AFRICACRYPT 2010
STIAS, Stellenbosch, South Africa
G J Kühn, Ciphertec cc
gjkuhn@global.co.za

Contents
• Protex: First electronic crypto device designed in South Africa
• Keeloq: A simple but effective secure remote entry device

PROTEX CIPHER
A rotor-inspired electronic cipher device

Rotor Cryptographic Machines
• The Protex cipher was based on rotor machine prototypes, such as
    • Enigma
    • TSEC/KL-7
    • Typex

The Enigma machine was used commercially from the early 1920's, and was adopted by the militaries and governments of various countries. [Wikipedia]

Rotor Disk
[Figure: wiring of a rotor on contacts A to H, shown for P and for $S^{-1}PS$]
P = Permutation embedded in rotor
S = Single step cyclic permutation

TSEC/KL-7 adopted by the US National Security Agency [Wikipedia]

Typex
- British cipher machine in use from 1937
- Based on the Enigma
[Wikipedia]

Concatenation of r Rotors
$$P_{i_1 i_2 \ldots i_r} = S^{-i_1} P_1 S^{i_1} \cdot S^{-i_2} P_2 S^{i_2} \cdots S^{-i_r} P_r S^{i_r}$$
where
$P_1, P_2, \ldots, P_r$ are the rotor permutations
$S$ is a 1-step rotation operation
$\sigma = (i_1, i_2, \ldots, i_r)$ is the state of the machine

Reflection Disk
[Figure: rotors P_1, P_2 followed by the reflection disk P_r on contacts A to H; the reflection disk is a self-inverse permutation]
$$Q = S^{-i_1} P_1 S^{i_1} \cdot S^{-i_2} P_2 S^{i_2} \cdots P_r \cdots S^{-i_2} P_2^{-1} S^{i_2} \cdot S^{-i_1} P_1^{-1} S^{i_1} = X^{-1} P_r X$$
$Q$ and $P_r$ are conjugate permutations with the same cycle structure

Rotor Cycle Structure Properties
• Advantage:
    • Encryption/decryption operations are identical
• Weakness:
    • A given letter is never encrypted into itself
    • This is due to the turn-around permutation being self-inverse with no fixed points – all cycles are of order 2
    • This represents a Shannon redundancy of 0.057 bits/letter

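The reflector properties above can be checked numerically. This is an added example, not material from the slides: the rotor wirings, the 26-letter alphabet, the three-rotor count and all function names are constructed for illustration, and the redundancy is computed as log2(26) - log2(25), one reading that reproduces the 0.057 figure.

```python
import math
import random

N = 26  # alphabet size (assumption: 26-contact rotors, as in Enigma)

def rotated(perm, i):
    """S^-i P S^i: wiring of a rotor after it has stepped i positions."""
    return [(perm[(x - i) % N] + i) % N for x in range(N)]

def inverse(perm):
    return [perm.index(y) for y in range(N)]

def machine(rotors, reflector, state):
    """Q = X^-1 P_r X as a lookup table for one machine state."""
    out = [rotated(p, i) for p, i in zip(rotors, state)]
    path = out + [reflector] + [inverse(w) for w in reversed(out)]
    table = list(range(N))
    for w in path:                      # compose the permutations in signal order
        table = [w[y] for y in table]
    return table

def cycle_type(perm):
    seen, lengths = set(), []
    for start in range(N):
        n, x = 0, start
        while x not in seen:
            seen.add(x)
            x, n = perm[x], n + 1
        if n:
            lengths.append(n)
    return sorted(lengths)

def check(seed=2010, states=200):
    rng = random.Random(seed)
    rotors = [rng.sample(range(N), N) for _ in range(3)]  # constructed wirings
    pairs = rng.sample(range(N), N)
    reflector = [0] * N
    for a, b in zip(pairs[::2], pairs[1::2]):             # 13 disjoint 2-cycles
        reflector[a], reflector[b] = b, a
    tables = [machine(rotors, reflector, [rng.randrange(N) for _ in rotors])
              for _ in range(states)]
    return {
        "self_inverse": all(q[q[x]] == x for q in tables for x in range(N)),
        "fixed_points": sum(q[x] == x for q in tables for x in range(N)),
        "conjugate_to_reflector": all(cycle_type(q) == cycle_type(reflector) for q in tables),
        "redundancy_bits": math.log2(N) - math.log2(N - 1),
    }
```

For every sampled state the table is its own inverse, has no fixed point, and has the reflector's cycle type, whatever the rotor wirings are.
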
Re-entry
• The technique matches the alphabet size to the number of contacts on the rotor
KL-7: 26 : 36 : 26
Protex: 26 : 32 : 26
[Figure: permutations P_1 and P_2 on contacts A to F plus re-entry contacts 1 and 2; example path B → D → 1 → E → C]

Protex Design
• 5-bit alphabet
• 12 random permutations on 32 characters
• One permutation is used as a reflector
• The permutations are chosen such that P•S ≠ S•P (Shannon product cipher condition)

Protex Encryption/Decryption
[Figure: block diagram. Forward path through permutations P_1, P_2, …, P_10, P_11 with adders (+) fed by i_1 … i_11 and c_1 … c_11, turn-around permutation P_12, and return path through the inverse permutations with −i_1 … −i_11, driven by the Boolean Finite State Circuit.]
Decryption uses $P_{12}^{-1}$ as turn-around permutation

Rotor Machine Categorisation
[Figure: KEY feeds the Boolean Finite State Circuit, which controls a complex mixing function between the input stream and the output stream]
Stream cipher with a dynamic key-dependent mixing function

Key Size
• BFSC initial state: 11x5 = 55 bits
• Counters initial states: 11x5 = 55 bits
• Ordering of 12 permutations: 12! ≡ 28.8 bits
• Total key size: 138.8 bits

Re-Entry
• Re-entry on six 5-bit teleprinter control characters

No. of re-entries   Probability
0                   0.812500
1                   0.157258
2                   0.026210
3                   0.003615
4                   0.000387
5                   0.000029
6                   0.000001

Average = 0.22

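The tabulated probabilities follow from a simple counting model, shown here as an added example that is not part of the slides. It assumes the permutation seen by a character is uniformly random over the 32 contacts, with 26 letters and 6 control characters; the function names are hypothetical.

```python
from fractions import Fraction
import random

CONTACTS, LETTERS = 32, 26      # Protex ratio 26 : 32 : 26 from the slides
CONTROL = CONTACTS - LETTERS    # six control characters that trigger re-entry

def reentry_distribution():
    """Exact P(k re-entries), k = 0..6, under the uniform-permutation assumption."""
    dist, reach = [], Fraction(1)   # reach = P(first k outputs were all control characters)
    for k in range(CONTROL + 1):
        unused = CONTACTS - k       # a bijection never produces the same output twice
        dist.append(reach * Fraction(LETTERS, unused))
        reach *= Fraction(CONTROL - k, unused)
    return dist

def mean_reentries(dist):
    return sum(k * p for k, p in enumerate(dist))

def count_reentries(perm, letter):
    """Extra passes one input letter needs through a fixed 32-point permutation."""
    k, y = 0, perm[letter]
    while y >= LETTERS:             # output is a control character: feed it back in
        k, y = k + 1, perm[y]
    return k

def simulate(trials=20000, seed=1):
    """Empirical re-entry frequencies over constructed random permutations."""
    rng = random.Random(seed)
    hist = [0] * (CONTROL + 1)
    for _ in range(trials):
        perm = rng.sample(range(CONTACTS), CONTACTS)
        hist[count_reentries(perm, rng.randrange(LETTERS))] += 1
    return [h / trials for h in hist]
```

The exact mean is 6/27 = 2/9, which is the 0.22 on the slide. The pass count per character is data dependent, which is why re-entry appears among the timing side channels later in the talk.
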
Implementation
Ferrite core memory storing 12 permutations and their inverses
Permutations were optimised to reduce the number of conductors threaded through each ferrite core

S-Box
Laboratory model S-Box showing 5 planes corresponding to the 5-bit words

Patch Panel
Patch panel to select a rearrangement of the 12! permutations

Attacks on Protex
• Cryptanalysis depends critically on the properties of the BFSC
    • Advance of the counters is irregular
• Side-channel attacks:
    • Timing attacks
        • Re-entry
        • Propagation of carry bit
    • Power analysis
        • Power surges due to switching of magnetic ferrite cores

Benefit of Hindsight
• The reflector structure of rotor machines offers no cryptographic advantage
    • Input-output permutations conjugate to a fixed permutation decreases entropy
• Re-entry is a serious weakness, making the cipher vulnerable to a timing attack

KEELOQ CIPHER
The travails of a 32-bit block cipher

KEELOQ
• Designed at Nanoteq in the 1980's
• Purpose: To provide increased security for remote keyless entry systems
• Applications: car door, garage door openers, etc.
• Constraints
    • 32-bit radio transmission
    • low power
    • low component count

Protocol
• A block cipher to encrypt the state of a counter
• Key length: Initially 32 bits, but later increased to 64 bits
• Block length limited to 32 bits due to transmitter constraints

Design
• No nxn S-boxes, as these would be too expensive in component count
• Eventually it was decided to insert a single 5x1 S-box
• An elementary key schedule to save components
    • Circulating shift register

Keeloq Encryption
[Figure: 32-bit shift register with bit positions 31, 30, 26, 20, 16, 9, 1 and 0 marked; NLF (3A5C742E) with inputs 4, 3, 2, 1, 0; 64-bit key shift register, bits 63 to 0]

Keeloq Decryption
[Figure: 32-bit shift register with bit positions 31, 30, 25, 19, 15, 8, 1 and 0 marked; NLF (3A5C742E) with inputs 4, 3, 2, 1, 0; 64-bit key shift register with bits 63, 15 and 0 marked]

Number of Steps (Rounds)
• Number of shift register steps: 528
• This was decided on as follows
    • Good SAC properties from plaintext to ciphertext
    • Each key bit should be active at least 8 times
• The 528 steps comprise 8¼ cycles of the key register
    • The ¼ cycle was introduced as a "nuisance" impediment to cryptanalysis

Tap Points on the Shift Register
• Latency: 1 clock period
• Minimised to enhance diffusion of bit changes in encryption/decryption

The Non-Linear Function (NLF)
• Properties
    • 5-bit Boolean function
    • 0-1 balanced
    • Algebraic degree: 3
    • Minimum distance to affine set: 8
    • Correlation immunity: 1
    • Function resiliency: 1

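The cipher in the encryption and decryption diagrams and the NLF properties listed above can both be checked in a few lines. This is an added example, not code from the talk: the assignment of state bits 1, 9, 20, 26, 31 to NLF inputs 0 to 4 and the feedback from bits 0 and 16 follow the commonly published KeeLoq description (an assumption, since the slide diagrams are only partly recoverable), and the function names are hypothetical.

```python
NLF = 0x3A5C742E  # truth table of the 5-input non-linear function (from the slides)
ROUNDS = 528      # 8 1/4 passes over the 64-bit key register

def bit(v, n):
    return (v >> n) & 1

def nlf(x, taps):
    # The five tapped state bits form the index into the NLF truth table.
    return bit(NLF, sum(bit(x, t) << k for k, t in enumerate(taps)))

def encrypt(block, key):
    for r in range(ROUNDS):
        fb = bit(block, 0) ^ bit(block, 16) ^ bit(key, r & 63) ^ nlf(block, (1, 9, 20, 26, 31))
        block = (block >> 1) | (fb << 31)
    return block

def decrypt(block, key):
    for r in range(ROUNDS):  # key read from bit 15 downwards, taps shifted by one
        fb = bit(block, 31) ^ bit(block, 15) ^ bit(key, (15 - r) & 63) ^ nlf(block, (0, 8, 19, 25, 30))
        block = ((block << 1) & 0xFFFFFFFF) | fb
    return block

def walsh(table, n=5):  # fast Walsh-Hadamard transform of (-1)^f(x)
    w = [1 - 2 * bit(table, x) for x in range(1 << n)]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def degree(table, n=5):  # Moebius transform to ANF, then the largest monomial
    a = [bit(table, x) for x in range(1 << n)]
    for i in range(n):
        for x in range(1 << n):
            if bit(x, i):
                a[x] ^= a[x ^ (1 << i)]
    return max(bin(x).count("1") for x, c in enumerate(a) if c)

def nlf_properties():
    w = walsh(NLF)
    return {
        "balanced": w[0] == 0,
        "degree": degree(NLF),
        "distance_to_affine": 16 - max(abs(v) for v in w) // 2,
        "correlation_immunity": min(bin(a).count("1") for a, v in enumerate(w) if a and v) - 1,
    }
```

The last encryption round uses key bit 527 mod 64 = 15, which is why the decryption diagram marks bit 15 of the key register as its starting point.
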
Attacks on Keeloq

Attack                       Data        Time       Mem        Reference
Exhaustive search            2 KP        2^63       Small
Time-memory trade-off        2 CP        2^42.7     100 TB     Hellman
Slide/algebraic              2^16 KP     2^51.4     ?          [Co, Ba, Wa]
Slide/guess and determine    2^32 KP     2^37       16 GB      Bogdanov
Slide/cycle structure        2^32 KP     2^39.4     16.5 GB    [Co, Ba]
Slide/fixed points           2^32 KP     2^27       >16 GB     [Co, Ba, Wa]
Slide/meet-in-the-middle     2^16 KP     2^45       ≈ 2 MB     [In, Ke, …]

Exhaustive Search

Exhaustive Search
• Computational Complexity = 2^63
• Time: 2 weeks using FPGA circuits

Most significant half (MSH)   Criterion              Number of ciphertexts
MAC = f(counter)              MSH* satisfies MAC     2
Fixed ID (known)              MSH equals ID          2
Fixed ID (unknown)            MSH differential       3
Random bits                   16-bit counter mode    ≤ 64

* MSH = most significant half of counter