[PPT] - A Practical Attack on KeeLoq Sebastiaan Indesteege 1 Nathan Keller 2 PowerPoint Presentation

SLIDE 1

Introduction Our Attacks Practice Conclusions

A Practical Attack on KeeLoq

Sebastiaan Indesteege1 Nathan Keller2 Orr Dunkelman1 Eli Biham3 Bart Preneel1

1Dept. ESAT/SCD-COSIC, K.U.Leuven, Belgium.

2Einstein Institute of Mathematics, Hebrew University, Israel. 3Computer Science Department, Technion, Israel.

Eurocrypt 2008

Sebastiaan Indesteege A Practical Attack on KeeLoq 1/ 21

SLIDE 2

Introduction Our Attacks Practice Conclusions

Outline

1 Introduction

Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq

2 Our Attacks on KeeLoq

Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack

3 Practice

Experimental Results Practical Applicability of the Attack

4 Conclusions

Sebastiaan Indesteege A Practical Attack on KeeLoq 2/ 21

SLIDE 3

Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks

Outline

1 Introduction

Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq

2 Our Attacks on KeeLoq

Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack

3 Practice

Experimental Results Practical Applicability of the Attack

4 Conclusions

Sebastiaan Indesteege A Practical Attack on KeeLoq 3/ 21

SLIDE 4

Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks

Introduction

What?

◮ Lightweight block cipher ◮ 32-bit block, 64-bit key ◮ Designed in 1980s ◮ Sold by Microchip Inc.

Where Is It Used?

◮ Remote keyless entry applications ◮ Car locks and alarms

Sebastiaan Indesteege A Practical Attack on KeeLoq 4/ 21

SLIDE 5

Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks

Description of the KeeLoq Block Cipher

k0 k63 + NLF y (i)

31 y (i) 26

y (i)

20

y (i)

16 y (i) 9

y (i)

1

y (i) ϕ(i) 528 rounds

Sebastiaan Indesteege A Practical Attack on KeeLoq 5/ 21

SLIDE 6

Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks

Previous Attacks on KeeLoq

Attack Type Data Time Memory Ref. Slide/Guess-and-Det. 232 KP 252 16 GB

[B07]

Slide/Guess-and-Det. 232 KP 250.6 16 GB

[B07b]

Slide/Cycle Structure 232 KP 239.4 16.5 GB

[CB07]

Slide/Cycle/G&D 232 KP (237) 16.5 GB

[B07b]

Slide/Fixed Points 232 KP 227 > 16 GB

[C+08]

Slide/Algebraic 216 KP 265.4 ?

[CB07, C+08]

Slide/Algebraic 216 KP 251.4 ?

[CB07, C+08]

DPA — DEMA

[E+08]

Sebastiaan Indesteege A Practical Attack on KeeLoq 6/ 21

SLIDE 7

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Outline

1 Introduction

Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq

2 Our Attacks on KeeLoq

Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack

3 Practice

Experimental Results Practical Applicability of the Attack

4 Conclusions

Sebastiaan Indesteege A Practical Attack on KeeLoq 7/ 21

SLIDE 8

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Determining Keybits in KeeLoq

k0 k63 + NLF y (i)

31 y (i) 26

y (i)

20

y (i)

16 y (i) 9

y (i)

1

y (i) ϕ(i)

◮ Given two KeeLoq states, 32 rounds or less apart, we

can find the key bits used in these rounds.

Bogdanov [B07]

Sebastiaan Indesteege A Practical Attack on KeeLoq 8/ 21

SLIDE 9

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Slide Attack

◮ Cipher with many identical “rounds” F(·)

P1 F F F . . . F C1 P2 P2 F F . . . F F C2 C1

◮ Slid pair P2 = F(P1), then also C2 = F(C1) ◮ Encrypting C1 and C2 yields another slid pair, . . . ◮ Use these pairs to attack F(·)

Sebastiaan Indesteege A Practical Attack on KeeLoq 9/ 21

SLIDE 10

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

16 rounds 16 rounds 16 rounds 16 rounds

Pi →

k0...15

→ Pj

k16...31 k32...47 k48...63 Expect a slid pair among 216 plaintexts (birthday paradox)

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 11

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

16 rounds 16 rounds 16 rounds 16 rounds 16 rounds 16 rounds 16 rounds 16 rounds

Pi →

k0...15

→ Cj

k0...15

Ci → → Pj

k16...31 k32...47 k48...63 528 rounds = 8 × 64 + 16 rounds

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 12

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi →

k0...15

→ Cj

k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 13

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

Guess 16 key bits: k0...15

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 14

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

Guess 16 LSB’s of P⋆

j : P⋆ j = X ⋆ i

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 15

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

For each plaintext j, determine k48...63

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 16

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj Table

216 tuples

P⋆

j , Y ⋆ i , k48...63

For each plaintext j, partially decrypt Yj to Y ⋆

j

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 17

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj Table

216 tuples

P⋆

j , Y ⋆ i , k48...63

For each plaintext i, determine k16...31

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 18

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj Table

216 tuples

P⋆

j , Y ⋆ i , k48...63

For each plaintext i, partially encrypt Ci to C ⋆

i

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 19

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj Table

216 tuples

P⋆

j , Y ⋆ i , k48...63

?

