A Practical Attack on KeeLoq

KeeLoq is a lightweight block cipher with a 32-bit block size and a 64-bit key. Despite its short key size, it is used in remote keyless entry systems and other wireless authentication applications. For example, there are indications that authentication protocols based on KeeLoq are used, or were used, by various car manufacturers in anti-theft mechanisms. This paper presents a practical key recovery attack against KeeLoq that requires 2^16 known plaintexts and has a time complexity of 2^44.5 KeeLoq encryptions. It is based on the principle of slide attacks and a novel approach to meet-in-the-middle attacks. We investigated the way KeeLoq is intended to be used in practice and conclude that our attack can be used to subvert the security of real systems. In some scenarios the adversary may even reveal the master secret used in an entire class of devices from attacking a single device. Our attack has been fully implemented. We have built a device that can obtain the data required for the attack in less than 100 minutes, and our software experiments show that, given the data, the key can be found in 7.8 days of calculations on 64 CPU cores.
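The slide principle mentioned in the abstract rests on KeeLoq's periodic key schedule: round r uses key bit r mod 64, so the first 512 of its 528 rounds are eight repetitions of the same 64-round function. The sketch below is an added example, not code from the paper; the round function and constants follow the publicly documented KeeLoq design, and the key and plaintexts used with it are constructed values.

```python
NLF = 0x3A5C742E    # 5-input nonlinear function, stored as a 32-entry truth table
FULL_ROUNDS = 528   # 8 passes over the 64-bit key, plus 16 further rounds
PERIOD = 64         # round r uses key bit (r mod 64)


def _bit(x, n):
    return (x >> n) & 1


def rounds(state, key, n, start=0):
    """Apply n KeeLoq rounds to a 32-bit state, beginning at round index `start`."""
    for r in range(start, start + n):
        idx = (_bit(state, 1) | _bit(state, 9) << 1 | _bit(state, 20) << 2
               | _bit(state, 26) << 3 | _bit(state, 31) << 4)
        fb = (_bit(state, 0) ^ _bit(state, 16)
              ^ _bit(key, r % PERIOD) ^ _bit(NLF, idx))
        state = (state >> 1) | (fb << 31)
    return state


def encrypt(block, key):
    """Full 528-round KeeLoq encryption of a 32-bit block."""
    return rounds(block, key, FULL_ROUNDS)


def slide_relation_holds(p, p2, key):
    """True if (p, p2) behaves as a slid pair over the 512-round part.

    With F = 64 rounds and E512 = F applied 8 times: when p2 = F(p),
    E512(p2) = F(E512(p)), because both sides equal F applied 9 times to p.
    """
    c = rounds(p, key, 8 * PERIOD)
    c2 = rounds(p2, key, 8 * PERIOD)
    return c2 == rounds(c, key, PERIOD)


if __name__ == "__main__":
    key = 0x0123456789ABCDEF      # constructed key, for illustration only
    p = 0xDEADBEEF                # constructed plaintext
    p2 = rounds(p, key, PERIOD)   # p advanced by one key period
    print(hex(encrypt(p, key)))
    print(slide_relation_holds(p, p2, key))      # True: slid pair
    print(slide_relation_holds(p, p2 ^ 1, key))  # False: not a slid pair
```

The relation holds for every key, which is why adding more repetitions of the 64-round function does not strengthen a cipher with this structure; designs avoid it with round-dependent constants or a non-periodic key schedule.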
