Cryptanalysis using HMM
Kenan Gençol

Presented in the course "Speech Recognition using Hidden Markov Models", instructed by Asst. Prof. Dr. Rıfat Edizkan, Department of Electrical and Electronics Engineering, Osmangazi University

Agenda
- Introduction
- Terminology
- Hidden Markov Model Cryptanalysis
- Input Driven Hidden Markov Models (IDHMM)
- Other applications

Introduction
Cryptanalysis is the study of mathematical techniques for attempting to defeat cryptographic techniques and, more generally, information security services.

Terminology
- An adversary is someone or something that tries to defeat the information security service being provided between the sender and the receiver.
- A randomized algorithm is an algorithm that employs a degree of randomness as part of its logic.

Terminology: Side Channel Attack
In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem. For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information that can be exploited to break the system.
- Examples: timing attack, power monitoring attack, TEMPEST (radiation monitoring) attack, acoustic attack, etc.

Terminology: Countermeasures
Because side channel attacks rely on emitted information (such as electromagnetic radiation or sound) or on relationship information (as in timing and power attacks), the most reasonable way of countering such attacks is to limit the release of such information or access to those relationships.
- EM shields, power line filtering, jamming the emitted channel with noise (random delays)

Countermeasures
- Design the software so that it is isochronous, i.e. it runs in a constant amount of time, independent of secret values (against timing attacks).
- Design the software so that it is "PC-secure" in the "program counter security model". In a PC-secure program, the execution path does not depend on secret values (against power and timing attacks).

Hidden Markov Model Cryptanalysis
- HMM attacks are a type of cryptanalysis based on modeling randomized side channel countermeasures as Hidden Markov Models (HMMs).
- The idea behind randomized countermeasures is to randomize the side channel information and thus make it harder to analyze.

The Binary Algorithm for ECC scalar multiplication
- The adversary can distinguish between Addition+Doubling (AD) and Doubling (D).
- The adversary can therefore distinguish between k(i)=0 and k(i)=1.

The Randomized Binary Algorithm for ECC scalar multiplication
- The adversary can still distinguish between Addition+Doubling (AD) and Doubling (D).
- But there is no one-to-one correspondence between key and output.
- Probabilistic Finite State Machine

HMM for Cryptanalysis: Motivation
- Efficient inference algorithms are needed.
- Side channel measurements may be noisy.
- We need a model that handles inputs.
- One trace is typically not enough.

HMM for Cryptanalysis
- The hidden states of the HMM represent the internal states of the countermeasure.
- The observable outputs represent observations of the side channel.
- But an HMM is not directly applicable: HMMs do not model inputs; they model processes as a sequence of states.

HMM for Cryptanalysis
- However, the internal operation of a randomized countermeasure depends both on the current state and on an input: the secret key.
- Extend the notion of HMMs to include the possibility of inputs by introducing Input Driven Hidden Markov Models (IDHMM).

Input Driven Hidden Markov Models

Key Inference Problem for IDHMM (single trace)
- What is the most likely sequence K1 K2 ... KN given the observed output?
- Ideally, we want to compute
- Inefficient!
- Approximation: infer each key bit separately, then use the approximated key bits to infer the entire key.
- Still hard to solve: the running time is exponential in L, the number of traces.
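Worked example for the single-trace key inference problem above (added here; not code from the deck or from Karlof and Wagner): exact forward-backward inference of Pr[K_n | y] on a constructed toy IDHMM with a noisy AD/D side channel, plus a chained prior update across several traces that stands in for the multi-trace belief-propagation step. The toy state machine, the symmetric noise model and the chaining rule are all assumptions, not the Oswald-Aigner countermeasures or the paper's own algorithm.

```python
# Constructed toy IDHMM (not Oswald-Aigner's): state s (1 = "an add was deferred"), key bit k, symbol AD/D.
STEP = {  # (s, k) -> [(prob, output symbol, next state)]
    (0, 1): [(0.5, 'AD', 0), (0.5, 'D', 1)],  # coin flip: add now, or defer it
    (1, 1): [(1.0, 'AD', 1)],                  # do the deferred add, defer the new one
    (0, 0): [(1.0, 'D', 0)],
    (1, 0): [(1.0, 'AD', 0)],                  # catch up on the deferred add
}

def factors(y, eps, prior):
    """f[n][(s,k,t)] = Pr[k_n=k] * Pr[o,t | s,k] * Pr[y_n | o]; eps = misread probability."""
    f = []
    for n, yn in enumerate(y):
        fn = {}
        for (s, k), moves in STEP.items():
            pk = prior[n] if k else 1.0 - prior[n]
            for p, o, t in moves:                # symmetric noise channel on the symbol o
                fn[(s, k, t)] = fn.get((s, k, t), 0.0) + pk * p * (1.0 - eps if yn == o else eps)
        f.append(fn)
    return f

def posteriors(y, eps, prior):
    """Exact forward-backward over one trace: Pr[k_n=1 | y] for each n, in O(|S|^2 N)."""
    f, N = factors(y, eps, prior), len(y)
    alpha = [{0: 1.0, 1: 0.0}]          # the execution starts with nothing deferred
    for n in range(N):                  # alpha[n+1][t] = Pr[y_1..y_n, s_n = t]
        a = {0: 0.0, 1: 0.0}
        for (s, k, t), v in f[n].items():
            a[t] += alpha[n][s] * v
        alpha.append(a)
    beta = [None] * N + [{0: 1.0, 1: 1.0}]
    for n in reversed(range(N)):        # beta[n][s] = Pr[y_n+1..y_N | s_n = s]
        b = {0: 0.0, 1: 0.0}
        for (s, k, t), v in f[n].items():
            b[s] += v * beta[n + 1][t]
        beta[n] = b
    post = []
    for n in range(N):                  # marginalise the states around step n
        p = [0.0, 0.0]
        for (s, k, t), v in f[n].items():
            p[k] += alpha[n][s] * v * beta[n + 1][t]
        post.append(p[1] / (p[0] + p[1]))
    return post

def combine(traces, eps):
    """Chain traces (assumed simplification of belief propagation): each trace's posteriors become the next prior."""
    prior = [0.5] * len(traces[0])
    for y in traces:
        prior = posteriors(y, eps, prior)
    return prior
```

Running this with different eps values is a direct way to measure how much key information a randomized countermeasure still leaks per trace at a given noise level.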
Belief Propagation
- Introduce a new technique based on belief propagation.
- The key idea: separate L executions of an IDHMM on the same input into L executions of an IDHMM where no assumptions are made about the input used in each execution, i.e. L copies of a single execution!
- A single execution of an IDHMM runs in O(|S|^2 N); L executions run in O(|S|^2 N L).

Finally...
- We need to calculate the posterior distributions Pr[Kn|y] given a single trace of an IDHMM.
- The goal is to efficiently compute p(kn|y) for each n.
- Calculate in a forward-backward manner. Running time O(|S|^2 N).

An Efficient Exact Inference Algorithm for a Single Execution of an IDHMM

Performance Results
- Two randomized side channel countermeasures, OA1 and OA2, proposed by Oswald-Aigner.
- Notice that HMM attacks work on a noisy channel!

Other applications of HMM Cryptanalysis
- Fast dictionary attacks on human-memorable passwords
- Timing attacks on Secure Shell (SSH)
- Substitution deciphering of compressed documents
- Cryptanalysis of XOR plaintexts in stream ciphers

References
- C. Karlof and D. Wagner. Hidden Markov Model Cryptanalysis.
- Menezes, Handbook of Applied Cryptography, Ch. 1: Overview of Cryptography, CRC Press, 1996.
- http://www.wikipedia.org: Side channel attack, randomized algorithm.

Thank You!