Deep analysis of KeeLoq algorithm

Deep analysis of KeeLoq algorithm

Please support the original, respect for the original, reproduced please indicate the source: Http://blog.csdn.net/kangweijian (from Kangweijian of the csdn blog)

1 KeeLoq Algorithm Introduction

1.1 KeeLoq Arithmetic rules

The core idea of the KEELOQ algorithm is to encrypt the 4byte plaintext with a 8byte key to get 4byte ciphertext or to decrypt the 4byte cipher with 8byte key, and restore the original 4byte plaintext. The KEELOQ algorithm calculation process needs to define a data register for storing 4byte plaintext y31~0 or 4byte ciphertext y31~0, and a key register for storing the 8byte key k63~0.

KEELOQ Data encryption process model as shown in Figure 1, first define a nonlinear table, the nonlinear table has a 5bits input code, 1bit output code. It takes 5bits:y31, Y26, Y20, Y9, y1 evenly in the data register and generates an output code through the NLF (nonlinear Logic Function) operation. The output code then generates 1bit encrypted data code with the Y16 and y0 in the data register and the K0 in the key register. Each generation of 1bit encrypted data code, key register and data register to shift, key register for loop shift, encrypted data code as the input of data register shift, repeat the above steps 528 times, to obtain 4byte output cipher text.

NLF (x4,x3,x2,x1,x0) =x4x3x2^x4x3x1^x4x2x0^x4x1x0^x4x2^x4x0^x3x2^x3x0^x2x1^x1x0^x1^x0

Figure 1 KeeLoq Encryption Model diagram

KeeLoq data decryption model as shown in Figure 2, the operation of the process is basically the same as that of the data encryption process, except that the data bits of the operation data are changed. The 5bits input code of nonlinear table is changed to take fixed 5bits:y30, y25, Y19, Y8 and y0 evenly from the data register. 1bit output code is generated after the output code and the data register in the Y31 and Y15, and the key register k15 to generate 1bit decrypted data code. After each output 1bit decryption data code, the key register and the data register are shifted separately, the key register for the loop shift, the decryption data code as the data register shift input, repeat the above steps 528 times, restore the plaintext of 4byte.

Figure 2 KeeLoq decryption Model diagram

1.2 KeeLoq Implementation Mechanism

Using the KeeLoq method to encode and decode the data, the communication process should be carried out strictly according to the following procedure. First, both the encoding and decoding ends require non-volatile storage space to store the 8byte key (for codec, programmable and not to be sent non-leaking), 3byte serial number (used to distinguish between different encoding ends), 2byte synchronization count value (for generating the coded scrolling effect, after each data transfer is completed, Its value is updated after 1), 1byte Identification code (low 1byte of the serial number), and 4byte Seed code (used to generate the key in Safe mode).

When the user has a key operation, the KEELOQ encoding end of the 1byte function keys, 1byte identification code, 2byte synchronization count values combined into 4byte plaintext, according to Figure 1 of the NLF operation rules are encrypted into 4byte cipher, plus 4byte fixed code (3byte serial number, 1byte function keys), combined into a set of 8byte encoded data sent. Due to each sending process, the synchronization count value since plus 1, so that each time the 4byte ciphertext sent is unique, irregular, and do not repeat, so called rolling code, can effectively prevent password capture and password copy. Since the coding combination of 8byte achieves 2^64=1.84*10^19, it can effectively prevent password scanning.

After the decoding end receives 8byte ciphertext data, first match the encoder end and the decoding segment of the 3byte serial number consistent, according to Figure 2 KeeLoq decoding operation rule to restore the 4byte plaintext. After the identification code and the function keys are correct, it is concluded that the synchronization count value is increased reasonably. After confirming the success, according to the function key definition, control the corresponding actuator action.

2 KeeLoq algorithm insufficiency and improvement

The security and insufficiency of 2.1 KeeLoq algorithm

The NLF operation rules of the KEELOQ algorithm make a very small input variation, which also results in a large output change, resulting in a coded scrolling effect. The cipher analyst can not observe the change of the analysis output by inputting the small change, so that the key can be cracked, so the KEELOQ algorithm has high security characteristics.

Although the KEELOQ algorithm was released in the 1980s, it was not until 2007 that Bogdanov attacked the KEELOQ algorithm for the first time, using a guessing-decision-and-swipe technique to complete the attack with a 252 complexity and a spatial complexity of 16GB. In 2008, Courtois and other people proposed 4 kinds of sliding-algebra attack methods, the main idea is to use KEELOQ algorithm continuous 64 circle function to form the permutation and ring structure and random permutation ring structure difference, first attack the first 16bits of the key, and then attack the remaining 48bits. The computational complexity is at least about O (2^43) encryption. In 2010, Rang Jianxiong and others proposed 3 different ways of using byte-oriented differential fault attacks, in which the most efficient method of attacking, recovering 1 bit key information averaged only 0. 707,617 errors, recovering a 8byte key requires only 46 errors.

