Towards Security Limits in Side-Channel Attacks
|
|
- Derek Briggs
- 6 years ago
- Views:
Transcription
1 Towards Securty Lmts n Sde-Channel Attacks (Wth an Applcaton to Block Cphers) F.-X. Standaert, E. Peeters, C. Archambeau, and J.-J. Qusquater UCL Crypto Group, Place du Levant 3, B-348 Louvan-la-Neuve, Belgum {fstandae, peeters, archambeau, qusquater}@dce.ucl.ac.be Abstract. In ths paper, we consder a recently ntroduced framework that nvestgates physcally observable mplementatons from a theoretcal pont of vew. The model allows quantfyng the effect of practcally relevant leakage functons wth a combnaton of securty and nformaton theoretc metrcs. More specfcally, we apply our evaluaton methodology to an exemplary block cpher. We frst consder a Hammng weght leakage functon and evaluate the effcency of two commonly nvestgated countermeasures, namely nose addton and maskng. Then, we show that the proposed methodology allows capturng certan non-trval ntutons, e.g. about the respectve effectveness of these countermeasures. Fnally, we justfy the need of combned metrcs for the evaluaton, comparson and understandng of sde-channel attacks. Introducton In [4], a formal practce-orented model for the analyss of cryptographc prmtves aganst sde-channel attacks was ntroduced as a specalzaton of Mcal and Reyzn s physcally observable cryptography paradgm [8]. The model s based on an theoretcal framework n whch the effect of practcally relevant leakage functons s evaluated wth a combnaton of securty and nformaton theoretc measurements. A central objectve of the model was to provde a far evaluaton methodology for sde-channel attacks. Ths objectve s motvated by the fact that sde-channel attacks may take advantage of dfferent statstcal tools (e.g. dfference of means [5], correlaton [2], Bayesan classfcaton [], stochastc models [3]) and are therefore not straghtforward to compare. Addtonally to the comparsons of sde-channel attacks, a more theoretcal goal was the understandng of the underlyng mechansms of physcally observable cryptography. Specfcally, [4] suggests to combne the average success rate of a (well specfed) adversary wth some nformaton theoretc metrcs n order to capture the ntuton summarzed n Fgure. Namely, an nformaton theoretc metrc should measure the average amount of nformaton that s avalable n some physcal observatons whle a securty metrc measures how effcently an actual adversary can turn ths nformaton nto a successful key recovery. Franços-Xaver Standaert s a post doctoral researcher funded by the FNRS (Funds for Natonal Scentfc Research, Belgum). L. Goubn and M. Matsu (Eds.): CHES 26, LNCS 4249, pp. 3 45, 26. c Internatonal Assocaton for Cryptologc Research 26
2 Towards Securty Lmts n Sde-Channel Attacks 3 securty metrc strong mplementaton good leakage model and enough queres (lttle nformaton avalable, turned nto a successful attack) nsecure mplementaton (some nformaton avalable, turned nto a successful attack) secure mplementaton (lttle nformaton avalable, not exploted by the adversary) weak mplementaton bad leakage model or not enough queres (some nformaton s avalable, not well exploted by the adversary) nformaton theoretc metrc Fg.. Summary of sde-channel evaluaton crtera In ths paper, we consequently study the relevance of the suggested methodology, by the analyss of a practcal case. For ths purpose, we nvestgate an exemplary block cpher and consder a Hammng weght leakage functon n dfferent attack scenaros. Frst, we consder an unprotected mplementaton and evaluate the nformaton leakages resultng from varous number of Hammng weght queres. We dscuss how actual block cpher components compare to random oracles wth respect to sde-channel leakages. Then, we evaluate the securty of two commonly admtted countermeasures aganst sde-channel attacks,.e. nose addton and maskng. Through these experments, we show that the proposed evaluaton crtera allows capturng certan non-trval ntutons about the respectve effectveness of these countermeasures. Fnally, we provde some expermental valdatons of our analyss and dscuss the advantages of our combnaton of metrcs wth respect to other evaluaton technques. Importantly, n our theoretcal framework, sde-channel analyss can be vewed as a classfcaton problem. Our results consequently tend to estmate the securty lmts of sde-channel adversares wth two respects. Frst, because of our nformaton theoretc approach, we am to evaluate precsely the average amount of nformaton that s avalable n some physcal observatons. Second, because we consder (one of) the most effcent classfcaton test(s), namely Bayesan classfcaton, t s expected that the computed success rates also correspond to the best possble adversaral strategy. However, we menton that the best evaluaton and comparson metrcs to use n the context of sde-channel attacks are stll under dscusson. Our results ntend to show that both are useful, but other smlar metrcs should stll be nvestgated and compared. 2 Model Specfcatons In general, the model of computaton we consder n ths paper s the one ntally presented n [8] wth the specalzatons ntroduced n [4]. In ths secton,
3 32 F.-X. Standaert et al. we frst descrbe our target block cpher mplementaton. Then, we specfy the leakage functon, the adversaral context and adversaral strategy that we consder n ths work. Fnally, we provde the defntons of our securty and nformaton theoretc metrcs for the evaluaton of the attacks n the next sectons. Both the adversaral classfcatons and the metrcs were ntroduced and detaled n [4]. 2. Target Implementaton Our target block cpher mplementaton s represented n Fgure 2. For convenence, we only represent the combnaton of a btwse key addton and a layer of substtuton boxes. We make a dstncton between a sngle block and a multple block mplementaton. Ths dfference refers to the way the key guess s performed by the adversary. In a sngle block mplementaton (e.g. typcally, an 8-bt processor), the adversary s able to guess (and therefore explot) all the bts n the mplementaton. In a multple block mplementaton (e.g. typcally, a hardware mplementaton wth data processed n parallel), the adversary s only able to guess the bts at the output of one block of the target desgn. That s, the other blocks are producng what s frequently referred to as algorthmc nose. P n X S Y P n X S S S S Y 2-nput functon 2-nput functon Fg. 2. Sngle block and multple block cpher mplementaton 2.2 Leakage Functon Our results consder the example of a Hammng weght leakage functon. Specfcally, we assume a sde-channel adversary that s provded wth the (possbly nosy) Hammng weght leakages of the S-boxes outputs n Fgure 2,.e. W H (Y ). Wth respect to the classfcaton ntroduced n [4], perfect Hammng weghts correspond to non-profled leakage functons whle nosy Hammng weghts relate to the context of devce profled (stochastc) leakage functons. In the latter one, the leakage functon ncludes a characterzaton of the nose n the target devce. For ths purpose, we assume a Gaussan nose dstrbuton. We note also that our exemplary leakage functons are unvarate snce they only consder one leakng pont n the mplementatons, namely the S-boxes outputs.
