Abstract
KeeLoq is a lightweight block cipher with a 32-bit block size and a 64-bit key. Despite its short key size, it is used in remote keyless entry systems and other wireless authentication applications. For example, there are indications that authentication protocols based on KeeLoq are used, or were used, by various car manufacturers in anti-theft mechanisms. This paper presents a practical key recovery attack against KeeLoq that requires $2^{16}$ known plaintexts and has a time complexity of $2^{44.5}$ KeeLoq encryptions. It is based on the principle of slide attacks and a novel approach to meet-in-the-middle attacks.
We investigated the way KeeLoq is intended to be used in practice and conclude that our attack can be used to subvert the security of real systems. In some scenarios the adversary may even reveal the master secret used in an entire class of devices from attacking a single device. Our attack has been fully implemented. We have built a device that can obtain the data required for the attack in less than 100 minutes, and our software experiments show that, given the data, the key can be found in 7.8 days of calculations on 64 CPU cores.
Communicated by K.G. Paterson
Aerts, W., Biham, E., De Moitié, D. et al. A Practical Attack on KeeLoq. J Cryptol 25, 136–157 (2012). https://doi.org/10.1007/s00145-010-9091-9
DOI: https://doi.org/10.1007/s00145-010-9091-9