Hidden Markov Model Cryptanalysis
Cryptanalysis using HMM
Kenan Gençol
presented in the course
Speech Recognition using Hidden Markov Models
instructed by
Asst.Prof.Dr. Rıfat Edizkan
Department of Electrical and Electronics Engineering,
Osmangazi University
Agenda
Introduction
Terminology
Hidden Markov Model Cryptanalysis
Input Driven Hidden Markov Models (IDHMM)
Other applications
Introduction
Cryptanalysis is the study of mathematical techniques for attempting to defeat cryptographic techniques and, more generally, information security services.
Terminology
An adversary is someone or something that tries to defeat the information security service being provided between the sender and the receiver.
A randomized algorithm is an algorithm that employs a degree of randomness as part of its logic.
Terminology: Side Channel Attack
In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem.
For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information which can be exploited to break the system.
Examples: timing attacks, power monitoring attacks, TEMPEST (radiation monitoring) attacks, acoustic attacks, etc.
Terminology: Countermeasures
Because side channel attacks rely on emitted information (like electromagnetic radiation or sound) or on relationship information (as in timing and power attacks), the most reasonable methods of countering such attacks are to limit the release of such information or access to those relationships.
Examples: EM shields, power line filtering, jamming the emitted channel with noise (random delays).
Countermeasures
Designing the software so that it is isochronous, i.e. it runs in a constant amount of time independent of secret values (against timing attacks).
Designing the software so that it is "PC-secure" in the "program counter security model". In a PC-secure program, the execution path does not depend on secret values (against power and timing attacks).
Hidden Markov Model Cryptanalysis
HMM attacks are a type of cryptanalysis based on modeling randomized side channel countermeasures as Hidden Markov Models (HMMs).
The idea behind randomized countermeasures is to randomize the side channel information and thus make it harder to analyze.
The Binary Algorithm for ECC scalar multiplication
The adversary can distinguish between Addition+Doubling (AD) and Doubling (D).
Hence the adversary can distinguish between k(i)=0 and k(i)=1.
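The leak described on this slide, together with the isochronous / PC-secure countermeasure from the earlier Countermeasures slide, as an added worked example (not code from the presentation or from Karlof and Wagner). The group is a toy: point addition is replaced by integer addition so that k·P can be checked directly. The Montgomery ladder with a branch-free conditional swap is my choice of key-independent operation sequence, and Python integers are not constant-time, so the ladder shows the structure of the countermeasure rather than a production implementation.

```python
"""Added example: the AD/D leak of the plain binary (double-and-add) scalar
multiplication, and a key-independent operation sequence (Montgomery ladder
with a branch-free conditional swap) as the isochronous / PC-secure fix.
Toy group: "point addition" is integer addition, so k*P is literally k*P."""

def binary_scalar_mult(k, P):
    """Left-to-right double-and-add.  Returns (k*P, operation trace)."""
    R, ops = 0, []
    for bit in bin(k)[2:]:                 # most significant bit first
        R = R + R                          # doubling on every step
        if bit == "1":
            R = R + P                      # addition only for a 1 bit
            ops.append("AD")
        else:
            ops.append("D")
    return R, ops

def key_from_trace(ops):
    """An adversary who can tell AD from D reads the key straight off the trace."""
    return int("".join("1" if op == "AD" else "0" for op in ops), 2)

def cswap(bit, a, b):
    """Conditional swap without a branch on the secret bit (mask is 0 or all ones).
    Illustrates the structure only: Python integers are not constant-time."""
    mask = -bit
    t = (a ^ b) & mask
    return a ^ t, b ^ t

def ladder_scalar_mult(k, P):
    """Montgomery ladder: one addition and one doubling per bit whatever the bit,
    and no branch on it, so the operation trace carries no key information."""
    R0, R1, ops = 0, P, []
    for bit in bin(k)[2:]:
        b = int(bit)
        R0, R1 = cswap(b, R0, R1)
        R0, R1 = R0 + R0, R0 + R1          # always: double one register, add the other
        R0, R1 = cswap(b, R0, R1)
        ops.append("AD")
    return R0, ops

def trace_depends_on_key(mult, P, keys):
    """True if the operation trace differs between keys of equal bit length."""
    traces = {tuple(mult(k, P)[1]) for k in keys}
    return len(traces) > 1

if __name__ == "__main__":
    for k in (0b1011, 0b1101):             # constructed sample keys
        result, ops = binary_scalar_mult(k, 7)
        print("binary ", k, result, ops, "-> recovered key", key_from_trace(ops))
        print("ladder ", k, *ladder_scalar_mult(k, 7))
```

The AD/D trace of the binary algorithm is the key written in binary, which is exactly what the slide states; the ladder's trace is the same for every key of the same length, which is the PC-secure property. A real implementation still has to make the field operations themselves constant-time and avoid secret-dependent memory access, which this toy does not address.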
The Randomized Binary Algorithm for ECC scalar multiplication:
The adversary can distinguish between Addition+Doubling (AD) and Doubling (D).
But there is no one-to-one correspondence between the key and the output.
Probabilistic Finite State Machine
HMM for Cryptanalysis: Motivation
Efficient inference algorithms are needed.
Side channel measurements may be noisy.
We need a model that handles inputs.
One trace is typically not enough.
HMM for Cryptanalysis
The hidden states of the HMM represent the internal states of the countermeasure.
The observable outputs represent observations of the side channel.
But the HMM is not directly applicable!
HMMs do not model inputs; HMMs model processes as a sequence of states.
HMM for Cryptanalysis
However, the internal operation of a randomized countermeasure depends both on the current state and on an input: the secret key.
Extend the notion of HMMs to include the possibility of inputs by introducing Input Driven Hidden Markov Models (IDHMM).
Input Driven Hidden Markov Models
Key Inference Problem for IDHMM (single trace)
Key Inference Problem for IDHMM
What is the most likely key sequence K1 K2 ... KN given the observed output?
Ideally, we want to compute

Inefficient!
Approximation: infer each key bit separately.
Use the approximated key bits to infer the entire key.
Still hard to solve: running time exponential in L, the number of traces.
Belief Propagation
Introduce a new technique based on belief propagation.
The key idea: separate L executions of an IDHMM on the same input into L executions of an IDHMM where there are no assumptions about the input used in each execution.
L copies of a single execution!
A single execution of an IDHMM runs in O(|S|^2 · N); L executions run in O(|S|^2 · N · L).
Finally...
We need to calculate the posterior distributions Pr[Kn | y] given a single trace of an IDHMM.
The goal is to efficiently compute Pr[Kn | y] for each n.
Calculate it in a forward-backward manner.
Running time O(|S|^2 · N).
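A complete toy instance of the pipeline on the Randomized Binary Algorithm, Key Inference, Belief Propagation and Finally... slides, added here as an example; it is not code from the presentation or from the Karlof and Wagner paper. It writes a hypothetical randomized countermeasure (not OA1 or OA2) as an IDHMM, runs exact forward-backward inference of Pr[Kn | y] for one trace, and combines L traces in the belief-propagation manner the slides describe. The model layout (the key bit drives the state transition, the output depends only on the state), the parameters P_FLIP and P_NOISE, and the message-passing schedule in combine_traces are my assumptions.

```python
"""Toy Input Driven HMM (IDHMM) for a randomized side-channel countermeasure.
Added example; the countermeasure is hypothetical (not OA1/OA2) and the
model layout is an assumption, not Karlof-Wagner's formalism."""
import random

# Hypothetical countermeasure: a hidden "dummy mode" flag m flips with
# probability P_FLIP at every step.  Key bit 1 always performs a doubling
# plus an addition (AD).  Key bit 0 performs a plain doubling (D), except in
# dummy mode, where a dummy addition is inserted and the adversary sees AD.
# The side channel reports AD/D per step, mislabelled with probability P_NOISE.
P_FLIP, P_NOISE = 0.2, 0.1
OPS = ("D", "AD")
STATES = [(m, op) for m in (0, 1) for op in OPS]  # state = (mode, op just performed)
EPS = 1e-9                                        # keeps priors away from 0 and 1

def transition(s, k, s_next):
    """Pr[s_next | s, k]: the mode evolves on its own, the op is fixed by (mode, k)."""
    (m, _), (m2, op2) = s, s_next
    p_mode = P_FLIP if m2 != m else 1 - P_FLIP
    expected = "AD" if (k == 1 or m2 == 1) else "D"
    return p_mode if op2 == expected else 0.0

def emission(s, y):
    """Pr[y | s]: the observed label matches the op unless the measurement is noisy."""
    return 1 - P_NOISE if y == s[1] else P_NOISE

def initial():
    """Start state: mode unknown (uniform), no operation performed yet."""
    return {s: (0.5 if s[1] == "D" else 0.0) for s in STATES}

def simulate(key, rng):
    """Run the countermeasure on `key` once and return the noisy AD/D trace."""
    m, trace = rng.randint(0, 1), []
    for k in key:
        if rng.random() < P_FLIP:
            m ^= 1
        op = "AD" if (k == 1 or m == 1) else "D"
        trace.append(op if rng.random() >= P_NOISE else OPS[1 - OPS.index(op)])
    return trace

def sample_traces(key, count, seed=0):
    """`count` independent traces of the same constructed key (seeded for repeatability)."""
    rng = random.Random(seed)
    return [simulate(key, rng) for _ in range(count)]

def posterior_bits(y, prior=None):
    """Exact single-trace inference: Pr[K_n = 1 | y] for every n, computed in the
    forward-backward manner over (state, key bit).  Cost O(|S|^2 N)."""
    N = len(y)
    prior = prior or [0.5] * N
    pk = lambda n, k: prior[n] if k == 1 else 1 - prior[n]

    def step(n, s, s2, k):                # one term of the sum over transitions at step n
        return pk(n, k) * transition(s, k, s2) * emission(s2, y[n])

    alpha = [initial()]                                       # alpha[n]: Pr[s_n | y_1..y_n]
    for n in range(N):
        a = {s2: sum(alpha[n][s] * step(n, s, s2, k) for s in STATES for k in (0, 1))
             for s2 in STATES}
        z = sum(a.values())
        alpha.append({s: v / z for s, v in a.items()})        # rescaled to avoid underflow
    beta = [None] * (N + 1)                                   # beta[n]: Pr[y_{n+1}..y_N | s_n]
    beta[N] = {s: 1.0 for s in STATES}
    for n in range(N - 1, -1, -1):
        b = {s: sum(step(n, s, s2, k) * beta[n + 1][s2] for s2 in STATES for k in (0, 1))
             for s in STATES}
        z = sum(b.values())
        beta[n] = {s: v / z for s, v in b.items()}
    post = []
    for n in range(N):
        w = [sum(alpha[n][s] * step(n, s, s2, k) * beta[n + 1][s2]
                 for s in STATES for s2 in STATES) for k in (0, 1)]
        post.append(w[1] / (w[0] + w[1]))
    return post

def _product(messages, n, skip=None):
    """Combine per-trace beliefs about bit n (product of messages, uniform prior)."""
    p1 = p0 = 1.0
    for l, msg in enumerate(messages):
        if l != skip:
            p1, p0 = p1 * msg[n], p0 * (1 - msg[n])
    return min(max(p1 / (p0 + p1), EPS), 1 - EPS)

def combine_traces(traces, rounds=2):
    """Belief propagation over L traces: each trace is inferred on its own with the
    other traces' beliefs as its prior, and the beliefs are multiplied.  Approximate,
    but O(|S|^2 N L) per round instead of exponential in L."""
    L, N = len(traces), len(traces[0])
    msgs = [[0.5] * N for _ in range(L)]
    for _ in range(rounds):
        for l, y in enumerate(traces):
            prior = [_product(msgs, n, skip=l) for n in range(N)]
            post = posterior_bits(y, prior)
            # message = the evidence this trace alone contributes (posterior / prior)
            msgs[l] = [(p / q) / (p / q + (1 - p) / (1 - q)) for p, q in zip(post, prior)]
    return [_product(msgs, n) for n in range(N)]

def recover_key(traces, rounds=2):
    """Hard decision on the combined posterior, bit by bit (the slides' approximation)."""
    return [1 if p > 0.5 else 0 for p in combine_traces(traces, rounds)]

if __name__ == "__main__":
    key = [random.Random(7).randint(0, 1) for _ in range(16)]   # constructed key
    traces = sample_traces(key, 8, seed=7)
    print("true key ", key)
    print("1 trace  ", recover_key(traces[:1]))
    print("8 traces ", recover_key(traces))
```

The single-trace routine is the forward-backward computation the slide names, run over the joint (state, key bit) so the unknown input is marginalised with its prior; the two rescalings keep alpha and beta from underflowing on long traces and cancel in the final ratio. In this toy, a D observation says "key bit 0" strongly while an AD observation is ambiguous because dummy mode also produces AD, which is why several traces (with fresh randomness each) are needed before the hard decision in recover_key becomes reliable.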
An Efficient Exact Inference Algorithm for a Single Execution of an IDHMM
Performance Results
Two randomized side channel countermeasures, OA1 and OA2, proposed by Oswald and Aigner:
Notice that HMM attacks work on noisy channels!
Other applications of HMM Cryptanalysis
Fast dictionary attacks on human memorable passwords
Timing attacks on Secure Shell (SSH)
Substitution deciphering of compressed documents
Cryptanalysis of XOR plaintexts in stream ciphers
References
C. Karlof and D. Wagner, "Hidden Markov Model Cryptanalysis", CHES 2003.
A. Menezes, P. van Oorschot and S. Vanstone, Handbook of Applied Cryptography, Ch. 1 "Overview of Cryptography", CRC Press, 1996.
http://www.wikipedia.org: "Side channel attack", "Randomized algorithm".
Thank You!