4 Towards Securty Lmts n Sde-Channel Attacks Adversaral Context We consder a non-adaptve known plantext adversary that can perform an arbtrary number of sde-channel queres to the target mplementaton of Fgure 2 but cannot choose ts queres n functon of the prevously observed leakages. 2.4 Adversaral Strategy We consder a sde-channel key recovery adversary wth the followng (hard) strategy: gven some physcal observatons and a resultng classfcaton of key canddates, select the best classfed key only. 2.5 Securty Metrc: of the Adversary The success rate of a sde-channel key recovery attack can be wrtten as follows. Let S and O be two random varables n the dscrete domans S and O, respectvely denotng the target secret sgnals and the sde-channel observatons. Let O S g be an observaton generated by a secret sgnal S g. Let fnally C(L(S),O S g ) be the statstcal tool used by the adversary to compare an actual observaton of a devce wth ts predcton accordng to a leakage functon L. Ths statstcal tool could be a dfference of mean test, a correlaton test, a Bayesan classfcaton, or any other tool, possbly nspred from classcal cryptanalyss. For each observaton O S g, we defne the set of keys selected by the adversary as: M S g = {ŝ ŝ = argmax C[L(S) OS g ]} S Then, we defne the result of the attack wth the ndex matrx: I S g,s = M f S M S g, else. The success rate of the adversary for a secret sgnal S g s estmated as: S R (S g )= E I,S g, () O and the average success rate of the adversary s defned as: S R = E E I,S g (2) O In the followng, we wll only consder a Bayesan classfer,.e. an adversary that selects the keys such that P[S OS g ] s maxmum, snce t corresponds to (one of) the most effcent way(s) to perform a sde-channel key recovery. Fnally, t s nterestng to remark that one can use the complete ndex matrx to buld a confuson matrx C,S = E O I,S. The prevously defned average success rate smply corresponds to the averaged dagonal of ths matrx. In our followng examples, L s the Hammng weght functon.
5 34 F.-X. Standaert et al. 2.6 Informaton Theoretc Metrc: Condtonal Entropy In addton to the average success rate, [4] suggests the use of an nformaton theoretc metrc to evaluate the nformaton contaned n sde-channel observatons. We note (agan) that dfferent proposals could be used for such evaluaton purposes and ther comparson s a scope for further research. In the present paper, we selected the classcal noton of Shannon condtonal entropy and nvestgate how one can take advantage of the approach to understand and evaluate sde-channel attacks. Let P[S OS g ] be the probablty vector of the dfferent key canddates S gvenanobservatonos g generated by a correct key S g. Smlarly to the confuson matrx of the prevous secton, we defne a probablty matrx: P,S = E O P[S OS g ] and an entropy matrx H,S = E O log 2 P[S OS g ]. Then, we defne the average probablty of the correct key as: And the condtonal entropy: P[S g O ]=E P,S g (3) H[S g O ]=E H,S g (4) We note that ths defnton s equvalent to Shannon condtonal entropy 2.We smply used the prevous notaton because t s convenent to compute the probablty (or entropy) matrces. For example, t allows to detect a good leakage functon,.e. a leakage functon such that max S H,S = H,S g.inthefollowng, the leakages wll be quantfed as condtonal entropy reductons that corresponds to the mutual nformaton I[S g ; O ]=H[S g ] H[S g O ]. It s mportant to observe that the average success rate fundamentally descrbes an adversary. In general, t has to be computed for dfferent number of queres n order to evaluate how much observatons are requred to perform a successful attack. By contrast, the nformaton theoretc measurement says nothng about the actual securty of an mplementaton but characterzes the leakage functon, ndependently of the number of queres. 3 Investgaton of Sngle Leakages In ths secton, we analyze a stuaton where an adversary s provded wth the observaton of one sngle Hammng weght leakage. Frst, we evaluate sngle block mplementatons. Then, we dscuss multple block mplementatons and key guesses. Fnally, we evaluate the effect of nose addton n ths context. 2 Snce: H[S g O]= E O E H[S g O ] = O P[O ] S g P[S g O ] log 2 (P[S g O ]) = O P[O ] P[O S g] P[S g] S g log P[O ] 2 (P[S g O ]) = O S g P[O S g] P[S g] log 2 (P[S g O ]) = S g O P[O S g] P[S g] log 2 (P[S g O ]) = S g P[S g] O P[O S g] log 2 (P[S g O ]) = E H,
6 3. Sngle Block Implementatons Towards Securty Lmts n Sde-Channel Attacks 35 Let us assume the followng stuaton: we have an n-bt secret key S g and an adversary s provded wth the leakage correspondng to a computaton Y = f(s g,p )=S(P S g ). That s, t obtans an observaton OS g = W H (Y )and we assume a sngle block mplementaton as the one n the left part of Fgure 2. Therefore, the adversary can potentally observe the n + Hammng weghts of Y. Snce the Hammng weghts of a random value are dstrbuted as bnomals, one can easly evaluate the average success rate of the adversary as: S R = E E I,S g = O ( n n ) h 2 n ( n ) = n + h 2 n (5) h= Ths equaton means that on average, obtanng the Hammng weght of a secret n-bt value ncreases the success rate of a key-recovery adversary from 2 to n+ n 2. n Smlar evaluatons wll be performed for the condtonal entropy n Secton Multple Blocks and Key Guesses Let us now assume a stuaton smlar to the prevous one, but the adversary tres to target a multple block mplementaton. Therefore, t s provded wth the Hammng weght of an n-bt secret value of whch t can only guess b bts, typcally correspondng to one block of the mplementaton. Such a key guess stuaton can be analyzed by consderng the un-exploted bts as a source of algorthmc nose approxmated wth a Gaussan dstrbuton. Ths wll be done n the next secton. The qualty of ths estmaton wll then be demonstrated n Secton 5, by relaxng the Gaussan estmaton. 3.3 Nose Addton Nose s a central ssue n sde-channel attacks and more generally n any sgnal processng applcaton. In our specfc context, varous types of nose are usually consdered, ncludng physcal nose (.e. produced by the envronment), measurement nose (.e. caused by the samplng process and tools), model matchng nose (.e. meanng that the leakage functon used to attack does possbly not perfectly ft to real observatons) or algorthmc nose (.e. produced by the untargeted values n an mplementaton). All these dsturbances smlarly affect the effcency of a sde-channel attack and ther consequence s that the nformaton delvered by a sngle leakage pont s reduced. For ths reason, a usually accepted method to evaluate the effect of nose s to assume that there s an addtve effect between all the nose sources and ther overall effect can be quantfed by a Gaussan dstrbuton. We note that ths assumpton may not be perfectly verfed n practce and that better nose models may allow to mprove the effcency of sde-channel attacks. However, ths assumpton s reasonable n a number of contexts and partcularly convenent for a frst nvestgaton.
7 36 F.-X. Standaert et al. In our experments, we wll consequently assume that the leakage functon s affected by some Gaussan nose such that the physcal observatons are represented by a varable: OS g = W H (Y )+N(,σ 2 ). It s then possble to estmate the average success rate of the adversary and the condtonal entropy as follows: ( n n ) + h S R = E E I,S g = O 2 n P[O h] I,S g do, (6) H[S g O ]=E H,S g = h= ( n n ) h 2 n h= + P[O h] log 2 (P[S g O ]) do, (7) (o h) 2 exp where P[O = o W H (Y )=h] = σ 2σ 2 and the a posteror probablty P[S g O ] can be computed thanks to Bayes s formula: P[S g O ] = 2π P[O S g] P[S g] P[O ],wthp[o sg ]= S P[O S g S] P[S]. As an llustraton, the average success rate and the mutual nformaton are represented n Fgure 3 for an 8-bt value, n functon of the observaton sgnal-to-nose rato (SNR= log ( ε2 σ ), 2 where ε and σ respectvely denote the standard devaton of the sgnal and the nose emanated from the mplementaton) / Mutual Informaton [bt] 2.5. / SNR= log (ε 2 /σ 2 ) SNR= log (ε 2 /σ 2 ) Fg. 3. Average success rate and mutual nformaton n functon of the SNR Note that the average success rate starts at 9/256,.e. the nose-free value computed wth Equaton (5) and tends to /256 whch bascally means that very lttle nformaton can be retreved from the leakage. The fgures also shows the correlaton between the nformaton avalable and the resultng success rate. 4 Investgaton of Multple Leakages In the prevous secton, we analyzed a stuaton n whch an adversary performs one sngle query to a leakng mplementaton and evaluated the resultng average success rate and mutual nformaton. However, lookng at Fgure 3, t s clear that such a context nvolves lmted success rates, even n case of hgh SNRs. As
8 Towards Securty Lmts n Sde-Channel Attacks 37 a matter of fact, actual adversares would not only perform one sngle query to the target devce but multple ones, n order to ncrease ther success rates. Ths secton consequently studes the problem of multple leakages. For ths purpose, let us consder the followng stuaton: we have an n-bt secret key S g and an adversary s provded wth the leakages correspondng to two computatons Y = f(s g,p )andy 2 = f(s g,p 2 ). That s, t obtans W H (Y ) and W H (Y 2 ) and we would lke to evaluate the average predctablty of S g. The consequence of such an experment (llustrated n Fgure 4) s that the key Y f ( P, Y ) Y Y 2 f 2 2 ( P, Y ) 2 Fg. 4. Multple pont leakages wll be contaned n the ntersecton of two sets of canddates obtaned by nvertng the 2-nput functons Y = f(s g,p )andy 2 = f(s g,p 2 ). The am of our analyss s therefore to determne how the keys wthn ths ntersecton are dstrbuted. Importantly, and contrary to the sngle query context, ths analyss requres to characterze the cryptographc functons used n the target mplementaton, snce they wll determne how the ntersecton between the sets of canddates behaves. Therefore, we wll consder two possble models for these functons. 4. Assumng Random S-Boxes A frst (approxmated) soluton s to consder the functons f (P,Y )tobehave randomly. As a consequence, each observed Hammng weght leakage h = W H (Y ) wll gve rse to a unform lst of canddates for the key S g of sze n = ( ) n h, wthout any partcular dependences between these sets but the key. Let us denote the sze of the set contanng S g after the observaton of q leakages respectvely gvng rse to these unform lsts of n canddates by a random varable I q (n,n 2,...,n q ). From the probablty densty functon of I q (gven n appendx A), t s straghtforward to extend the sngle leakage analyss of Secton 3. to multple leakages. The average success rate can be expressed as: S R = n n... h = h 2= n h q= ( n h ) 2 n ( n h2 ) 2 n... ( n hq ) 2 n P[I q = ] (8)
9 38 F.-X. Standaert et al. 4.2 Usng Real Block Cpher Components In order to valdate the prevous theoretcal predctons of the average success rate, we performed the experments llustrated n Fgure 5. In the frst (upper) experment, we generated a number of plantexts, observed the outputs of the functon f =S(P S g ) through ts Hammng weghts W H (Y ), derved lsts of n canddates for Y correspondng to these Hammng weghts and went through the nverted functon f (P,Y ) to obtan lsts of key canddates. In the second (lower) experment, a smlar procedure s appled but the n key canddates were selected from random lsts (ncludng the correct key). As a matter of fact, the frst experment corresponds to a sde-channel attack aganst a real block cpher (we used the AES Rjndael S-box) whle the second experment emulates the prevous random S-box estmaton. We generated a large number (namely P P f Y WH(Y ) [Y,Y2,,Yn ] [S,S2,,Sn] f - [Kg KR,KR2,KR3,,KRN] R Y WH(Y ) n [ SR,SR2, SRn- ] Fg. 5. Multple leakages experments: real S-boxes and random S-boxes smulaton ) of observatons and, for these generated observatons, derved the expermental average success rate n the two prevous contexts. Addtonally, we compared these experments wth the theoretcal predctons of the prevous secton. The results of our analyss are pctured n Fgure 6, where we can observe that the real S-box gves rse to lower success rates (.e. to less nformaton) than a random functon. The reason of ths phenomenon s that actual S-boxes random S boxes theoretcal predctons zoom.84 real S boxes Number of Leakages Obtaned Number of Leakages Obtaned Fg. 6. Multple leakages expermental results
10 Towards Securty Lmts n Sde-Channel Attacks 39 gve rse to correlated lsts of key canddates and therefore to less ndependence between consecutve observatons, as already suggested n [2, ]. These experments suggestthat even f not perfectly correct, the assumpton that block cpher components are reasonably approxmated by random functons wth respect to sde-channel attacks s acceptable. We note that ths assumpton s better verfed for large bt szes snce large S-boxes better approxmate the behavor of a random functon than small ones. 5 Investgaton of Masked Implementatons The prevous sectons llustrated the evaluaton of smple sde-channel attacks based on a Hammng weght leakage functon thanks to the average success rate and mutual nformaton. However, due to the smplcty of the nvestgated contexts, these notons appeared to be closely correlated. Therefore t was not clear how one could need both crtera for our evaluaton purposes. In ths secton, we consequently study a more complex case, namely masked mplementatons and hgher-order sde-channel attacks. Ths example s of partcular nterest snce t allows us to emphasze the mportance of a combnaton of securty and nformaton theoretc metrcs for the physcal securty evaluaton process of an mplementaton. As a result of our analyss, we provde (non-trval) observatons about the respectve effectveness of maskng and algorthmc nose addton that can be easly turned nto desgn crtera for actual countermeasures. P S Y = S(P ) Q R S Q Fg. 7. st order boolean maskng The maskng technque (e.g. [4]) s one of the most popular ways to prevent block cpher mplementatons from Dfferental Power Analyss. However, recent results suggested that t s not as secure as ntally thought. Orgnally proposed by Messerges [7], second and hgher-order power analyss attacks can be successfully mplemented aganst varous knds of desgns and may not requre more hypotheses than a standard DPA [9]. In [2], an analyss of hgher-order maskng schemes s performed wth respect to the correlaton coeffcent. In the followng, we ntend to extend ths analyss to the (more powerful but less flexble) case of a Bayesan adversary, as ntroduced n []. For the purposes of our analyss, we wll use the masked mplementaton llustrated n Fgure 7 n whch the plantext P s ntally XORed wth a random
