Download Hidden Markov Model Cryptanalysis

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
Document related concepts

Lateral computing wikipedia , lookup

Computer simulation wikipedia , lookup

Cryptography wikipedia , lookup

General circulation model wikipedia , lookup

Generalized linear model wikipedia , lookup

Quantum key distribution wikipedia , lookup

Computational phylogenetics wikipedia , lookup

Computational complexity theory wikipedia , lookup

Randomness wikipedia , lookup

Operational transformation wikipedia , lookup

Simulated annealing wikipedia , lookup

Types of artificial neural networks wikipedia , lookup

Algorithm wikipedia , lookup

History of cryptography wikipedia , lookup

Hardware random number generator wikipedia , lookup

Cryptanalysis wikipedia , lookup

Algorithm characterizations wikipedia , lookup

Factorization of polynomials over finite fields wikipedia , lookup

Probabilistic context-free grammar wikipedia , lookup

Simplex algorithm wikipedia , lookup

Diffie–Hellman key exchange wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Time complexity wikipedia , lookup

Transcript 
Hidden Markov Model Cryptanalysis
Chris Karlof and David Wagner
The Context: Side Channels and
Countermeasures




The “Side Channel”: data gathered from the
operation of a crypto scheme’s
implementation
Example: measuring power fluctuations of
Pentium III processor when performing RSA
decryption (SPA, DPA)
Many processors draw different power for
adds and multiplies or other operations
Countermeasures: obscure the signature of
key-related operations
Randomized Countermeasures




Introduce random computations
Example: randomized projective coordinates
in Elliptic Curve computations
Projective coordinates (X,Y,Z) of P = (x,y) are
given by:
Before each execution of the scalar mult to
compute Q = dP, (X,Y,Z) are randomized with
a random 
for every ≠ 0 in the finite field
Coron, J.S.. “Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems”, 1999.
Attacks on Randomized Countermeasures


Existing attacks are specific to each
countermeasure
No general framework or model exists for all
randomized side channel countermeasures
Modeling Side-Channel Countermeasures


To attack a randomized countermeasure, it
would be great to model it first
One model for simple countermeasures:
Probabilistic Finite State Machine (PFSM)
Red lines
indicate
optional
state
transitions
From Oswald, E. and Aigner, M. “Randomized Addition-Subtraction Chains as a Countermeasure against Power
Attacks.” (2001)
Key Recovery/Inference Problem for PFSM
Need to assume PFSM is “faithful”
i.e. no ambiguity in state transitions
 For all si and sj  S, set of states in
PFSM, and  = S x S x I (input bit):
If  (si, sj, 0) > 0 then  (si, sj, 1) = 0

Key Recovery/Inference Problem for
PFSM

We want to infer the sequence of states
traversed in a given execution of state
machine M given


M and
Traces of the side channel, y = {y1, y2,…,
yN} (N = number of key bits i.e. number of
state transitions)
Solution to PFSM Inference Problem

Maximum Likelihood Decoding:
Input: trace y, PFSM M, state transition s, set of states S, Q =
random variable of execution of M
1. Calc Pr [Q = s|y] for each s  SN+1
2. Output q = argmax Pr[Q = s|y]


Running Time: Exponential
This paper presents how to transform
PFSM into HMM, which has poly-time
solution to its inference problem (using
Viterbi Algorithm)
Hidden Markov Models (HMMs)



Sequence of hidden, probabilistic states
(S)
Corresponding observable outputs (O)
Each state is independent of every
other (memoryless)
P (S1 = x1)
P (S2 = x2)
P (S3 = x3)
O1
O2
O3
HMMs: The Inference Problem



Definition: infer the values of the hidden
states given only the observable outputs
Viterbi algorithm solves the Inference
Problem efficiently: O(|S|2 * N)
Are we done, then?
Input-Driven Hidden Markov Models




HMMs do not model inputs
Inputs are present in crypto systems i.e.
secret keys
The Viterbi algorithm on HMMs does not
benefit from analysis of multiple traces of the
side channel
The paper presents IDHMMs and an
algorithm on IDHMMs that benefits from
multiple traces (useful in a noisy
environment)
Input-Driven Hidden Markov Models

IDHMMs extend HMMs by


Treating inputs as random variable Kn at
each step n
Add other random variables to capture
multiple execution/trace pairs



Ynr (list of R trace outputs) and
Qnr (R sequences of state transitions)
The solution to IDHMMs is a sequence
of random variables, not quantities {0,1}
Solution to I-D Hidden Markov Models


Can’t use Maximum Likelihood
Decoding: exponential
Can’t use Viterbi Alglorithm: (1) inputs
are present and (2) can’t leverage
multiple trace data
Solution to IDHMMs (cont.)


Tried variation on Viterbi -> also
exponential with R, number of traces
Belief Propagation: new technique:



Compute a separate inference of the key K
for each trace, Kr, for trace r
For the r +1 trace, use Pr [Kr | yr] posterior
distribution of keys as inputs
We “propagate” biases derived in prior
trace analyses to the following trace
analyses
Solution to IDHMMs (cont.)

Algorithm Progression:


Compute each r single-trace inference
using the r-1 key probability distribution as
input (r0 = Uniform distribution)
Best estimate of the key: for probability
distribution of keys KR ->

INFER(K11)
K11
If Pr [KiR = 1 | Y=y] > 0.5 then k = 1, else k = 0
INFER(K1
2)
K1
2
INFER(K1
r)
K1
r
k1 =1
k1 = 0
An Attack Experiment




The authors use two randomized
countermeasures as targets.
The countermeasures must be modeled in a
specific way to be attacked using the authors’
method
The authors transform the countermeasures’
models into compatible models (PFSMs)
They run their attack with errors introduced
into the traces. Pr [error] is assumed to be
known to attacker.
Attack Experiment


A PFSM for
randomized
exponentiation e.g.
15P = 16P - P =
2(2(2(2P))) - P
The transformation is
applied at any step of
the algorithm with
Pr[0.5]
Attacking Randomized Countermeasures


182 key bits must be minimally recovered to
be “successful.” Meet-in-the-middle search
for last 10 bits takes 238 work.
Error-less observations lead to key recovery
with less than 10 traces
Conclusion



Authors introduced HMM attacks for
randomized side channel
countermeasures modeled by PFSMs
Presented IDHMMs and efficient
approximate inference algorithm for
inputs (keys)
Demonstrated input inference algorithm
on two randomize countermeasures in
which keys could be recovered with less
than 10 traces
Related documents
Fitmaster HEKA FITMASTER features analysis and fitting routines for
Fitmaster HEKA FITMASTER features analysis and fitting routines for
jones, c - Computer Science
jones, c - Computer Science
TPS4e_Ch1_Intro
TPS4e_Ch1_Intro
Avian Influenza
Avian Influenza
chap16
chap16
Observation & Inference
Observation & Inference
Document
Document
Expert Systems - Watford Grammar School for Boys Intranet
Expert Systems - Watford Grammar School for Boys Intranet
General Concepts
General Concepts
Ex St 801 Statistical Methods
Ex St 801 Statistical Methods