1 / 31

Cryptanalysis using HMM

Cryptanalysis using HMM. Kenan Gençol presented in the course Speech Recognition using Hidden Markov Models instructed by Asst.Prof.Dr. Rıfat Edizkan Department of Electrical and Electronics Engineering, Osmangazi University. Agenda. Introduction Terminology

umika
Download Presentation

Cryptanalysis using HMM

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cryptanalysis using HMM Kenan Gençol presented in the course Speech Recognition using Hidden Markov Models instructed by Asst.Prof.Dr. Rıfat Edizkan Department of Electrical and Electronics Engineering, Osmangazi University

  2. Agenda • Introduction • Terminology • Hidden Markov Model Cryptanalysis • Input Driven Hidden Markov Models (IDHMM) • Other applications

  3. Introduction • Cryptanalysis is the study of mathematical techniques for attempting to defeat cryptographic techniques, and, more generally, information security services.

  4. Terminology • Adversary is someone or something which tries to defeat the information security service being provided between the sender and receiver. • A randomized algorithm is an algorithm which employs a degree of randomness as part of its logic.

  5. Terminology: Side Channel Attack • In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem. • For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system. • Timing attack, power monitoring attack, TEMPEST(radiation monitoring) attack, acoustic attack etc.

  6. Terminology: Countermeasures • Because side channel attacks rely on emitted information (like electromagnetic radiation or sound) or on relationship information (as in timing and power attacks), the most reasonable methods of countering such attacks is to limit the release of such information or access to those relationships. • EM shields, power line filtering, jamming the emitted channel with noise (random delays)

  7. Countermeasures • designing the software so that it is isochronous -- so it runs in a constant amount of time, independent of secret values. (against timing attacks) • designing the software so that it is "PC-secure" in the "program counter security model". In a PC-secure program, the execution path does not depend on secret values. (against power and timing attacks)

  8. Hidden Markov Model Cryptanalysis • HMM attacks, a type of cryptanalysis based on modeling randomized side channel countermeasures as Hidden Markov Models (HMMs). • The idea behind randomized countermeasures is: Randomize side channel information, thus make it harder to analyze.

  9. The Binary Algorithm for ECC scalar multiplication • Adversary can distinguish between Addition+Doubling(AD) and doubling(D). • Adversary can distinguish between k(i)=0 and k(i)=1.

  10. The Randomized Binary Algorithm for ECC scalar multiplication: • Adversary can distinguish between Addition+Doubling(AD) and doubling(D). • No one-to-one correspondence between key and output.

  11. Probabilistic Finite State Machine

  12. HMM for Cryptanalysis: Motivation • Efficient inference algorithm are needed. • Side channel measurements may be noisy. • We need a model that handles inputs. • One trace is typically not enough.

  13. HMM for Cryptanalysis • The hidden states of the HMM represent the internal states of the countermeasures • The observable outputs represent observations of the side channel. • But, HMM is not directly applicable! • HMMs do not model inputs.HMM’s model processes as a sequence of states.

  14. HMM for Cryptanalysis • However, the internal operation of a randomized countermeasure both depends the current state as well as an input: the secret key. • Extend the notion of HMM’s to include the possibilty of inputs by introducing Input Driven Hidden Markov Models (IDHMM)

  15. Input Driven Hidden Markov Models

  16. Input Driven Hidden Markov Models

  17. Key Inference Problem for IDHMM (single trace)

  18. Key Inference Problem for IDHMM

  19. Key Inference Problem for IDHMM • What is the most likely sequence K1 K2 ...KNgiven the observed output? • Ideally, we want to compute • Inefficient! • Approximation: Infer each key bit separately • Use the approximated key bits to infer the entire key • Still hard to solve. Running time exponential in L, the number of traces.

  20. Belief Propagation • Introduce a new technique based on belief propagation • The key idea: separate L executions of an IDHMM on the same input into L executions of an IDMM where there are no assumptions about the input used in each execution • L copies of a single execution! • A single execution of an IDHMM runs O(|S|2.N) • L executions runs with O(|S|2.N.L)

  21. Finally... • We need to calculate the posterior distributions Pr[Kn|y]given a single trace of an IDHMM. • The goal is efficiently compute p(kn|y)for each n. • Calculate using forward-backward manner. • Running time O(|S|2.N)

  22. An Efficient Exact Inference Algorithm for a Single Execution of an IDHMM

  23. Performance Results • Two randomized side channel countermeasures OA1 and OA2 proposed by Oswald-Aigner: • Notice that HMM attacks works on noisy channel!

  24. Other applications of HMM CryptAnalysis • Fast dictionary attacks on human memorable passwords • Timing attacks on Secure Shell (SSH) • Substitution deciphering of compressed documents • Cryptanalysis of XOR plaintexts in stream ciphers

  25. References • C. Karlof and D. Wagner. Hidden Markov Model Cryptanalysis • Handbook of Applied Cryptography, Ch.1Overview of Cryptography,Menezes, CRC Press,1996. • http://www.wikipedia.org: Side channel attack, randomized algorithm.

  26. Thank You!

More Related