11 4 F.-X. Standaert et al. mask R. We use two S-boxes S and S such that: S(P R S g )=S(P S g ) Q, wth Q =S (P R S g,r ). Accordng to the notatons ntroduced n [], t s partcularly convenent to ntroduce the secret state of the mplementaton as Σ g = S(P S g ) and assume an adversary that obtans (possbly nosy) observatons: OΣ g = W H [Σ g Q ]+W H [Q ]+N(,σ 2 ). Smlarly to a frstorder sde-channel attack, the objectve of an adversary s then to determne the secret state Σ g (t drectly yelds the secret key S g ). Because of the maskng, Σ g s not drectly observable through sde-channel measurements but ts assocated PDFs do, snce these PDFs only depend on the Hammng weght of the secret state W H (Σ g ). As an llustraton, we provde the dfferent dscrete PDFs (over the random mask values) for a 4-bt masked desgn n Fgure 8, n functon of the secret state Σ g. We also depct the shapes of the dscrete PDFs correspondng to an unmasked secret state affected by four bts of algorthmc nose (.e. we add 4 random bts to the 4-bt target and the PDF s computed over these random bts). Smlar dstrbutons can be obtaned for any bt sze. In general, knowng the probablty dstrbutons of the secret state, the average success rate and condtonal entropy can be straghtforwardly derved: 6/6 6/6 6/6 6/6 4/6 /6 4/6 /6 2/6 2/6 4/6 8/6 4/6 8/6 8/ WH(S(P S g ))= (a) 4-bt masked value 6/6 4/6 4/6 6/6 4/6 4/6 6/6 4/6 4/6 6/6 4/6 4/6 6/6 4/6 4/6 /6 /6 /6 /6 /6 /6 /6 /6 /6 / W H (S(P S g ))= (b) 4-bt value and 4 nosy bts Fg. 8. Exemplary dscrete leakage PDFs S R = E Σg ( n n ) + h E I Σg,Σ g = OΣg 2 n P[O Σg h] I Σg,Σ g do, h= (9) H[S g O ]= E Σg ( n n ) + h H Σg,Σ g = 2 n P[O Σg h] log 2 (P[Σ g O Σg ]) do, h= () where P[O Σg = o W H (Σ g )=h] can be computed as n Secton 3.3, assumng that the O Σg are dstrbuted as a mxture of Gaussans. In the followng, we llustrate these metrcs n dfferent contexts. Frst, we consder 2 nd and 3 rd order maskng schemes for 8-bt S-boxes. Then, we consder unmasked mplementatons where 8 (resp. 6) random bts of algorthmc nose are added to the secret sgnal S g, correspondng to the 2 nd (resp. 3 rd )ordermaskbts.
12 Towards Securty Lmts n Sde-Channel Attacks Mutual Informaton [bt] bt value and 8 nosy bts 8 bt value 8 masked bts and one 8 bt mask Mutual Informaton [bt] bt value and 6 nosy bts 8 bt value 8 masked bts and two 8 bt masks SNR= log (ε 2 /σ 2 ) (a) 2 nd order maskng SNR= log (ε 2 /σ 2 ) (b) 3 rd order maskng Fg. 9. Mutual nformaton of 2 nd,3 rd order maskng and equvalent algorthmc nose The frst (and somewhat surprsng) concluson of our experments appears n Fgure 9. Namely, lookng at the mutual nformaton for hgh SNRs, the use of a n-bt mask s less resstant (.e. leads to lower leakages) than the addton of n random bts to the mplementaton. Fortunately, beyond a certan amount of nose the maskng appears to be a more effcent protecton. The reason of ths behavor appears clearly when observng the evoluton of the PDFs assocated to each secret state n functon of the SNR, pctured n Appendx B, Fgures 3 and 4. Clearly, the PDFs of the masked mplementaton are very dfferent wth small nose values (e.g. n Fgure 3.a, the probablty that an observaton belong to both PDFs s very small) but becomes almost dentcal when the nose ncreases, snce they are all dentcally centered (e.g. n Fgure 3.b). Conversely, the means of each PDF n the unmasked mplementatons stay dfferent whatever the nose level (e.g. n Fgure 4.b). Therefore the Bayesan classfcaton s easer than n the masked case when nose ncreases. These observatons confrm the usually accepted fact that effcent protectons aganst sde-channel attacks requre to combne dfferent countermeasures. A practcally mportant consequence of our results s the possblty to derve the exact desgn crtera (e.g. the requred amount of nose) to obtan an effcent maskng. It s also nterestng to observe that Fgure 9 confrms that algorthmc nose s ncely modeled by Gaussans. Indeed, e.g. for the 2 nd order case, the mutual nformaton of an 8-bt value wth 8 nosy bts for hgh SNRs exactly corresponds to the one of an unprotected 8-bt value wth SRN=. The second nterestng concluson s that the average success rate after one query (pctured n Fgure ) does not follow an dentcal trend. Namely, the masked mplementatons and ther equvalent nosy counterparts do not cross over at the same SRN. Ths stuaton typcally corresponds to the ntutve category of weak mplementatons n Fgure. That s, some nformaton s avalable but the number of queres s too low to turn t nto a successful attack. If our nformaton theoretc measurement s meanngful, hgher number of queres should therefore confrm the ntuton n Fgure 9.
13 42 F.-X. Standaert et al bt value and 8 nosy bts 8 bt value 8 masked bts and one 8 bt mask bt value 8 bt value and 6 nosy bts 8 masked bts and two 8 bt masks SNR= log (ε 2 /σ 2 ) (a) 2 nd order maskng SNR= log (ε 2 /σ 2 ) (b) 3 rd order maskng Fg.. Avg. success rate of 2 nd,3 rd order maskng and equvalent algorthmc nose Success rates wth hgher number of queres for a 3 rd order maskng scheme (and nosy equvalent) were smulated n Fgures, 2. In Fgure, a very hgh SNR=2 s consdered. As a consequence, we observe that the masks brng much less protecton than ther equvalent n random bts, although the ntal value (for one sngle query) suggests the opposte. Fgure 2 performs smlar experments for two SNRs that are just next to the crossng pont. It llustrates the same ntuton that the effcency of the key recovery when ncreasng the number of queres s actually dependent on the nformaton content n the observatons. Importantly, these experments llustrate a typcal context where the combnaton of securty and nformaton theoretc metrcs s meanngful. Whle the average success rate s the only possble metrc for the comparson of dfferent sde-channel attacks (snce t could be evaluated for dfferent statstcal tools), the nformaton theoretc metrc allows to nfer the behavor of an attack when ncreasng the number of queres. As an llustraton, the correlaton-based analyss performed n [2] only relates to one partcular (sub-optmal) statstcal tool and was not able to lead to the observatons llustrated n Fgure masked bts and two 8 bt masks 8 bt value and 6 nosy bts masked bts and two 8 bt masks 8 bt value and 6 nosy bts.2.. Zoom Number of Leakages Obtaned (a) Comparson Number of Leakages Obtaned (b) Zoom Fg.. Avg. success rate of an 8-bt 3 rd order maskng scheme wth nosy counterpart
