KeeLoq is a lightweight block cipher with a 32-bit block size and a 64-bit key. Despite its short key size, it is widely used in remote keyless entry systems and other wireless authentication applications. For example, authentication protocols based on KeeLoq are supposedly used by various car manufacturers in anti-theft mechanisms. This paper presents a practical key recovery attack against KeeLoq that requires 2^16 known plaintexts and has a time complexity of 2^44.5 KeeLoq encryptions. It is based on the slide attack and a novel approach to meet-in-the-middle attacks. The fully implemented attack requires 65 minutes to obtain the required data and 7.8 days of calculations on 64 CPU cores. A variant which requires 2^16 chosen plaintexts needs only 3.4 days on 64 CPU cores. Using only 10 000 euro, an attacker can purchase a cluster of 50 dual core computers that will find the secret key in about two days. We investigated the way KeeLoq is intended to be used in practice and conclude that our attack can be used to subvert the security of real systems. An attacker can acquire chosen plaintexts in practice, and one of the two suggested key derivation schemes for KeeLoq allows the master secret to be recovered from a single key.