Introduction Our Attacks Practice Conclusions A Practical Attack on KeeLoq Sebastiaan Indesteege 1 Nathan Keller 2 Orr Dunkelman 1 Eli Biham 3 Bart Preneel 1 1 Dept. ESAT/SCD-COSIC, K.U.Leuven, Belgium. 2 Einstein Institute of Mathematics, Hebrew University, Israel. 3 Computer Science Department, Technion, Israel. Eurocrypt 2008 Sebastiaan Indesteege A Practical Attack on KeeLoq 1/ 21
Introduction Our Attacks Practice Conclusions Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 2/ 21
Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 3/ 21
Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Introduction What? ◮ Lightweight block cipher ◮ 32-bit block, 64-bit key ◮ Designed in 1980s ◮ Sold by Microchip Inc. Where Is It Used? ◮ Remote keyless entry applications ◮ Car locks and alarms Sebastiaan Indesteege A Practical Attack on KeeLoq 4/ 21
Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Description of the KeeLoq Block Cipher y ( i ) 31 y ( i ) y ( i ) y ( i ) 16 y ( i ) y ( i ) y ( i ) 528 rounds 26 20 9 1 0 ϕ ( i ) NLF + k 63 k 0 Sebastiaan Indesteege A Practical Attack on KeeLoq 5/ 21
Introduction Our Attacks Practice Conclusions KeeLoq Previous Attacks Previous Attacks on KeeLoq Attack Type Data Time Memory Ref. 2 32 KP 2 52 Slide/Guess-and-Det. 16 GB [B07] 2 32 KP 2 50 . 6 Slide/Guess-and-Det. 16 GB [B07b] 2 32 KP 2 39 . 4 Slide/Cycle Structure 16 . 5 GB [CB07] 2 32 KP (2 37 ) Slide/Cycle/G&D 16 . 5 GB [B07b] 2 32 KP 2 27 Slide/Fixed Points > 16 GB [C+08] 2 16 KP 2 65 . 4 Slide/Algebraic ? [CB07, C+08] 2 16 KP 2 51 . 4 Slide/Algebraic ? [CB07, C+08] DPA — DEMA - - - [E+08] Sebastiaan Indesteege A Practical Attack on KeeLoq 6/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Outline 1 Introduction Description of the KeeLoq Block Cipher Previous Attacks on KeeLoq 2 Our Attacks on KeeLoq Preliminaries Basic Attack Scenario A Generalisation of the Attack A Chosen Plaintext Attack 3 Practice Experimental Results Practical Applicability of the Attack 4 Conclusions Sebastiaan Indesteege A Practical Attack on KeeLoq 7/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Determining Keybits in KeeLoq y ( i ) 31 y ( i ) y ( i ) y ( i ) 16 y ( i ) y ( i ) y ( i ) 26 20 9 1 0 ϕ ( i ) NLF + k 63 k 0 ◮ Given two KeeLoq states, 32 rounds or less apart, we can find the key bits used in these rounds. Bogdanov [B07] Sebastiaan Indesteege A Practical Attack on KeeLoq 8/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Slide Attack ◮ Cipher with many identical “rounds” F ( · ) P 2 . . . P 1 C 1 F F F F . . . P 2 C 2 F F F F C 1 ◮ Slid pair P 2 = F ( P 1 ), then also C 2 = F ( C 1 ) ◮ Encrypting C 1 and C 2 yields another slid pair , . . . ◮ Use these pairs to attack F ( · ) Sebastiaan Indesteege A Practical Attack on KeeLoq 9/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario 16 rounds 16 rounds 16 rounds 16 rounds → P j P i → k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 Expect a slid pair among 2 16 plaintexts (birthday paradox) Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario 16 rounds 16 rounds 16 rounds 16 rounds → P j P i → k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 16 rounds 16 rounds 16 rounds 16 rounds → C j C i → 528 rounds = 8 × 64 + 16 rounds Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Guess 16 key bits: k 0 ... 15 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Guess 16 LSB’s of P ⋆ j : P ⋆ j = X ⋆ i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario P ⋆ X ⋆ → P j P i → X i j i k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext j , determine k 48 ... 63 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext j , partially decrypt Y j to Y ⋆ j Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext i , determine k 16 ... 31 Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i For each plaintext i , partially encrypt C i to C ⋆ i Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → ? j i Find ± 2 16 collision(s) between C ⋆ i and Y ⋆ j Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 ? k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Determine (and check ) k 32 ... 47 ; ± 1 collision survives Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → j i Verify key candidates using trial encryptions ( ± 2 16 in total) Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext Basic Attack Scenario Table P ⋆ 2 16 tuples X ⋆ → P j P i → X i j i � � P ⋆ j , Y ⋆ i , k 48 ... 63 k 0 ... 15 k 16 ... 31 k 32 ... 47 k 48 ... 63 k 0 ... 15 Y ⋆ C ⋆ Y j → C j C i → Complexity j i Data 2 16 known plaintexts Memory ± 2 MB for the table Time 2 45 KeeLoq encryptions Sebastiaan Indesteege A Practical Attack on KeeLoq 10/ 21
Introduction Our Attacks Practice Conclusions Preliminaries Basic Generalisation Chosen Plaintext A Generalisation of the Attack Why 16 rounds throughout the attack? Sebastiaan Indesteege A Practical Attack on KeeLoq 11/ 21
Recommend
More recommend