14 Towards Securty Lmts n Sde-Channel Attacks bt value and 6 nosy bts 8 masked bts.9 and two 8 bt masks masked bts and two 8 bt masks bt value and 6 nosy bts Number of Leakages Obtaned (a) SNR= Number of Leakages Obtaned (b) SNR= Fg. 2. Avg. success rate of an 8-bt 3 rd order maskng scheme wth nosy counterpart 6 Concludng Remarks Ths paper dscusses the relevance of a recently ntroduced theoretcal framework for the analyss of cryptographc mplementatons aganst sde-channel attacks. By the nvestgaton of a number of mplementaton contexts, we llustrate the nterest of a combnaton of securty and nformaton theoretc metrcs for the evaluaton, comparson and understandng of sde-channel attacks. Specfcally, n a well defned adversaral context and strategy, the average success rate would allow the comparson of dfferent usually consdered sde-channel attacks (e.g. DPA, correlaton analyss, template attacks). By contrast, ndependently of the statstcal tools used by the adversary, an nformaton theoretc metrc provdes theoretcal nsghts about the behavor and effects of a partcular leakage functon that can possbly be turned nto practcal desgn crtera. References. S. Char, J.R. Rao, P. Rohatg, Template Attacks, CHES 22, LNCS, vol. 965, pp E. Brer, C. Claver, F. Olver, Correlaton Power Analyss wth a Leakage Model, CHES 24, LNCS, vol 356, pp J.-S. Coron, P. Kocher, D. Naccache, Statstcs and Secret Leakage, Fnancal Crypto 2, LNCS, vol. 972, pp L. Goubn, J. Patarn, DES and Dfferental Power Analyss, CHES 999, LNCS, vol. 77, pp P. Kocher, J. Jaffe, B. Jun, Dfferental Power Analyss, CRYPTO 999, LNCS, vol. 666, pp S. Mangard, Hardware Countermeasures aganst DPA - a Statstcal Analyss of ther Effectveness, CT-RSA 24, LNCS, vol. 2964, pp T.S. Messerges, Usng Second-Order Power Analyss to Attack DPA Resstant Software., CHES 2, LNCS, vol. 2523, pp S. Mcal, L. Reyzn, Physcally Observable Cryptography (extended abstract)., TCC 24, LNCS, vol. 295, pp
15 44 F.-X. Standaert et al. 9. E. Oswald, S. Mangard, C. Herbst, S. Tllch, Practcal Second-Order DPA Attacks for Masked Smart Card Implementatons of Block Cphers., CT-RSA 26, LNCS, vol. 386, pp E. Peeters, F.-X. Standaert, N. Donckers, J.-J. Qusquater, Improved Hgher-Order Sde-Channel Attacks wth FPGA Experments, CHES 25, LNCS, vol. 3659, pp E. Prouff, DPA Attacks and S-Boxes, FSE 25, LNCS, vol. 3557, pp K. Schramm, C. Paar, Hgher Order Maskng of the AES, CT-RSA 26, LNCS, vol. 386, W. Schndler, K. Lemke, C. Paar, A Stochastc Model for Dfferental Sde-Channel Cryptanalyss, CHES 25, LNCS, vol 3659, pp F.-X. Standaert, T.G. Malkn, M. Yung, A Formal Practce-Orented Model For The Analyss of Sde-Channel Attacks, Cryptology eprnt Archve, Report 26/39, 26, A Probablty Densty Functon of the Varable I q We take an teratve approach and frst consder the ntersecton after two leakages. Assumng that the leakages respectvely gve rse to unform lsts of n and n 2 canddates and the the key space has sze N =2 n, t yelds P[I 2 = n,n 2 ]= ( ) ) n N n ( n 2 ( N n 2 ), where the bnomals are taken among sets of N possble elements snce there s one fxed key that s not chosen unformly. Then, assumng the knowledge of the dstrbuton of I q (n,n 2,..., n q ) and an addtonal leakage that gves rse to a unform lst of n new canddates, we can derve the dstrbuton of I q+ as follows: P[I q+ = j I q,n new ]= P[I q+ = j I q =, n new ] P[I q = ], wth: P[I q+ = j I q =, n new ]= ( ) ( ) j N nnew j ( ) N. nnew B Addtonal Fgures 2.8 W H (Σ)=..9 W H (Σ)= W H (Σ)=.6 W H (Σ)= P[O Σ] P[O Σ] Observaton: O (a) SNR= Observaton: O (b) SNR= 6 Fg. 3. Leakages PDFs n functon of the nose: masked mplementaton
16 Towards Securty Lmts n Sde-Channel Attacks W H (Σ)= W H (Σ)=.8.7 W H (Σ)= W H (Σ)=.2.6 P[O Σ] P[O Σ] Observaton: O Observaton: O (a) SNR= (b) SNR= 6 Fg. 4. Leakages PDFs n functon of the nose: unmasked mplementaton
Module 3 LOSSY IMAGE COMPRESSION SYSTEMS. Version 2 ECE IIT, Kharagpur
Module 3 LOSSY IMAGE COMPRESSION SYSTEMS Verson ECE IIT, Kharagpur Lesson 6 Theory of Quantzaton Verson ECE IIT, Kharagpur Instructonal Objectves At the end of ths lesson, the students should be able to:
More informationEcon107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)
I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes
More information2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification
E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton
More informationSimulated Power of the Discrete Cramér-von Mises Goodness-of-Fit Tests
Smulated of the Cramér-von Mses Goodness-of-Ft Tests Steele, M., Chaselng, J. and 3 Hurst, C. School of Mathematcal and Physcal Scences, James Cook Unversty, Australan School of Envronmental Studes, Grffth
More informationPsychology 282 Lecture #24 Outline Regression Diagnostics: Outliers
Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.
More informationComposite Hypotheses testing
Composte ypotheses testng In many hypothess testng problems there are many possble dstrbutons that can occur under each of the hypotheses. The output of the source s a set of parameters (ponts n a parameter
More informationA Robust Method for Calculating the Correlation Coefficient
A Robust Method for Calculatng the Correlaton Coeffcent E.B. Nven and C. V. Deutsch Relatonshps between prmary and secondary data are frequently quantfed usng the correlaton coeffcent; however, the tradtonal
More informationLecture 12: Classification
Lecture : Classfcaton g Dscrmnant functons g The optmal Bayes classfer g Quadratc classfers g Eucldean and Mahalanobs metrcs g K Nearest Neghbor Classfers Intellgent Sensor Systems Rcardo Guterrez-Osuna
More informationBayesian predictive Configural Frequency Analysis
Psychologcal Test and Assessment Modelng, Volume 54, 2012 (3), 285-292 Bayesan predctve Confgural Frequency Analyss Eduardo Gutérrez-Peña 1 Abstract Confgural Frequency Analyss s a method for cell-wse
More informationThe Gaussian classifier. Nuno Vasconcelos ECE Department, UCSD
he Gaussan classfer Nuno Vasconcelos ECE Department, UCSD Bayesan decson theory recall that we have state of the world X observatons g decson functon L[g,y] loss of predctng y wth g Bayes decson rule s
More informationIntroduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:
CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and
More informationComparison of Regression Lines
STATGRAPHICS Rev. 9/13/2013 Comparson of Regresson Lnes Summary... 1 Data Input... 3 Analyss Summary... 4 Plot of Ftted Model... 6 Condtonal Sums of Squares... 6 Analyss Optons... 7 Forecasts... 8 Confdence
More information/ n ) are compared. The logic is: if the two
STAT C141, Sprng 2005 Lecture 13 Two sample tests One sample tests: examples of goodness of ft tests, where we are testng whether our data supports predctons. Two sample tests: called as tests of ndependence
More informationKernel Methods and SVMs Extension
Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general
More informationChapter 11: Simple Linear Regression and Correlation
Chapter 11: Smple Lnear Regresson and Correlaton 11-1 Emprcal Models 11-2 Smple Lnear Regresson 11-3 Propertes of the Least Squares Estmators 11-4 Hypothess Test n Smple Lnear Regresson 11-4.1 Use of t-tests
More informationLinear Approximation with Regularization and Moving Least Squares
Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...
