Dismantling the AUT64 Automotive Cipher

. AUT64 is a 64-bit automotive block cipher with a 120-bit secret key used in a number of security sensitive applications such as vehicle immobilisation and remote keyless entry systems. In this paper, we present for the ﬁrst time full details of AUT64 including a complete speciﬁcation and analysis of the block cipher, the associated authentication protocol, and its implementation in a widely-used vehicle immobiliser system that we have reverse engineered. Secondly, we reveal a number of cryptographic weaknesses in the block cipher design. Finally, we study the concrete use of AUT64 in a real immobiliser system, and pinpoint severe weaknesses in the key diversiﬁcation scheme employed by the vehicle manufacturer. We present two key-recovery attacks based on the cryptographic weaknesses that, combined with the implementation ﬂaws, break both the 8 and 24 round conﬁgurations of AUT64. Our attack on eight rounds requires only 512 plaintext-ciphertext pairs and, in the worst case, just 2 37 . 3 oﬄine encryptions. In most cases, the attack can be executed within milliseconds on a standard laptop. Our attack on 24 rounds requires 2 plaintext-ciphertext pairs and 2 48 . 3 encryptions to recover the 120-bit secret key in the worst case. We have strong indications that a large part of the key is kept constant across vehicles, which would enable an attack using a single communication with the transponder and negligible oﬄine computation.

Since 1995, it has been mandatory for vehicle manufacturers who wish to sell their vehicles inside the EU to fit them with an electronic immobiliser [Com95].It has been estimated that between 1995 and 2008, vehicle immobilisers have reduced the rate of vehicle theft by 40% [OV16].
Vehicle immobilisers are electronic devices which prevent the engine of a vehicle from starting when the corresponding transponder is not present.A transponder is a wireless authentication device, which is usually embedded into the plastic of a vehicle key.The immobiliser authenticates the transponder using an antenna mounted around the ignition barrel so that the immobiliser can communicate with the transpon-der when the vehicle key is inserted.When the driver starts the vehicle, the immobiliser authenticates the transponder before starting the engine, thus preventing hot-wiring.
In this paper, we reverse engineer a widely used vehicle immobiliser system based on the Atmel TK5561 transponder and the AUT64 cipher [Atm06].The TK5561 transponder is used in a number of Mazda, Ford and Proton vehicle keys, which are shown in Table 1.The TK5561 is based on a patented method of cryptographic authentication [BF03], which uses the AUT64 block cipher and a proprietary authentication protocol.
AUT64 is a 64-bit Feistel network block cipher with a 120-bit secret key.It is used in a number of automotive applications, which include the remote keyless entry system used by most Volkswagen Group vehicles sold between 2004 and 2009 [GOKP16].AUT64 is round-based and has been found in a number of different configurations, for example, the Volkswagen Group employs AUT64 with 12 rounds.The TK5561 transponder uses AUT64 with either 8 or 24 rounds, depending on a configuration bit set in the transponder's memory.

Contribution and Outline
The contribution made in this paper is threefold: First, we present the results of reverse engineering AUT64 from a Mazda immobiliser system.We reveal all details of the AUT64 block cipher and the associated TK5561 authentication protocol.Secondly, we present a complete analysis of AUT64, which includes extensive cryptanalysis of the block cipher as a cryptographic primitive in Section 4 and Section 5. We demonstrate the following cryptographic weaknesses in AUT64 • The AUT64 Feistel network compression function is cryptographically weak, as its output is highly predictable; • Input to the compression function can be precisely controlled by an attacker in the first round of encryption; • The AUT64 substitution-permutation network behaves non-randomly when its input is nibble-wise symmetric; • The cryptographically weak output from the first round of encryption can be identified by analysing small sets of ciphertexts; • The cipher has certain weak keys.
In Section 5.4 and Section 5.5, we identify a novel technique based on integral cryptanalysis that allows us to determine several elements of the secret key.We show that the eight round AUT64 has weaknesses which reduce its key size from 120 bits to no more than 57.5 bits in a chosen-plaintext setting.These results are of independent interest w.r.t. the cryptanalysis of Feistel ciphers with key-dependent permutations and S-Boxes.
Third, in our analysis of the implementation by a major vendor (Section 6), we identify the following weaknesses 1.The key management scheme reduces the permutation key size to just sixteen keys per automotive manufacturer, with one key being used per vehicle family; 2. 32 bits of the key are derived based on the transponder ID, using a manufacturer-wide key derivation function; 3. There are indications that a large part of the key is constant across different vehicles by the same manufacturer.Based on the cryptographic and implementational weaknesses of AUT64, which we summarise in Table 2, we present two attacks: Our first attack targets the full 24 round AUT64 implementation in the studied system.We show that the security of the system is no more than 2 48.3 bits; and likely much worse in practice, as we have indications that part of the key is constant for many vehicles.Our second attack makes use of the knowledge of 32 bits of the key to break eight rounds of AUT64 within milliseconds using a standard laptop.

Related Work
The need for transparency into the workings of cryptographic systems has been known since at least the late nineteenth century [Ker83].Still, there are many examples in the literature of proprietary cryptographic systems which have tried and failed to achieve security by obscurity.Some prominent examples include WEP [SIR02, SSVV14], GSM A5/1 [Gol97, BBK08, PPPM13], DSC for cordless telephones [NTW10,WTHH11], GMR for satellite phones [DHW + 12], E0 for Bluetooth [SW06] and CSS for digital rights management [Ste99].
Within the automotive industry, the pitfalls of proprietary cryptography have become apparent.Algorithms originating from the semiconductor industry and specifically marketed as automotive immobiliser and remote keyless entry solutions have been shown to be highly insecure [GOKP16].The first vehicle immobiliser to be broken was Texas Instruments Digital Signature Transponder (DST) in 2005 [BGS + 05].Since then, two other major cryptographic immobiliser solutions have been reverse engineered and proven to be insecure, namely Hitag2 [VGB12] and Megamos Crypto [VGE15].Remote keyless entry systems have received a similar treatment.KeeLoq [Bog08, EKM + 08] as well as VW Group systems [GOKP16] have been reverse engineered and subsequently found to be insecure.Francillion et al. [FDC10] found that remote key unlocking and vehicle start systems from eight different manufacturers were vulnerable to relay attacks.
AUT64 was first identified by Garcia et al. for its use in a popular Volkswagen Group remote keyless entry system [GOKP16].Volkwagen's implementation of AUT64 was undermined by the use of a fixed global master key and so only a peripheral overview of the cipher was given.In this paper we substantially expand upon this earlier work by reverse engineering, fully specifying and cryptanalysing the AUT64 cipher.

Technical Background
In this section we introduce our notation and the cryptographic definitions which are necessary to describe AUT64.

Notation
Our notation conventions are as follows: when our operands are bytes or nibbles we make use of the operations ∧, ∨, ⊕, and which are bitwise AND, OR, XOR, left-shift and right-shift, respectively.We use to mean concatenation and we use the term symmetric byte to refer to a byte b of the form n n where n ∈ F 4 2 .When describing byte strings or look up tables, we use square brackets to specify the index.We use the functions msb m and lsb m which return the m most and least significant bits, respectively.When our operand is a single byte we use the functions un and ln to mean msb 4 and lsb 4 , respectively.
Where M is some set we use m R ← − M to denote the assignment to m an element in M chosen uniformly at random.

Chosen Plaintext Attack
Security against Chosen Plaintext Attack (CPA) is a standard notion when analysing the security of a cipher.CPA defines an interaction between an adversary and a black-box encryption oracle.The adversary may submit arbitrary messages to the oracle and receive back their encryption.The goal of the attacker is to weaken the security of the cipher used by the oracle.

Block Ciphers
K is the key space, M is the message space and C is the ciphertext space.Then, a block cipher is defined as a pair of efficiently computable algorithms E = (E, D), where E :

Unbalanced Feistel Networks
A Feistel network is a general method of transforming a function F into a permutation P .Feistel networks are round-based.In each round, they apply a Feistel function F to a subset of the block size n.The first Feistel network was proposed in the design of Feistel's Lucifer cipher [Sor84].Lucifer and its descendants, notably the Data Encryption Standard (DES) [DES77] and RC5 [Riv95], are now classified as balanced Feistel networks.For an in-depth review and taxonomy of Feistel networks we refer the reader to [SK96].
Unbalanced Feistel Networks (UFN) are a generalisation of the balanced Feistel network concept shown in Figure 1.A UFN construction relaxes the constraint that the conventionally named left and right halves of the round input must be of equal size, instead they can be independently of any size and are referred to as the target and source blocks.
Generalising yet further, for a construction to be classified as a Feistel network, the only requirement is that one part of the block being encrypted influences the encryption of another part of the block [SK96].
Where s and t are the bit-lengths of the source and target blocks respectively and s > t Definition 1 We define a fully generalised UFN (GUFN) round to be where R is a reversible function and F is reversible in the sense that In the context of GUFN we introduce the term cycle length which is the number of rounds after which every bit in the state has appeared in both the target and source blocks.A balanced Feistel network has a cycle length of two.

AUT64
In this section, we present full details of the AUT64 block cipher and the associated TK5561 transponder authentication protocol.The public literature on AUT64 is scant.The cipher is closed source and proprietary, so the only information widely available is from a patent application [BF03] and the product datasheet [TEM98].To address this problem, we reverse-engineered the complete AUT64 block cipher and its implementation, which we publish here in full detail.
AUT64 was first identified as a proprietary block cipher used in most Volkswagen Group remote keyless entry systems between approximately 2004 and 2009 [GOKP16].In this paper, we present AUT64 as used by the Atmel TK5561, which is an automotive transponder package for the Atmel e5561 cryptographic IDentification IC (IDIC) [TEM98].The e5561 uses the AUT64 block cipher and a proprietary authentication protocol to provide a method of authentication for vehicle immobiliser systems.AUT64 is remarkable from a cryptographic design perspective for the fact that, in addition to having a GUFN structure, its symmetric 120-bit key defines a substitution and a permutation from which the cipher's security properties are derived.
In more detail, AUT64 is a 64-bit GUFN block cipher with a key size of 120 bits.In the TK5561, it has either 8 or 24 rounds, depending on the configuration.The AUT64 key space is the triplet of all 32-bit binary strings, all eight-element permutations and all sixteen-element permutations K = F 32 2 , P 8 , P 16 .The 120 bit key size is the sum of the 32, 24 and 64 bits occupied by the F 32 2 , P 8 and P 16 key parts respectively.

Reverse Engineering AUT64
We reverse engineered AUT64 from the Mazda "Module 142" immobiliser system.Concretely, we recovered the firmware from the Motorola MC68HC05B6 microcontroller used in this immobiliser box using a standard programmer.Then, we loaded the firmware binary into the IDA Pro disassembler to perform our analysis.We were able to locate all of the important cryptographic subroutines and reconstruct the AUT64 algorithm and protocol.We implemented a software version of AUT64 and the authentication protocol in both Python and C to develop, test and evaluate our attacks.We verified our findings against the available e5561 documentation and an implementation that we created for VW remote keyless entry systems [GOKP16].We found that the immobiliser system uses 24 rounds of AUT64 and the TK5561 authentication protocol.After identifying AUT64 and the TK5561 authentication protocol in the firmware, we were able to locate the permutation and S-Box key parts.
1.The permutation key part k σ (page 6 in the transponder's memory) is located in the first 32 bits of the microcontroller's programmable read-only memory (PROM) starting at the address 0x0800.The k σ we recovered is a cyclic permutation with no fixed points; 2. The substitution key part k τ (page 8 and 7 in the transponder's memory) is located in the 64 bits which immediately follow the permutation key part.It is bijective, as expected, but otherwise unremarkable.
We found that the 32-bit compression function key k G (page 5 in the transponder's memory) is not stored on the vehicle immobiliser box, instead the base station computes k G as a function of the transponder's ID (IDcode) that is transmitted at the beginning of the authentication protocol.This is further detailed in Section 6.2.

Cipher
This section describes the AUT64 cipher in detail.We start by defining the high-level Feistel network, followed by the key specification and then finally describe the full key-dependent structure.
x 0 x 1 x 2 x 4 x 3 x 5 x 6 x 7 R: Byte permutation σ byte x' 0 x' 1 x' 2 x' 4 x' 3 x' 5 x' 6 x' 7 x'' 7 x' 0 x' 1 x' 2 x' 4 x' 3 x' 5 x' 6 F (a) One round of AUT64.The seventh byte of the state x 7 is changed in each round.Definition 2 (AUT64 cipher state) We define an AUT64 cipher state X as an element in F 64 2 where X is composed of eight bytes x 0 , . . ., x 7 , each an element in F 8 2 .
AUT64 is a GUFN where the source block is the cipher state X and the target block is the byte x 7 ∈ X.
The byte permutation R and Feistel function F are both key-dependent.

Definition 3 (AUT64 key specification) We define an AUT64 key as a triplet
2 is a 32-bit word from which round keys are derived; 2. k σ is an 8-element permutation which defines both the byte permutation σ byte and the Feistel function bit permutation σ bit ; 3. k τ is a 16-element permutation which defines the 4×4 bijective S-Box τ in the Feistel function.
Each round of AUT64, shown in Figure 3a, comprises two components In each round of AUT64, the state is permuted R : X → X and then the Feistel function F : X → X is applied.The structure of AUT64 necessitates that, for each bit in the state to appear in both the target and source blocks, it must be applied for a minimum of eight rounds.We can therefore determine that the byte permutation should have a cycle length of eight.If the permutation had any fixed points, then plaintext bits would appear unchanged in the ciphertext.In the remainder of this paper, we assume that the key generation algorithm indeed only chooses permutations with a cycle length of eight.
The TK5561 patent [BF03] specifies a key generation procedure which aligns with the way the AUT64 key is composed.There are three parts 1.The compression function key part k G is a random bit string generated by means of the DES block cipher which is seeded by the automotive manufacturer.No further information is given in the patent; 2. The permutation key part k σ is termed the "family key".Each automotive manufacturer is allocated twelve bits, and then selects from sixteen possibilities for the remaining twelve bits; 3. The substitution key part k τ is termed the "user key".The key is generated using a proprietary method not specified.The patent claims that a repeat will only occur after 20.9 × 10 12 user keys have been generated.We can conclude from this claim that the entire 4×4 S-Box space is utilised.

Definition 4 (AUT64 Feistel function) The AUT64 Feistel function F is constructed from the following four components
1.A compression function G(X ) = g which maps a permuted input state X ∈ F 64 2 to an output byte g ∈ F 8 2 ; 2. A substitution operation S S(g) = τ un(g) τ ln(g) which comprises two identical 4×4 S-Boxes τ applied independently to the upper and lower nibble output of G;

A permutation operation σ bit S(g)
which applies the same transposition as σ byte but bitwise to the output of S(g);

The substitution operation applied to the output of the bitwise permutation operation
x 7 = S σ bit S(g) The final three operations form a Substitution-Permutation Network (SPN).
In the following, we outline the AUT64 round key scheduling mechanism.A unique round key is derived from the compression function key part k G in each round.The key schedule is derived and applied within the compression function as shown in Figure 4. AUT64 round keys are a tuple of permutations of the compression function key.The AUT64 key schedule divides k G into eight nibbles.Two key schedule tables T U and T L (see Figure 7c in the appendix) prescribe a permutation for each round and are applied to k G to derive a round key for the upper and lower nibbles in the input state, respectively.Definition 5 (AUT64 round keys) When r is the round number and i the byte index in the permuted round state X , we define which return the lower and upper round key nibble, respectively.
The key schedule tables T U and T L introduced in Definition 5 have the following specifications • They are non-identical key-independent look up tables which define the nibble-wise key schedule for each round of AUT64.Each table comprises 8 × N elements, where N is the number of AUT64 rounds; • Both tables are divided into blocks of 8 × N , which correspond to the AUT64 cycle length.XORing the two tables together reveals a constant difference between the corresponding round key nibbles in each 8 × N block; • The two tables can be merged nibble-wise to yield a 16 × N round key schedule.
Assembling the key schedule in this way reveals that there are no repeated round keys.

Definition 6 (AUT64 compression function) The AUT64 compression function G takes as input the key part k G , the permuted block state X and the round number r. G outputs the concatenation of two internal variables which are calculated as follows
The compression function look up table T offset (Figure 7b in the appendix) has the following properties • It contains 256 elements, is key-independent and is best conceptualised as a 16 × 16 array of nibble values.The compression function selects elements from the table using a round key nibble to select a column and a state nibble to select a row; • The first row and first column contain only the value zero.With reference to Definition 6, this means that for any nibble in the input state X with the value zero, T offset will always return zero.Similarly if a round key nibble has the value zero, then T offset will always return zero regardless of the relevant input state nibble value.

Authentication Protocol
This section describes the TK5561 authentication protocol.Authentication takes place between a vehicle immobiliser box B and a transponder key T. The design goals of the protocol stated in the product patent are to provide a method for authentication and to prevent known and chosen plaintext cryptographic attacks [BF03].The proprietary nonce encryption algorithm C k G is a Linear Feedback Shift Register (LFSR) based stream cipher, which is seeded with the 32-bit part k G of the complete AUT64 key XORed with a constant.More precisely, the challenge encryption algorithm has a 32-bit internal state Z ∈ F 32 2 that is seeded such that: For each bit in the keystream, the algorithm computes a byte derived from the LFSR state: The LFSR shifts right, and the rightmost bit of Z is fed back into Z from the left into bit position 0. The keystream is read from the LFSR state Z at bit 0. Each time the challenge algorithm is applied 64 bits of keystream are generated by the challenge algorithm LFSR.The keystream is then XORed with the session nonce X to produce the challenge value Y .
In the remainder of this paper, we first point out a series of cryptographic weaknesses in the design of AUT64, that apply when the algorithm is used as a normal block cipher.Then, in Section 6 we focus on a concrete implementation and present a full attack on the respective usage of AUT64 within the immobiliser.

