Practical Algebraic Attacks on the HITAG2™ Stream Cipher

  1. Practical Algebraic Attacks on the HITAG2™ Stream Cipher. Nicolas T. Courtois (1), Sean O’Neil (2), Jean-Jacques Quisquater (3). 1 - University College London, UK; 2 - VEST Corporation, France; 3 - Université Catholique de Louvain, Belgium

  2. Algebraic Attacks on Hitag 2 Cipher. Disclaimer: First of all, this is pure crypto research: Spec of the cipher => Algebraic Attack. Not all attacks work on actual industrial systems due to the protocol subtleties. Moreover: one should not expect that every information found on the Internet is correct. One can expect some small glitches… 2 Courtois, O’Neil, Quisquater

  3. Outline: 1. Hitag2 cipher and products. 2. Discussion: open source vs. closed source crypto. 3. Algebraic attacks with SAT solvers. 4. Our results. 5. Industry impact, discussion.

  4. Hitag2 • A stream cipher used in car locks [e.g. BMW]: Philips Hitag2 family. • Also used in building access. – According to [Nohl, Plötz HAR’09] used in German government and army buildings… – But Hitag2 proximity cards are not available anymore in shops. They have been discontinued. Here we concentrate just on car locks.

  5. What’s Inside?

  6. Open Source vs. Closed Source Crypto

  7. Secrecy: Very frequently an obvious business decision. • Creates entry barriers for competitors. • But also defends against hackers.

  8. Kerckhoffs’ principle: [1883] “The system must remain secure should it fall in enemy hands…”

  9. *Remark: Smart Cards: They are already in ‘enemy’ hands - even more for RFID…

  10. Kerckhoffs’ principle: [1883] Most of the time: incorrectly understood. No obligation to disclose. • Security when disclosed. • Better security when not disclosed???

  11. Yes (1,2,3): 1. Military: layer the defences.

  12. Yes (2): 2) Basic economics: these 3 extra months (and not more) are simply worth a lot of money.

  13. Yes (3): 3) Prevent the erosion of profitability / barriers for entry for competitors / “inimitability”

  14. Kerckhoffs principle is kind of WRONG in the world of smart cards. Reasons: • side channel attacks are HARD and COSTLY to prevent when the algo is known • in some applications, for example Pay TV, the system is broken immediately when the cryptographic algorithms are public.

  15. Kerckhoffs principle is kind of WRONG? Well OK, but then we need other means to evaluate crypto algorithms used by the industry. • [OLD] private consulting… • [NEW] TODAY: Automated Cryptanalysis. Spec of the cipher => Try our software

  16. Silicon Hacking

  17. Tarnovsky Lab [Freelance Silicon Hacker] Only a few thousands of dollars worth of equipment

  18. Clear and Present Danger: Reverse engineering is NOT that hard. No need for a FIB device (Focused Ion Beam, 0.5 M€). A few thousand dollars microscope + software.

  19. Silicon Hacking => Wikipedia TM

  21. Crypto-1 is VERY WEAK • Crypto 1 has regular LFSR taps => Broken in 0.05 seconds. [de Koning Gans et al, Esorics 2008]

  22. much better: • Crypto 1 has regular LFSR taps => Broken in 0.05 seconds. [de Koning Gans et al, Esorics 2008] • Hitag 2 has IRREGULAR taps. Not so easy. • State of the art: Inversion attacks: – [Ross Anderson: Searching for the Optimum Correlation Attack, In FSE’94] – Our present work is a sort of automated inversion attack where human insights into how to invert the augmented filter function are replaced by the [clever] SAT solver software…

  24. Silicon Hacking => Wikipedia. A Cryptanalyst can start working…

  25. Circuit High-Level View of Hitag2

  26. Exhaustive Key Search • 48 bits, about 4 years on 1 CPU. • But only hours/days with more expensive devices such as FPGA/Copacobana etc…

  27. Algebraic Cryptanalysis

  28. Algebraic Cryptanalysis [Shannon]: Breaking a «good» cipher should require: “as much work as solving a system of simultaneous equations in a large number of unknowns of a complex type” [Shannon, 1949]

  29. Algebraic Cryptanalysis: An Emerging Technology [Figure: Gartner’s Technology Hype Cycle; labels: XSL, AES]

  30. Strong or Weak? High Algebraic Immunity. • Does NOT help. • Many “direct” algebraic attacks exist. – First mention of such attack: Ars-Faugère in their INRIA report: • Experimental attacks with a very small quantity of keystream. – Now we have a portfolio of techniques… We can break “any cipher”, if not too complex…

  31. “direct” algebraic attacks: Our fastest attacks use algebraic equations + conversion + SAT solvers • [cf. recent attacks on DES and KeeLoq by Courtois and Bard 2007-08]

  32. Our Attacks: …AC can break “any cipher”, if not too complex… Remark: • Other attacks can be faster. • However, this method is more generally applicable: • we can also break many modified versions of Hitag2 • and this without any human intervention!

  33. Algebraic Cryptanalysis: Step 1. Write a system of Multivariate Quadratic equations [MQ] Step 2. Solve it.

  34. Step 1 – Write Quadratic Equations. Method? Follow closely a gate-efficient implementation of the cipher. [Figure: gate with inputs x, y and output z: xy+1=z] This process can be fully automated. Better implementation (less NAND gates) => better attack

  35. Step 2: Solve it. Theory: NP-hard problem… Practice: hopefully solvable….

  36. ANF-to-CNF method - The Outsider [Courtois, Bard, Jefferson] Before we did try, we actually never believed it could work… Convert MQ to a SAT problem. (both are NP-hard problems)

  37. *ANF-to-CNF – Main Idea. Principle 1: each monomial = one dummy variable. d+1 clauses for each degree d monomial

  38. *Also Principle 2: Handling XORs – Not obvious. Long XORs known to be hard problems for SAT solvers. • Split longer XORs in several shorter with more dummy variables. • About 4h clauses for a XOR of size h.

  39. *ANF-to-CNF: This description is enough to produce a working version. Space for non-trivial optimisations. See: Gregory V. Bard, Nicolas T. Courtois and Chris Jefferson: “Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers”. eprint.iacr.org/2007/024
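
Principles 1 and 2 from slides 37 and 38, written out as an added Python example (not the authors' tool and not code from the slides), with a brute-force check that the CNF has exactly the solutions of the original equations. The function names, the cut length of 3 and the sample system are assumptions made here; the sample reuses the gate equation xy+1=z from slide 34 and adds a 6-term XOR to show the splitting.

```python
from itertools import product

def anf_to_cnf(equations, nvars, cut=3):
    """Convert XOR-of-monomials equations over GF(2) to CNF clauses.

    equations: list of (monomials, const); a monomial is a tuple of 1-based
    variable indices, and the equation reads XOR(monomials) = const.
    Returns (clauses, total_vars) with DIMACS-style signed literals.
    """
    clauses, mono_var, top = [], {}, nvars

    def xor_clauses(vs, rhs):
        # One clause per wrong-parity assignment: 2^(len(vs)-1) clauses.
        for bits in product((0, 1), repeat=len(vs)):
            if sum(bits) % 2 != rhs:
                clauses.append([-v if b else v for v, b in zip(vs, bits)])

    for monos, const in equations:
        terms = []
        for m in monos:
            if len(m) == 1:
                terms.append(m[0])
                continue
            if m not in mono_var:        # Principle 1: dummy t = product of m
                top += 1
                mono_var[m] = top
                clauses.extend([-top, x] for x in m)     # t -> x_i (d clauses)
                clauses.append([top] + [-x for x in m])  # all x_i -> t (1 clause)
            terms.append(mono_var[m])
        while len(terms) > cut:          # Principle 2: split long XORs
            top += 1
            xor_clauses(terms[:cut - 1] + [top], 0)      # top = XOR of the prefix
            terms = [top] + terms[cut - 1:]
        xor_clauses(terms, const)
    return clauses, top

def anf_solutions(equations, nvars):
    """Brute-force the original system (small instances only)."""
    return {a for a in product((0, 1), repeat=nvars)
            if all(sum(all(a[i - 1] for i in m) for m in monos) % 2 == const
                   for monos, const in equations)}

def cnf_solutions(clauses, total, nvars):
    """Brute-force the CNF and project models onto the original variables."""
    return {a[:nvars] for a in product((0, 1), repeat=total)
            if all(any((a[abs(lit) - 1] == 1) == (lit > 0) for lit in c)
                   for c in clauses)}

# Constructed sample: x1*x2 + 1 = x3 (gate equation from slide 34), 6-term XOR = 0.
SAMPLE = [([(1, 2), (3,)], 1), ([(1,), (2,), (3,), (4,), (5,), (6,)], 0)]

if __name__ == "__main__":
    cnf, total = anf_to_cnf(SAMPLE, 6)
    print(len(cnf), "clauses over", total, "variables")
    print(cnf_solutions(cnf, total, 6) == anf_solutions(SAMPLE, 6))
```

With cut length 3, every split piece is a 3-variable XOR costing 4 clauses, so a XOR of size h costs 4(h-2) clauses, in line with the "about 4h" figure on slide 38.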
