Skip to main content
SpringerLink
Log in

Practical Algebraic Attacks on the Hitag2 Stream Cipher

  • Conference paper
Information Security (ISC 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5735))

Included in the following conference series:

Abstract

Hitag2 is a stream cipher that is widely used in RFID car locks in the automobile industry. It can be seen as a (much) more secure version of the [in]famous Crypto-1 cipher that is used in MiFare Classic RFID products [14,20,15]. Recently, a specification of Hitag2 was circulated on the Internet [29]. Is this cipher secure w.r.t. the recent algebraic attacks [8,17,1,25] that allowed to break with success several LFSR-based stream ciphers? After running some computer simulations we saw that the Algebraic Immunity [25] is at least 4 and we see no hope to get a very efficient attack of this type.

However, there are other algebraic attacks that rely on experimentation but nevertheless work. For example Faugère and Ars have discovered that many simple stream ciphers can be broken experimentally with Gröbner bases, given an extremely small quantity of keystream, see [17]. Similarly reduced-round versions of DES [9] and KeeLoq [11,12] were broken using SAT solvers, that actually seem to outperform Gröbner basis techniques. Thus, we have implemented a generic experimental algebraic attack with conversion and SAT solvers,[10,9]. As a result we are able to break Hitag2 quite easily, the full key can be recovered in a few hours on a PC. In addition, given the specific protocol in which Hitag2 cipher is used in cars, some of our attacks are practical.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Armknecht, F., Krause, M.: Algebraic Atacks on Combiners with Memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–176. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  2. Biham, E., Dunkelman, O., Indesteege, S., Keller, N., Preneel, B.: How to Steal Cars – A Practical Attack on KeeLoq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  3. Biryukov, A., Shamir, A.: Cryptanalytic Time/Memory/Data Tradeoffs for Stream Ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000)

    Chapter  Google Scholar 

  4. Buchmann, J., Pychkine, A., Weinmann, R.-P.: Block Ciphers Sensitive to Gröbner Basis Attacks. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 313–331. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  5. Cid, C., Murphy, S., Robshaw, M.J.B.: Small Scale Variants of the AES. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 145–162. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  6. Courtois, N.: The security of hidden field equations (HFE). In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 266–281. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  7. Courtois, N., Pieprzyk, J.: Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  8. Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  9. Courtois, N., Bard, G.V.: Algebraic Cryptanalysis of the Data Encryption Standard. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 152–169. Springer, Heidelberg (2007), http://eprint.iacr.org/2006/402/ , Also presented at ECRYPT workshop Tools for Cryptanalysis, Krakow, September 24-25 (2007)

    Chapter  Google Scholar 

  10. Bard, G.V., Courtois, N.T., Jefferson, C.: Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials over GF(2) via SAT-Solvers, http://eprint.iacr.org/2007/024/

  11. Courtois, N., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008), http://eprint.iacr.org/2007/062/

    Chapter  Google Scholar 

  12. Courtois, N., Bard, G.V., Bogdanov, A.: Periodic Ciphers with Small Blocks and Cryptanalysis of KeeLoq. In: Tatra Mountains Mathematic Publications, post-proceedings of Tatracrypt 2007 conference (2008) (to apperar)

    Google Scholar 

  13. Courtois, N., O’Neil, S.: Reverse-engineered Philips/NXP Hitag2 Cipher. Talk given at the Rump Session of Fast Sotware Encryption conference (FSE 2008), Lausanne, Switzerland, February 12 (2008), http://fse2008rump.cr.yp.to/00564f75b2f39604dc204d838da01e7a.pdf

  14. Courtois, N., Nohl, K., O’Neil, S.: Algebraic Attacks on MiFare RFID Chips, http://www.nicolascourtois.com/papers/mifare_rump_ec08.pdf

  15. Courtois, N.T.: The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime. In: SECRYPT 2009, International Conference on Security and Cryptography, Milan, Italy, July 7-10 (2009)

    Google Scholar 

  16. Davio, M., Desmedt, Y., Fosseprez, M., Govaerts, R., Hulsbosch, J., Neutjens, P., Piret, P., Quisquater, J.-J., Vandewalle, J., Wouters, P.: Analytical Characteristics of the DES. In: Chaum, D. (ed.) Crypto 1983, pp. 171–202. Plenum Press, New York (1984)

    Google Scholar 

  17. Ars, G., Faugère, J.-C.: An Algebraic Cryptanalysis of Nonlinear Filter Generators using Gröbner Bases. INRIA research report, https://hal.ccsd.cnrs.fr/