AUT6Weak Keys
In this section, we analyse AUT64 and identify a number of weak keys.We define a weak key to be any AUT64 key which makes the cipher behave in an undesirable way.The AUT64 documentation states that a key is 120 bits long.A more in-depth analysis (see Section 3.2) reveals that whilst the key occupies 120 bits, it only has approximately 91.5 bits of entropy.This discrepancy arises because only 32 bits of the key define a bit string k G .The remaining 88 bits define a bijective 4×4 S-Box k τ and an 8-element permutation k σ .Bijective S-Boxes and permutations both express an arrangement of discrete elements with no repetitions.The condition that no two elements can have the same value is the source of reduced entropy in the key space.

Permutation Key Size
In this section we show that the permutation key part k σ size is reduced as a consequence of the AUT64 Feistel structure.
The cycle length of AUT64 is determined by the byte permutation σ byte .In order for each bit of the plaintext to influence each bit in the ciphertext we require that each byte must be moved to x 7 and the Feistel function applied.The byte permutation must therefore be circular (cyclic with no fixed points) and this reduces the entropy of the permutation key part.The number of n bit cyclic permutations is (n − 1)! therefore the reduced σ byte key size is (8 − 1)! ≈ 2 12.3 bits.
Any known permutation elements, such as those revealed by bytes which are unchanged from the plaintext due to non-cyclic permutation keys, or by the observation that all of the bytes are changed, further reduce the key size of k σ .If k σ is cyclic and n elements become known, the remaining key size is

Compression Function Weak Keys
We analysed the AUT64 compression function G and identified a set of weak keys.We know from Definition 6 that the output of G is an XOR sum of values from the lookup table T offset .For any input state nibble with the value zero, T offset always returns zero.Similarly, if a round key nibble has the value zero, then T offset always returns zero, regardless of the relevant state nibble.
If AUT64 is used in an application which requires decryption, then the compression function key part k G can never contain any key nibbles with the value zero.Decryption requires that the original plaintext can be recovered from the ciphertext and its intermediate states.This is only possible when the T offset column index can be determined.Any k G nibble with the value zero will select the first row of T offset and output the value zero for all column indices selected by the corresponding state nibble.Since the round output does not encode the column index, the round input cannot be decrypted and AUT64 is no longer bijective.
More generally, if k G contains nibbles with the value zero, then the security of AUT64 is reduced and the compression function behaves non-injectively.In the most extreme case where all of the nibbles in k G are zero, G(X ) is reduced to the constant zero.Removing the keys in k G which contain zero nibbles reduces the key size |k G | to 15 8 ≈ 2 31.3 .
If AUT64 is used for eight rounds, then the compression function key nibbles k G3 and k G6 are of particular significance to the security of the cipher.It is possible to determine whether either key nibble has the value zero and whether they have the same value by a chosen plaintext attack on the block cipher.
A chosen plaintext attack for determining if k G3 = 0, k G6 = 0 and k G3 = k G6 is as follows 7. To determine if k G3 = k G6 , compare the two sets of ciphertexts.Check whether there is a pair of ciphertexts which both contain a byte at the same position such that the lower nibble, in the lower nibble ciphertext set, is equal to the upper nibble, in the upper nibble ciphertext set.
If a weak key is revealed in this attack, it reduces the key size of k G by either four or eight bits, depending on whether one or both key nibbles have the value zero.If neither key nibble has the value zero but they are determined to be equal, the key size is reduced by approximately four bits.

AUT64 Cryptanalysis
In this section, we present our cryptanalysis of AUT64.We identify a number of weaknesses and derive corresponding attacks.Typically, a block cipher would be attacked by applying linear [Mat94] or differential cryptanalysis [BS91].The key-dependence of the permutation and S-Box used in AUT64 led us to seek alternative cryptanalytic techniques which provide more general attacks independent of the key.Our cryptanalysis is predominantly applicable to the eight round AUT64 configuration, and treats AUT64 as a general block cipher in a chosen-plaintext setting.

