Practical Algebraic Attacks on the Hitag2 Stream Cipher

  • Nicolas T. Courtois
  • Sean O’Neil
  • Jean-Jacques Quisquater
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5735)


Hitag2 is a stream cipher that is widely used in RFID car locks in the automobile industry. It can be seen as a (much) more secure version of the [in]famous Crypto-1 cipher that is used in MiFare Classic RFID products [14,20,15]. Recently, a specification of Hitag2 was circulated on the Internet [29]. Is this cipher secure w.r.t. the recent algebraic attacks [8,17,1,25] that allowed to break with success several LFSR-based stream ciphers? After running some computer simulations we saw that the Algebraic Immunity [25] is at least 4 and we see no hope to get a very efficient attack of this type.

However, there are other algebraic attacks that rely on experimentation but nevertheless work. For example Faugère and Ars have discovered that many simple stream ciphers can be broken experimentally with Gröbner bases, given an extremely small quantity of keystream, see [17]. Similarly reduced-round versions of DES [9] and KeeLoq [11,12] were broken using SAT solvers, that actually seem to outperform Gröbner basis techniques. Thus, we have implemented a generic experimental algebraic attack with conversion and SAT solvers,[10,9]. As a result we are able to break Hitag2 quite easily, the full key can be recovered in a few hours on a PC. In addition, given the specific protocol in which Hitag2 cipher is used in cars, some of our attacks are practical.


RFID tags Hitag 2 algorithm MiFare Crypto-1 cipher stream ciphers algebraic cryptanalysis Boolean functions Gröbner bases SAT solvers 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Armknecht, F., Krause, M.: Algebraic Atacks on Combiners with Memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–176. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Biham, E., Dunkelman, O., Indesteege, S., Keller, N., Preneel, B.: How to Steal Cars – A Practical Attack on KeeLoq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Biryukov, A., Shamir, A.: Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Buchmann, J., Pychkine, A., Weinmann, R.-P.: Block Ciphers Sensitive to Gröbner Basis Attacks. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 313–331. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Cid, C., Murphy, S., Robshaw, M.J.B.: Small Scale Variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Courtois, N.: The security of hidden field equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  9. 9.
    Courtois, N., Bard, G.V.: Algebraic Cryptanalysis of the Data Encryption Standard. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007),, Also presented at ECRYPT workshop Tools for Cryptanalysis, Krakow, September 24-25 (2007)CrossRefGoogle Scholar
  10. 10.
    Bard, G.V., Courtois, N.T., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers,
  11. 11.
    Courtois, N., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008), CrossRefGoogle Scholar
  12. 12.
    Courtois, N., Bard, G.V., Bogdanov, A.: Periodic Ciphers with Small Blocks and Cryptanalysis of KeeLoq. In: Tatra Mountains Mathematic Publications, post-proceedings of Tatracrypt 2007 conference (2008) (to apperar)Google Scholar
  13. 13.
    Courtois, N., O’Neil, S.: Reverse-engineered Philips/NXP Hitag2 Cipher. Talk given at the Rump Session of Fast Sotware Encryption conference (FSE 2008), Lausanne, Switzerland, February 12 (2008),
  14. 14.
    Courtois, N., Nohl, K., O’Neil, S.: Algebraic Attacks on MiFare RFID Chips,
  15. 15.
    Courtois, N.T.: The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime. In: SECRYPT 2009, International Conference on Security and Cryptography, Milan, Italy, July 7-10 (2009)Google Scholar
  16. 16.
    Davio, M., Desmedt, Y., Fosseprez, M., Govaerts, R., Hulsbosch, J., Neutjens, P., Piret, P., Quisquater, J.-J., Vandewalle, J., Wouters, P.: Analytical Characteristics of the DES. In: Chaum, D. (ed.) Crypto 1983, pp. 171–202. Plenum Press, New York (1984)Google Scholar
  17. 17.
    Ars, G., Faugère, J.-C.: An Algebraic Cryptanalysis of Nonlinear Filter Generators using Gröbner Bases. INRIA research report,
  18. 18.
    Faugère, J.-C., Perret, L.: Algebraic Cryptanalysis of Curry and Flurry using Correlated Messages (September 2008),
  19. 19.
    Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999), MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Garcia, F.D., de Koning Gans, G., Muijrers, R., van Rossum, P., Verdult, R., Schreur, R.W., Jacobs, B.: Dismantling MIFARE classic. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 97–114. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Philips Semiconductors Data Sheet, HT2 Transponder Family, Communication Protocol, Reader < = > HITAG2(R) Transponder, Product Specification, Version 2.1 (October 1997),
  22. 22.
    Hulsbosch, J.: Analyse van de zwakheden van het DES-algoritme door middel van formele codering. Master thesis, K. U. Leuven, Belgium (1982)Google Scholar
  23. 23.
    Jakobsen, T.: Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 212–222. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  24. 24.
    Massacci, F., Marraro, L.: Logical cryptanalysis as a SAT-problem: Encoding and analysis of the U.SS. Data Encryption Standard. Journal of Automated Reasoning 24, 165–203 (2000)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Meier, W., Pasalic, E., Carlet, C.: Algebraic Attacks and Decomposition of Boolean Functions. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 474–491. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  26. 26.
    MiniSat 2.0. An open-source SAT solver package, by Niklas Eén, Niklas Sörensson,
  27. 27.
    Mironov, I., Zhang, L.: Applications of SAT Solvers to Cryptanalysis of Hash Functions. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 102–115. Springer, Heidelberg (2006), CrossRefGoogle Scholar
  28. 28.
    Murphy, S., Robshaw, M.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 1. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  29. 29.
    Hitag2 specification, reference implementation and test vectors,
  30. 30.
    Raddum, H., Semaev, I.: New Technique for Solving Sparse Equation Systems,
  31. 31.
    Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28 (1949); see in particular page 704Google Scholar
  32. 32.
    Schaumuller-Bichl, I.: Cryptanalysis of the Data Encryption Standard by the Method of Formal Coding. In: Beth, T. (ed.) EUROCRYPT 1982. LNCS, vol. 149, pp. 235–255. Springer, Heidelberg (1983)CrossRefGoogle Scholar
  33. 33.
    Transponder Table, a list of cars and transponders used in these cars. Each time the table says PH/CR, which means Philips transponder in crypto mode, we assumed that this car uses Hitag2,

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Nicolas T. Courtois
    • 1
  • Sean O’Neil
    • 2
  • Jean-Jacques Quisquater
    • 3
  1. 1.University College LondonUK
  2. 2.VEST CorporationFrance
  3. 3.Université Catholique de LouvainBelgium

Personalised recommendations