Although the KEELOQ algorithm has made many effective attacks since its release, it greatly reduces the computational time complexity, but also increases the computational space complexity and requires a certain number of known premises. In the actual password cracking process, the difficulty coefficient is high, so its security is sufficient to ensure that it is widely used in practical application.

Improvement of 2.2 KEELOQ algorithm

The KEELOQ encryption algorithm is a 4byte block cipher with a short key length of only 8byte. In order to further improve the security of KEELOQ algorithm, this paper has improved the encoding and decoding process and key management respectively, in view of the effective attack of the relevant literatures and the shortcomings of the algorithm.

Improvement of 2.2.1 encoding and decoding process

Firstly, the process of coding and decoding is based on the triple Data encryption algorithm (3des,triple-encryption algorithm), and a triple KEELOQ algorithm is proposed. That is, the use of three different keys to clear text, the first time to obtain ciphertext and the second time to obtain ciphertext for KEELOQ encryption, to generate the final cipher text. The decryption process is to first use the third key to decrypt the final ciphertext to get the second cipher, with the second key to decrypt the second cipher to get the first ciphertext, and finally use the first key to decrypt the first ciphertext to get the original plaintext. This process is a more secure variant of the KEELOQ algorithm by increasing the KEELOQ key length to increase the time complexity and computational complexity of the KEELOQ attack to further enhance its security.

Improvement of key management mechanism of 2.2.2 KeeLoq

Take Microchip's KEELOQ Key management mechanism as an example. Microchip defines a learning model to manage keys. The purpose of the learning mode is to pair the encoding end with the decoding end. In the learning process, first press the Learning button, decoding the cipher after decoding, the function keys and identification code is correct, the encoding end of the synchronization count value and serial number stored in their non-volatile storage space, so that the learning success. After the learning is successful, the encoding end can communicate with the decoding terminal normally.

Microchip has proposed three learning modes (Key management mechanisms) in total. The first type: Easy learning mode. Simple Learning mode cannot modify the key, and once the key is compromised, the consequences cannot be retrieved.

The second type: Standard learning mode. Standard learning mode in the learning process can simultaneously press all or more function buttons, then this mode will be the original key and the encoding end of the serial number through an algorithm to generate a new key, the decoding side after receiving ciphertext, through the original key decryption is incorrect, will try to use the original key + serial number to generate a new key to decrypt the text, Once the decryption is successful, the decoding side will change the key in its non-volatile storage space. It is clear that the standard learning model is much more secure than the simple learning model, where the difficulty of leaking the original key and serial number is significantly more difficult than simply leaking the original key.

The third type: safe learning mode. Safe Learning Mode has a seed code more than standard learning mode, the learning process is similar to the standard mode, except that the standard mode generates the XINMI key in the same way: the original key + serial number. The Safe learning mode is that the original key + seed code + serial number generates a new key through an algorithm.

Three learning modes, the security layer is higher than the first layer. The security of the simple learning mode depends entirely on the key is not lost, the standard learning mode security relies on the key and the serial number is not lost simultaneously, the security learning mode security relies on the key, the seed code and the serial number is not simultaneously lost. Of course, the algorithm that generates the XINMI key cannot be lost.

Speaking of which, we say that there are many kinds of improvements to the key management mechanism. For example, we can have a manual input seed code to send it in a fixed code, so that our QQ or Google account is stolen, directly manually change the password as comfortable. Or if you can't do it manually, we can make a random generator that randomly generates a seed code, so you don't have to worry about where the seed code will leak, because we don't know what the seed code will be. The improvement of key management mechanism depends on the application environment of KEELOQ algorithm. Everything is not perfect, but we can make even a little progress.

