Attacks on the KeeLoq Block Cipher and Authentication Systems

Andrey Bogdanov
Chair for Communication Security
Ruhr University Bochum, Germany
abogdanov@crypto.rub.de
www.crypto.rub.de

Abstract. KeeLoq is a block cipher used in numerous widespread passive entry and remote keyless entry systems as well as in various component identification applications. The KeeLoq algorithm has a 64-bit key and operates on 32-bit blocks. It is based on an NLFSR with a nonlinear feedback function of 5 variables. In this paper new key recovery attacks on KeeLoq are proposed. The first one has a complexity of about $2^{50.6}$ KeeLoq encryptions. The second attack finds the key in $2^{37}$ encryptions and works for the whole key space. In our attacks we use the techniques of guess-and-determine, slide, and linear attacks as well as cycle structure analysis. Both attacks need $2^{32}$ known plaintext-ciphertext pairs. We also analyze the KeeLoq key management and authentication protocols applied in rolling-code and IFF access systems widely used in real-world applications. We demonstrate several practical vulnerabilities.

Key words: KeeLoq, cryptanalysis, slide attacks, linear cryptanalysis, hopping codes, rolling codes

1 Introduction

A number of NLFSR-based stream ciphers have been recently proposed (e.g. Achterbahn [9] and [8], Grain [10]) and successfully cryptanalyzed using linear [2] and nonlinear [12], [23] approximations of nonlinear feedback functions. KeeLoq is a block cipher based on an NLFSR with a nonlinear boolean feedback function of 5 variables. The algorithm uses a 64-bit key and operates on 32-bit blocks. Its architecture consists of two registers (a 32-bit text register and a 64-bit key register), which are rotated in each of 528 encryption cycles, and of a nonlinear function (NLF) providing nonlinear feedback. One bit of the key is added to the output of the NLF modulo 2 in each cycle.
The light-weight architecture of the KeeLoq cipher allows for an extremely low-cost and efficient hardware implementation (about 700 GE and 528 clock cycles per block). This contributed to the popularity of the KeeLoq cipher among designers of remote keyless entry systems, automotive and burglar alarm systems, automotive immobilizers, gate and garage door openers, identity tokens, component identification systems. For instance, the KeeLoq block cipher is used by such automotive OEMs as Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, VW, Jaguar [26] and in the HomeLink wireless control systems to secure communication with garage door openers [11]. The KeeLoq technology supplied by Microchip Technology Inc. includes the KeeLoq cipher and a number of authentication protocols as well as key management schemes. Our description of KeeLoq is based on the newly published article [26], [15] and a number of the manufacturer’s documents [14], [16], [20], [21].

Our contribution. The contribution of the paper is many-fold. First, a new technique to perform recovery attacks on KeeLoq is proposed. Our direct attack recovers the key in $2^{50.6}$. Second, the techniques allow us to propose an extended attack of complexity $2^{37}$ working for the whole key space. Then severe vulnerabilities of the KeeLoq protocols and key management systems are demonstrated.
Our cryptanalysis of the KeeLoq algorithm is based on the following weaknesses of the KeeLoq structure: The key schedule is self-similar, which allows us to mount a slide attack [4], [5], [3]. It is supported by the existence of an efficient linear approximation of the NLF used to recover a part of the key. Then the remainder of the key bits is obtained using other linear relations within KeeLoq.

The key recovery complexity of our first attack is $2^{50.6}$. The attack requires $2^{32}$ plaintext-ciphertext pairs and a memory of $2^{32}$ 32-bit words. Several computing devices can share the memory during the attack. All computations are perfectly parallelizable. The property inherited from the slide attacks [4], [5] is that the complexity of our attack is independent of the number of encryption cycles, which is as a rule not the case for linear or differential cryptanalysis, where the complexity often grows exponentially with the number of iterations.

The second attack is an extension of our first attack by using the cycle structure analysis introduced in [7]. Our attack finds the key in $2^{37}$ steps. It also requires $2^{32}$ known plaintext-ciphertext pairs and a memory to hold $2^{32}$ 32-bit words. Additionally, $2^{32}$ bits of memory are needed for exploring the cycle structure of the KeeLoq permutation. Our techniques work for all keys, unlike those in [7] which are applicable to 26% of all keys only. Our second attack is the best known attack on the KeeLoq block cipher working for the whole key space.

We also show how the cryptanalytic attacks on the KeeLoq block cipher apply to the KeeLoq hopping codes and IFF (Identify Friend or Foe) systems supplied by Microchip which are based on this algorithm.
It is demonstrated that the attacks pose a real threat for a number of applied key management schemes: After attacking one instance of KeeLoq using attacks presented in this paper, one can reduce the effective key length of all other KeeLoq systems of the same series to 32, 48, or 60 bits depending on the key management scheme applied. In some attack models, the attacker is even able to retrieve the individual encryption key instantly.

The paper is organized as follows. Section 2 describes the KeeLoq algorithm. In Section 3 our basic sliding linear key recovery attack on KeeLoq and its extension with a reduced complexity are presented. In Section 4 we discuss the impact of attacks on the KeeLoq algorithm with respect to the standard KeeLoq real-world applications supplied by Microchip. We conclude in Section 5.

2 Description of the KeeLoq Algorithm

KeeLoq is a block cipher with a 64-bit key which operates on 32-bit words [26], [15]. Its design is based on a nonlinear feedback shift register (NLFSR) of length 32 bits with a nonlinear feedback function of 5 variables. The feedback depends linearly on two other register bits and on the next key bit taken from the rotated key register of length 64 bits.

Let $V_n = GF(2)^n$ be the set of all $n$-bit words and $Y^{(i)} = (y^{(i)}_{31}, \ldots, y^{(i)}_{0}) \in V_{32}$, $y^{(i)}_j \in GF(2)$, describe the state of the text register in cycle $i$ for $j = 0, \ldots, 31$ and $i = 0, 1, \ldots$ Let also $K^{(i)} = (k^{(i)}_{63}, \ldots, k^{(i)}_{0}) \in V_{64}$, $k^{(i)}_j \in GF(2)$, denote the state of the key register in cycle $i$ for $j = 0, \ldots, 63$ and $i = 0, 1, \ldots$ Then each cycle of encryption can be described using the following algorithm (see Figure 1):

Compute the feedback bit: $\varphi = NLF(y^{(i)}_{31}, y^{(i)}_{26}, y^{(i)}_{20}, y^{(i)}_{9}, y^{(i)}_{1}) \oplus y^{(i)}_{16} \oplus y^{(i)}_{0} \oplus k^{(i)}_{0}$

Rotate text and insert feedback: $R^{(i+1)} = (\varphi, y^{(i)}_{31}, \ldots, y^{(i)}_{1})$

Rotate key: $K^{(i+1)} = (k^{(i)}_{0}, k^{(i)}_{63}, \ldots, k^{(i)}_{1})$.
For encryption the key register is filled with the 64 key bits $K = (k_{63}, \ldots, k_{0}) \in V_{64}$, $k_j \in GF(2)$, $j = 0, \ldots, 63$, in the straightforward way: $K^{(0)} = K$. If $X = (x_{31}, \ldots, x_{0}) \in V_{32}$, $x_j \in GF(2)$, $j = 0, \ldots, 31$, is a block of plaintext, the initial state of the text register is $Y^{(0)} = (x_{31}, \ldots, x_{0})$. The output of the algorithm is the ciphertext $Z = (z_{31}, \ldots, z_{0}) = Y^{(528)} \in V_{32}$, $z_j \in GF(2)$, $j = 0, \ldots, 31$.

For decryption the key register is filled in the same way: $K^{(0)} = K = (k_{63}, \ldots, k_{0}) \in V_{64}$. But the decryption procedure complements the encryption. One decryption cycle can be defined by the following sequence of operations:
Fig. 1. The $i$-th KeeLoq encryption cycle

Compute the feedback bit: $\varphi = NLF(y^{(i)}_{30}, y^{(i)}_{25}, y^{(i)}_{19}, y^{(i)}_{8}, y^{(i)}_{0}) \oplus y^{(i)}_{15} \oplus y^{(i)}_{31} \oplus k^{(i)}_{15}$

Rotate text and insert feedback: $R^{(i+1)} = (y^{(i)}_{30}, \ldots, y^{(i)}_{0}, \varphi)$

Rotate key: $K^{(i+1)} = (k^{(i)}_{62}, \ldots, k^{(i)}_{0}, k^{(i)}_{63})$.

The ciphertext and plaintext are input/output in a similar way: The ciphertext is input into the text register before decryption, $Y^{(0)} = Z$, and the plaintext can be read out after 528 decryption cycles, $Y^{(528)} = X$.

The NLF is a boolean function of 5 variables and is of degree 3. In the specification [15] the NLF is assigned using a table. This corresponds to the following ANF:

$$NLF(x_4, x_3, x_2, x_1, x_0) = x_0 \oplus x_1 \oplus x_0 x_1 \oplus x_1 x_2 \oplus x_2 x_3 \oplus x_0 x_4 \oplus x_0 x_3 \oplus x_2 x_4 \oplus x_0 x_1 x_4 \oplus x_0 x_2 x_4 \oplus x_1 x_3 x_4 \oplus x_2 x_3 x_4. \qquad (1)$$

The NLF is balanced and its correlation immunity order is 1, $\mathrm{cor}(NLF) = 1$ [24], [25]. This means that the NLF is 1-resilient [6], which is the maximum for a function of 5 variables with $\deg(NLF) = 3$ due to Siegenthaler’s inequality [24]:

$$\deg(NLF) + \mathrm{cor}(NLF) \le 4.$$

Fig. 2. Round structure of KeeLoq encryption

The KeeLoq algorithm has the following round structure. We define a KeeLoq round as the permutation $F(K) : V_{32} \to V_{32}$ depending on the key $K \in V_{64}$. A KeeLoq quarter round is defined as the permutation $F'(K') : V_{32} \to V_{32}$ depending on the subkey $K' = (k_{15}, \ldots, k_{0}) \in V_{16}$. Then the whole KeeLoq encryption mapping consists of successively computing 8 full round permutations
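The encryption and decryption cycles of Section 2 and the NLF of equation (1), written out as an added Python example (not code from the paper or from Microchip) that also checks the stated balancedness and correlation immunity order of the NLF through its Walsh spectrum. Assumptions: words are packed into integers with bit j holding $x_j$ or $k_j$, and the function names and the `cycles` parameter are illustrative.

```python
MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF
CYCLES = 528  # encryption cycles per block, as stated in the paper

def bit(word, j):
    return (word >> j) & 1

def nlf(x4, x3, x2, x1, x0):
    """NLF evaluated directly from the ANF of equation (1)."""
    return (x0 ^ x1 ^ (x0 & x1) ^ (x1 & x2) ^ (x2 & x3) ^ (x0 & x4)
            ^ (x0 & x3) ^ (x2 & x4) ^ (x0 & x1 & x4) ^ (x0 & x2 & x4)
            ^ (x1 & x3 & x4) ^ (x2 & x3 & x4))

def encrypt(x, key, cycles=CYCLES):
    """Run encryption cycles; bit j of x is x_j and bit j of key is k_j."""
    y, k = x & MASK32, key & MASK64
    for _ in range(cycles):
        phi = (nlf(bit(y, 31), bit(y, 26), bit(y, 20), bit(y, 9), bit(y, 1))
               ^ bit(y, 16) ^ bit(y, 0) ^ bit(k, 0))
        y = (y >> 1) | (phi << 31)      # (phi, y31, ..., y1)
        k = (k >> 1) | ((k & 1) << 63)  # (k0, k63, ..., k1)
    return y

def decrypt(z, key):
    """Inverse of the full 528-cycle encryption."""
    y, k = z & MASK32, key & MASK64
    for _ in range(CYCLES):
        phi = (nlf(bit(y, 30), bit(y, 25), bit(y, 19), bit(y, 8), bit(y, 0))
               ^ bit(y, 15) ^ bit(y, 31) ^ bit(k, 15))
        y = ((y << 1) & MASK32) | phi        # (y30, ..., y0, phi)
        k = ((k << 1) & MASK64) | (k >> 63)  # (k62, ..., k0, k63)
    return y

def walsh(mask):
    """Walsh coefficient of the NLF at a 5-bit linear mask (0 at mask 0 = balanced)."""
    total = 0
    for v in range(32):
        f = nlf(*(bit(v, j) for j in (4, 3, 2, 1, 0)))
        total += (-1) ** (f ^ (bin(v & mask).count("1") & 1))
    return total

def correlation_immunity_order():
    """Largest m with zero Walsh coefficients at all masks of weight 1..m."""
    m = 0
    while m < 5 and all(walsh(a) == 0 for a in range(1, 32)
                        if bin(a).count("1") == m + 1):
        m += 1
    return m
```

Calling `encrypt` with `cycles=64` gives the full-round permutation $F(K)$ defined above; because the key register returns to $K$ after 64 rotations, 128 cycles equal two applications of it, which is the self-similar key schedule the slide attack builds on.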