Permutation Weakness
In this section, we present four weaknesses of the AUT64 block cipher, which we use to determine an element of the permutation key part k σ .We present a sixteen chosen plaintext attack which reduces the cyclic permutation key-part to a size of |k σ | = (7 − 1)! ≈ 2 9.5 .The four weaknesses which we use to reduce the security of AUT64 are 1.The compression function G is cryptographically weak.Careful manipulation of its input can cause outputs which are highly distinguishable; 2. In the first round of AUT64, input to the compression function can be tightly controlled by an attacker; 3. The SPN which takes the output of the compression function and completes the Feistel function F has a cryptographic weakness; 4. After eight rounds of AUT64, the output from the first round Feistel function is a byte in the ciphertext.
We present a sixteen chosen plaintext attack which reveals one element of the permutation key-part.The chosen plaintexts for this attack are the set of plaintexts such that each plaintext contains eight identical and symmetric bytes P = (n n) 8 : n ∈ {0, . . ., 15} Each plaintext P in P manipulates the compression function G such that it always outputs a symmetric byte in the first round.For each plaintext P n ∈ P the attack works as follows 1.The byte permutation σ byte has no effect since all of the bytes in the plaintext have the same value.This allows the input to the compression function to be carefully controlled.
2. The unchanged plaintext is input to the compression function G k G (P n ) which unconditionally outputs a symmetric byte p n p n .This property holds because the compression function yields an XOR sum of values derived from each byte in the input (see Definition 6).If all the input bytes have the same value, the output becomes the XOR sum of up to eight values from a single column in T offset .Since the key schedule (Definition 5) prescribes permutations of the same underlying key k G in each round, the nibble-wise XOR sums output by G will have the same final value.The order in which the terms in the sum are added will differ, but the set of terms and the final value will always be equal.
3. The symmetric byte p n p n is input to the SPN which completes the AUT64 Feistel function F (see Definition 4).
The Feistel function output byte does not generally retain the nibble-wise symmetry of p n p n because the bitwise permutation σ bit , on average, removes the symmetry.There are however at least two σ bit inputs in which the symmetry property is unconditionally preserved.When the input is either 0x00 or 0xFF, σ bit has no effect because all the input bits are equal.
We exploit the property that bytes x 0 . . .x 6 are fixed during each round, under this condition the compression function G is bijective with respect to the seventh byte x 7 .Each of the sixteen chosen plaintexts in P cause G to output a symmetric byte, and since we require decryption and therefore to be able to determine a unique seventh input byte in each round, we know that P causes all possible sixteen symmetric bytes p n p n to be input to the SPN.
Since the substitution operation T is also bijective, it is guaranteed that both 0x00 and 0xFF are input to σ bit .When the set of chosen plaintexts P is encrypted, the outputs of the Feistel function in the first round will always contain at least two symmetric bytes.
Once all sixteen chosen plaintexts have been encrypted, the first round of AUT64 can be distinguished by identifying the byte index which contains the symmetric bytes from the first round in the set of ciphertexts C, as follows 1. Define lists C i of ciphertext bytes for each of the eight byte indices i ∈ {0, . . ., 7}; 2. From each ciphertext C n ∈ C add the byte at the index i corresponding to the list C i ; 3. Count the number of symmetric bytes in each list.
The output from the first round of AUT64 is the list index which contains the greatest number of symmetric bytes.The list corresponding to the first round always contains at least two symmetric bytes (and often more).We analyse the key-dependent distribution of symmetric bytes output under this attack in Section 5.2.Identifying the first round permutation element reduces the permutation key entropy from |k σ | = 7! ≈ 2 12.3 to (7 − 1)! ≈ 2 9.5 .

Compression Function Symmetric Bytes
Now, we identify and exploit a cryptographic weakness of the compression function and the Feistel function when handling symmetric bytes to reduce the total AUT64 security to no more than |K| ≈ 2 76.9 .For a class of weak keys, we show that the security is reduced to just 2 44.7 .
When the set of symmetric byte chosen plaintexts P from Section 5.1 is encrypted with AUT64, the symmetric compression function G k G output bytes in the first round belong to an equivalence class.There are sixteen different equivalence classes.Each key can be classified by the XOR sum of its nibbles The G k G output sets which characterise each equivalence class can be read from k offset .The compression function classifier k G class selects a row from the table and the chosen plaintext nibble value selects a column.Analysis of the compression function output in the first round under chosen plaintexts P reveals two distributions 1.A degenerate distribution where all elements in the output have the same value.
When k G class = 0, the XOR sum of T offset values is also equal to zero.One in every sixteen keys in k G has this weakness and reduces the key size accordingly to (1 16 × 2 32 ) = 2 28 .If we only include non-weak k G keys (see Section 4.2), then the key size is further reduced to approximately ( 1 16 × 15 8 ) ≈ 2 27.3 ; 2. A uniform distribution, where there is one of each element in the output, is the most likely outcome.This reduces the compression function key size for non-weak keys to ( 15 16 × 15 8 ) ≈ 2 31.2 .The compression function output distribution is preserved by the SPN which follows G and completes the Feistel function F (see Figure 3b).Analysis of the Feistel function output in the first round reveals information about the substitution key part k σ .There are two different ciphertext byte list C i distributions to consider 1.A degenerate byte distribution; all output bytes have the same value: 2. A uniform distribution, in which there are sixteen different output bytes, at least two of which are symmetric.
When C i is a uniform distribution and contains exactly two symmetric bytes, they reveal the substitutions of the values 0x0 and 0xF.These values are unaffected by any σ bit permutation and guarantee that the output of the Feistel function is a symmetric byte.We analysed all possible circular permutation key values k σ applied to the set of all sixteen symmetric bytes which may be output by G k G under P. We found the following distinguisher on the permutation key part k σ 1 : 46%, 42%, 11% and 1% of k σ keys yield exactly two, four, eight and sixteen symmetric bytes, respectively, at the output of the compression function G.
The best case for an attacker is that P yields sixteen symmetric bytes in C i .This outcome reduces |k σ | to 48 ≈ 2 5.6 , |k τ | to 15 × 16 ≈ 2 7.9 (16 possibilities for each class in k F class ) and |k G | to ≈ 2 31.2 .For weak k σ , the resulting effective key size for eight round AUT64 is 44.7 .Sometimes C i may not be readily identifiable by counting symmetric byte elements.This is usually because one or more other lists in C also contain an unusual number of symmetric bytes.For this case, we have developed a second technique.
First, divide each list in C into an upper and lower nibble list and then test them for equality.The first round list is distinguishable by an identical set of values in the upper and lower nibble lists.
There is one final exception, which is in the case that k G is weak such that G k G is not bijective (see Section 4.1).If G k G is not bijective, then the first round can be distinguished using a 256 chosen plaintext attack based on integral cryptanalysis as detailed in Section 5.4.

