Hidden Markov Model Cryptanalysis Chris Karlof and David Wagner.

The Context: Side Channels and Countermeasures
- The "side channel": data gathered from the operation of a crypto scheme's implementation.
- Example: measuring the power fluctuations of a Pentium III processor while it performs an RSA decryption (SPA, DPA).
- Many processors draw different amounts of power for adds, multiplies and other operations.
- Countermeasures: obscure the signature of key-related operations.

Randomized Countermeasures
- Introduce random computations.
- Example: randomized projective coordinates in elliptic curve computations.
- Projective coordinates (X, Y, Z) of P = (x, y) are given by:
- Before each execution of the scalar multiplication that computes Q = dP, (X, Y, Z) are randomized with a random nonzero element of the finite field.
- Coron, J.S. "Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems", 1999.

Attacks on Randomized Countermeasures
- Existing attacks are specific to each countermeasure.
- No general framework or model exists that covers all randomized side-channel countermeasures.

Modeling Side-Channel Countermeasures
- To attack a randomized countermeasure, we first need a model of it.
- One model for simple countermeasures: the Probabilistic Finite State Machine (PFSM).
- From Oswald, E. and Aigner, M. "Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks" (2001).
- Red lines in the slide's diagram indicate optional state transitions.

Key Recovery/Inference Problem for PFSM
- We need to assume the PFSM is "faithful", i.e. there is no ambiguity in its state transitions.
- For all states s_i and s_j in S (the set of PFSM states), with the transition function defined on S x S x I (I = the input bit): if the transition from s_i to s_j on input bit 0 has positive probability, then the transition from s_i to s_j on input bit 1 has probability 0.
- So once a state transition is known, the key bit that drove it is determined.

Key Recovery/Inference Problem for PFSM
- We want to infer the sequence of states traversed in a given execution of the state machine M, given M and traces of the side channel, y = {y_1, y_2, ..., y_N} (N = number of key bits, i.e. number of state transitions).

Solution to the PFSM Inference Problem
- Maximum Likelihood Decoding. Input: trace y, PFSM M, set of states S; Q = random variable for the state sequence of an execution of M.
  1. Calculate Pr[Q = s | y] for each candidate state sequence s in S^(N+1).
  2. Output q = argmax_s Pr[Q = s | y].
- Running time: exponential.
- This paper shows how to transform a PFSM into an HMM, whose inference problem has a polynomial-time solution (the Viterbi algorithm).

Hidden Markov Models (HMMs)
- A sequence of hidden, probabilistic states (S).
- Corresponding observable outputs (O).
- Each state depends only on the previous state, not on the earlier history (memoryless).
- (Slide figure: states S_1, S_2, S_3 with probabilities P(S_1 = x_1), P(S_2 = x_2), P(S_3 = x_3) and observed outputs O_1, O_2, O_3.)

HMMs: The Inference Problem
- Definition: infer the values of the hidden states given only the observable outputs.
- The Viterbi algorithm solves the inference problem efficiently: O(|S|^2 * N).
- Are we done, then?

Input-Driven Hidden Markov Models
- HMMs do not model inputs.
- Inputs are present in cryptosystems, e.g. secret keys.
- The Viterbi algorithm on HMMs does not benefit from analysis of multiple traces of the side channel.
- The paper presents IDHMMs and an algorithm on IDHMMs that benefits from multiple traces (useful in a noisy environment).

Input-Driven Hidden Markov Models
- IDHMMs extend HMMs by treating the input at each step n as a random variable K_n.
- They add further random variables to capture multiple execution/trace pairs: Y_n^r (the R trace outputs) and Q_n^r (the R sequences of state transitions).
- The solution to an IDHMM is a sequence of random variables (a distribution over each key bit), not fixed values in {0, 1}.

Solution to Input-Driven Hidden Markov Models
- Can't use Maximum Likelihood Decoding: exponential.
- Can't use the Viterbi algorithm: (1) inputs are present and (2) it can't leverage data from multiple traces.

Solution to IDHMMs (cont.)
- Tried a variation on Viterbi -> also exponential in R, the number of traces.
- Belief Propagation, a new technique: compute a separate inference of the key K for each trace; call the result for trace r K^r.
- For trace r+1, use the posterior distribution of keys from the previous trace, Pr[K^r | y^r], as the input.
- We "propagate" the biases derived in earlier trace analyses to the following trace analyses.

Solution to IDHMMs (cont.)
- Algorithm progression: compute each single-trace inference r using the key probability distribution from inference r-1 as input (r = 0: uniform distribution).
- Best estimate of the key: from the final probability distribution of keys K^R, if Pr[K_i^R = 1 | Y = y] > 0.5 then k_i = 1, else k_i = 0.
- (Slide figure: INFER(K_1^1) -> K_1^1 -> INFER(K_1^2) -> ... -> INFER(K_1^r) -> K_1^r -> decision k_1 = 1 or k_1 = 0.)

An Attack Experiment
- The authors use two randomized countermeasures as targets.
- The countermeasures must be modeled in a specific way to be attacked using the authors' method.
- The authors transform the countermeasures' models into compatible models (PFSMs).
- They run their attack with errors introduced into the traces; Pr[error] is assumed to be known to the attacker.

Attack Experiment
- A PFSM for randomized exponentiation, e.g. 15P = 16P - P = 2(2(2(2P))) - P.
- The transformation is applied at any step of the algorithm with probability 0.5.
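The pipeline on the preceding slides (a faithful PFSM, per-trace IDHMM inference, and the belief-propagation loop that feeds each trace's key posterior into the next trace as its prior, with the final 0.5 threshold) as an added Python example; this is not the authors' code. The four-state add/subtract machine, the symmetric observation-noise model with known error rate eps, and the simulated traces are constructed assumptions for illustration, and the inference uses forward-backward over the key-marginalised transitions rather than the authors' exact algorithm.

```python
import random
# Toy faithful PFSM for a randomized add/subtract scalar multiplication, constructed for
# this example (not the machine from the paper). Key bits are consumed LSB first. A state
# is (operation, carry): the side channel sees the operation (D = double only, A = double
# + add, S = double + subtract), the carry is hidden. Digit 1 becomes A or S at random.
STATES = [("D", 0), ("A", 0), ("S", 1), ("D", 1)]

def tau(s, t, bit):
    """Pr[s -> t | key bit]. Faithful: every (s, t) pair is reachable under one bit only."""
    eff = bit + s[1]                                 # effective digit = key bit + carry
    if eff == 1:
        return 0.5 if t in (("A", 0), ("S", 1)) else 0.0
    return 1.0 if t == ("D", eff // 2) else 0.0      # eff 0 -> no carry, eff 2 -> carry

def emit(t, obs, eps):
    return 1.0 - eps if obs == t[0] else eps / 2.0   # true op seen w.p. 1-eps, else a wrong one

def infer_trace(y, prior, eps):
    """One IDHMM pass (forward-backward): Pr[K_n = 1 | y] for every bit, given a prior per bit."""
    N = len(y)
    mix = lambda s, t, n: (1 - prior[n]) * tau(s, t, 0) + prior[n] * tau(s, t, 1)
    alpha = [{s: 0.0 for s in STATES} for _ in range(N + 1)]
    alpha[0][("D", 0)] = 1.0                         # no carry before the first bit
    for n in range(N):
        for t in STATES:
            alpha[n+1][t] = emit(t, y[n], eps) * sum(alpha[n][s] * mix(s, t, n) for s in STATES)
    beta = [{s: 1.0 for s in STATES} for _ in range(N + 1)]
    for n in range(N - 1, -1, -1):
        for s in STATES:
            beta[n][s] = sum(mix(s, t, n) * emit(t, y[n], eps) * beta[n+1][t] for t in STATES)
    post = []
    for n in range(N):                               # transition marginals, split by key bit
        w = [sum(alpha[n][s] * tau(s, t, b) * emit(t, y[n], eps) * beta[n+1][t]
                 for s in STATES for t in STATES) for b in (0, 1)]
        post.append(prior[n] * w[1] / ((1 - prior[n]) * w[0] + prior[n] * w[1]))
    return post

def recover_key(traces, eps):
    """Belief propagation across traces: each trace's posterior is the next trace's prior."""
    prior = [0.5] * len(traces[0])                   # r = 0: uniform over key bits
    for y in traces:
        prior = infer_trace(y, prior, eps)
    return [1 if p > 0.5 else 0 for p in prior]      # threshold at 0.5 as on the slide

def simulate_trace(key, eps, seed):
    """Run the PFSM on a key and return one noisy operation trace (constructed test data)."""
    rng, s, obs = random.Random(seed), ("D", 0), []
    for bit in key:
        s = rng.choices(STATES, weights=[tau(s, t, bit) for t in STATES])[0]
        obs.append(s[0] if rng.random() >= eps else rng.choice("DAS".replace(s[0], "")))
    return obs
```

With eps = 0 a single trace already pins every bit to posterior 0 or 1 because the machine is faithful; with noise, the posteriors stay strictly between 0 and 1 and sharpen as more traces are propagated.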

Attacking Randomized Countermeasures
- At least 182 key bits must be recovered for the attack to count as "successful".
- A meet-in-the-middle search for the last 10 bits takes 2^38 work.
- Error-free observations lead to key recovery with fewer than 10 traces.

Conclusion
- The authors introduced HMM attacks for randomized side-channel countermeasures modeled by PFSMs.
- They presented IDHMMs and an efficient approximate inference algorithm for the inputs (keys).
- They demonstrated the input inference algorithm on two randomized countermeasures, in which keys could be recovered with fewer than 10 traces.