  18. Faugère, J.-C., Perret, L.: Algebraic Cryptanalysis of Curry and Flurry using Correlated Messages (September 2008), http://eprint.iacr.org/2008/402

  19. Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). Journal of Pure and Applied Algebra 139, 61–88 (1999), http://www.elsevier.com/locate/jpaa

    Article  MathSciNet  MATH  Google Scholar 

  20. Garcia, F.D., de Koning Gans, G., Muijrers, R., van Rossum, P., Verdult, R., Schreur, R.W., Jacobs, B.: Dismantling MIFARE classic. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 97–114. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  21. Philips Semiconductors Data Sheet, HT2 Transponder Family, Communication Protocol, Reader < = > HITAG2(R) Transponder, Product Specification, Version 2.1 (October 1997), http://www.phreaker.ru/showthread.php?p=226

  22. Hulsbosch, J.: Analyse van de zwakheden van het DES-algoritme door middel van formele codering. Master thesis, K. U. Leuven, Belgium (1982)

    Google Scholar 

  23. Jakobsen, T.: Cryptanalysis of Block Ciphers with Probabilistic Non-Linear Relations of Low Degree. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 212–222. Springer, Heidelberg (1998)

    Chapter  Google Scholar 

  24. Massacci, F., Marraro, L.: Logical cryptanalysis as a SAT-problem: Encoding and analysis of the U.SS. Data Encryption Standard. Journal of Automated Reasoning 24, 165–203 (2000)

    Article  MathSciNet  MATH  Google Scholar 

  25. Meier, W., Pasalic, E., Carlet, C.: Algebraic Attacks and Decomposition of Boolean Functions. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 474–491. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  26. MiniSat 2.0. An open-source SAT solver package, by Niklas Eén, Niklas Sörensson, http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat/

  27. Mironov, I., Zhang, L.: Applications of SAT Solvers to Cryptanalysis of Hash Functions. In: Biere, A., Gomes, C.P. (eds.) SAT 2006. LNCS, vol. 4121, pp. 102–115. Springer, Heidelberg (2006), http://eprint.iacr.org/2006/254

    Chapter  Google Scholar 

  28. Murphy, S., Robshaw, M.: Essential Algebraic Structure within the AES. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, p. 1. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  29. Hitag2 specification, reference implementation and test vectors, http://cryptolib.com/ciphers/hitag2/

  30. Raddum, H., Semaev, I.: New Technique for Solving Sparse Equation Systems, http://eprint.iacr.org/2006/475/

  31. Shannon, C.E.: Communication theory of secrecy systems. Bell System Technical Journal 28 (1949); see in particular page 704

    Google Scholar 

  32. Schaumuller-Bichl, I.: Cryptanalysis of the Data Encryption Standard by the Method of Formal Coding. In: Beth, T. (ed.) EUROCRYPT 1982. LNCS, vol. 149, pp. 235–255. Springer, Heidelberg (1983)

    Chapter  Google Scholar 

  33. Transponder Table, a list of cars and transponders used in these cars. Each time the table says PH/CR, which means Philips transponder in crypto mode, we assumed that this car uses Hitag2, http://www.keeloq.boom.ru/table.pdf

Download references

Author information

Authors and Affiliations

  1. University College London, UK

    Nicolas T. Courtois

  2. VEST Corporation, France

    Sean O’Neil

  3. Université Catholique de Louvain, Belgium

    Jean-Jacques Quisquater

Authors
  1. Nicolas T. Courtois
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sean O’Neil
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jean-Jacques Quisquater
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Dipartimento di Tecnologie dell’ Informazione, Università degli Studi di Milano, Via Bramante 65, 26013, Crema, (CR), Italy

    Pierangela Samarati

  2. Computer Science Department, Google Inc. and Columbia University, Room 464, S.W. Mudd Building, 10027, New York, NY, USA

    Moti Yung

  3. Information Security Group, Pisa Research Area, Istituto di Informatica e Telematica - IIT Consiglio Nazionale delle Ricerche - C.N.R., Via. G. Moruzzi 1, 56125, Pisa, Italy

    Fabio Martinelli

  4. Dipartimento di Tecnologie dell’Informazione, Università degli Studi di Milano, Via Bramante, 65, 26013, Crema, (CR), Italy

    Claudio A. Ardagna

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Courtois, N.T., O’Neil, S., Quisquater, JJ. (2009). Practical Algebraic Attacks on the Hitag2 Stream Cipher. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-04474-8_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04473-1

  • Online ISBN: 978-3-642-04474-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation