predictive models for min entropy estimation
play

Predictive Models for Min-Entropy Estimation John Kelsey Kerry A. - PowerPoint PPT Presentation

Mar 17, 2023 •305 likes •645 views

Predictive Models for Min-Entropy Estimation John Kelsey Kerry A. McKay Meltem S onmez Turan National Institute of Standards and Technology meltem.turan@nist.gov September 15, 2015 Kelsey, McKay, Turan Predictive Models for Min-Entropy

  1. Predictive Models for Min-Entropy Estimation John Kelsey Kerry A. McKay Meltem S¨ onmez Turan National Institute of Standards and Technology meltem.turan@nist.gov September 15, 2015 Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  2. Overview Cryptographic random numbers and entropy NIST SP 800 90 Series - Recommendations on random number generation A framework to estimate entropy based on predictors Experimental results using simulated and real noise sources Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  3. Random Numbers in Cryptography We need random numbers for cryptography (e.g., secret keys, IVs, nonce, salts) Cryptographic PRNGs (based on hash functions, block ciphers etc.) generate strong random numbers for crypto applications. PRNGs need random seeds. Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  4. Entropy sources Entropy sources depend on physical events (e.g. thermal noise). The outputs of entropy sources are usually statistically weak, (e.g. correlated outputs). Entropy sources are fragile, sensitive to external factors (e.g. temperature). Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  5. Entropy sources Entropy sources depend on physical events (e.g. thermal noise). The outputs of entropy sources are usually statistically weak, (e.g. correlated outputs). Entropy sources are fragile, sensitive to external factors (e.g. temperature). How many bits are needed to be drawn from the entropy source to produce a good seed? Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  6. Low Entropy leads to weak keys! Heninger et al. (2012) performed the largest network survey of TLS and SSH servers. Collected 5.8 million unique certificates from 12.8 million TLS hosts and 6.2 million unique SSH host keys from 10.2 million hosts. Observed that 0.75% of TLS certificates share keys during key generation. Obtained RSA private keys for 0.50% of TLS hosts and 0.03% of SSH hosts, DSA private keys for 1.03% of SSH hosts. Why? Using manufacturers-default keys, Low entropy during key generation. Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  7. Entropy Measure of the amount of information contained in a message. Different measurements of entropy: Shannon ( − � p i log p i ), Renyi ( 1 − α log( � p α 1 i )), Min-entropy ( − log max i p i ). Entropy estimation Plug-in estimators (maximum likelihood estimators), methods based on compression algorithms etc. Challenging, when underlying distribution is unknown, and the i.i.d. assumption cannot be made. Under/over estimation Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  8. NIST Special Publication 800-90 Series Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  9. Entropy Source Model used in SP 800-90B Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  10. Entropy Estimation - 90B Perspective In order to comply with Federal Information Processing Standard 140-2, designers/submitters first submit analysis of their noise source. Labs check the noise source specification, and then generate raw data from the noise source, and estimate entropy using the 90B estimators. For validation purposes, estimation process cannot be too complex, due to time and cost constraints, and the process cannot require expert knowledge. Any two validation labs must get the same result for same outputs. Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  11. NIST’s Entropy Estimation Suite Draft SP 800-90B (Aug.2012) includes five estimators for non-i.i.d. sources: Collision test (based on the mean time for a repeated sample value.) Partial collection test (based on the number of distinct sample values observed in segments of the outputs.) Markov test (models the noise source outputs as a first-order Markov model.) Compression test (based on how much the noise source outputs can be compressed.) Frequency test (based on the number of occurrences of the most-likely value. ) The final entropy estimate is the minimum of all the estimates. Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  12. Drawbacks of SP 800 90B Estimators Estimators do not always catch bad behavior e.g. Higher-order Markov models Prone to underestimate when there are many probability levels (e.g., discrete approximation of a normal distribution) Estimators may not work very well if the probability distribution changes over time Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  13. New Framework based on Predictors Predictors behave more like Initialize the predictor model an attacker, who observes source outputs and makes Predict the next output guesses based on previous observations. Observe the next output Predictor approach complements 90B suite Compare the prediction without significantly to the observed value lowering estimates Update the predictor model Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  14. Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker’s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker’s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  15. Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker’s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker’s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 Prediction 0 Correct Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  16. Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker’s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker’s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 Prediction 0 Correct 0 Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  17. Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker’s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker’s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 Prediction 0 1 Correct 0 Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  18. Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker’s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker’s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 Prediction 0 1 Correct 0 Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

  19. Global vs. Local Predictability Two ways to estimate probability of predicting the next value: Global predictability Proportion of correct guesses over a long sequence Captures attacker’s ability to guess next output, on average Local Predictability Probability of guessing correctly given the longest run of correct guesses over a long sequence Captures attacker’s ability to guess next output, should the entropy source fall into a predictable state Estimate min-entropy using the higher probability, with a 99% confidence interval approach. Raw data 1 0 Prediction 0 1 Correct 0 0 Kelsey, McKay, Turan Predictive Models for Min-Entropy Estimation - CHES 2015

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . .

Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . .

Predictive vs. . . . Remaining Problem: . . . Need for Formalization What Do We Mean by . . . Why the Best Predictive What Do We Mean by . . . Models Are Often Different Main Result: . . . Proof for Predictive Case from the Best Explanatory

900 views • 28 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) >= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
A gentle introduction to Maximum Entropy Models and their friends Mark Johnson Brown University

A gentle introduction to Maximum Entropy Models and their friends Mark Johnson Brown University

A gentle introduction to Maximum Entropy Models and their friends Mark Johnson Brown University November 2007 1 / 32 Outline What problems can MaxEnt solve? What are Maximum Entropy models? Learning Maximum Entropy models from data

607 views • 32 slides
Entropy & Hidden Markov Models Natural Language Processing CMSC 35100 April 22, 2003

Entropy & Hidden Markov Models Natural Language Processing CMSC 35100 April 22, 2003

Entropy & Hidden Markov Models Natural Language Processing CMSC 35100 April 22, 2003 Agenda Evaluating N-gram models Entropy & perplexity Cross-entropy, English Speech Recognition Hidden Markov Models

638 views • 31 slides
Eff Efficient Entr icient Entropy opy Est Estimation imation for for Mutua Mutual l

Eff Efficient Entr icient Entropy opy Est Estimation imation for for Mutua Mutual l

Efficient entropy estimation for MIA using B-splines Eff Efficient Entr icient Entropy opy Est Estimation imation for for Mutua Mutual l Information Information Analys Analysis is using using B-splines splines Alexandre VENELLI IML

871 views • 25 slides
Topic III.2: Maximum Entropy Models Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III.2: Maximum Entropy Models Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III.2: Maximum Entropy Models Discrete Topics in Data Mining Universitt des Saarlandes, Saarbrcken Winter Semester 2012/13 T III.2- 1 Topic III.2: Maximum Entropy Models 1. The Maximum Entropy Principle 1.1. Maximum Entropy

552 views • 30 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Mathematical Foundations of Infinite-Dimensional Statistical Models: 3.3 The Entropy Method and

Mathematical Foundations of Infinite-Dimensional Statistical Models: 3.3 The Entropy Method and

Mathematical Foundations of Infinite-Dimensional Statistical Models: 3.3 The Entropy Method and Talagrands Inequality(3.3.4 3.3.5) Seoul National University ga0408@snu.ac.kr Nov 15, 2018 1/20 Table of Contents 3.3 The Entropy

405 views • 21 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
The Model You Know: Generalizability and Predictive Power of Models of Choice Under Uncertainty

The Model You Know: Generalizability and Predictive Power of Models of Choice Under Uncertainty

The Model You Know: Generalizability and Predictive Power of Models of Choice Under Uncertainty B. Douglas Bernheim Christine Exley Jeffrey Naecker Charles Sprenger 1/24/2019 Motivation Two important features of models:

717 views • 26 slides
Bayesian parameter estimation in predictive engineering Damon McDougall Institute for

Bayesian parameter estimation in predictive engineering Damon McDougall Institute for

Bayesian parameter estimation in predictive engineering Damon McDougall Institute for Computational Engineering and Sciences, UT Austin 14th August 2014 1/27 Motivation Understand physical phenomena Observations of phenomena Mathematical

804 views • 49 slides
High-Fidelity Coupling of Predictive Plasma-Wall Models Goal: Develop a predictive model of the

High-Fidelity Coupling of Predictive Plasma-Wall Models Goal: Develop a predictive model of the

High-Fidelity Coupling of Predictive Plasma-Wall Models Goal: Develop a predictive model of the plasma-wall interaction Mitchell Walker Professor Georgia Institute of Technology Michael Keidar Julian Rimoli Professor Associate Professor

588 views • 4 slides
A comparison of algorithms for maximum entropy parameter estimation Robert Malouf

A comparison of algorithms for maximum entropy parameter estimation Robert Malouf

A comparison of algorithms for maximum entropy parameter estimation Robert Malouf Alfa-Informatica Rijksuniversiteit Groningen Postbus 716 9700AS Groningen The Netherlands malouf@let.rug.nl Draft of May 15, 2002 Abstract representations is

103 views • 9 slides
Two problems from neural data analysis: Sparse entropy estimation and efficient adaptive

Two problems from neural data analysis: Sparse entropy estimation and efficient adaptive

