Algebraic and Slide Attacks on KeeLoq

Abstract

KeeLoq is a block cipher used in wireless devices that unlock the doors and alarms in cars manufactured by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc [8,9,33,34]. KeeLoq is inexpensive to implement and economical in gate count, yet according to Microchip [33] it should have “a level of security comparable to DES”.

In this paper we present several distinct attacks on KeeLoq, each of them is interesting for different reasons. First we show that when about 232 known plaintexts are available, KeeLoq is very weak and for example for 30% of all keys the full key can be recovered with complexity of 228 KeeLoq encryptions. Then we turn our attention to algebraic attacks with the major challenge of breaking KeeLoq given potentially a very small number of known plaintexts.

Our best “direct” algebraic attack can break up to 160 rounds of KeeLoq. Much better results are achieved in combination with slide attacks. Given about 216 known plaintexts, we present a slide-algebraic attack that uses a SAT solver with the complexity equivalent to about 253 KeeLoq encryptions. To the best of our knowledge, this is the first time that a full-round real-life block cipher is broken using an algebraic attack.