More information3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X
Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number
More informationAppendix B: Resampling Algorithms
407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles
More informationANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)
Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of
More informationMarkov Chain Monte Carlo Lecture 6
where (x 1,..., x N ) X N, N s called the populaton sze, f(x) f (x) for at least one {1, 2,..., N}, and those dfferent from f(x) are called the tral dstrbutons n terms of mportance samplng. Dfferent ways
More informationNegative Binomial Regression
STATGRAPHICS Rev. 9/16/2013 Negatve Bnomal Regresson Summary... 1 Data Input... 3 Statstcal Model... 3 Analyss Summary... 4 Analyss Optons... 7 Plot of Ftted Model... 8 Observed Versus Predcted... 10 Predctons...
More informationNotes on Frequency Estimation in Data Streams
Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to
More informationTime-Varying Systems and Computations Lecture 6
Tme-Varyng Systems and Computatons Lecture 6 Klaus Depold 14. Januar 2014 The Kalman Flter The Kalman estmaton flter attempts to estmate the actual state of an unknown dscrete dynamcal system, gven nosy
More informationLecture Notes on Linear Regression
Lecture Notes on Lnear Regresson Feng L fl@sdueducn Shandong Unversty, Chna Lnear Regresson Problem In regresson problem, we am at predct a contnuous target value gven an nput feature vector We assume
More informationGlobal Sensitivity. Tuesday 20 th February, 2018
Global Senstvty Tuesday 2 th February, 28 ) Local Senstvty Most senstvty analyses [] are based on local estmates of senstvty, typcally by expandng the response n a Taylor seres about some specfc values
More informationChapter 13: Multiple Regression
Chapter 13: Multple Regresson 13.1 Developng the multple-regresson Model The general model can be descrbed as: It smplfes for two ndependent varables: The sample ft parameter b 0, b 1, and b are used to
More information4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA
4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected
More informationJoint Statistical Meetings - Biopharmaceutical Section
Iteratve Ch-Square Test for Equvalence of Multple Treatment Groups Te-Hua Ng*, U.S. Food and Drug Admnstraton 1401 Rockvlle Pke, #200S, HFM-217, Rockvlle, MD 20852-1448 Key Words: Equvalence Testng; Actve
More informationCSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography
CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve
More informationDepartment of Statistics University of Toronto STA305H1S / 1004 HS Design and Analysis of Experiments Term Test - Winter Solution
Department of Statstcs Unversty of Toronto STA35HS / HS Desgn and Analyss of Experments Term Test - Wnter - Soluton February, Last Name: Frst Name: Student Number: Instructons: Tme: hours. Ads: a non-programmable
More informationThe Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction
ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also
More informationTemperature. Chapter Heat Engine
Chapter 3 Temperature In prevous chapters of these notes we ntroduced the Prncple of Maxmum ntropy as a technque for estmatng probablty dstrbutons consstent wth constrants. In Chapter 9 we dscussed the
More informationChapter 8 Indicator Variables
Chapter 8 Indcator Varables In general, e explanatory varables n any regresson analyss are assumed to be quanttatve n nature. For example, e varables lke temperature, dstance, age etc. are quanttatve n
More informationHomework Assignment 3 Due in class, Thursday October 15
Homework Assgnment 3 Due n class, Thursday October 15 SDS 383C Statstcal Modelng I 1 Rdge regresson and Lasso 1. Get the Prostrate cancer data from http://statweb.stanford.edu/~tbs/elemstatlearn/ datasets/prostate.data.
More informationUsing the estimated penetrances to determine the range of the underlying genetic model in casecontrol
Georgetown Unversty From the SelectedWorks of Mark J Meyer 8 Usng the estmated penetrances to determne the range of the underlyng genetc model n casecontrol desgn Mark J Meyer Neal Jeffres Gang Zheng Avalable
More informationProvable Security Signatures
Provable Securty Sgnatures UCL - Louvan-la-Neuve Wednesday, July 10th, 2002 LIENS-CNRS Ecole normale supéreure Summary Introducton Sgnature FD PSS Forkng Lemma Generc Model Concluson Provable Securty -
More informationLinear Regression Analysis: Terminology and Notation
ECON 35* -- Secton : Basc Concepts of Regresson Analyss (Page ) Lnear Regresson Analyss: Termnology and Notaton Consder the generc verson of the smple (two-varable) lnear regresson model. It s represented
More informationSpeeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem
H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence
More informationGeneralized Linear Methods
Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set
More informationStructure and Drive Paul A. Jensen Copyright July 20, 2003
Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.
More informationUncertainty as the Overlap of Alternate Conditional Distributions
Uncertanty as the Overlap of Alternate Condtonal Dstrbutons Olena Babak and Clayton V. Deutsch Centre for Computatonal Geostatstcs Department of Cvl & Envronmental Engneerng Unversty of Alberta An mportant
More informationSee Book Chapter 11 2 nd Edition (Chapter 10 1 st Edition)
Count Data Models See Book Chapter 11 2 nd Edton (Chapter 10 1 st Edton) Count data consst of non-negatve nteger values Examples: number of drver route changes per week, the number of trp departure changes
More informationj) = 1 (note sigma notation) ii. Continuous random variable (e.g. Normal distribution) 1. density function: f ( x) 0 and f ( x) dx = 1
Random varables Measure of central tendences and varablty (means and varances) Jont densty functons and ndependence Measures of assocaton (covarance and correlaton) Interestng result Condtonal dstrbutons
More informationarxiv:cs.cv/ Jun 2000
Correlaton over Decomposed Sgnals: A Non-Lnear Approach to Fast and Effectve Sequences Comparson Lucano da Fontoura Costa arxv:cs.cv/0006040 28 Jun 2000 Cybernetc Vson Research Group IFSC Unversty of São
More informationComparison of the Population Variance Estimators. of 2-Parameter Exponential Distribution Based on. Multiple Criteria Decision Making Method
Appled Mathematcal Scences, Vol. 7, 0, no. 47, 07-0 HIARI Ltd, www.m-hkar.com Comparson of the Populaton Varance Estmators of -Parameter Exponental Dstrbuton Based on Multple Crtera Decson Makng Method
More informationx = , so that calculated
Stat 4, secton Sngle Factor ANOVA notes by Tm Plachowsk n chapter 8 we conducted hypothess tests n whch we compared a sngle sample s mean or proporton to some hypotheszed value Chapter 9 expanded ths to
More informationSupplementary Notes for Chapter 9 Mixture Thermodynamics
Supplementary Notes for Chapter 9 Mxture Thermodynamcs Key ponts Nne major topcs of Chapter 9 are revewed below: 1. Notaton and operatonal equatons for mxtures 2. PVTN EOSs for mxtures 3. General effects
More informationBoostrapaggregating (Bagging)
Boostrapaggregatng (Baggng) An ensemble meta-algorthm desgned to mprove the stablty and accuracy of machne learnng algorthms Can be used n both regresson and classfcaton Reduces varance and helps to avod
More informationLecture 12: Discrete Laplacian
Lecture 12: Dscrete Laplacan Scrbe: Tanye Lu Our goal s to come up wth a dscrete verson of Laplacan operator for trangulated surfaces, so that we can use t n practce to solve related problems We are mostly
More informationCOMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS
Avalable onlne at http://sck.org J. Math. Comput. Sc. 3 (3), No., 6-3 ISSN: 97-537 COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS
More informationNUMERICAL DIFFERENTIATION
NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the
More informationDr. Shalabh Department of Mathematics and Statistics Indian Institute of Technology Kanpur
Analyss of Varance and Desgn of Exerments-I MODULE III LECTURE - 2 EXPERIMENTAL DESIGN MODELS Dr. Shalabh Deartment of Mathematcs and Statstcs Indan Insttute of Technology Kanur 2 We consder the models
More informationNumerical Heat and Mass Transfer
Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and
More informationCredit Card Pricing and Impact of Adverse Selection
Credt Card Prcng and Impact of Adverse Selecton Bo Huang and Lyn C. Thomas Unversty of Southampton Contents Background Aucton model of credt card solctaton - Errors n probablty of beng Good - Errors n
More informationDifference Equations
Dfference Equatons c Jan Vrbk 1 Bascs Suppose a sequence of numbers, say a 0,a 1,a,a 3,... s defned by a certan general relatonshp between, say, three consecutve values of the sequence, e.g. a + +3a +1
More informationLecture 7: Boltzmann distribution & Thermodynamics of mixing
Prof. Tbbtt Lecture 7 etworks & Gels Lecture 7: Boltzmann dstrbuton & Thermodynamcs of mxng 1 Suggested readng Prof. Mark W. Tbbtt ETH Zürch 13 März 018 Molecular Drvng Forces Dll and Bromberg: Chapters
More informationUnivariate Side Channel Attacks and Leakage Modeling
Unvarate Sde Channel Attacks and Leakage Modelng Extended Verson Julen Doget Emmanuel Prouff Mattheu Rvan Franços-Xaver Standaert Abstract Dfferental power analyss s a powerful cryptanalytc technque that
More informationChapter 5 Multilevel Models
Chapter 5 Multlevel Models 5.1 Cross-sectonal multlevel models 5.1.1 Two-level models 5.1.2 Multple level models 5.1.3 Multple level modelng n other felds 5.2 Longtudnal multlevel models 5.2.1 Two-level
More informationA Bayes Algorithm for the Multitask Pattern Recognition Problem Direct Approach
A Bayes Algorthm for the Multtask Pattern Recognton Problem Drect Approach Edward Puchala Wroclaw Unversty of Technology, Char of Systems and Computer etworks, Wybrzeze Wyspanskego 7, 50-370 Wroclaw, Poland
More informationSTAT 511 FINAL EXAM NAME Spring 2001
STAT 5 FINAL EXAM NAME Sprng Instructons: Ths s a closed book exam. No notes or books are allowed. ou may use a calculator but you are not allowed to store notes or formulas n the calculator. Please wrte
More informationRegularized Discriminant Analysis for Face Recognition
1 Regularzed Dscrmnant Analyss for Face Recognton Itz Pma, Mayer Aladem Department of Electrcal and Computer Engneerng, Ben-Guron Unversty of the Negev P.O.Box 653, Beer-Sheva, 845, Israel. Abstract Ths
More informationChapter 6. Supplemental Text Material
Chapter 6. Supplemental Text Materal S6-. actor Effect Estmates are Least Squares Estmates We have gven heurstc or ntutve explanatons of how the estmates of the factor effects are obtaned n the textboo.
More informationComments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards
Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com
More informationLecture 3: Shannon s Theorem
CSE 533: Error-Correctng Codes (Autumn 006 Lecture 3: Shannon s Theorem October 9, 006 Lecturer: Venkatesan Guruswam Scrbe: Wdad Machmouch 1 Communcaton Model The communcaton model we are usng conssts
More informationLINEAR REGRESSION ANALYSIS. MODULE IX Lecture Multicollinearity
LINEAR REGRESSION ANALYSIS MODULE IX Lecture - 30 Multcollnearty Dr. Shalabh Department of Mathematcs and Statstcs Indan Insttute of Technology Kanpur 2 Remedes for multcollnearty Varous technques have
More informationCryptanalysis of pairing-free certificateless authenticated key agreement protocol
Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen
More informationLecture 10 Support Vector Machines II
Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed
More informationMore metrics on cartesian products
More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of
More informationTransfer Functions. Convenient representation of a linear, dynamic model. A transfer function (TF) relates one input and one output: ( ) system
Transfer Functons Convenent representaton of a lnear, dynamc model. A transfer functon (TF) relates one nput and one output: x t X s y t system Y s The followng termnology s used: x y nput output forcng
More informationLossy Compression. Compromise accuracy of reconstruction for increased compression.