Find ±216 collision(s) between C ⋆

i and Y ⋆ j

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 20

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj Table

216 tuples

P⋆

j , Y ⋆ i , k48...63

?

Determine (and check) k32...47; ±1 collision survives

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 21

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj Table

216 tuples

P⋆

j , Y ⋆ i , k48...63

Verify key candidates using trial encryptions (±216 in total)

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 22

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

Basic Attack Scenario

Pi → → Cj

k0...15 k0...15

Ci → → Pj

k16...31 k32...47 k48...63

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj Table

216 tuples

P⋆

j , Y ⋆ i , k48...63

Complexity

Data 216 known plaintexts Memory ±2 MB for the table Time 245 KeeLoq encryptions

Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21

SLIDE 23

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

A Generalisation of the Attack

Why 16 rounds throughout the attack?

Sebastiaan Indesteege A Practical Attack on KeeLoq 11/ 21

SLIDE 24

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

A Generalisation of the Attack

Why 16 rounds throughout the attack? No reason! 16 rounds tp rounds tc rounds tp rounds tc rounds 16 rounds

Pi →

k0...15

→ Cj

k0...15

Ci → → Pj

ˆ k1 ˆ k2 ˆ k3

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

to bits

Sebastiaan Indesteege A Practical Attack on KeeLoq 11/ 21

SLIDE 25

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

A Generalisation of the Attack

Why 16 rounds throughout the attack? No reason! 16 rounds tp rounds tc rounds tp rounds tc rounds 16 rounds

Pi →

k0...15

→ Cj

k0...15

Ci → → Pj

ˆ k1 ˆ k2 ˆ k3

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

to bits

Sebastiaan Indesteege A Practical Attack on KeeLoq 11/ 21

SLIDE 26

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

A Generalisation of the Attack

Why 16 rounds throughout the attack? No reason! 16 rounds tp rounds tc rounds tp rounds tc rounds 16 rounds

Pi →

k0...15

→ Cj

k0...15

Ci → → Pj

ˆ k1 ˆ k2 ˆ k3

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

to bits

Generalisation

◮ Parameters tp and tc ◮ If to = tp, tc

◮ Guess extra bits, or ◮ Plaintext filtering

◮ Optimum?

◮ tp = tc = 15, to = 14 ◮ 244.5 KeeLoq encryptions Sebastiaan Indesteege A Practical Attack on KeeLoq 11/ 21

SLIDE 27

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

A Chosen Plaintext Attack

Pi →

k0...15

→ Cj

k0...15

Ci → → Pj

ˆ k1 ˆ k2 ˆ k3

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

Sebastiaan Indesteege A Practical Attack on KeeLoq 12/ 21

SLIDE 28

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

A Chosen Plaintext Attack

Pi →

k0...15

→ Cj

k0...15

Ci → → Pj

ˆ k1 ˆ k2 ˆ k3

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

← constant

Sebastiaan Indesteege A Practical Attack on KeeLoq 12/ 21

SLIDE 29

Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext

A Chosen Plaintext Attack

Pi →

k0...15

→ Cj

k0...15

Ci → → Pj

ˆ k1 ˆ k2 ˆ k3

Xi X ⋆

i

C ⋆

i

P⋆

j

Y ⋆

j

Yj

← constant

Chosen Plaintext Attack

◮ to > tc ◮ Keep LSB’s of plaintext constant → less guesses ◮ Optimum tp = 20, tc = 13, to = 17 ◮ Still 244.5 KeeLoq encryptions. . .

Sebastiaan Indesteege A Practical Attack on KeeLoq 12/ 21

SLIDE 30

Introduction Our Attacks Practice Conclusions Experiments Applicability

Outline

1 Introduction

Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq

2 Our Attacks on KeeLoq

Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack

3 Practice

Experimental Results Practical Applicability of the Attack

4 Conclusions

Sebastiaan Indesteege A Practical Attack on KeeLoq 13/ 21

SLIDE 31

Introduction Our Attacks Practice Conclusions Experiments Applicability

Implementation

◮ Fully implemented (C and x86 asm) and tested ◮ 128-way bitslicing, where possible. . .

◮ Not during collision verification

Impact?

◮ Collision verification is more expensive ◮ Optimal tp, tc change ◮ CP becomes much faster than KP in practice!

Sebastiaan Indesteege A Practical Attack on KeeLoq 14/ 21

SLIDE 32

Introduction Our Attacks Practice Conclusions Experiments Applicability

Experimental Results

Experiments on one core of an AMD Athlon 64 X2 4200+∗

Known plaintext attack

◮ 216×10.97 minutes, i.e., ±500 CPU days ◮ 288 times faster than [CB07]

Chosen plaintext attack

◮ 216×4.79 minutes, i.e., ±218 CPU days ◮ 661 times faster than [CB07]

∗Average from 500 experiments. Standard deviation < 2 s.

Sebastiaan Indesteege A Practical Attack on KeeLoq 15/ 21

SLIDE 33

Introduction Our Attacks Practice Conclusions Experiments Applicability

Practical Applicability of the Attack

Authentication protocols

Authentication protocols based

n KeeLoq, used e.g. in cars.

“KeeLoq Rolling Codes”

◮ One-pass authentication protocol using a synchronised

16-bit counter.

◮ Not interesting for our attack

Sebastiaan Indesteege A Practical Attack on KeeLoq 16/ 21

SLIDE 34

Introduction Our Attacks Practice Conclusions Experiments Applicability

Practical Applicability of the Attack

Authentication protocols (continued)

“KeeLoq Identify Friend or Foe” (IFF) protocol

◮ Simple challenge-response authentication protocol.

challenge Ek(challenge)

◮ Challenges are not authenticated! ◮ Chosen plaintext ability! ◮ Gathering 216 CP takes ±65 minutes

Sebastiaan Indesteege A Practical Attack on KeeLoq 17/ 21

SLIDE 35

Introduction Our Attacks Practice Conclusions Experiments Applicability

Practical Applicability of the Attack

Key derivation

In KeeLoq, all secret keys are derived from a master key, using one of four ways:

Derivation function

◮ XOR, or ◮ KeeLoq Decryption

Use of a seed-value

◮ “Normal Learning”, or ◮ “Secure Learning” ◮ XOR-based: k = pad(ID, seed) ⊕ kmaster ◮ Find one secret key, find the master key!

Sebastiaan Indesteege A Practical Attack on KeeLoq 18/ 21

SLIDE 36

Introduction Our Attacks Practice Conclusions

Outline

1 Introduction

Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq

2 Our Attacks on KeeLoq

Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack

3 Practice

Experimental Results Practical Applicability of the Attack

4 Conclusions

Sebastiaan Indesteege A Practical Attack on KeeLoq 19/ 21

SLIDE 37

Introduction Our Attacks Practice Conclusions

Conclusions

◮ KeeLoq is badly broken

◮ Practical Slide/MitM attack using 216 KP or CP ◮ IFF protocol gives chosen plaintext ability ◮ XOR-based key derivation is obviously flawed

◮ Soon, cryptographers will all drive expensive cars†

Attack Type Data Time Practice Memory Slide/MitM 216 KP 244.5 500 CPU days ±3 MB Slide/MitM 216 CP 244.5 218 CPU days ±2 MB

†Not all conclusions are to be taken too seriously. . .

Sebastiaan Indesteege A Practical Attack on KeeLoq 20/ 21

SLIDE 38

References

[B07] Andrey Bogdanov Cryptanalysis of the KeeLoq block cipher Cryptology ePrint Archive, Report 2007/055 [B07b] Andrey Bogdanov Attacks on the KeeLoq Block Cipher and Authentication Systems 3rd Conference on RFID Security 2007 [CB07] Nicolas T. Courtois and Gregory V. Bard Algebraic and Slide Attacks on KeeLoq Cryptology ePrint Archive, Report 2007/062 [C+08] Nicolas T. Courtois, Gregory V. Bard and David Wagner Algebraic and Slide Attacks on KeeLoq Proceedings of Fast Software Encryption 2008 [E+08] Thomas Eisenbarth, Timo Kasper, Amir Moradi, Christof Paar, Mahmoud Salmasizadeh and Mohammad T. Manzuri Shalmani Physical Cryptanalysis of KeeLoq Code Hopping Applications Cryptology ePrint Archive, Report 2008/058 Sebastiaan Indesteege A Practical Attack on KeeLoq 21/ 21