\{J,Q\}\) on the ASCAD dataset. As expected, the adversary can efficiently enhance non-profiled attacks when the parameter J is properly selected. The adversary achieves the best performance when the parameters \(\{J,Q\}\) satisfy \(J=1\) and \(Q\in \{2,3\}\).
For the AES_RD dataset, the adversary can efficiently break the random delay countermeasure when the parameters \(\{J,Q\}\) satisfy \(J\in [4,8]\) and \(Q\in [5,8]\), as shown in Figs. 19 and 20. The proposed framework achieves more robust attack performance when the adversary adopts larger parameters \(\{J,Q\}\).
A fine-grain analysis of parameter settings for STFT-based CPA attacks
To assess the performance of STFT-CPA attacks on the DPA Contest V4, AES_HD and ASCAD datasets, we select the best-performance frequency components, and then systematically compare their performance with various \(\{std,window\}\) on the three public datasets, where std denotes the standard deviation and window denotes the size of the Gaussian window used in the STFT.
Figures 21 and 22 plot the success rate results of STFT-based CPA with various parameters \(\{std,window\}\) on the DPA Contest V4 dataset. From Figs. 21 and 22, we can learn that both the window size and std play important roles in STFT-based CPA attacks. With a smaller window and a larger std, the performance of the original CPA attacks can be significantly improved. The proposed attack framework achieves a satisfactory improvement when the parameters \(\{std,window\}\) satisfy \(std\in \{8,16\}\) and \(window\in \{0.01L,0.02L\}\).
Similar to the DPA Contest V4 dataset, the adversary can efficiently improve the performance of CPA attacks on the AES_HD dataset with a smaller window and a larger std, as shown in Figs. 23 and 24. The adversary achieves the best performance when the parameters \(\{window,std\}\) satisfy \(std=16\) and \(window\in \{0.01L,0.02L\}\). As on the DPA Contest V4 and AES_HD datasets, a smaller window allows the adversary to extract the secret key of the ASCAD dataset with fewer traces (see Figs. 25 and 26). Our method significantly enhances CPA attacks on the ASCAD dataset when \(\{std,window\}\) satisfy \(std\in \{2,4,8,16\}\) and \(window=0.01L\). From these three comparative experiments, we conclude that STFT-based CPA attacks tend to be more robust non-profiled attacks when the window length becomes smaller. To enhance the performance of non-profiled attacks, we recommend setting \(window\in \{0.01L,0.02L\}\) when performing STFT-based CPA attacks.
Conclusions
We present a systematic study of the impact of \(\{J,Q\}\) and \(\{std,window\}\) on the performance of WST/STFT-based CPA attacks in the non-profiled attack scenario. Through the practical experiments, we obtain the following important findings:

In WST-based CPA attacks, the parameter J plays the more important role in enhancing CPA. With a smaller parameter \(J(J\in \{1,2\})\), the performance of the original CPA attacks can be significantly enhanced by the proposed method ("A practical framework for frequency-based CPA attack" section) when the target does not use a random delay countermeasure. When analyzing random delay countermeasures, adversaries can adopt larger parameter settings \(\{J,Q\}(J\in \{7,8\},Q\in \{5,6\})\) to efficiently break the random delay countermeasure.

In STFT-based CPA attacks, we find that a smaller window allows the adversary to achieve a successful CPA attack with fewer traces. The proposed attack framework ("A practical framework for frequency-based CPA attack" section) achieves a satisfactory performance improvement when the window size is set to \(\{0.01L,0.02L\}\).
Discussions
Related works
Through former experiment results, it can be inferred that using our proposed attack framework and grid research method, WST/STFTbased CPA attacks can significantly enhance the performance of original CPA attacks with suitable parameters. Currently, there are two categories of related works in sidechannel attacks domain: (1) Applying preprocessing technique to improve the performance of SCA; (2) Applying hyperparameterssearch method for Deep Learning based SideChannel Analysis (DLSCA).
Applying preprocessing techniques to improve the performance of SCA. Preprocessing the physical signals is the first and most important step when improving the quality of the collected data: if that quality is raised significantly, the adversary can extract the secret key from very few traces. In principle, a preprocessing method is not tied to a specific platform or cryptographic implementation and can be applied to any of them. Many researchers have therefore applied preprocessing to improve SCA. Bruneau et al. (2015) applied PCA to the raw traces and showed that it efficiently enhances non-profiled attacks provided the principal components are properly selected. Merino Del Pozo and Standaert (2015) adopted Singular Spectrum Analysis to improve the quality of the collected signals and reported an SNR improvement of 250% when analyzing software-based unprotected and masked implementations of AES. Both methods, however, require a degree of expert knowledge: the adversary must carefully select the components that enhance the traces. Moreover, neither work investigates in depth whether the method still works against random-delay countermeasures. To further optimize CPA, Maghrebi and Prouff (2018) designed a practical Independent Component Analysis (ICA) based framework; compared with Merino Del Pozo and Standaert (2015) it reduces the number of traces needed from 6000 to 2000 on a software-based unprotected AES implementation, and unlike Merino Del Pozo and Standaert (2015) and Bruneau et al. (2015) it requires no dedicated parameter selection. It does, however, require the adversary to collect at least two traces for each hypothetical intermediate value; our method has no such limitation. Besides improving the SNR of the collected data, some researchers apply data-augmentation techniques, e.g. SMOTE (Picek et al. 2019) or additive Gaussian noise (Kim et al. 2019), to further optimize DLSCA, and show that adding synthetic data to the collected data in the profiling stage significantly enhances the attack. These methods (Picek et al. 2019; Kim et al. 2019) are, however, limited to the profiled-attack scenario, whereas our method can in principle also be applied to profiled attacks. There are also works that apply frequency-based CPA to enhance SCA, using the DFT (Zhang et al. 2020; Gebotys et al. 2005), the STFT (Belgarric et al. 2014) and the wavelet transform (Debande et al. 2012; Udvarhelyi et al. 2021; Destouet et al. 2021). Zhang et al. (2020) and Gebotys et al. (2005) reported that the FFT has appealing potential for improving SCA. In this paper, however, we find that FFT-based CPA does not perform as well as those works suggest: it even degrades the original CPA on the DPA Contest V4, AES_HD and ASCAD datasets. In general, FFT-based preprocessing is not yet mature enough to handle different cryptographic implementations. Unlike the previous works (Debande et al. 2012; Udvarhelyi et al. 2021; Destouet et al. 2021; Belgarric et al. 2014), our WST-based CPA requires no expert knowledge: an adversary with no prior knowledge of WST/STFT or of the cryptographic implementation can obtain suitable WST/STFT parameters with the proposed framework. Compared with the original CPA, our method reduces the number of traces by 50 to 95% when attacking different kinds of cryptographic implementations ("Experiment results" section). It thus provides a convenient and effective way to enhance non-profiled CPA when the collected data is insufficient, and merits further in-depth research.
Applying hyperparameter-search methods to DLSCA. In DLSCA, selecting suitable hyperparameters, such as the loss function, the neural parameters and the network architecture, is vital for building a robust profiled model. With suitable hyperparameters and sufficient training data, the adversary can extract the secret key from very few attack traces. In recent years, hyperparameter-search methods have been introduced to the SCA domain to enhance DLSCA. Perin and Picek (2021) used grid search to select optimizers for DLSCA. Wu et al. (2020) applied random search with Bayesian optimization to design neural network architectures for DLSCA, and building on that work, Rijsdijk et al. (2021) adopted reinforcement learning for hyperparameter tuning. These works use success rate, guessing entropy, loss value and the size of the network model as the main evaluation metrics to select suitable parameters iteratively. Unlike them, we adopt grid search as the main method and apply it to the non-profiled attack scenario, using PCC, SNR and DOP as the main evaluation metrics to select the hyperparameters of WST/STFT-CPA attacks.
Discussions and future directions
Advantages of the presented attack method. With our attack framework, WST/STFT-based CPA achieves significant performance improvements when the attack data is insufficient. The practical attack results ("Experiment results" section) show that our work provides a convenient and effective approach to enhancing non-profiled attacks under that constraint. The presented method is applicable to other symmetric ciphers such as Midori (Banik et al. 2015), GIFT (Banik et al. 2017) and Pyjamask (Goudarzi et al. 2020). In practice, the adversary can first apply our method to select suitable WST/STFT-CPA parameters while analyzing the first key byte, and then apply STFT/WST-based CPA with those parameters directly to the remaining key bytes to accelerate the non-profiled attack. Alternatively, when the cryptographic implementation or platform is similar to an analyzed dataset ("Public datasets" section), the adversary can directly use our recommended parameter settings ("A fine-grain analysis on parameter settings for frequency-based CPA attacks" section) to enhance WST/STFT-CPA.
Future prospects. We plan to investigate the performance of the proposed method against protected implementations of lightweight block ciphers and to explore whether it works efficiently against other important block ciphers. It would also be valuable to design new random-delay countermeasures that resist WST/STFT-based CPA. The experimental results ("Experiment results" section) show that our method breaks random-delay countermeasures efficiently without any alignment step, because a delay that only shifts the leakage within a time window leaves the magnitude of its frequency-domain representation essentially unchanged. Designers therefore need to ensure that the sampling points are also misaligned in the frequency domain when implementing random-delay countermeasures. Designing a reliable random-delay countermeasure that resists both time-domain SCA and our method is an interesting and meaningful task for future work.
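As an added illustration of two points made above (the grid search scored by a PCC-derived metric in the related-work paragraph on hyperparameter search, and why a random delay alone does not stop a time-frequency attack), the following Python example is mine and not the paper's code. It builds constructed traces in which a Hamming-weight leakage of the first-round AES S-box output sits at a sample position that jitters by a uniform random delay, runs a plain time-domain CPA and a rectangular-window STFT-magnitude CPA on the same traces, and picks the STFT window length by a small grid search scored with DOP. Everything in it is an assumption of the example rather than something the paper specifies: the leakage model, the constant power baseline and Gaussian noise, the window grid, the direct-DFT STFT, and DOP read as the correct key's PCC minus the highest wrong-key PCC, which needs the correct key byte and is therefore a known-key (evaluator's) metric. The AES S-box is computed from its GF(2^8) definition rather than hard-coded; `make_traces`, `stft_features`, `cpa`, `dop`, `grid_search_stft` and `run_demo` are hypothetical names of this example.

```python
# Added example, not the paper's code: time-domain CPA vs. STFT-magnitude CPA on
# constructed random-delay traces, plus a DOP-scored grid search over the STFT window.
# The leakage model, baseline, noise, window grid and reading of DOP are assumptions.
import cmath, math, random
from operator import mul

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(x):
    """x^254 == x^-1 in GF(2^8); 0 maps to 0 as in the AES S-box."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base, e = gf_mul(base, base), e >> 1
    return r if x else 0

def _affine(v):
    """AES S-box affine map: v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4) ^ 0x63."""
    s = v
    for i in range(1, 5):
        s ^= ((v << i) | (v >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [_affine(gf_inv(x)) for x in range(256)]  # real AES S-box, computed not hard-coded
HW = [bin(v).count("1") for v in range(256)]

def make_traces(n, key, length=48, base=17, max_delay=7, sigma=0.3, seed=1):
    """Constructed traces: Gaussian noise plus a baseline (4.0) + HW(Sbox[p ^ key])
    at sample base + delay, with the delay uniform in [0, max_delay] per trace."""
    rng = random.Random(seed)
    pts, traces = [], []
    for _ in range(n):
        p = rng.randrange(256)
        t = [rng.gauss(0.0, sigma) for _ in range(length)]
        t[base + rng.randint(0, max_delay)] += 4.0 + HW[SBOX[p ^ key]]
        pts.append(p)
        traces.append(t)
    return pts, traces

def stft_features(trace, win, hop):
    """Rectangular-window STFT magnitudes (bins 0..win/2 of each frame), concatenated.
    A delay that keeps the leak inside a frame only rotates phase, so |X[m]| is unchanged."""
    feats = []
    for start in range(0, len(trace) - win + 1, hop):
        frame = trace[start:start + win]
        for m in range(win // 2 + 1):
            feats.append(abs(sum(frame[k] * cmath.exp(-2j * math.pi * m * k / win)
                                 for k in range(win))))
    return feats

def _zscore(col):
    mean = sum(col) / len(col)
    sd = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
    return [(v - mean) / sd for v in col]

def cpa(pts, features):
    """Non-profiled CPA, HW(Sbox[p ^ k]) model: per key guess, the largest |PCC|
    over all feature columns (time samples or STFT magnitudes)."""
    n = len(pts)
    cols = [_zscore(c) for c in zip(*features)]
    scores = []
    for k in range(256):
        h = _zscore([HW[SBOX[p ^ k]] for p in pts])
        scores.append(max(abs(sum(map(mul, h, c))) / n for c in cols))
    return scores

def dop(scores, key):
    """DOP as read here: PCC of the correct key minus the highest wrong-key PCC."""
    return scores[key] - max(s for k, s in enumerate(scores) if k != key)

def grid_search_stft(pts, traces, key, windows=(4, 8, 16, 32)):
    """Known-key grid search over the STFT window (hop = win / 2) maximising DOP.
    Returns (best window, {window: DOP}, per-key scores of the best window)."""
    results = {}
    for win in windows:
        scores = cpa(pts, [stft_features(t, win, win // 2) for t in traces])
        results[win] = (dop(scores, key), scores)
    best = max(results, key=lambda w: results[w][0])
    return best, {w: r[0] for w, r in results.items()}, results[best][1]

def run_demo(n=200, key=0x2B):
    """Attack the same constructed traces in the time domain and with the tuned STFT."""
    pts, traces = make_traces(n, key)
    time_scores = cpa(pts, traces)
    win, grid, stft_scores = grid_search_stft(pts, traces, key)
    return {"time_key": max(range(256), key=time_scores.__getitem__),
            "time_dop": dop(time_scores, key),
            "stft_key": max(range(256), key=stft_scores.__getitem__),
            "stft_dop": grid[win], "window": win, "grid_dop": grid}

if __name__ == "__main__":
    print(run_demo())
```

Running it prints one dictionary: on the constructed traces the STFT attack recovers the key byte with a clearly larger DOP than the time-domain attack, and the grid search settles on a window (16 or 32 samples) long enough to contain every delayed position of the leak, whereas the 4-sample window, which cannot, scores far lower because the leak wanders across frames and the frequency-domain features are misaligned too. That is the design lesson of the paragraph above: a random-delay countermeasure has to spread the leakage beyond the analysis window, not merely across neighbouring samples. With 200 traces of 48 samples the pure-Python DFT and 256-key correlation take a few seconds.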
Limitations of the attack method. Although the practical results show that our approach has great potential for enhancing non-profiled CPA, it has several limitations that should be addressed in future work:

Extra time overhead. The attack framework requires additional preprocessing: the adversary must search for suitable parameters iteratively, which brings extra time overhead. The original CPA requires no hyperparameter selection and extracts the key directly. Hence, our method is currently not practical when the collected traces are sufficient; optimizing the parameter-search process will be the focus of future work.

Parameters must be searched manually. In this work we adopt grid search as the main method to search the parameters of WST/STFT-based CPA, and we need to manually define the finite candidate ranges, such as J and Q for WST-based CPA, before the attack. In DLSCA, reinforcement learning has already been applied to achieve intelligent parameter tuning (Rijsdijk et al. 2021), which provides a precedent for our research; in this paper, however, we do not consider intelligent parameter tuning for WST/STFT-based CPA.

The theoretical interpretability of the frequency-domain method itself is not resolved. The practical results ("Experiment results" and "A fine-grain analysis on parameter settings for frequency-based CPA attacks" sections) show that WST/STFT-CPA achieves different levels of improvement on different cryptographic implementations. In theory, the occurrence of a significant improvement correlates with some physical characteristics of the analyzed leakage. However, we do not study the mechanism behind the attack or demonstrate its principle at a theoretical level. We leave those challenging tasks for future work.
Future improvements. To achieve intelligent parameter tuning for WST/STFT-based CPA, evaluators can apply more advanced parameter-search methods (e.g. reinforcement learning), or combine random search with Bayesian optimization (He et al. 2021) to further optimize the search process. It would also be valuable to provide convincing explanations from the perspective of signal characteristics, and designing more reliable evaluation metrics would enhance the practicality of our method.
Future directions. In addition to the above limitations, several challenging and interesting tasks remain open in our research:

Applying the attack framework to machine-learning algorithms. This paper focuses on the AES block cipher; the physical security of other important algorithms, such as machine-learning (ML) algorithms, is not investigated in depth. Physical evaluation of ML algorithms has recently become a hot topic in the SCA community, with many studies on the physical security of ML models, such as extracting the IEEE 754 floating-point parameters of CNN/MLP models (Batina et al. 2019) and extracting the integer weights of Binarized Neural Networks (BNN) (Yli-Mäyry et al. 2021) and Bonsai (Jap et al. 2020). It would be interesting to study whether the proposed method can further enhance CPA when analyzing IEEE 754 floating-point or quantized ML models.

Extending the proposed method to commercial crypto products with a high security level. In this work we conduct practical attacks on four datasets to assess the effectiveness of our approach; we do not consider whether it applies to commercial crypto products with a high security level. In recent years some hardware vendors have designed countermeasures for such products to resist various physical attacks: for instance, the Xilinx Zynq UltraScale+ (ZU+) encryption engine adopts proprietary countermeasures against SCA (Hettwer et al. 2021), so an adversary has to extract the key within a limited amount of data. Hettwer et al. (2021) show that the ZU+ platform successfully resists the original non-profiled attacks. However, if the adversary adopts our attack framework or a more advanced parameter-tuning method (Rijsdijk et al. 2021), the secret key might be recovered with limited traces. It would therefore be meaningful to investigate whether our method applies to this kind of product.

Building a generic framework to compare preprocessing methods scientifically. This paper mainly compares our method with some popular preprocessing methods, such as PCA (Bruneau et al. 2015), NMF (Yang et al. 2017), the ensemble method with WST (Destouet et al. 2021), and the low-pass filter and moving average provided by Riscure (2021). Other, more complex preprocessing methods, such as the wavelet transform (WT), the Kalman filter (KF) and Singular Spectrum Analysis (SSA), are not considered, as they are mainly heuristic and usually require dedicated parameter selection. Empirically selected parameters can make the performance of these methods (WT, KF and SSA) unstable, and sometimes even worse than the original attack. Hence, a generic framework is needed to compare the performance of various preprocessing methods comprehensively and scientifically. The practical attack results show that our framework can provide suitable parameters for WST/STFT-CPA; it would be interesting to investigate whether the framework ("A practical framework for frequency-based CPA attack" section) can also enhance other complex preprocessing methods.
These interesting tasks and unexplored areas are left for future work.
Conclusions
We propose a practical framework that provides suitable parameters for WST-based and STFT-based SCA. With suitable parameters, the performance of WST/STFT-based CPA improves significantly. The framework is assessed by practical experiments on four public datasets: DPA Contest V4, AES_HD, AES_RD and ASCAD. Compared with the original non-profiled attacks, the proposed method reduces the number of traces by 50 to 95%. Overall, the attack framework provides a straightforward and effective solution for enhancing CPA when data is insufficient, and merits further in-depth research.
Availability of data and materials
Not applicable.
Abbreviations
AES: Advanced Encryption Standard
AES-CTR: Advanced Encryption Standard in counter mode
BNN: Binarized neural network
CNN: Convolutional neural network
CPA: Correlation power analysis
CTR_DRBG: Counter-mode deterministic random bit generator
DAC: Design Automation Conference
DFT: Discrete Fourier transform
DL: Deep learning
DLSCA: Deep-learning-based side-channel analysis
DOP: Absolute difference of Pearson correlation coefficients
DPA: Differential power analysis
EM: Electromagnetic radiation
FFT: Fast Fourier transform
FIPS: Federal Information Processing Standards
GE: Guessing entropy
HD: Hamming distance
HW: Hamming weight
ICA: Independent component analysis
IEC: International Electrotechnical Commission
ISO: International Organization for Standardization
KF: Kalman filter
MIA: Mutual information analysis
ML: Machine learning
MLP: Multilayer perceptron
NIST: National Institute of Standards and Technology
NMF: Non-negative matrix factorization
PCA: Principal component analysis
PCC: Pearson correlation coefficient
RSA: Rivest-Shamir-Adleman
SA: Stochastic attack
SCA: Side-channel analysis
SMOTE: Synthetic minority oversampling technique
SNR: Signal-to-noise ratio
SR: Success rate
SSA: Singular spectrum analysis
STFT: Short-time Fourier transform
TA: Template attack
USIM: Universal subscriber identity module
WST: Wavelet scatter transform
WT: Wavelet transform
ZU+: Zynq UltraScale+
References
AES_HD (2018) The AES_HD database: unprotected hardware-based implementation of AES. https://github.com/AESHD/AES_HD_Dataset
AES_RD (2017) The AES_RD database: trace sets with random delays. https://github.com/ikizhvatov/randomdelays-traces
Akkar ML, Giraud C (2001) An implementation of DES and AES, secure against some attacks. In: Koç ÇK, Naccache D, Paar C (eds) Cryptographic hardware and embedded systems - CHES 2001. Springer, Berlin, Heidelberg, pp 309-318
Allen J (1977) Short term spectral analysis, synthesis, and modification by discrete Fourier transform. IEEE Trans Acoust Speech Signal Process 25(3):235-238. https://doi.org/10.1109/TASSP.1977.1162950
Andén J, Mallat S (2013) Deep scattering spectrum. IEEE Trans Signal Process. https://doi.org/10.1109/TSP.2014.2326991
Andreux M, Angles T, Exarchakis G, Leonarduzzi R, Rochette G, Thiry L, Zarka J, Mallat S, Andén J, Belilovsky E, Bruna J, Lostanlen V, Chaudhary M, Hirn MJ, Oyallon E, Zhang S, Cella C, Eickenberg M (2020) Kymatio: scattering transforms in Python. J Mach Learn Res 21(60):1-6
ASCAD (2018) The ASCAD database: first-order Boolean masked AES implementation on an ATmega8515. https://github.com/ANSSI-FR/ASCAD
Banik S, Bogdanov A, Isobe T, Shibutani K, Hiwatari H, Akishita T, Regazzoni F (2015) Midori: a block cipher for low energy. In: Iwata T, Cheon JH (eds) Advances in cryptology - ASIACRYPT 2015. Springer, Berlin, Heidelberg, pp 411-436
Banik S, Pandey SK, Peyrin T, Sasaki Y, Sim SM, Todo Y (2017) GIFT: a small PRESENT. In: Fischer W, Homma N (eds) Cryptographic hardware and embedded systems - CHES 2017. Springer, Cham, pp 321-345
Barker E, Kelsey J (2015) Recommendation for random number generation using deterministic random bit generators. NIST SP 800-90A Rev. 1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
Batina L, Bhasin S, Jap D, Picek S (2019) CSI NN: reverse engineering of neural network architectures through electromagnetic side channel. In: 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, pp 515-532
Belgarric P, Bhasin S, Bruneau N, Danger JL, Debande N, Guilley S, Heuser A, Najm Z, Rioul O (2014) Time-frequency analysis for second-order attacks. In: Francillon A, Rohatgi P (eds) Smart card research and advanced applications. Springer, Cham, pp 108-122
Benadjila R, Prouff E, Strullu R, Cagli E, Dumas C (2020) Deep learning for side-channel analysis and introduction to ASCAD database. J Cryptogr Eng 10(2):163-188. https://doi.org/10.1007/s13389-019-00220-8
Brier E, Clavier C, Olivier F (2004) Correlation power analysis with a leakage model. In: Joye M, Quisquater JJ (eds) Cryptographic hardware and embedded systems - CHES 2004. Springer, Berlin, Heidelberg, pp 16-29
Bruneau N, Guilley S, Heuser A, Marion D, Rioul O (2015) Less is more. In: Güneysu T, Handschuh H (eds) Cryptographic hardware and embedded systems - CHES 2015. Springer, Berlin, Heidelberg, pp 22-41
Bubberman W, Karayalcin S, Meester M, Braakman O, Picek S (2020) Side-channel analysis toolbox. https://github.com/AISyLab/side-channel-analysis-toolbox/blob/master/sca/analysis/snr.py
Cagli E, Dumas C, Prouff E (2017) Convolutional neural networks with data augmentation against jitter-based countermeasures. In: Fischer W, Homma N (eds) Cryptographic hardware and embedded systems - CHES 2017. Springer, Cham, pp 45-68
Chari S, Rao JR, Rohatgi P (2003) Template attacks. In: Kaliski BS, Koç ÇK, Paar C (eds) Cryptographic hardware and embedded systems - CHES 2002. Springer, Berlin, pp 13-28
Coron JS, Kizhvatov I (2010) Analysis and improvement of the random delay countermeasure of CHES 2009. In: Mangard S, Standaert FX (eds) Cryptographic hardware and embedded systems - CHES 2010. Springer, Berlin, Heidelberg, pp 95-109
Debande N, Souissi Y, Aabid M, Guilley S, Danger JL (2012) Wavelet transform based pre-processing for side channel analysis, pp 32-38. https://doi.org/10.1109/MICROW.2012.15
Destouet G, Dumas C, Frassati A, Perrier V (2021) Wavelet scattering transform and ensemble methods for side-channel analysis. In: Bertoni GM, Regazzoni F (eds) Constructive side-channel analysis and secure design. Springer, Cham, pp 71-89
DPA_Contest_v4 (2014) TELECOM ParisTech SEN research group. DPA Contest (4th edition). http://www.dpacontest.org/v4/
Pedregosa F, Varoquaux G, Michel V (2020) HalvingGridSearchCV. https://scikit-learn.org/stable/modules/generated/sklearn.model_selection.HalvingGridSearchCV.html
FIPS 140-3 (2020) FIPS Publication 140-3. National Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/fips/140/3/final
Gandolfi K, Mourtel C, Olivier F (2001) Electromagnetic analysis: concrete results. In: Koç ÇK, Naccache D, Paar C (eds) Cryptographic hardware and embedded systems - CHES 2001. Springer, Berlin, Heidelberg, pp 251-261
Gebotys CH, Ho S, Tiu CC (2005) EM analysis of Rijndael and ECC on a wireless Java-based PDA. In: Rao JR, Sunar B (eds) Cryptographic hardware and embedded systems - CHES 2005. Springer, Berlin, Heidelberg, pp 250-264
Gierlichs B, Batina L, Tuyls P, Preneel B (2008) Mutual information analysis. In: Oswald E, Rohatgi P (eds) Cryptographic hardware and embedded systems - CHES 2008. Springer, Berlin, Heidelberg, pp 426-442
Goubin L, Patarin J (1999) DES and differential power analysis: the duplication method. In: Koç ÇK, Paar C (eds) Cryptographic hardware and embedded systems. Springer, Berlin, pp 158-172
Goudarzi D, Jean J, Kölbl S, Peyrin T, Rivain M, Sasaki Y, Sim SM (2020) Pyjamask: block cipher and authenticated encryption with highly efficient masked implementation. IACR Trans Symmetric Cryptol 2020(S1):31-59. https://doi.org/10.13154/tosc.v2020.iS1.31-59
He X, Zhao K, Chu X (2021) AutoML: a survey of the state-of-the-art. Knowl Based Syst 212:106622. https://doi.org/10.1016/j.knosys.2020.106622
Hettwer B, Leger S, Fennes D, Gehrer S, Güneysu T (2021) Side-channel analysis of the Xilinx Zynq UltraScale+ encryption engine. IACR Trans Cryptogr Hardw Embed Syst 2021(1):279-304. https://doi.org/10.46586/tches.v2021.i1.279-304
ISO/IEC 17825 (2016) Testing methods for the mitigation of non-invasive attack classes against cryptographic modules. ISO/IEC 17825:2016. International Organization for Standardization. https://www.iso.org/standard/60612.html
Jap D, Yli-Mäyry V, Ito A, Ueno R, Bhasin S, Homma N (2020) Practical side-channel based model extraction attack on tree-based machine learning algorithm. In: Zhou J, Conti M, Ahmed CM, Au MH, Batina L, Li Z, Lin J, Losiouk E, Luo B, Majumdar S, Meng W, Ochoa M, Picek S, Portokalidis G, Wang C, Zhang K (eds) Applied cryptography and network security workshops. Springer, Cham, pp 93-105
Jin C, Zhou Y, Qiu X, Feng Q, Zhang Q (2022) Breaking real-world COTS USIM cards with unknown side-channel countermeasures. Comput Secur 113:102531. https://doi.org/10.1016/j.cose.2021.102531
Kim TH, Kim C, Park I (2012) Side channel analysis attacks using AM demodulation on commercial smart cards with SEED. J Syst Softw 85(12):2899-2908. https://doi.org/10.1016/j.jss.2012.06.063
Kim J, Picek S, Heuser A, Bhasin S, Hanjalic A (2019) Make some noise: unleashing the power of convolutional neural networks for profiled side-channel analysis. IACR Trans Cryptogr Hardw Embed Syst 2019(3):148-179. https://doi.org/10.13154/tches.v2019.i3.148-179
Kocher PC (1996) Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz N (ed) Advances in cryptology - CRYPTO '96. Springer, Berlin, Heidelberg, pp 104-113
Lerman L, Poussier R, Bontempi G, Markowitch O, Standaert FX (2015) Template attacks vs. machine learning revisited and the curse of dimensionality in side-channel analysis. In: Mangard S, Poschmann AY (eds) Constructive side-channel analysis and secure design. Springer, Cham, pp 20-33
Liu J, Yu Y, Standaert FX, Guo Z, Gu D, Sun W, Ge Y, Xie X (2015) Small tweaks do not help: differential power analysis of MILENAGE implementations in 3G/4G USIM cards. In: Pernul G, Ryan P, Weippl E (eds) Computer security - ESORICS 2015. Springer, Cham, pp 468-480
Maghrebi H, Prouff E (2018) On the use of independent component analysis to denoise side-channel measurements. In: Fan J, Gierlichs B (eds) Constructive side-channel analysis and secure design. Springer, Cham, pp 61-81
Maghrebi H, Portigliatti T, Prouff E (2016) Breaking cryptographic implementations using deep learning techniques. In: Carlet C, Hasan MA, Saraswat V (eds) Security, privacy, and applied cryptography engineering. Springer, Cham, pp 3-26
Mangard S, Oswald E, Popp T (2007) Power analysis attacks: revealing the secrets of smart cards. Springer. https://doi.org/10.1007/978-0-387-38162-6
Merino Del Pozo S, Standaert FX (2015) Blind source separation from single measurements using singular spectrum analysis. In: Güneysu T, Handschuh H (eds) Cryptographic hardware and embedded systems - CHES 2015. Springer, Berlin, Heidelberg, pp 42-59
Nassar M, Souissi Y, Guilley S, Danger JL (2012) RSM: a small and fast countermeasure for AES, secure against 1st and 2nd-order zero-offset SCAs. https://doi.org/10.1109/DATE.2012.6176671
NumPy (2022) numpy 1.22.4: the fundamental package for array computing with Python. https://pypi.org/project/numpy/
Perin G, Picek S (2021) On the influence of optimizers in deep learning-based side-channel analysis. In: Dunkelman O, Jacobson MJ Jr, O'Flynn C (eds) Selected areas in cryptography. Springer, Cham, pp 615-636
Picek S, Heuser A, Jovic A, Bhasin S, Regazzoni F (2019) The curse of class imbalance and conflicting metrics with machine learning for side-channel evaluations. IACR Trans Cryptogr Hardw Embed Syst 2019(1):209-237. https://doi.org/10.13154/tches.v2019.i1.209-237
Pontes FJ, Amorim GF, Balestrassi PP, Paiva AP, Ferreira JR (2016) Design of experiments and focused grid search for neural network parameter optimization. Neurocomputing 186:22-34. https://doi.org/10.1016/j.neucom.2015.12.061
Rijsdijk J, Wu L, Perin G, Picek S (2021) Reinforcement learning for hyperparameter tuning in deep learning-based side-channel analysis. IACR Trans Cryptogr Hardw Embed Syst 2021(3):677-707. https://doi.org/10.46586/tches.v2021.i3.677-707
Riscure (2021) Inspector side channel analysis. https://getquote.riscure.com/en/inspectorsidechannelanalysis.html
Rivain M, Prouff E, Doget J (2009) Higher-order masking and shuffling for software implementations of block ciphers. In: Clavier C, Gaj K (eds) Cryptographic hardware and embedded systems - CHES 2009. Springer, Berlin, Heidelberg, pp 171-188
Schindler W, Lemke K, Paar C (2005) A stochastic model for differential side channel cryptanalysis. In: Rao JR, Sunar B (eds) Cryptographic hardware and embedded systems - CHES 2005. Springer, Berlin, pp 30-46
SciPy (2022) scipy 1.8.1: SciPy, scientific library for Python. https://pypi.org/project/scipy/
Standaert FX, Malkin TG, Yung M (2009) A unified framework for the analysis of side-channel key recovery attacks. In: Joux A (ed) Advances in cryptology - EUROCRYPT 2009. Springer, Berlin, Heidelberg, pp 443-461
Timon B (2019) Non-profiled deep learning-based side-channel attacks with sensitivity analysis. IACR Trans Cryptogr Hardw Embed Syst 2019(2):107-131. https://doi.org/10.13154/tches.v2019.i2.107-131
Udvarhelyi B, van Wassenhove A, Bronchain O, Standaert FX (2021) On the security of off-the-shelf microcontrollers: hardware is not enough. In: Liardet PY, Mentens N (eds) Smart card research and advanced applications. Springer, Cham, pp 103-118
Veyrat-Charvillon N, Medwed M, Kerckhof S, Standaert FX (2012) Shuffling against side-channel attacks: a comprehensive study with cautionary note. In: Wang X, Sako K (eds) Advances in cryptology - ASIACRYPT 2012. Springer, Berlin, Heidelberg, pp 740-757
Wu L, Picek S (2020) Remove some noise: on pre-processing of side-channel measurements with autoencoders. IACR Trans Cryptogr Hardw Embed Syst 2020(4):389-415. https://doi.org/10.13154/tches.v2020.i4.389-415
Wu L, Perin G, Picek S (2020) I choose you: automated hyperparameter tuning for deep learning-based side-channel analysis. IACR Cryptol ePrint Arch
Yang W, Zhou Y, Cao Y, Zhang H, Zhang Q, Wang H (2017) Multi-channel fusion attacks. IEEE Trans Inf Forensics Secur 12(8):1757-1771. https://doi.org/10.1109/TIFS.2017.2672521
Yang G, Li H, Ming J, Zhou Y (2020) CDAE: towards empowering denoising in side-channel analysis. In: Zhou J, Luo X, Shen Q, Xu Z (eds) Information and communications security. Springer, Cham, pp 269-286
Yli-Mäyry V, Ito A, Homma N, Bhasin S, Jap D (2021) Extraction of binarized neural network architecture and secret parameters using side-channel information, pp 1-5. https://doi.org/10.1109/ISCAS51556.2021.9401626
Zhang F, Shao B, Xu G, Yang B, Yang Z, Qin Z, Ren K (2020) From homogeneous to heterogeneous: leveraging deep learning based power analysis across devices, pp 1-6. https://doi.org/10.1109/DAC18072.2020.9218693
Acknowledgements
Not applicable.
Funding
This work is supported in part by National Key R&D Program of China (No. 2022YFB3103800), National Natural Science Foundation of China (No.U1936209, No.62002353, No.62202231 and No.62202230), China Postdoctoral Science Foundation (No.2021M701726), Jiangsu Funding Program for Excellent Postdoctoral Talent (No.2022ZB270) and Yunnan Provincial Major Science and Technology Special Plan Projects (No.202103AA080015).
Author information
Contributions
CJ completed the main work of the paper and drafted the manuscript. YZ participated in problem discussions and improvements of the manuscript. All authors read and approved the final manuscript.
Authors' information
Chengbin Jin (Email: jinchengbin@iie.ac.cn) is with the Institute of Information Engineering, Chinese Academy of Sciences, and the School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China.
Yongbin Zhou (Email: zhouyongbin@njust.edu.cn) is the corresponding author of this paper. He is currently a full-time Professor with the School of Cyber Science and Engineering, Nanjing University of Science and Technology, and an Adjunct Professor with the Institute of Information Engineering, Chinese Academy of Sciences. His main research interests include theories and technologies of network and information security.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Jin, C., Zhou, Y. Enhancing non-profiled side-channel attacks by time-frequency analysis. Cybersecurity 6, 15 (2023). https://doi.org/10.1186/s42400-023-00149-w
DOI: https://doi.org/10.1186/s42400-023-00149-w