Compression Function Divide-and-Conquer
In this section, we present a second weakness in the AUT64 compression function, which is caused by the way the function uses its key part k G .We present a 32 chosen plaintext attack which exploits this weakness to reduce the AUT64 key size to no more than 2 57.7 .In each round, G outputs two nibblewise XOR sums of values g u g l from the lookup table T offset (see Definition 6).The key usage of G and the properties of T offset can be exploited to perform a divide-and-conquer attack on the compression function key part k G .We present a chosen plaintext attack which causes the output of the Feistel function in the first round to be dependent on only one nibble in k G 1. Identify the ciphertext byte position corresponding to the first round r 0 by performing the sixteen chosen plaintext attack described in Section 5.1; 2. Generate the set of sixteen chosen plaintexts defined nibblewise such that each plaintext contains fifteen nibbles with the value zero and a 4-bit counter value 3. Submit the chosen plaintexts to the oracle and record the corresponding ciphertext bytes at position r 0 in the list C r0 ; 4. Exhaustively search the reduced key space.For each possible k τ , k σ and each k G3 nibble value, encrypt offline the set of chosen plaintexts P. For each plaintext encrypted under each key, test whether the ciphertext byte at position r 0 matches the corresponding reference value in C r0 .Once all sixteen ciphertext bytes match those produced by the oracle, the correct K G3 nibble, as well as the k σ and k τ key parts have been identified; 5.The remaining seven k G key nibbles can be efficiently determined by supplying additional chosen plaintexts to the oracle that cause outputs dependent on the remaining key nibbles.Since k σ and k τ are known, each key nibble will only require sixteen chosen plaintexts and up to sixteen offline encryptions.
This attack requires 32 chosen plaintexts and reduces the security of AUT64 to (16! × 6! × 15) + (16 × 7) ≈ 2 57.7 encryptions.The security is the product of the k τ , k σ and k G3 key sizes and sixteen offline encryptions.Most keys will fail to match even the first byte in the reference set C r0 and so the plaintext encryptions for each key can be reduced to an average of one offline encryption. 2 57.7 encryptions is considerably less security than the AUT64 ideal key entropy of 91.5 bits, and is within the reach of specialised setups for exhaustive key search [GKN + 08].The attack can be performed offline once the initial 32 chosen plaintexts have been encrypted.

Integral Cryptanalysis
Next, we show how the weaknesses we identified in Section 5.1 can be generalised to perform a divide-and-conquer chosen plaintext attack using techniques from integral cryptanalysis to reveal an element from the permutation key part k σ .Concretely, we identify a 256 chosen plaintext attack which reduces the cyclic permutation key size from |k σ | = 7! ≈ 2 15.3 to (8 − 3)! ≈ 2 6.9 .
Integral cryptanalysis is a technique with similarities to differential cryptanalysis.It is particularly effective against block ciphers which use only bijective components [KW02].Where differential cryptanalysis typically considers plaintext-ciphertext pairs with a constant XOR difference, integral cryptanalysis uses sets of chosen plaintexts and their corresponding encryptions with a constant difference over the entire sets.Eight round AUT64 is vulnerable to integral cryptanalysis where the plaintexts are constructed adaptively depending on the cipher behaviour.We propose the following method for distinguishing the second round byte index of AUT64 using integral cryptanalysis 1. Generate a set of 256 plaintexts such that in each plaintext, seven bytes have the value 0x00 and the eighth byte, placed at the byte index corresponding to the first round, is an 8-bit counter which has a unique value in each plaintext 2. Encrypt all of the plaintexts and store the corresponding set of ciphertexts C; 3. Build C from C by taking each byte in each ciphertext and adding it into a set C i ∈ C according to its byte index i; 4. Compute the XOR sum over each set in C This method identifies two list integrals C isum with the value zero.One corresponds to (and confirms) the first round byte index, the second identifies the byte index position, which corresponds to the second round of encryption.An intuition for why this attack works is to consider that because AUT64 is bijective, each round must be bijective; therefore it is necessary for each plaintext in P to encrypt to a unique ciphertext byte in the first round.If this were not the case, then the original plaintext could never be recovered from the intermediate state caused by the output of the first round.The method we propose causes the output from the first two rounds to each be a permutation of the set of all possible byte values.For each plaintext P n ∈ P the attack works as follows 1.The byte permutation σ byte applied to P n yields a transposed plaintext P n of the same form: seven bytes with value 0x00 and one unique counter byte.Since it has been placed at the byte index which corresponds to the first round, the counter is always moved to byte position seven in P n ; 2. Where j is the byte counter, the Feistel function F applied to the transposed plaintext yields an encrypted intermediate state 3. The byte permutation is applied to the intermediate state X and the encrypted byte from the first round j is transposed to a byte index position determined by the permutation key part k σ ; 4. The Feistel function is applied to the permuted intermediate state.Each permuted intermediate state σ byte (X ) has seven bytes with value 0x00 and one, at an unknown index, with the encrypted counter value j ; 5. The output from the second round of encryption F K σ byte (X ) is written to the cipher state and then encryption continues for another six rounds.
After eight rounds of AUT64, each ciphertext contains a byte from the first round round j and another from the second round j .In both rounds, the input to the compression function has only one non-zero byte.We can be certain that the output ciphertext byte lists C r0 , C r1 ∈ C both contain the entire uniform set of all 256 byte values.The integral XOR sums C r0 sum and C r1 sum are zero, and the first and second byte indices are identified.In Figure 8 in the appendix we show the histogram representation of this attack.
This weakness reduces the permutation key part by one additional known permutation element.Applying this attack, its prior in Section 5.1, and determining that k σ is cyclic (see Section 4.1) requires a total of 272 chosen plaintexts and reduces the cyclic permutation key size from |k σ | = 7! ≈ 2 12.3 to (7 − 2)! ≈ 2 6.9 .

