TY - JOUR
T1 - A practical attack on KeeLoq
AU - Aerts, Wim
AU - Biham, Eli
AU - De Moitié, Dieter
AU - De Mulder, Elke
AU - Dunkelman, Orr
AU - Indesteege, Sebastiaan
AU - Keller, Nathan
AU - Preneel, Bart
AU - Vandenbosch, Guy A.E.
AU - Verbauwhede, Ingrid
PY - 2012/1
Y1 - 2012/1
N2 - KeeLoq is a lightweight block cipher with a 32-bit block size and a 64-bit key. Despite its short key size, it is used in remote keyless entry systems and other wireless authentication applications. For example, there are indications that authentication protocols based on KeeLoq are used, or were used, by various car manufacturers in anti-theft mechanisms. This paper presents a practical key recovery attack against KeeLoq that requires 2^16 known plaintexts and has a time complexity of 2^44.5 KeeLoq encryptions. It is based on the principle of slide attacks and a novel approach to meet-in-the-middle attacks. We investigated the way KeeLoq is intended to be used in practice and conclude that our attack can be used to subvert the security of real systems. In some scenarios the adversary may even reveal the master secret used in an entire class of devices from attacking a single device. Our attack has been fully implemented. We have built a device that can obtain the data required for the attack in less than 100 minutes, and our software experiments show that, given the data, the key can be found in 7.8 days of calculations on 64 CPU cores.
AB - KeeLoq is a lightweight block cipher with a 32-bit block size and a 64-bit key. Despite its short key size, it is used in remote keyless entry systems and other wireless authentication applications. For example, there are indications that authentication protocols based on KeeLoq are used, or were used, by various car manufacturers in anti-theft mechanisms. This paper presents a practical key recovery attack against KeeLoq that requires 2^16 known plaintexts and has a time complexity of 2^44.5 KeeLoq encryptions. It is based on the principle of slide attacks and a novel approach to meet-in-the-middle attacks. We investigated the way KeeLoq is intended to be used in practice and conclude that our attack can be used to subvert the security of real systems. In some scenarios the adversary may even reveal the master secret used in an entire class of devices from attacking a single device. Our attack has been fully implemented. We have built a device that can obtain the data required for the attack in less than 100 minutes, and our software experiments show that, given the data, the key can be found in 7.8 days of calculations on 64 CPU cores.
KW - Block ciphers
KW - Cryptanalysis
KW - KeeLoq
KW - Meet-in-the-middle attacks
KW - Slide attacks
UR - http://www.scopus.com/inward/record.url?scp=84855425107&partnerID=8YFLogxK
U2 - 10.1007/s00145-010-9091-9
DO - 10.1007/s00145-010-9091-9
M3 - Article
AN - SCOPUS:84855425107
SN - 0933-2790
VL - 25
SP - 136
EP - 157
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 1
ER -