Algebraic and Slide Attacks on KeeLoq
Nicolas T. Courtois (1), Gregory V. Bard (2)
(1) University College of London, UK
(2) University of Maryland, US

KeeLoq and Algebraic Cryptanalysis KeeLoq Block cipher used to unlock doors and the alarm in Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc… 2 Courtois, Bard, 2007
How Much Is KeeLoq Worth
• Designed in the 80's by Willem Smit.
• In 1995 sold to Microchip Inc for more than 10 million US$.

Algebraic Cryptanalysis [Shannon]
Breaking a « good » cipher should require: “as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type” [Shannon, 1949]

KeeLoq Encryption
Block Cipher
• Highly unbalanced Feistel
• 528 rounds
• 32-bit block / state
• 64-bit key
• 1 bit updated / round
• 1 key bit / round only!
Sliding property: periodic cipher with period 64.

Algebraic Attacks on KeeLoq
We have found MANY attacks. One is particularly simple:

KeeLoq and Sliding
Classical Sliding Attack [Grossman-Tuckerman 1977]:
• Take 2^{n/2} known plaintexts (here n=32, easy!)
• We have a “slid pair” (P_i, P_j) such that:
[Diagram: two rows, each drawn as four blocks of 64 rounds followed by a block of 16 rounds. Top row labels: P_i, P_j, C_i. Bottom row labels: P_j, C_i, C_j.]
Classical sliding fails – because of the “odd” 16 rounds:

Classical Sliding – Not Easy
Classical Sliding Attack [Grossman-Tuckerman 1977]:
• Take 2^{n/2} known plaintexts (here n=32, easy!)
• We have a “slid pair” (P_i, P_j).
[Diagram: two rows, each drawn as four blocks of 64 rounds followed by a block of 16 rounds. Top row: P_i, P_j, C_i, with round counts 512 and 528 marked. Bottom row: P_j, C_i, C_j, with round counts 464 and 528 marked.]
HARD - Problem: What are the values here?

Algebraic Sliding
Answer [our attack]:
[Diagram: two rows, each drawn as four blocks of 64 rounds followed by a block of 16 rounds. Top row: P_i, P_j, C_i, with round counts 512 and 528 marked. Bottom row: P_j, C_i, C_j, with round counts 464 and 528 marked.]
We don’t care!

Algebraic Attack:
We are able to use C_i, C_j directly!
Merge 2 systems of equations:
[Diagram: two rows, each drawn as four blocks of 64 rounds followed by a block of 16 rounds, with 32-bit values at the block boundaries. Top row: P_i, P_j, C_i, with round counts 0, 16, 512 and 528 marked. Bottom row: P_j, C_i, C_j, with round counts 464 and 528 marked. Annotations: “ignore all these!” and “common 64-bit key”.]

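Added example (not from the slides): a Python check of the slid-pair structure in the diagrams above, showing that 464 rounds from P_j reach C_i and that C_j is C_i after 64 further rounds under the same key. The round function (NLF constant and tap positions) follows the published KeeLoq description and is not given on the slides; the key and plaintext are constructed sample values.

```python
# Added example: KeeLoq rounds per the public cipher description.
# NLF constant and tap positions are assumptions not stated on the slides.
NLF = 0x3A5C742E

def bit(x, n):
    return (x >> n) & 1

def rounds(state, key, start, count):
    """Run `count` rounds on a 32-bit state; round r uses key bit r mod 64."""
    for r in range(start, start + count):
        # 5 state bits select one bit of the nonlinear function table
        idx = (bit(state, 1) | bit(state, 9) << 1 | bit(state, 20) << 2
               | bit(state, 26) << 3 | bit(state, 31) << 4)
        new = bit(state, 0) ^ bit(state, 16) ^ bit(key, r % 64) ^ bit(NLF, idx)
        state = (state >> 1) | (new << 31)   # only 1 bit updated per round
    return state

def encrypt(p, key):
    return rounds(p, key, 0, 528)

def slid_pair_holds(p_i, key):
    """Check both halves of the slid-pair diagram for P_j = 64 rounds of P_i."""
    p_j = rounds(p_i, key, 0, 64)
    c_i = encrypt(p_i, key)
    c_j = encrypt(p_j, key)
    # Period 64: rounds 0..463 from P_j use the same key bits as
    # rounds 64..527 from P_i, so they end at C_i.
    mid_ok = rounds(p_j, key, 0, 464) == c_i
    # The remaining 64 rounds (464..527, key bits starting at offset 16)
    # map C_i to C_j.
    tail_ok = rounds(c_i, key, 464, 64) == c_j
    return mid_ok and tail_ok

if __name__ == "__main__":
    KEY = 0x0123456789ABCDEF      # constructed sample key
    P_I = 0xDEADBEEF              # constructed sample plaintext
    print("slid pair relations hold:", slid_pair_holds(P_I, KEY))
```

The two 64-round segments (P_i to P_j, and C_i to C_j) are the parts the slides keep; everything in between is what the slide labels “ignore all these!”.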
System of Equations
64-bit key. Two pairs on 32 bits. Just enough information.
Attack:
• Write an MQ system.
• Gröbner Bases methods – miserably fail.
• Convert to a SAT problem
• [Cf. Courtois, Jefferson, Bard eprint/2007/024/].
• Solve it.
• Takes 2.3 seconds on a PC with MiniSat 2.0.

Attack Summary:
Given about 2^{16} KP. We try all 2^{32} pairs (P_i, P_j).
• If OK, it takes 2.3 seconds to find the 64-bit key.
• If no result - early abort.
Total attack complexity about 2^{64} CPU clocks which is about 2^{53} KeeLoq encryptions.
KeeLoq is badly broken. Practical attack, tested and implemented.

Other Attacks
Our fastest attack: about 2^{37} KeeLoq encryptions, but more KP, see: eprint.iacr.org/2007/062/