Attached KEELOQ algorithm source code

SOURCE One: keeloq.c (32-bit processor)

#include <iostream> #include <stdio.h>using namespace std;unsigned long long int serx=0xefcdab2143658709; unsigned long long int key=0xefcdab2143658709;unsigned int hope;unsigned int c=0;int nlf[2][2][2][2][2];int getbit (unsig Ned Long Long int source,int n) {unsigned long long int temp0= ((long long int) 1<<n) unsigned long long int temp1=so Urce&temp0;if (Temp1! = 0) {return 1;} return 0;} void Rrchope () {if (c!=0) {hope= (hope>>1) |0x80000000;} Else{hope= (hope>>1) &0x7fffffff;}} void Rlchope () {if (c!=0) {hope= (hope<<1) | |  Else{hope= (hope<<1) &0xFFFFFFFE;}} void CRYPT () {//key=serx;for (int i = 0; i < 528; i++) {int nlf=nlf[getbit (HOPE)][getbit (HOPE,)][getbit (HOPE, 20 )][getbit (HOPE, 9)][getbit (HOPE, 1)];int y16=getbit (HOPE, +); int y0=getbit (HOPE, 0); int k=getbit (key, i%64); int result =nlf^y16^y0^k;if (result!=0) {c=1;} else {c=0;} Rrchope ();}} void DECRYPT () {key=serx;for (int i = 528; I >0; i--) {int Nlf=nlf[getbit (HOPE, +)][getbit (HOPE,][getbit (HOPE)][getbit (HOPE, 8)][getbit (HOPE, 0)];int y15=getbit (HOPE, n); int y31=getbit (HOPE, +); int k= Getbit (Key, (i-1)%64); int result=nlf^y15^y31^k;if (result!=0) {c=1;} else {c=0;} printf ("Step%d:%x%x%x%x%x\n", I,hope,nlf,y15,y31,k,result); Rlchope ();}} int main () {nlf[0][0][0][0][0]=0; Nlf[0][0][0][0][1]=1; Nlf[0][0][0][1][0]=1; Nlf[0][0][0][1][1]=1; nlf[0][0][1][0][0]=0; Nlf[0][0][1][0][1]=1; nlf[0][0][1][1][0]=0; nlf[0][0][1][1][1]=0; nlf[0][1][0][0][0]=0; nlf[0][1][0][0][1]=0; Nlf[0][1][0][1][0]=1; nlf[0][1][0][1][1]=0; Nlf[0][1][1][0][0]=1; Nlf[0][1][1][0][1]=1; Nlf[0][1][1][1][0]=1; nlf[0][1][1][1][1]=0; nlf[1][0][0][0][0]=0; nlf[1][0][0][0][1]=0; Nlf[1][0][0][1][0]=1; Nlf[1][0][0][1][1]=1; Nlf[1][0][1][0][0]=1; nlf[1][0][1][0][1]=0; Nlf[1][0][1][1][0]=1; nlf[1][0][1][1][1]=0; nlf[1][1][0][0][0]=0; Nlf[1][1][0][0][1]=1; nlf[1][1][0][1][0]=0; Nlf[1][1][0][1][1]=1; Nlf[1][1][1][0][0]=1; Nlf[1][1][1][0][1]=1; nlf[1][1][1][1][0]=0; Nlf[1][1][1][1][1]=0;while (1) {scanf ("%x", &hope); CRYPT ();p rintf ("%x\n", HOPE);D ecrypt ();p rintf ("%x\n", HOPE);}              return 0;}

SOURCE Two: keeloq.h+keeloq.c (8-bit microcomputer)

unsigned char serx[]={0xef,0xcd,0xab,0x21,0x43,0x65,0x87,0x09};  unsigned char key[]={0x09,0x87,0x65,0x43,0x21,0xab,0xcd,0xef}; unsigned char nlf[2][2][2][2][2];  unsigned char getbit (unsigned char source[],int n); unsigned char * RRC (unsigned char source[],char c,char n); unsigned char * RLC (unsigned char source[],char c,char n); unsigned char * CRYPT (unsigned char *source); unsigned char *  DECRYPT (unsi gned char *source); void Init ();

