Cryptanalysis of the ``Kindle'' Cipher

Home , Cipher, Ciphertext, Cryptanalysis

Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ......

Cryptanalysis of the “Kindle” Cipher

Alex Biryukov, Gaëtan Leurent, Arnab Roy

University of Luxembourg

SAC 2012

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 1 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Cryptography: theory and practice

In theory In practice

▶ Random Oracle ▶ Algorithms ▶ ▶ Ideal Cipher AES ▶ SHA2 ▶ Perfect source of ▶ RSA randomness ▶ Modes of operation ▶ CBC ▶ OAEP ▶ ... ▶ . Random Number Generators ▶ Hardware RNG ▶ PRNG

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 2 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Cryptography in the real world

Several examples of ﬂaws in industrial cryptography: ▶ Bad random source ▶ SLL with 16bit entropy (Debian) ▶ ECDSA with ﬁxed k (Sony)

▶ Bad key size ▶ RSA512 (TI) ▶ Export restrictions... ▶ Bad mode of operation ▶ CBCMAC with the RC4 streamcipher (Microsoft) ▶ TEA with DaviesMeyer (Microsoft)

▶ Bad (proprietary) algorithm ▶ A5/1 (GSM) ▶ CSS (DVD forum) ▶ Crypto1 (MIFARE/NXP) ▶ KeeLoq (Microchip)

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 3 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Amazon Kindle

▶ Ebook reader by Amazon ▶ Most popular ebook reader (≈ 50% share)

▶ 4 generations, 7 devices ▶ Software reader for 7 OS, plus cloud reader ▶ Several million devices sold ▶ Amazon sells more ebooks than paper books

▶ Uses crypto for DRM (Digital Rights Management)

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 4 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Digital Rights Management

▶ Company sells media (music, video, ebook, game, ...) ▶ Wants to prevent sharing . ▶ Customer should read but not copy Charly DRM scheme

▶ Encipher media ▶ Bob Give player to users ▶ Hardware or software Alice ▶ Player contains the key

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 5 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Digital Rights Management

▶ Company sells media (music, video, ebook, game, ...) ▶ Wants to prevent sharing . ▶ Customer should read but not copy Charly DRM scheme

▶ Encipher media ▶ ? Bob Give player to users ▶ Hardware or software Alice ▶ Player contains the key

▶ Extract the key from the player, decipher media

Tamperproof hardware? Obfuscation? Whitebox crypto?

▶ No need to break the crypto! ▶ Pirates break once, copy...

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 6 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Digital Rights Management Legal User

▶ Can only use authorized player ▶ Collection lockedin . ▶ DRM can restrict user rights ▶ Lending, reselling, ... Charly ▶ No format shifting: ▶ play DVD on tablet ▶ read ebook w/ speech synth.

Bob Illegal User Alice ▶ Can still ﬁnd illegal copies ▶ Can do anything with the media

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 7 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... DRM on the Kindle

▶ Kindle ebooks use DRM ▶ Like any DRM system, it is bound to fail ▶ In practice, it is easy to extract the key (Google for details...)

Overview

▶ In this talk, we study the cipher used in this DRM system We don’t study the DRM system itself ▶ The DRM system uses a cipher called PC1

▶ It’s a really weak cipher...

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 8 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Outline

Introduction Cryptography in the real world Digital Rights Management The PC1 Cipher Description Weaknesses Known-plaintext key-recovery Collision detection Key recovery Ciphertext only key-recovery Bias with independent keys Recovering the plaintext

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 9 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... The PC1 Cipher ▶ Designed by Pukall in 1991 ▶ Posted on Usenet p π s 8 ▶ Kindle DRM based on PC1 8 16 ▶ Selfsynchronizing stream cipher No IV! w . ▶ k 128 햪향 8 × 16 햲향 16bit arithmetic: add, mult, xor

Main loop (햪향 and 햲향) σk σs 16 16 for 0 ≤ i < 8 do 16 w ← w ⊕ ki ⊕ (π × 257) 햿허헅햽 x ← 346 × w 8 σ w ← 20021 × w + 1 p c s ← s + x σ ← σ ⊕ w ⊕ s s ← 20021 × (s + (i+1 mod 8)) + x A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 10 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Weakness 1: T-functions Weakness This is a Tfunction p π s 8 ▶ Low bits of the output 8 16 depend only on the low bits of the input . w ▶ Add, mult, xor k 8 × 16 햪향 8 × 16 햲향

▶ Guess 8 × 9 bits of the key σk σs 16 16 ▶ Get 9 bits before the fold 16 ▶ Get 1 bit after the fold 햿허헅햽 ▶ Verify with known plaintext 8 σ p c ▶ Complexity: 272 some bytes of known plaintext A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 11 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Weakness 2: small state Weakness The state is very small p π s 8 s 16bit 8 16 π 8bit, keyindependent

. w k 8 × 16 햪향 8 × 16 햲향 ▶ Build a set of plaintexts xi‖y, xi’s with ﬁxed xorsum σk σs ▶ With high probability the 16 16 16 state collides after xi and xj 햿허헅햽 ▶ Same encryption of y 8 σ p c ▶ Complexity: 28 CP (distinguisher)

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 12 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Outline

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 13 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Collision detection Can we use state collisions in a knownplaintext attack?

How much wood could a woodchuck chuck gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc if a woodchuck could chuck wood? ghxadiaphjjxicwpidkasqghugbqsjbf

▶ In a natural language text, some words will be repeated. ▶ With some probability (p ≈ 2−24), two instances of a repeated word begin with the same state. ▶ This gives a repetition in the ciphertext.

▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 14 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Collision detection Can we use state collisions in a knownplaintext attack?

How much wood could a woodchuck chuck gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc if a woodchuck could chuck wood? ghxadiaphjjxicwpidkasqghugbqsjbf

▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.

How much wood could a woodchuck chuck gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc if a woodchuck could chuck wood? ghxadiaphjjxicwpidkasqghugbqsjbf

▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.

How much wood could a woodchuck chuck gfecuhaupmaqcdlvtognfgdhisqghugbrfqvc if a woodchuck could chuck wood? ghxadiaphjjxicwpidkasqghugbqsjbf

▶ When we detect a repetition in the plaintext and ciphertext, we can assume that the state is colliding.

p π s ▶ Use state collisions to 8 8 16 test key guess ▶ Skip output part

. w k 8 × 16 햪향 8 × 16 햲향 Weakness This is a Tfunction

σk σs ▶ 16 16 Guess 8 × 1 bits of the key 16 ▶ Compute 1 bit of s, 햿허헅햽 check collisions in s 8 σ ▶ Repeat with 2nd bit, ... p c

p π s ▶ Use state collisions to 8 8 16 test key guess ▶ Skip output part

. w k 8 × 16 햪향 8 × 16 햲향 Weakness This is a Tfunction

σk σs ▶ 16 16 Guess 8 × 1 bits of the key 16 ▶ Compute 1 bit of s, 햿허헅햽 check collisions in s 8 σ ▶ Repeat with 2nd bit, ... p c

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 15 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Improving the Complexity ▶ Simpliﬁed state update: st+1 = wt + b × st + c 7 ▶ ∑ w ≜ i=0 (ai × wi) ′ ▶ keydep. Sbox 햪향 ∶ π → wπ p π s ▶ 8 Iterate the state update: t t 8 16 s = R (w0, ..., w255) linear Explicit with known πt

. ′ w ′ ▶ State collisions give linear k 햪향 햲향 t u 128 16 relations of wx: R = R ▶ Look for sparse relations ▶ For each (partial) key guess, compute wx  check relations ▶ Faster than computing s

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 16 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Experiments E-book of 336kB (with LZ77 compression) 32 2 . Experiments. . Median. 228

224

Key trials 220

216 . 6 7 8 16 32 64 128 Number of collisions Practical key-recovery attack Complexity ≈ 231 with ≈ 220 bytes of (low entropy) known plaintext Key trial costs less than 256 instead of full encryption . A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 17 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Outline

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 18 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Ciphertext Only Attack Main idea If the state (s, π) collides, then the output stream σ is the same. Note that s depend on the key, but π = ⨁ pi Consider two positions t, u and a random key:

⎧ 2−8 if πt ≠ πu t u ⎪ Pr [σ = σ ] ≈ ⎨ ′ K ⎪2−8 + Pr ￮st = st ￱ if πt = πu ⎩ ct ⊕ cu = σt ⊕ pt ⊕ σu ⊕ pu

▶ Consider several copies of a given text, encrypted with diﬀerent, unrelated keys (collusion). ▶ Look at the distribution of ct ⊕ cu: ▶ If ﬂat, πt ≠ πu ▶ If one peak, then πt = πu, and get pt ⊕ pu

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 19 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Ciphertext Only Attack Main idea If the state (s, π) collides, then the output stream σ is the same. Note that s depend on the key, but π = ⨁ pi Consider two positions t, u and a random key:

⎧ 2−8 if πt ≠ πu t u ⎪ Pr [c ⊕ c = X] ≈ ⎨ ′ K ⎪2−8 + Pr ￮st = st ￱ if πt = πu, X = pt ⊕ pu ⎩ ct ⊕ cu = σt ⊕ pt ⊕ σu ⊕ pu

1 There are similar bias with the low bits of σ:

1 + 1/4 . Probability. (exp.)

1 + 1/8

1 . 0 32 64 96 128 160 192 224 256 햻헂헍헋햾헏 (σu ⊕ σu)

Use bias in low bit of ct ⊕ cu: if πt = πu and X ≡ pt ⊕ pu mod 2, then

′ Pr ￮ct ⊕ cu ≡ X mod 2￱ ≈ 2−1 + Pr ￮st ≡ st mod 29￱ K

2 Use positions with t ≡ u mod 8 ▶ This gives a bias of 2−6 to 2−4 (cancellations in the state update)

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 20 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Clustering algorithm Finding relations

▶ Look at the distribution of ct ⊕ cu mod 2: ▶ If ﬂat, then πt ≠ πu ▶ If one peak, then πt = πu

▶ Use a clustering algorithm to recover πt: ▶ Initially, all positions are assigned a diﬀerent color. ▶ When πt = πu is detected, merge colors. ▶ Easier to detect bias with larger clusters t ▶ Combine the biases cti ⊕ c j

▶ At the end, 256 colors correspond to the 256 values of πt ▶ Recover the value of πt using some known plaintext. ▶ Recover p.

▶ Practical with 210 keys, and 217 data

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 21 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion ...... Conclusion Don’t use an untested cipher! Attacks on PC1 Complexity Data Ref. Dist. Chosen plaintext 216 216 Usenet Key rec. Known plaintext 272 24 Usenet Key rec. Known plaintext 231 220 New Key rec. Ciphertext only, 210 unrelated keys 235 217 per key New Attacks on PSCHF Complexity Ref. 2nd pre. with meaningful messages 224 New

Impact for the Kindle? Pirates can just extract the key... They don’t need to break the cipher to break the DRM scheme.

A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 22 / 22