
KeeLoq: an algebraic attack on a real-life cipher

Cahlen Humphreys
Department of Mathematical Sciences
Florida Atlantic University

4/6/2015

What is KeeLoq?

KeeLoq is a proprietary hardware-dedicated lightweight block cipher used
in wireless devices that unlock the doors and alarms in cars manufactured
by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volkswagen, etc. [2]


Motivation

Courtois et al. 2008: multiple avenues of attack for KeeLoq
combination of algebraic [3] and slide [4] attacks
algebraic attack realized with SAT solver
Here: implementation aspects of key recovery with SAT solver


KeeLoq History

Designed in the 1980s


Cryptographic Algorithm - Gideon Kuhn
Unidirectional command transfer protocol - Frederick Bruwer
Silicon implementation - Willem Smit

Sold to Microchip Technology Inc, 1995


10 million dollars plus (USD)


How is KeeLoq used?

Implementation is manufacturer specific.


Usually Challenge-response authentication
Bob requests to unlock car (clicking the unlock button).
Car sends Bob random number.
Bob uses his secret key to encrypt the random number, and sends it
back to the car.
Car uses same key to decrypt Bob's response.
If the random numbers match, the car unlocks.


KeeLoq Details

32-bit blocks for plaintext/ciphertext


64-bit keys
NOT a stream cipher, resembles NLFSR (non-linear feedback shift
register)
528 extremely simple rounds


Comparison of KeeLoq rounds with AES and DES

AES (Advanced Encryption Standard) [5]


10 rounds with 128-bit key
12 rounds with 192-bit key
14 rounds with 256-bit key

DES (Data Encryption Standard) [6]


16 rounds with 56-bit key

KeeLoq
528 rounds with 64-bit key


KeeLoq Structure
Strongly unbalanced Feistel construction
Round function - one bit of output
i.e., one bit of cipher text is produced each round
setting up system of equations easy

We define
Plaintext - $P = [P_0, \ldots, P_{31}] \in \{0, 1\}^{32}$
Ciphertext - $C = [C_0, \ldots, C_{31}] \in \{0, 1\}^{32}$
Secret Key - $K = [k_0, \ldots, k_{63}] \in \{0, 1\}^{64}$
528 total rounds.
$528 = 512 + 16 = 64 \times 8 + 16$

Encryption - periodic with period 64


since key is 64 bits

528 is not a multiple of 64 to prevent basic slide attacks



KeeLoq Structure
Notation: Define $f^{(n)}(x) = \underbrace{f(f(\ldots f(x) \ldots))}_{n \text{ times}}$.

rounds $i, i + 64, i + 128, \ldots$ - key register is the same

Let $f_k(x)$ be 64 rounds under some key $k \in \{0, 1\}^{64}$

    $E_k(x) = g_k(f_k^{(8)}(x))$

$g_k(x)$ - 16 round final step
$E_k(x)$ - all 528 rounds
The core of KeeLoq is a non-linear function with algebraic normal form
given by:
    $\mathrm{NLF}(a, b, c, d, e) = d \oplus e \oplus ac \oplus ae \oplus bc \oplus be \oplus cd \oplus de \oplus ade \oplus ace \oplus abd \oplus abc$


The core of KeeLoq


the non-linear function 3A5C742E [2]
$\mathrm{NLF}(a, b, c, d, e)$ is equivalent to the $i$-th bit of the hexadecimal number, where
    $i = 16a + 8b + 4c + 2d + e$

3A5C742E written in binary is

    00111010010111000111010000101110

Example: 0, 0, 0, 0, 1
    $i = 16 \cdot 0 + 8 \cdot 0 + 4 \cdot 0 + 2 \cdot 0 + 1 = 1$
    So $\mathrm{NLF}(0, 0, 0, 0, 1) = 1$ - second least significant bit

Example: 0, 1, 0, 0, 1
    $i = 16 \cdot 0 + 8 \cdot 1 + 4 \cdot 0 + 2 \cdot 0 + 1 = 8 + 1 = 9$
    So $\mathrm{NLF}(0, 1, 0, 0, 1) = 0$ - the 9th bit of 3A5C742E in binary.

How does the encryption work?

Initialize with the plaintext: $L_{31}, \ldots, L_0 := P_{31}, \ldots, P_0$.

For $i = 0, \ldots, 528 - 1$ do
    $L_{i+32} := k_{i \bmod 64} \oplus L_i \oplus L_{i+16} \oplus \mathrm{NLF}(L_{i+31}, L_{i+26}, L_{i+20}, L_{i+9}, L_{i+1})$

The ciphertext is $C_{31}, \ldots, C_0 := L_{528+31}, \ldots, L_{528}$



How do we decrypt?

Initialize with the ciphertext: $L_{528+31}, \ldots, L_{528} := C_{31}, \ldots, C_0$.

For $i = 528, \ldots, 1$ do
    $L_{i-1} := k_{(i-1) \bmod 64} \oplus L_{i+31} \oplus L_{i+15} \oplus \mathrm{NLF}(L_{i+30}, L_{i+25}, L_{i+19}, L_{i+8}, L_{i+0})$

The plaintext is $P_{31}, \ldots, P_0 := L_{31}, \ldots, L_0$
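
The NLF table lookup, its algebraic normal form and the two round procedures above, put together as an added example (not the author's script). The function names and the integer bit layout (bit j of the state holds L_{i+j}, bit j of the key holds k_j) are choices made here; `rounds=160` gives the reduced variant attacked later in the talk.

```python
NLF_TABLE = 0x3A5C742E  # truth table of the non-linear function


def bit(x, n):
    """Bit n of integer x (bit 0 is the least significant)."""
    return (x >> n) & 1


def nlf(a, b, c, d, e):
    """Table form: bit number 16a + 8b + 4c + 2d + e of 0x3A5C742E."""
    return bit(NLF_TABLE, 16 * a + 8 * b + 4 * c + 2 * d + e)


def nlf_anf(a, b, c, d, e):
    """The same function written out in algebraic normal form over GF(2)."""
    return (d ^ e ^ (a & c) ^ (a & e) ^ (b & c) ^ (b & e) ^ (c & d) ^ (d & e)
            ^ (a & d & e) ^ (a & c & e) ^ (a & b & d) ^ (a & b & c))


def encrypt(p, key, rounds=528):
    """p: 32-bit int (bit j = P_j); key: 64-bit int (bit j = k_j)."""
    s = p  # invariant: bit j of s holds L_{i+j}
    for i in range(rounds):
        new = (bit(key, i % 64) ^ bit(s, 0) ^ bit(s, 16)
               ^ nlf(bit(s, 31), bit(s, 26), bit(s, 20), bit(s, 9), bit(s, 1)))
        s = (s >> 1) | (new << 31)  # drop L_i, append L_{i+32}
    return s


def decrypt(c, key, rounds=528):
    """Inverse of encrypt for the same key and round count."""
    s = c  # invariant: bit j of s holds L_{i+j}
    for i in range(rounds, 0, -1):
        old = (bit(key, (i - 1) % 64) ^ bit(s, 31) ^ bit(s, 15)
               ^ nlf(bit(s, 30), bit(s, 25), bit(s, 19), bit(s, 8), bit(s, 0)))
        s = ((s << 1) & 0xFFFFFFFF) | old  # drop L_{i+31}, prepend L_{i-1}
    return s
```

Because the key index is taken mod 64, eight applications of the 64-round map followed by 16 rounds give the same result as one 528-round call.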



The codebook

Code Book - set of all $2^{32}$ pairs $(P, C)$ where $E(K, P) = C$.
Whole KeeLoq Code Book small enough to fit on one computer.
Question: Why do we care about recovering the key then?

Master key
Code Book can contain noise (transmission or human error).
Key recovery could be only way to know which messages are genuine


Direct Algebraic Attacks on KeeLoq

Algebraic Attack - recover the key by solving a system of multivariate
equations.
Few algebraic attacks are really efficient on block ciphers (e.g., DES
can be broken for up to 6 rounds).
What we need:
A small quantity of known, chosen, or random plaintexts.
The corresponding ciphertext.
KeeLoq - attacked up to 160 rounds directly:
(P,C) - plaintext and ciphertext
32 fixed key bits (i.e., hints).
Fewer fixed key bits require more (P,C) pairs.


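How do we set up the system of equations?

$y = \mathrm{NLF}(a, b, c, d, e)$
$\;\;= d \oplus e \oplus ac \oplus ae \oplus bc \oplus be \oplus cd \oplus de \oplus ade \oplus ace \oplus abd \oplus abc$
Then we can write
$L_{i+32} = k_{i \bmod 64} \oplus L_i \oplus L_{i+16} \oplus L_{i+9} \oplus L_{i+1}$
$\qquad \oplus\, L_{i+31} L_{i+20} \oplus \beta_i \oplus L_{i+26} L_{i+20} \oplus L_{i+26} L_{i+1} \oplus L_{i+20} L_{i+9}$
$\qquad \oplus\, L_{i+9} L_{i+1} \oplus \beta_i L_{i+9} \oplus \beta_i L_{i+20} \oplus \alpha_i L_{i+9} \oplus \alpha_i L_{i+20}$
$\alpha_i = L_{i+31} L_{i+26}$
$\beta_i = L_{i+31} L_{i+1}$

Repeat this 160 times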



How do we set up the system of equations?

Total: 160 rounds.
$3 \times 160 = 480$ equations.
Add $(P, C)$, then $2 \times 32 = 64$ more.
Add 32 bits from the key.
End up with $480 + 64 + 32 = 576$ equations.
We know 96 since $P$, $C$ and $k_0, \ldots, k_{31}$ are known.


How do we set up the system of equations?

We solve this system with a SAT solver:


A SAT solver is a program that automatically decides whether a
propositional logic formula is satisfiable. If it is satisfiable, a SAT
solver will produce an example of a truth assignment that satisfies the
formula.
Our system:
576 equations over GF(2)
Boolean Polynomials
Can use SAT solver to solve system. (miniSAT - open source)

Note: miniSAT stops when the first solution has been reached.


Setting up the attack

Initialize with the plaintext: $L_{31}, \ldots, L_0 := P_{31}, \ldots, P_0$.

For $i = 0, \ldots, 528 - 1$ do
    $L_{i+32} := k_{i \bmod 64} \oplus L_i \oplus L_{i+16} \oplus \mathrm{NLF}(L_{i+31}, L_{i+26}, L_{i+20}, L_{i+9}, L_{i+1})$

The ciphertext is $C_{31}, \ldots, C_0 := L_{528+31}, \ldots, L_{528}$

    # This is a typical round function, where newb is our new
    # bit we append to the end of the plaintext.
    # core (the NLF), shiftp and shiftk are helpers that are not shown on the slide.
    def encryptionround(p, k, r):
        for i in range(0, r):
            newb = (int(k[0]) + int(p[0]) + int(p[16])
                    + core(int(p[31]), int(p[26]), int(p[20]), int(p[9]), int(p[1]))) % 2
            shiftp(p, newb)  # drop p[0], append newb
            shiftk(k)        # rotate the key register


Setting up the attack

Initialize with the ciphertext: $L_{528+31}, \ldots, L_{528} := C_{31}, \ldots, C_0$.

For $i = 528, \ldots, 1$ do
    $L_{i-1} := k_{(i-1) \bmod 64} \oplus L_{i+31} \oplus L_{i+15} \oplus \mathrm{NLF}(L_{i+30}, L_{i+25}, L_{i+19}, L_{i+8}, L_{i+0})$

The plaintext is $P_{31}, \ldots, P_0 := L_{31}, \ldots, L_0$

    # In a similar fashion, this is how we decrypt. Note we have to use
    # the other shift functions because we're shifting the keys and
    # plaintext the other way.
    # core (the NLF), shiftpd and shiftkd are helpers that are not shown on the slide.
    def decryptround(p, k, r):
        for i in range(0, r):
            # k[31] as on the slide; which entry holds the current key bit
            # depends on how shiftkd positions the key register.
            newb = (int(k[31]) + int(p[31]) + int(p[15])
                    + core(int(p[30]), int(p[25]), int(p[19]), int(p[8]), int(p[0]))) % 2
            shiftpd(p, newb)
            shiftkd(k)


Example for 160 rounds

We define our plaintext and key

P=01100010100101110000101011100011
K=0011010011011111100101100001110000011101100111001000001101110100

    cahlen@localhost:/Dropbox/KeeLoq$ ./KeeLoq160.py
    Plaintext: 01100010100101110000101011100011
    Key: 0011010011011111100101100001110000011101100111001000001101110100
    Ciphertext: 01101000110010010100101001111001
    Decrypted: 01100010100101110000101011100011

C = 01101000110010010100101001111001


Setting up the attack


We have now:
P - plaintext
C - corresponding ciphertext
Under K - verify attack worked
Not so little problem:
Our system of equations - ANF (Algebraic Normal Form)
miniSAT only takes DIMACS CNF form (Conjunctive Normal Form)
CNF - In Boolean logic, a formula is in conjunctive normal form (CNF) or
clausal normal form if it is a conjunction of clauses, where a clause is a
disjunction of literals; otherwise put, it is an AND of ORs. As a normal
form, it is useful in automated theorem proving.


How to convert from ANF to DIMACS CNF


Example: Write $a = b \oplus c$ in CNF form. Note that this is equivalent to
$a \oplus b \oplus c = 0$. Note now that

    a = 0, b = 0, c = 0
    a = 1, b = 1, c = 0
    a = 0, b = 1, c = 1
    a = 1, b = 0, c = 1

are solutions. Then,

    CNF                                          DIMACS
    $(\lnot a \lor b \lor c)$                    -1 2 3 0
    $(a \lor \lnot b \lor c)$                    1 -2 3 0
    $(a \lor b \lor \lnot c)$                    1 2 -3 0
    $(\lnot a \lor \lnot b \lor \lnot c)$        -1 -2 -3 0


How to convert from ANF to CNF

XOR, OR, AND build upon each other
Doing this by hand is not feasible
Code for this is very extensive

Sage implementation (open source mathematics software)

Skeleton sage code:

    # Define Boolean polynomial ring
    sage: B.<[variables here]> = BooleanPolynomialRing()
    # Import CNFEncoder and DIMACS encoder (DIMACS CNF is just a simplified version of CNF)
    sage: from sage.sat.converters.polybori import CNFEncoder
    sage: from sage.sat.solvers.dimacs import DIMACS
    # Temporary file to store CNF
    sage: fn = tmp_filename()
    sage: solver = DIMACS(filename=fn)
    sage: e = CNFEncoder(solver, B)
    # Conversion takes place here
    sage: e([system of equations here])
    sage: _ = solver.write()
    # Print CNF in DIMACS form
    sage: print(open(fn).read())
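
An added example (not code from the slides or from Sage) of the kind of conversion the encoder automates, generalising the a = b XOR c case: each product monomial gets its own SAT variable tied down by AND clauses, and long XOR sums are cut into short ones with link variables, the approach described in [7]. The class name, the `cut` parameter and the variable numbering are assumptions made here.

```python
from itertools import product


def xor_clauses(variables, rhs):
    """Clauses forcing XOR(variables) == rhs: one per wrong-parity assignment."""
    clauses = []
    for bits in product((0, 1), repeat=len(variables)):
        if sum(bits) % 2 != rhs:
            # This clause is false only at `bits`, so it rules that row out.
            clauses.append([-v if b else v for v, b in zip(variables, bits)])
    return clauses


class AnfToCnf:
    def __init__(self, nvars, cut=4):
        # cut = longest XOR encoded directly (must be >= 3)
        self.n, self.cut, self.clauses, self.mono = nvars, cut, [], {}

    def fresh(self):
        self.n += 1
        return self.n

    def monomial(self, m):
        """SAT variable standing for the product of the variables in m."""
        m = tuple(sorted(m))
        if len(m) == 1:
            return m[0]
        if m not in self.mono:
            t = self.mono[m] = self.fresh()
            # t <-> AND(m):  (not t or v) for each v, and (t or not v1 or ...)
            self.clauses += [[-t, v] for v in m] + [[t] + [-v for v in m]]
        return self.mono[m]

    def add_equation(self, monomials, rhs=0):
        """Encode sum(monomials) = rhs over GF(2); monomials must be distinct."""
        terms = [self.monomial(m) for m in monomials]
        while len(terms) > self.cut:
            link = self.fresh()  # link = XOR of the first cut-1 terms
            head, terms = terms[:self.cut - 1], terms[self.cut - 1:] + [link]
            self.clauses += xor_clauses(head + [link], 0)
        self.clauses += xor_clauses(terms, rhs)

    def dimacs(self):
        head = ["p cnf %d %d" % (self.n, len(self.clauses))]
        return "\n".join(head + [" ".join(map(str, c)) + " 0" for c in self.clauses])
```

With variables a, b, c numbered 1, 2, 3, `add_equation([(1,), (2,), (3,)])` produces the four clauses of the slide example; a round equation is passed the same way with tuples such as `(31, 20)` for product terms.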


Sage Output


Determining key from SAT solver

Sage maps monomials to SAT variables.

    sage: e.monomial(L189)=574
    sage: e.monomial(L190)=575
    sage: e.monomial(L191)=576

We care about:
$K_0, \ldots, K_{63}$ (our key)
Sage maps $K_0 \mapsto 1, \ldots, K_{63} \mapsto 64$
In miniSAT results we only look for $1, \ldots, 64$


Using miniSAT
We feed DIMACS CNF into miniSAT:


Using miniSAT

Hopefully this is what we end up seeing!



Extracting the key

miniSAT results output file snippet:

Recall $K_0, \ldots, K_{63} \mapsto 1, \ldots, 64$.
$-1 \Rightarrow K_0 = 0$
$-2 \Rightarrow K_1 = 0$
$3 \Rightarrow K_2 = 1$
and so on.


Extracting the key

Parse results:

Confirmation: Key fully recovered!


Interesting SAT data

Taking away key bit hints:


Does not affect satisfiability of the system
System could end up being underdefined
Multiple solutions
miniSAT returns first solution in output file
recovered key may not be correct

No apparent effect on time to solve


Does not speed up or slow down, time varies wildly
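
An added example (not the author's parser) for the two points above: reading the key bits out of a miniSAT result file using the mapping of SAT variables 1..64 to K_0..K_63, and checking whether an underdefined system admits a second key. It goes beyond the slides by appending a blocking clause that excludes the key just found, so a re-run that reports UNSAT means the key is the only one fitting the equations. The function names and the assumption that the DIMACS file starts with its `p cnf` header line are made here.

```python
# Constructed sample in miniSAT's result-file layout: a status line, then the
# model as signed variable numbers ending in 0 (only 5 variables for brevity).
SAMPLE = "SAT\n-1 -2 3 4 -5 0\n"


def parse_minisat(result_text):
    """Return {variable: 0 or 1} from a result file, or None if not SAT."""
    tokens = result_text.split()
    if not tokens or tokens[0] != "SAT":
        return None  # "UNSAT" or "INDET"
    model = {}
    for tok in tokens[1:]:
        lit = int(tok)
        if lit == 0:  # terminating 0 of the model line
            break
        model[abs(lit)] = 1 if lit > 0 else 0
    return model


def key_bits(model, nbits=64):
    """Bit string K_0..K_{nbits-1} from variables 1..nbits; others are ignored."""
    missing = [v for v in range(1, nbits + 1) if v not in model]
    if missing:
        raise ValueError("model lacks key variables %r" % missing[:5])
    return "".join(str(model[v]) for v in range(1, nbits + 1))


def block_key(dimacs_text, model, nbits=64):
    """Return the CNF with one extra clause that forbids this exact key."""
    header, *body = dimacs_text.strip().split("\n")
    _, _, nvars, nclauses = header.split()
    clause = " ".join(str(-v if model[v] else v) for v in range(1, nbits + 1)) + " 0"
    return "\n".join(["p cnf %s %d" % (nvars, int(nclauses) + 1)] + body + [clause])
```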


Interesting SAT data


Hardware: Intel Core i5-2430M CPU @ 2.40GHz x 4, 8GB RAM


Another attempt
Add another pair (P, C) from same K:

Result: Correct key recovered each time.



Further questions

Why does the time for miniSAT vary so much when solving a system,
even when given more information?
How can we determine if the system is overdefined or underdefined
without the results from miniSAT? (i.e., exactly how much
information do we have to fix and give to miniSAT in order to recover
the key?)
Is there a better/faster way to convert ANF to CNF other than Sage?


Conclusions

KeeLoq probably wasn't worth the $10,000,000, but it's certainly
better than nothing.
SAT solvers can be a very effective tool in the cryptographic arena.
One person that noticed and took action is Dr. Mate Soos who works
for Security Research Labs. He developed an open-source tool called
CryptoMiniSat which puts the features of miniSAT, PrecoSAT, and
Glucose all into one program. Long term goals are to be an efficient
sequential, parallel and distributed solver. (In addition, he's a really
nice dude.) http://www.msoos.org/cryptominisat2/


References I

[1] N.T. Courtois, G.V. Bard, D. Wagner, Algebraic and slide attacks on
KeeLoq, in Proceedings of Fast Software Encryption 2008. Lecture
Notes in Computer Science, vol. 5086 (Springer, Berlin, 2008), pp.
97-115
[2] KeeLoq wikipedia article. On 25 January 2007 the specification given
here was incorrect and was updated since. See
http://en.wikipedia.org/wiki/KeeLoq
[3] Limniotis, K. (2013). Algebraic attacks on stream ciphers: Recent
developments and new results. Journal
of Applied Mathematics and Bioinformatics, 3(1), 57-81. Retrieved from
http://ezproxy.fau.edu/login?url=http://search.proquest.com/docview/14


References II
[4] Biryukov, Alex., Wagner, David., (May 2000). Advanced Slide Attacks
(PDF/PostScript). Advances in Cryptology, Proceedings of
EUROCRYPT 2000. Bruges: Springer-Verlag. pp. 589-606.
Retrieved 2007-09-03.
[5] J. Daemen, V. Rijmen, The design of Rijndael, AES. The Advanced
Encryption Standard, Springer-Verlag. ISBN 3-540-42580-2
[6] Ehrsam, et al, Product block cipher system for data security. United
States Patent 3,962,539, June 8, 1976.
[7] Courtois, Nicolas., Bard, Gregory., Jefferson, Chris, Efficient Methods
for Conversion and Solution of Sparse Systems of Low-Degree
Multivariate Polynomials over GF(2) via SAT-Solvers. Available at
http://eprint.iacr.org/2007/024/.


Thank You

Special thanks to:


Department of Mathematical Sciences at Florida Atlantic University
Dr. Rainer Steinwandt
End.