#include <stdio.h> #include "KeeLoq.h"/***************************** * * @param source * @param n * @return Source Nth single digit * ******************************/unsigned char getbit (unsigned char source[],int n) {unsigned char temp0= (unsigned char) 1<< (n%8); unsigned char temp1=source[n/8]&temp0; if (temp1!=0) {return 1;} return 0;} /*********************** * * @param source[] * @param c carry flag bit * @param n Array length * @return The source array carries a right shift ***************** /unsigned char * RRC (unsigned char source[],char c,char n) {int i=0;unsigned char temp; for (i=n-1;i>=0;i--) {Temp  =source[i]; if (c!=0) {source[i]= (source[i]>>1) |0x80;} else{source[i]= (source[i]>>1) &0x7f;} if (temp&0x01!=0) {c=1;}  else{c=0;}} return source;} /********************************* * * @param source[] * @param c carry flag bit * @param n Array length * @return The source array carries a left shift ******* /unsigned char * RLC (unsigned char source[],char c,char n) {int i=0;unsigned char temp;for (i=0 ; i<n;i++) { Temp=source[i];if (c!=0) {source[i]= (source[i]<<1) |0x01;} else{source[i]= (source[i]<<1) &0xfe;} if ((temp&0x80)!=0) {c=1;} else{c=0;}} return source;} /************************************* * * @param source * @return Source plaintext after KeeLoq encrypted ciphertext **************************** /unsigned char * CRYPT (unsigned char *source) {int i=0;unsigned char c=0;unsigned char nlf,y16,y0,k,result; init (); for (i = 0; i < 528; i++) {nlf=nlf[getbit (source)][getbit (source, N)][getbit (source, 9)][getbit Bit (source, 1)]; Y16=getbit (source, +); Y0=getbit (source, 0); K=getbit (key, i%64); Result=nlf^y16^y0^k;if (result!=0) {c=1;} else {c=0;} SOURCE=RRC (source,c,4); }return Source;} /************************************* * * @param source * @return Source ciphertext after KeeLoq decrypted plaintext **************************** /unsigned char * DECRYPT (unsigned char *source) {int i=0;unsigned char c=0;unsigned char nlf,y15,y31,k,result;i NIT (); for (i = 528; I >0; i--) {nlf=nlf[getbit (sourCE,][getbit (source,][getbit)][getbit (source, 8)][getbit (source, 0)];y15=getbit (source, n); y31= Getbit (source, +); K=getbit (Key, (i-1)%64); Result=nlf^y15^y31^k;if (result!=0) {c=1;}  else {c=0;} SOURCE=RLC (source,c,4); }return Source;} /************************************* * * Initialize the value of the nonlinear logic function **************************************/void init () {NLF[0][0 ][0][0][0]=0; Nlf[0][0][0][0][1]=1; Nlf[0][0][0][1][0]=1; Nlf[0][0][0][1][1]=1; nlf[0][0][1][0][0]=0; Nlf[0][0][1][0][1]=1; nlf[0][0][1][1][0]=0; nlf[0][0][1][1][1]=0; nlf[0][1][0][0][0]=0; nlf[0][1][0][0][1]=0; Nlf[0][1][0][1][0]=1; nlf[0][1][0][1][1]=0; Nlf[0][1][1][0][0]=1; Nlf[0][1][1][0][1]=1; Nlf[0][1][1][1][0]=1; nlf[0][1][1][1][1]=0; nlf[1][0][0][0][0]=0; nlf[1][0][0][0][1]=0; Nlf[1][0][0][1][0]=1; Nlf[1][0][0][1][1]=1; Nlf[1][0][1][0][0]=1; nlf[1][0][1][0][1]=0; Nlf[1][0][1][1][0]=1; nlf[1][0][1][1][1]=0; nlf[1][1][0][0][0]=0; Nlf[1][1][0][0][1]=1; nlf[1][1][0][1][0]=0; Nlf[1][1][0][1][1]=1; Nlf[1][1][1][0][0]=1; Nlf[1][1][1][0][1]=1; nlf[1][1][1][1][0]=0; nlf[1][1][1][1][1]=0; } int main () {unsigned char source[4];unsigned char *p; scanf ("%c%c%c%c",&source[3],&source[2],& Source[1],&source[0]);  p=source;printf ("%x%x%x%x\n", p[3],p[2],p[1],p[0]);  P=crypt (P);p rintf ("%x%x%x\n", p[3],p[2],p[1],p[0]); P=decrypt (P);p rintf ("%x%x%x", p[3],p[2],p[1],p[0]); return 0;}