Extending the Integral Cryptanalytic Method
Finally, we generalise the integral cryptanalytic method from Section 5.4 and determine its limitations.We present a chosen plaintext attack for determining the third and fourth round permutation key parts and show that the permutation key size |k σ | is reduced to just six possible keys.Permutation elements of an AUT64 key can be iteratively identified by adaptively formulating chosen plaintext attacks which propagate an integral sum distinguisher into a target round.
The type of chosen plaintexts necessary for identifying the third round are those with six 0x00 bytes and two counters n, m placed at the byte positions corresponding to round one and two, respectively.For example, if round one and two are at byte indices zero and seven respectively P nm = (n (0x00) 6 m) : n, m ∈ {0, . . ., 255} From the set of 2 16 plaintexts P nm the ones which determine the third round are the subset which result in intermediate states such that the encrypted output bytes corresponding to rounds one and two are equivalent: n = m .
A general method for building the set of plaintexts P ⊂ P nm which cause the integral sum C r2 sum = 0 is to exhaustively encrypt the set of plaintexts P nm .Check each ciphertext for equality at the byte indices belonging to rounds one and two.When n = m , add the corresponding plaintext to the attack set P.
For each chosen plaintext P n ∈ P, the internal state after two rounds of encryption is two equal encrypted counter bytes and six bytes with the value 0x00.The bijective Feistel function property determines that under these conditions, the third round will always output a unique ciphertext byte for each unique encrypted counter pair.Now, we compute the XOR sum over each ciphertext byte-index list C i ∈ C .The lists corresponding to the indices of rounds one, two and three all have an XOR sum of zero.Subtracting the known indices of the first and second rounds uniquely identifies the permutation element corresponding to the third round of encryption.
Continuing our attack, the fourth round can be identified by applying the same method, but placing three byte counters in the exhaustive set of plaintexts at the indices corresponding to rounds one, two and three.Encrypt all 2 24 plaintexts and test for equality of the three encrypted counter values.Add the plaintexts which meet the ciphertext equality condition into a chosen plaintext set P, which is then used to identify the fourth round by computing the corresponding ciphertext byte index list sums.
The limitation of this weakness is that the number of chosen plaintext encryptions grows exponentially in the number of permutation elements which are determined.It is not efficient to continue the attack beyond identifying the first two rounds.The most optimal strategy is to use the weakness of Section 5.4 to reduce the permutation key size to 120 keys using 272 chosen plaintexts, and to search the remaining keys offline.

More than Eight Rounds
The cryptographic weaknesses we have presented are all dependent on an adversary being able to distinguish the output of the Feistel function in the first round.If AUT64 is implemented with more than eight rounds, then this property is negated.A ninth round of AUT64 will always overwrite the byte output by the first round.
In general, we are able to distinguish 16 − N rounds from N round AUT64 by the application of the attacks in Section 5.4.The VW remote keyless entry system uses a twelve round implementation of AUT64.Our methods are therefore able to distinguish 16 − 2 = 4 permutation key parts in this implementation.Attacking twelve rounds of AUT64 requires resolving uncertainty as to which byte indices the counters corresponding to the positions of the first four rounds need to be placed.
To distinguish the fifth round, four simultaneous counter positions must be identified from eight possible locations.Therefore in twelve round AUT64, 8 4 × 2 32 ≈ 2 38.1 chosen plaintexts are required to distinguish the output of the fifth round.This attack reduces |k σ | from 7! ≈ 2 12.3 to 4! × 2! ≈ 2 3.6 .

Attacking a Concrete System using AUT64
In this section, we present our results for attacks on the implementation of AUT64 in a real immobiliser system.We first outline the utilised scheme for key derivation, and present a corresponding attack that breaks AUT64 in the 24 round setting (as configured by the vendor).We also outline a very fast attack on 8-round AUT64 when k G is known.

Weaknesses in Key Derivation Scheme
Based on our reverse engineering, we found that the immobiliser box derives the 32-bit key part k G as a function of the (public) IDCode of the transponder.More precisely, let ID 0 , ID 1 , ID 2 , ID 3 represent the four bytes of IDCode (page 1 in the transponder's memory).
Definition 8 (k G key derivation) Further, let u = (ID 0 ∧ 0xE) 1, T D be a 32 byte key-independent look up table.Then k G is defined bytewise as follows 7a in the appendix.The use of a key derivation function means that an adversary can trivially recover k G with a single communication to the transponder (to obtain the IDCode).The remaining task is thus to determine the permutation and the S-Box.

Attacking a 24-Round AUT64 Implementation
The studied immobiliser systems uses AUT64 in the 24-round configuration.To recover k τ and k σ , we first obtain k G based on capturing the transponder's IDCode.The anticipated remaining key size is |K| = 16! × 7! ≈ 2 56.5 (assuming all 4×4 S-Boxes and all cyclic permutations are possible), which is already in the range of dedicated brute force devices such as [GKN + 08].However, a property of the key management scheme specified in the AUT64 patent is that it leaves only sixteen possible permutation keys (the so-called "family key") per vehicle manufacturer.That means that by reading k σ from two different immobiliser boxes and identifying the constant part (this is a one-time process), the remaining AUT64 key space is only |K| = 16! × 16 ≈ 2 48.3 .
Further, we have indications that the studied system actually uses a constant k τ and k σ for a range of vehicles.More precisely, we recovered k τ and k σ from two different immobiliser boxes and obtained the same values.If this assumption can be confirmed, it implies that the full key of the transponder can be recovered solely by using the knowledge of IDCode (to derive k G ) and the manufacturer-wide values k τ and k σ , without requiring further cryptanalysis.We leave the confirmation of this conjecture for future work.