Lossy Compresson Compromse accuracy of reconstructon for ncreased compresson. The reconstructon s usually vsbly ndstngushable from the orgnal mage. Typcally, one can get up to 0:1 compresson wth almost
More informationLecture 3 Stat102, Spring 2007
Lecture 3 Stat0, Sprng 007 Chapter 3. 3.: Introducton to regresson analyss Lnear regresson as a descrptve technque The least-squares equatons Chapter 3.3 Samplng dstrbuton of b 0, b. Contnued n net lecture
More informationEEE 241: Linear Systems
EEE : Lnear Systems Summary #: Backpropagaton BACKPROPAGATION The perceptron rule as well as the Wdrow Hoff learnng were desgned to tran sngle layer networks. They suffer from the same dsadvantage: they
More informationPower law and dimension of the maximum value for belief distribution with the max Deng entropy
Power law and dmenson of the maxmum value for belef dstrbuton wth the max Deng entropy Bngy Kang a, a College of Informaton Engneerng, Northwest A&F Unversty, Yanglng, Shaanx, 712100, Chna. Abstract Deng
More informationUncertainty in measurements of power and energy on power networks
Uncertanty n measurements of power and energy on power networks E. Manov, N. Kolev Department of Measurement and Instrumentaton, Techncal Unversty Sofa, bul. Klment Ohrdsk No8, bl., 000 Sofa, Bulgara Tel./fax:
More informationDiscussion of Extensions of the Gauss-Markov Theorem to the Case of Stochastic Regression Coefficients Ed Stanek
Dscusson of Extensons of the Gauss-arkov Theorem to the Case of Stochastc Regresson Coeffcents Ed Stanek Introducton Pfeffermann (984 dscusses extensons to the Gauss-arkov Theorem n settngs where regresson
More informationConvergence of random processes
DS-GA 12 Lecture notes 6 Fall 216 Convergence of random processes 1 Introducton In these notes we study convergence of dscrete random processes. Ths allows to characterze phenomena such as the law of large
More informationSecond Order Analysis
Second Order Analyss In the prevous classes we looked at a method that determnes the load correspondng to a state of bfurcaton equlbrum of a perfect frame by egenvalye analyss The system was assumed to
More informationLow Complexity Soft-Input Soft-Output Hamming Decoder
Low Complexty Soft-Input Soft-Output Hammng Der Benjamn Müller, Martn Holters, Udo Zölzer Helmut Schmdt Unversty Unversty of the Federal Armed Forces Department of Sgnal Processng and Communcatons Holstenhofweg
More informationTracking with Kalman Filter
Trackng wth Kalman Flter Scott T. Acton Vrgna Image and Vdeo Analyss (VIVA), Charles L. Brown Department of Electrcal and Computer Engneerng Department of Bomedcal Engneerng Unversty of Vrgna, Charlottesvlle,
More informationOpen Systems: Chemical Potential and Partial Molar Quantities Chemical Potential
Open Systems: Chemcal Potental and Partal Molar Quanttes Chemcal Potental For closed systems, we have derved the followng relatonshps: du = TdS pdv dh = TdS + Vdp da = SdT pdv dg = VdP SdT For open systems,
More informationOnline Appendix to: Axiomatization and measurement of Quasi-hyperbolic Discounting
Onlne Appendx to: Axomatzaton and measurement of Quas-hyperbolc Dscountng José Lus Montel Olea Tomasz Strzaleck 1 Sample Selecton As dscussed before our ntal sample conssts of two groups of subjects. Group
More informationInductance Calculation for Conductors of Arbitrary Shape
CRYO/02/028 Aprl 5, 2002 Inductance Calculaton for Conductors of Arbtrary Shape L. Bottura Dstrbuton: Internal Summary In ths note we descrbe a method for the numercal calculaton of nductances among conductors
More informationPop-Click Noise Detection Using Inter-Frame Correlation for Improved Portable Auditory Sensing
Advanced Scence and Technology Letters, pp.164-168 http://dx.do.org/10.14257/astl.2013 Pop-Clc Nose Detecton Usng Inter-Frame Correlaton for Improved Portable Audtory Sensng Dong Yun Lee, Kwang Myung Jeon,
More informationMAXIMUM A POSTERIORI TRANSDUCTION
MAXIMUM A POSTERIORI TRANSDUCTION LI-WEI WANG, JU-FU FENG School of Mathematcal Scences, Peng Unversty, Bejng, 0087, Chna Center for Informaton Scences, Peng Unversty, Bejng, 0087, Chna E-MIAL: {wanglw,
More informationCHAPTER 4 SPEECH ENHANCEMENT USING MULTI-BAND WIENER FILTER. In real environmental conditions the speech signal may be
55 CHAPTER 4 SPEECH ENHANCEMENT USING MULTI-BAND WIENER FILTER 4.1 Introducton In real envronmental condtons the speech sgnal may be supermposed by the envronmental nterference. In general, the spectrum
More informationLearning from Data 1 Naive Bayes
Learnng from Data 1 Nave Bayes Davd Barber dbarber@anc.ed.ac.uk course page : http://anc.ed.ac.uk/ dbarber/lfd1/lfd1.html c Davd Barber 2001, 2002 1 Learnng from Data 1 : c Davd Barber 2001,2002 2 1 Why
More informationComputation of Higher Order Moments from Two Multinomial Overdispersion Likelihood Models
Computaton of Hgher Order Moments from Two Multnomal Overdsperson Lkelhood Models BY J. T. NEWCOMER, N. K. NEERCHAL Department of Mathematcs and Statstcs, Unversty of Maryland, Baltmore County, Baltmore,
More informationGrover s Algorithm + Quantum Zeno Effect + Vaidman
Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the
More informationA Hybrid Variational Iteration Method for Blasius Equation
Avalable at http://pvamu.edu/aam Appl. Appl. Math. ISSN: 1932-9466 Vol. 10, Issue 1 (June 2015), pp. 223-229 Applcatons and Appled Mathematcs: An Internatonal Journal (AAM) A Hybrd Varatonal Iteraton Method
More informationSupporting Information
Supportng Informaton The neural network f n Eq. 1 s gven by: f x l = ReLU W atom x l + b atom, 2 where ReLU s the element-wse rectfed lnear unt, 21.e., ReLUx = max0, x, W atom R d d s the weght matrx to
More informationQuantum and Classical Information Theory with Disentropy
Quantum and Classcal Informaton Theory wth Dsentropy R V Ramos rubensramos@ufcbr Lab of Quantum Informaton Technology, Department of Telenformatc Engneerng Federal Unversty of Ceara - DETI/UFC, CP 6007
More informationPHYS 705: Classical Mechanics. Calculus of Variations II
1 PHYS 705: Classcal Mechancs Calculus of Varatons II 2 Calculus of Varatons: Generalzaton (no constrant yet) Suppose now that F depends on several dependent varables : We need to fnd such that has a statonary
More informationSuppose that there s a measured wndow of data fff k () ; :::; ff k g of a sze w, measured dscretely wth varable dscretzaton step. It s convenent to pl
RECURSIVE SPLINE INTERPOLATION METHOD FOR REAL TIME ENGINE CONTROL APPLICATIONS A. Stotsky Volvo Car Corporaton Engne Desgn and Development Dept. 97542, HA1N, SE- 405 31 Gothenburg Sweden. Emal: astotsky@volvocars.com
More informationChapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems
Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons
More informationONE DIMENSIONAL TRIANGULAR FIN EXPERIMENT. Technical Advisor: Dr. D.C. Look, Jr. Version: 11/03/00
ONE IMENSIONAL TRIANGULAR FIN EXPERIMENT Techncal Advsor: r..c. Look, Jr. Verson: /3/ 7. GENERAL OJECTIVES a) To understand a one-dmensonal epermental appromaton. b) To understand the art of epermental
More informationx i1 =1 for all i (the constant ).
Chapter 5 The Multple Regresson Model Consder an economc model where the dependent varable s a functon of K explanatory varables. The economc model has the form: y = f ( x,x,..., ) xk Approxmate ths by
More informationAPPROXIMATE PRICES OF BASKET AND ASIAN OPTIONS DUPONT OLIVIER. Premia 14
APPROXIMAE PRICES OF BASKE AND ASIAN OPIONS DUPON OLIVIER Prema 14 Contents Introducton 1 1. Framewor 1 1.1. Baset optons 1.. Asan optons. Computng the prce 3. Lower bound 3.1. Closed formula for the prce
More informationProblem Set 9 Solutions
Desgn and Analyss of Algorthms May 4, 2015 Massachusetts Insttute of Technology 6.046J/18.410J Profs. Erk Demane, Srn Devadas, and Nancy Lynch Problem Set 9 Solutons Problem Set 9 Solutons Ths problem
More informationStatistical Evaluation of WATFLOOD
tatstcal Evaluaton of WATFLD By: Angela MacLean, Dept. of Cvl & Envronmental Engneerng, Unversty of Waterloo, n. ctober, 005 The statstcs program assocated wth WATFLD uses spl.csv fle that s produced wth
More informationLecture 17 : Stochastic Processes II
: Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss
More information