Cahlen Humphreys
Department of Mathematical Sciences
Florida Atlantic University
4/6/2015
What is KeeLoq?
C. Humphreys (FAU)
4/6/2015
2 / 37
Motivation
KeeLoq History
KeeLoq Details
KeeLoq
528 rounds with 64-bit key
KeeLoq Structure
Strongly unbalanced Feistel construction.
Round function: one bit of output, i.e., one bit of ciphertext is produced each round, so setting up a system of equations is easy.
We define
Plaintext: P = [P_0, ..., P_31] ∈ {0,1}^32
Ciphertext: C = [C_0, ..., C_31] ∈ {0,1}^32
Secret Key: K = [k_0, ..., k_63] ∈ {0,1}^64
528 total rounds: 528 = 512 + 16 = 64 · 8 + 16
KeeLoq Structure
Notation: f^(n)(x) = f(f(... f(x) ...)), i.e., f applied n times.
Example: (0, 0, 0, 0, 1)
i = 16·0 + 8·0 + 4·0 + 2·0 + 1 = 1
So NLF(0, 0, 0, 0, 1) = 1, the second least significant bit (bit 1) of 3A5C742E.
Example: (0, 1, 0, 0, 1)
i = 16·0 + 8·1 + 4·0 + 2·0 + 1 = 8 + 1 = 9
So NLF(0, 1, 0, 0, 1) = 0, bit 9 (counting from bit 0) of 3A5C742E in binary.
How do we decrypt?
The codebook
Master key
The code book can contain noise (transmission or human error).
Key recovery may be the only way to know which messages are genuine.
y = NLF(a, b, c, d, e)
  = d ⊕ e ⊕ ac ⊕ ae ⊕ bc ⊕ be ⊕ cd ⊕ de ⊕ ade ⊕ ace ⊕ abd ⊕ abc
Then we can write
L_{i+32} = k_{i mod 64} …
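The NLF and the round equation above, as an added runnable example (my code, not the slides' and not Microchip's). It implements the NLF both as the table lookup the examples use and as the ANF given on the slide, checks that the two forms agree on all 32 inputs, runs the 528 rounds in the deck's L_i notation, and decrypts by running the same equation backwards, which answers the "How do we decrypt?" slide. The tap positions (L_{i+31}, L_{i+26}, L_{i+20}, L_{i+9}, L_{i+1} into the NLF, plus L_i and L_{i+16}) are not shown on this page; they are assumed from the standard KeeLoq description by Courtois, Bard and Wagner. The key and plaintext in the usage section are constructed values, not published test vectors.

```python
import itertools

# Added example (not from the slides): KeeLoq's NLF in table and ANF form,
# plus 528-round encryption and decryption in the deck's L_i notation.
# The round-equation tap positions are NOT on this page; they are assumed
# from the standard KeeLoq description (Courtois, Bard and Wagner).

NLF_CONST = 0x3A5C742E   # the 32-bit NLF constant quoted on the slides
ROUNDS = 528             # 64 * 8 + 16, as on the slides


def nlf_table(a, b, c, d, e):
    """NLF(a,b,c,d,e) = bit i of 3A5C742E, where i = 16a + 8b + 4c + 2d + e."""
    i = 16 * a + 8 * b + 4 * c + 2 * d + e
    return (NLF_CONST >> i) & 1


def nlf_anf(a, b, c, d, e):
    """The same function written as the deck's ANF over GF(2):
    y = d + e + ac + ae + bc + be + cd + de + ade + ace + abd + abc."""
    return (d ^ e ^ (a & c) ^ (a & e) ^ (b & c) ^ (b & e) ^ (c & d) ^ (d & e)
            ^ (a & d & e) ^ (a & c & e) ^ (a & b & d) ^ (a & b & c))


def nlf_forms_agree():
    """True iff the table lookup and the ANF agree on all 32 inputs."""
    return all(nlf_table(*x) == nlf_anf(*x)
               for x in itertools.product((0, 1), repeat=5))


def _round_bit(L, k, i):
    # Assumed round equation (tap positions not shown on this page):
    #   L_{i+32} = k_{i mod 64} ^ L_i ^ L_{i+16}
    #              ^ NLF(L_{i+31}, L_{i+26}, L_{i+20}, L_{i+9}, L_{i+1})
    return (k[i % 64] ^ L[i] ^ L[i + 16]
            ^ nlf_table(L[i + 31], L[i + 26], L[i + 20], L[i + 9], L[i + 1]))


def encrypt(plaintext, key, rounds=ROUNDS):
    """L_0..L_31 = P_0..P_31 (bit j of the plaintext word); C_j = L_{rounds+j}."""
    L = [(plaintext >> j) & 1 for j in range(32)]
    k = [(key >> j) & 1 for j in range(64)]
    for i in range(rounds):
        L.append(_round_bit(L, k, i))
    return sum(L[rounds + j] << j for j in range(32))


def decrypt(ciphertext, key, rounds=ROUNDS):
    """Run the same equation backwards: with L_{i+1}..L_{i+32} known, solve for L_i."""
    L = [0] * (rounds + 32)
    for j in range(32):
        L[rounds + j] = (ciphertext >> j) & 1
    k = [(key >> j) & 1 for j in range(64)]
    for i in reversed(range(rounds)):
        # Every term of the round equation except L_i is already known,
        # so XOR them out of L_{i+32}.
        L[i] = (L[i + 32] ^ k[i % 64] ^ L[i + 16]
                ^ nlf_table(L[i + 31], L[i + 26], L[i + 20], L[i + 9], L[i + 1]))
    return sum(L[j] << j for j in range(32))


def encrypt_shift_register(plaintext, key, rounds=ROUNDS):
    """The usual 32-bit shift-register form of the same cipher, kept only to
    cross-check the L_i formulation above (state bit j at round i is L_{i+j})."""
    x = plaintext & 0xFFFFFFFF
    for i in range(rounds):
        y = nlf_table((x >> 31) & 1, (x >> 26) & 1, (x >> 20) & 1,
                      (x >> 9) & 1, (x >> 1) & 1)
        bit = y ^ ((x >> 16) & 1) ^ (x & 1) ^ ((key >> (i % 64)) & 1)
        x = (x >> 1) | (bit << 31)
    return x


def roundtrip_ok(plaintext, key):
    """Encrypt, decrypt, and compare the two encryption forms."""
    c = encrypt(plaintext, key)
    return c == encrypt_shift_register(plaintext, key) and decrypt(c, key) == plaintext


if __name__ == "__main__":
    # Constructed sample values, not a published test vector.
    key, p = 0x0123456789ABCDEF, 0xDEADBEEF
    c = encrypt(p, key)
    print(f"NLF forms agree: {nlf_forms_agree()}")
    print(f"P = {p:08X}  C = {c:08X}  roundtrip ok: {roundtrip_ok(p, key)}")
```

Because one new bit is produced per round and every other term in the equation is already known, each ciphertext bit is a single GF(2) equation in the key bits and earlier state bits; that is the property the later slides exploit when they hand the system to a SAT solver.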
Note: miniSAT stops when the first solution has been reached.
C = 01101000110010010100101001111001
Worked CNF example: the four assignments of (b, c), namely (0, 0), (1, 0), (1, 1), (0, 1), with the resulting clauses written first in CNF and then in DIMACS form (one clause per line, terminated by 0, e.g. "1 2 3 0").
version of CNF)
Sage Output
Using miniSAT
We feed the DIMACS CNF into miniSAT:
Recall that K_0, ..., K_63 correspond to DIMACS variables 1, ..., 64, so:
variable 1 = K_0 = 0
variable 2 = K_1 = 0
variable 3 = K_2 = 1
and so on.
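The deck's pipeline (equations, then CNF, then DIMACS, then miniSAT, then reading variable n back as K_{n-1}) as an added Python example of mine; it is not the slides' Sage code and not miniSAT. It encodes the NLF's truth table directly into clauses instead of using Sage's ANF-to-CNF converter, fixes known bits with unit clauses the way the deck fixes plaintext and ciphertext bits, and uses an exhaustive search in place of miniSAT (like miniSAT, it stops at the first solution). The variable numbering a, b, c, d, e, y to 1..6 and the sample instance are my own constructed choices.

```python
import itertools

# Added example (not from the slides, not Sage's converter, not miniSAT):
# truth table -> CNF -> DIMACS -> solve -> parse model, on the NLF.

NLF_CONST = 0x3A5C742E


def nlf(a, b, c, d, e):
    """Bit i of 3A5C742E with i = 16a + 8b + 4c + 2d + e, as on the slides."""
    return (NLF_CONST >> (16 * a + 8 * b + 4 * c + 2 * d + e)) & 1


# DIMACS variables are 1-based; this particular numbering is constructed here.
VAR = {"a": 1, "b": 2, "c": 3, "d": 4, "e": 5, "y": 6}
NAME = {v: n for n, v in VAR.items()}


def truth_table_clauses(func, in_vars, out_var):
    """Direct truth-table encoding of y = func(inputs): for each input row the
    row with the wrong output is forbidden by one clause that is false exactly
    there (a literal is negated where that row has the variable = 1)."""
    clauses = []
    for bits in itertools.product((0, 1), repeat=len(in_vars)):
        forbidden = bits + (1 - func(*bits),)
        clauses.append([-v if val else v
                        for v, val in zip(in_vars + (out_var,), forbidden)])
    return clauses


def unit_clauses(fixed):
    """Known bits become unit clauses: {var: 1} -> [var], {var: 0} -> [-var]."""
    return [[v] if bit else [-v] for v, bit in fixed.items()]


def to_dimacs(clauses, nvars):
    """DIMACS text: 'p cnf <vars> <clauses>' header, then one clause per line ending in 0."""
    lines = [f"p cnf {nvars} {len(clauses)}"]
    lines += [" ".join(str(lit) for lit in cl) + " 0" for cl in clauses]
    return "\n".join(lines) + "\n"


def parse_dimacs(text):
    """Read DIMACS back, skipping 'c' comment lines and the 'p' header."""
    clauses = []
    for line in text.splitlines():
        if not line or line[0] in "cp":
            continue
        lits = [int(tok) for tok in line.split()]
        assert lits[-1] == 0, "clause line must end in 0"
        clauses.append(lits[:-1])
    return clauses


def solve_exhaustive(clauses, nvars):
    """Brute-force stand-in for miniSAT: returns the first satisfying assignment
    as a miniSAT-style model line 'v 1 -2 ... 0', or 'UNSAT'."""
    for bits in itertools.product((0, 1), repeat=nvars):
        value = dict(enumerate(bits, start=1))
        satisfied = all(any(value[abs(l)] == (1 if l > 0 else 0) for l in cl)
                        for cl in clauses)
        if satisfied:
            lits = [v if b else -v for v, b in value.items()]
            return "v " + " ".join(map(str, lits)) + " 0"
    return "UNSAT"


def parse_model(model_line, names=NAME):
    """Turn 'v 1 -2 3 ... 0' into {name: bit}; variable n maps to names[n]
    (with the deck's key mapping, variable n is K_{n-1})."""
    bits = {}
    for tok in model_line.split()[1:]:
        lit = int(tok)
        if lit == 0:
            break
        bits[names[abs(lit)]] = 1 if lit > 0 else 0
    return bits


def recover_input(fixed):
    """Fix some of a..e and the output y, and ask the solver for the rest.
    Returns the full assignment as {name: bit}, or None if UNSAT."""
    clauses = truth_table_clauses(nlf, (1, 2, 3, 4, 5), 6)
    clauses += unit_clauses({VAR[n]: b for n, b in fixed.items()})
    text = to_dimacs(clauses, 6)              # what would be written to disk
    model = solve_exhaustive(parse_dimacs(text), 6)
    return parse_model(model) if model != "UNSAT" else None


if __name__ == "__main__":
    # Constructed instance: a, b, d, e and the output y known, c unknown.
    print(recover_input({"a": 0, "b": 1, "d": 0, "e": 1, "y": 0}))
```

With a, b, d, e fixed to the slide's second example (0, 1, ·, 0, 1) and y fixed to 0, the only consistent value is c = 0; fixing y = 1 instead forces c = 1, and fixing all five inputs together with the wrong output yields UNSAT. The same mechanism scales up in the deck: each ciphertext bit contributes equations, the known P and C bits become unit clauses, and the model's variables 1..64 are read back as K_0..K_63.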
Parse results:
Another attempt
Add another pair (P, C) from the same K:
Further questions
Why does the time for miniSAT vary so much when solving a system, even when given more information?
How can we determine if the system is overdefined or underdefined without the results from miniSAT? (i.e., exactly how much information do we have to fix and give to miniSAT in order to recover the key?)
Is there a better/faster way to convert ANF to CNF other than Sage?
Conclusions
KeeLoq probably wasn't worth the $10,000,000, but it's certainly better than nothing.
SAT solvers can be a very effective tool in the cryptographic arena.
One person who noticed and took action is Dr. Mate Soos, who works for Security Research Labs. He developed an open-source tool called CryptoMiniSat, which puts the features of miniSAT, PrecoSAT, and Glucose into one program. Its long-term goals are to be an efficient sequential, parallel and distributed solver. (In addition, he's a really nice dude.) http://www.msoos.org/cryptominisat2/
Thank You