SOURCE Three: Keeloqcrypt.java

Import Java.util.scanner;public class Keeloqcrypt {/** * @param args */private static long Serx=0xefcdab2143658709l;priva   Te Static long key=0xefcdab2143658709l; private static int Nlf[][][][][]=new int[2][2][2][2][2];/********* * Constructor */keeloqcrypt () {nlf[0][0][0][0][0]=0; Nlf[0][0][0][0][1]=1; Nlf[0][0][0][1][0]=1; Nlf[0][0][0][1][1]=1; nlf[0][0][1][0][0]=0; Nlf[0][0][1][0][1]=1; nlf[0][0][1][1][0]=0; nlf[0][0][1][1][1]=0; nlf[0][1][0][0][0]=0; nlf[0][1][0][0][1]=0; Nlf[0][1][0][1][0]=1; nlf[0][1][0][1][1]=0; Nlf[0][1][1][0][0]=1; Nlf[0][1][1][0][1]=1; Nlf[0][1][1][1][0]=1; nlf[0][1][1][1][1]=0; nlf[1][0][0][0][0]=0; nlf[1][0][0][0][1]=0; Nlf[1][0][0][1][0]=1; Nlf[1][0][0][1][1]=1; Nlf[1][0][1][0][0]=1; nlf[1][0][1][0][1]=0; Nlf[1][0][1][1][0]=1; nlf[1][0][1][1][1]=0; nlf[1][1][0][0][0]=0; Nlf[1][1][0][0][1]=1; nlf[1][1][0][1][0]=0; Nlf[1][1][0][1][1]=1; Nlf[1][1][1][0][0]=1; Nlf[1][1][1][0][1]=1; nlf[1][1][1][1][0]=0; nlf[1][1][1][1][1]=0; }/***************** * * @param source * @param n * @return the nth single digit of source */private static int getbit (long source,int N) {long temp0= (long) 1<<n); Long temp1=source&temp0;if (Temp1! = 0) {return 1;} return 0;} /**************** * * @param soucre * @param c * @return with carry-right shift */private static int RRC (int soucre,int c) {if (c!=0) {Soucre = (soucre>>1) |0x80000000;} Else{soucre= (soucre>>1) &0x7fffffff;} return soucre;} /******************** * * @param source * @param c * @return carrying carry left */private static int RLC (int source, int c) {if (c!=0) {s Ource= (source<<1) | Else{source= (source<<1) &0xFFFFFFFE;}  return source;}  /******************** * * @param source * @param key * @return Source passes the key key for KEELOQ encrypted data */private static int CRYPT (int Source, long Key) {long mkey=key;int c;for (int i = 0; i < 528; i++) {int nlf=nlf[getbit (source, *)][getbit (source, (source,][getbit)][getbit (source, 9)][getbit (source, 1)];int y16=getbit (source, +); int y0=getbit (source, 0); int K=getbit (Mkey, i%64); int result=nlf^y16^y0^k;if (result!=0) {C=1;} else {c=0;} SOURCE=RRC (source,c);} return source;} /********************************* * * @param source * @param key * @return Source passes the key key for KeeLoq decrypted data */private static int DECRYPT (int source, long key) {long mkey=key;int c;for (int i = 528; I >0; i--) {int nlf=nlf[getbit (source,.)][g Etbit (source,][getbit)][getbit (source, 8)][getbit (source, 0)];int y15=getbit (source, n); int y31= Getbit (source, +); int K=getbit (Mkey, (i-1)%64); int result=nlf^y15^y31^k;if (result!=0) {c=1;} else {c=0;} SOURCE=RLC (source,c);} return source;} public static void Main (string[] args) {//TODO auto-generated method stubnlf[0][0][0][0][0]=0; Nlf[0][0][0][0][1]=1; Nlf[0][0][0][1][0]=1; Nlf[0][0][0][1][1]=1; nlf[0][0][1][0][0]=0; Nlf[0][0][1][0][1]=1; nlf[0][0][1][1][0]=0; nlf[0][0][1][1][1]=0; nlf[0][1][0][0][0]=0; nlf[0][1][0][0][1]=0; Nlf[0][1][0][1][0]=1; nlf[0][1][0][1][1]=0; Nlf[0][1][1][0][0]=1; Nlf[0][1][1][0][1]=1; Nlf[0][1][1][1][0]=1; nlf[0][1][1][1][1]=0; nlf[1][0][0][0][0]=0; nlf[1][0][0][0][1]=0; Nlf[1][0][0][1][0]=1; Nlf[1][0][0][1][1]=1; Nlf[1][0][1][0][0]=1; nlf[1][0][1][0][1]=0; Nlf[1][0][1][1][0]=1; nlf[1][0][1][1][1]=0; nlf[1][1][0][0][0]=0; Nlf[1][1][0][0][1]=1; nlf[1][1][0][1][0]=0; Nlf[1][1][0][1][1]=1; Nlf[1][1][1][0][0]=1; Nlf[1][1][1][0][1]=1; nlf[1][1][1][1][0]=0; nlf[1][1][1][1][1]=0; Scanner mscanner=new Scanner (system.in); int Hope=mscanner.nextint (16); System.out.printf ("%x\n", CRYPT (Hope,key)); System.out.printf ("%x\n", DECRYPT (CRYPT (Hope,key), key)); System.out.printf ("%x\n", Getbit (hope,1)); }}

Please support the original, respect for the original, reproduced please indicate the source: Http://blog.csdn.net/kangweijian (from Kangweijian of the csdn blog)

by 2015.2.4 Night

Deep analysis of KeeLoq algorithm