Attacking Eight Round AUT64
Finally, we give an example for exploiting the cryptographic weaknesses of Section 5 in a practical setting.We assume that (i) AUT64 is used with 8 rounds, (ii) k G can be predicted (e.g. if the derivation function described above is used), and (iii) that we obtain all 8 output bytes.Note that in the TK5561 protocol, we obtain the XOR of the two 32-bit halves, while the patent specifies this reduction to 4 byte as optional.We leave the extension of the following attack to the case when only the XOR is available for future work.
Under the above conditions, our method breaks eight rounds of AUT64 within milliseconds using a standard laptop: First, we use k G and the cipher weaknesses we identified in Section 5.1 to build a model of the Feistel function SPN 1. Determine the byte index corresponding to the first round of encryption by using the integral cryptanalytic method in Section 5.4.The first set of chosen plaintexts is Placing the byte counter n at byte index seven in the plaintext list ensures that only the first round is identified since for all cyclic permutations the seventh byte is moved in each round.Calculate C 1r 0 ∈ C 1 , where r 0 is the byte index corresponding to the output from the first round.
2. Use C 1r 0 and the corresponding counter value list to build a model of the unknown SPN part of the Feistel function F .The model is a 256 element lookup table which represents the same function as the key-defined SPN.
3. To reduce the combinatorial burden of the next step, use r 0 derived in step 1 to produce a second set of chosen plaintexts Calculate C 2r 0 and C 2r 1 where r 0 , r 1 are the byte indices in the ciphertext corresponding to the output from the first and second rounds respectively.Define the set of ciphertexts for this step as C 2 .
4. Use the adaptive divide-and-conquer techniques we present later in this section to reduce the remaining key space.
We now discuss our techniques for rapidly determining the remaining key parts k τ and k σ using the SPN model.The permutation key part k σ can be determined efficiently by using the SPN model to calculate the expected round outputs for the next unknown round index.For example, to determine the byte index corresponding to the third round we propose the following method 1. Use the ciphertext byte lists C 2r 0 , C 2r 1 corresponding to the first and second rounds to generate all of the possible internal cipher states X 2 which could be input to the third round.There will be no more than 7 2 = 21 possible permutations; 2. For each potential internal state X ∈ X 2 , compute the compression function G and apply its output to the SPN model.The correct permutation will yield a set of bytes which match those found in the ciphertext byte index list C 2r 2 corresponding to the output of round three.
This method of determining k σ can be used to determine permutation elements beyond the third round by computing the possible permutations of the relevant known round index ciphertext bytes.After the first four round indices have been determined using this attack, the most efficient solution is to exhaustively search the remaining six possible keys.
For the final part of this attack, we propose a method based on the weakness identified in Section 5.2 and prior knowledge of k σ , which efficiently determines the substitution key part.The list of output ciphertext bytes from the first round C 2r 0 contains two or more symmetric bytes.Since we have a model of the SPN and we have determined the internal permutation, we can use these symmetric bytes to determine a large number of elements in k τ .The very worst case for an adversary is that the remaining |k τ | = 2 × 14! ≈ 2 37.3 .On average, ten or more of the elements will be revealed and the remaining substitution key part can be exhaustively found in milliseconds.Experimentally, we found that the majority of AUT64 keys are broken within milliseconds using this method on a standard Intel i7 laptop.

Conclusions
In this paper, we identify significant weaknesses in the AUT64 automotive block cipher and its associated immobiliser protocol.We present a number of cryptographic AUT64 weaknesses which we combine into attacks on both eight and twenty four round implementations.Despite AUT64 having a 120-bit key, we show that in certain implementations, eight round AUT64 can be broken within milliseconds using a standard laptop, with an absolute worst case complexity of 2 37.3 .Also, in a concrete immobiliser system, the security of 24 round AUT64 is no more than 48.3 bits due to the use of a key derivation function that determines part of the key based on the transponder ID.We also have strong indications that the studied system makes use of manufacturer-wide keys, which reduces the attack time to a single communication with the transponder and negligible computation.

Figure 1 :
Figure 1: Example of a conventional (Balanced) Feistel construction, where i is the round number.
b) The AUT64 Feistel function F .
4. H(Y ) returns the Hamming weight of Y .The TK5561 authentication protocol shown in Figure5has four parts: 1.The transponder key T initiates the protocol by sending the pre-shared public value IDcode by which the vehicle immobiliser box B determines which symmetric AUT64 key K to use for the remainder of the protocol.One immobiliser box may have the keys for several different transponder keys; 2. The vehicle immobiliser box B generates the nonce X R ← − M and then computes the challenge by applying the proprietary challenge algorithm Y = C k G (X).The resulting challenge Y is sent to the transponder key T ; 3. The transponder key T receives the challenge and then recovers the original nonce by applying the response algorithm X = R k G (Y ).The transponder key confirms to the immobiliser box B that it has received the correct challenge by transmitting the Hamming weight of the challenge H(Y ); 4. The vehicle immobiliser box B and the transponder key T both compute the AUT64 encryption of the nonce E K (X) and then XOR together the top and bottom halves of the ciphertext.The transponder sends the 32-bit result back to the immobiliser.If the values match, the vehicle ignition is enabled.

1.
Submit the plaintext (0x00) 8 to the oracle and record the corresponding ciphertext c ref = E K (0x00) 8 ; 2. Generate a set of eight plaintexts to determine if k G3 = 0.Each plaintext should contain seven bytes with the value 0x00 and one byte with a constant nibble value n in the lower position of the byte 0x0n.The non-zero byte should be in a different byte position for each plaintext; 3. Submit the eight plaintexts to the oracle.Compare each resulting ciphertext to c ref ; 4. If one of the ciphertexts matches the encryption of the first plaintext then k G3 = 0; 5. Repeat the test for k G6 = 0. Generate another eight plaintexts but place the constant nibble value n in the upper position of the non-zero byte 0xn0; 6.If one of the ciphertexts matches the encryption of the first plaintext then k G6 = 0.
T offset compression function look up table.

Figure 8 :
Figure 8: Histograms demonstrating the integral cryptanalytic technique which we apply in Section 5.4.Each histogram represents the cyphertext byte values which are output at a specific byte index over a set of adversarially chosen plaintexts.Ciphertext byte indices 3, 4, 5 and 6 are shown along the y-axis.The x-axis is composed from left-to-right showing the symmetric byte values, the lower nibble values, the upper nibble values and finally the complete byte values.This method of presenting the ciphertexts allows the permutation key part to be divide and conquered.In this case byte indices 4 and 5 are exposed by their uniform byte distributions as originating from the first two rounds of encryption.

Table 2 :
How each weakness reduces the claimed key space