Two problems from neural data analysis: Sparse entropy estimation and efficient adaptive experimental design Liam Paninski Department of Statistics and Center for Theoretical Neuroscience Columbia University http://www.stat.columbia.edu/

702 views • 38 slides
How Better Are Predictive Robust Interval . . . Models: Analysis on the Analysis of the Problem

How Better Are Predictive Robust Interval . . . Models: Analysis on the Analysis of the Problem

Predictions Are Important Traditional Statistics . . . Predictive Approach Measurement . . . How Better Are Predictive Robust Interval . . . Models: Analysis on the Analysis of the Problem How Accurate Are . . . Practically Important

368 views • 22 slides
Controlling Systemic Inflammation Using Nonlinear Model Predictive Control with State Estimation

Controlling Systemic Inflammation Using Nonlinear Model Predictive Control with State Estimation

Controlling Systemic Inflammation Using Nonlinear Model Predictive Control with State Estimation Gregory Zitelli, Judy Day University of Tennessee, Knoxville July 2013 With generous support from the NSF, Award 1122462 Controlling Systemic

740 views • 44 slides
Relational Database Design Theory Informal guidelines for good relational designs

Relational Database Design Theory Informal guidelines for good relational designs

Relational Database Design Theory Informal guidelines for good relational designs Functional dependencies Normal forms and normalization 1NF, 2NF, 3NF BCNF, 4NF, 5NF Inference rules on functional dependencies Additional

433 views • 32 slides
Musings on IOT Tim Grance Jeff Voas Computer Security Division Information Technology

Musings on IOT Tim Grance Jeff Voas Computer Security Division Information Technology

Musings on IOT Tim Grance Jeff Voas Computer Security Division Information Technology Laboratory National Institute of Standards and Technology 2015 Agenda Four Horsemen of the Apocalypse, Cloud , Mobile , Big Data , Social What is

579 views • 40 slides
Implications of Big Data for Statistics Instruction 17 Nov 2013 Teaching Introductory Business

Implications of Big Data for Statistics Instruction 17 Nov 2013 Teaching Introductory Business

Implications of Big Data for Statistics Instruction 17 Nov 2013 Teaching Introductory Business Statistics Implications of Big Data to Undergraduates in an Era of Big Data for Statistics Instruction The integration of business, Big Data and Mark

392 views • 23 slides
Selective Review of Variables and Research Issues Gerri Barosso, RD, MPH, MS Technical Advisor

Selective Review of Variables and Research Issues Gerri Barosso, RD, MPH, MS Technical Advisor

Selective Review of Variables and Research Issues Gerri Barosso, RD, MPH, MS Technical Advisor University of Minnesota Overview Who Medicaid enrollees Provider information What Claims utilization information Identification

376 views • 20 slides
Regression 3: Logistic Regression Marco Baroni Practical Statistics in R Outline Logistic

Regression 3: Logistic Regression Marco Baroni Practical Statistics in R Outline Logistic

Regression 3: Logistic Regression Marco Baroni Practical Statistics in R Outline Logistic regression Logistic regression in R Outline Logistic regression Introduction The model Looking at and comparing fitted models Logistic regression in

1.09k views • 47 slides
Federated Wikis Andreas kre Solberg andreas@uninett.no Wikis in the beginning ...in the

Federated Wikis Andreas kre Solberg andreas@uninett.no Wikis in the beginning ...in the

Federated Wikis Andreas kre Solberg andreas@uninett.no Wikis in the beginning ...in the beginning wikis were wide open. Great ! - But then the spammers arrived. Password protected wikis Create yet another account , with yet another

764 views • 21 slides
New Features of Credit Default Swaps Chris Lamoureux March 25, 2013 Chris Lamoureux New

New Features of Credit Default Swaps Chris Lamoureux March 25, 2013 Chris Lamoureux New

Brief History Post-Crisis Standardization Credit Indices New Features of Credit Default Swaps Chris Lamoureux March 25, 2013 Chris Lamoureux New Features of Credit Default Swaps Brief History Post-Crisis Standardization Credit Indices

390 views • 20 slides
C AN YOUR S ERVICE S URVIVE ? C AN YOUR S ERVICE S URVIVE ? C AN YOUR S ERVICE S URVIVE ?

C AN YOUR S ERVICE S URVIVE ? C AN YOUR S ERVICE S URVIVE ? C AN YOUR S ERVICE S URVIVE ?

A MAZON S3: A RCHITECTING FOR R ESILIENCY IN THE F ACE OF R ESILIENCY IN THE F ACE OF F AILURES Jason McHugh C AN YOUR S ERVICE S URVIVE ? C AN YOUR S ERVICE S URVIVE ? C AN YOUR S ERVICE S URVIVE ? Datacenter loss of connectivity Flood

502 views • 39 slides

More recommend