Cube Cryptanalysis of Hitag2 Stream Cipher

  • Conference paper
Cryptology and Network Security (CANS 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7092)

Abstract

Hitag2 is a lightweight LFSR-based stream cipher with a 48-bit key and a 48-bit internal state. As a more secure version of the Crypto-1 cipher, which has been employed in many Mifare Classic RFID products, Hitag2 is used by many car manufacturers for unlocking car doors remotely. Until now, apart from the brute force attack, only one cryptanalysis of this cipher has been released, by Courtois, O’Neil and Quisquater, which broke Hitag2 with a SAT solver within several hours. However, little theoretical analysis or explanation was given in their work. In this paper, we show that there exist many low-dimensional cubes of the initialization vectors such that the sums of the outputs of Hitag2 over the corresponding initialization vectors are linear expressions in the secret key bits, and hence propose an efficient black- and white-box hybrid cube attack on Hitag2. Our attack experiments show that the cipher can be broken within one minute on a PC. The attack is composed of three phases: a black-box attack that extracts 32 bits of the secret key, a white-box attack that recovers several other key bits, and a brute force search for the remaining key bits.
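The core observation of the abstract (a cube sum over IV bits that is a linear expression in key bits, followed by brute force over what remains) is illustrated below on a constructed toy polynomial. This is an added example, not code from the paper and not Hitag2; `toy_output`, the cube choices and the 6-bit sizes are assumptions made for illustration.

```python
import itertools, random

N_KEY, N_IV = 6, 6

def toy_output(k, v):
    """Constructed toy keystream bit (NOT Hitag2): a low-degree Boolean polynomial."""
    return (v[0] & v[1] & (k[0] ^ k[2] ^ 1) ^ v[2] & v[3] & (k[1] ^ k[4])
            ^ v[4] & v[5] & v[0] & (k[3] ^ k[5])
            ^ v[1] & k[0] & k[1] ^ k[2] & k[3] ^ v[3] & k[4] ^ v[5]) & 1

def cube_sum(oracle, cube):
    """XOR the output over all 2^d assignments of the cube IV bits (other IV bits 0)."""
    total = 0
    for bits in itertools.product((0, 1), repeat=len(cube)):
        iv = [0] * N_IV
        for idx, b in zip(cube, bits):
            iv[idx] = b
        total ^= oracle(iv)
    return total

def superpoly(cube, trials=50):
    """Offline phase: (const, coeffs) if the cube sum is affine in the key, else None."""
    rng = random.Random(0)
    f = lambda key: cube_sum(lambda iv: toy_output(key, iv), cube)
    const = f([0] * N_KEY)
    for _ in range(trials):  # BLR linearity test on random key pairs
        x = [rng.randint(0, 1) for _ in range(N_KEY)]
        y = [rng.randint(0, 1) for _ in range(N_KEY)]
        xy = [a ^ b for a, b in zip(x, y)]
        if f(x) ^ f(y) ^ f(xy) ^ const:
            return None  # cube sum is non-linear in the key: unusable cube
    coeffs = [f([int(i == j) for j in range(N_KEY)]) ^ const for i in range(N_KEY)]
    return const, coeffs

def recover(oracle, cubes):
    """Online phase: one linear equation per usable cube, then brute-force the rest."""
    eqs = []
    for cube in cubes:
        sp = superpoly(cube)
        if sp and any(sp[1]):
            eqs.append((sp[1], sp[0] ^ cube_sum(oracle, cube)))
    return [list(k) for k in itertools.product((0, 1), repeat=N_KEY)
            if all(sum(c & b for c, b in zip(co, k)) % 2 == rhs for co, rhs in eqs)]

if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0]  # constructed sample key
    cands = recover(lambda iv: toy_output(secret, iv), [(0, 1), (2, 3), (0, 4, 5), (1,)])
    print(len(cands), "candidate keys remain; secret included:", secret in cands)
```

Three usable cubes give three independent linear equations, so the 64-key space shrinks to 8 candidates; the cube `(1,)` is rejected because its sum is the product of two key bits.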

References

  1. Aumasson, J.-P., Dinur, I., Meier, W., Shamir, A.: Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009)

  2. Bogdanov, A.: Attacks on the KeeLoq Block Cipher and Authentication System. In: RFIDSec 2007 (2007)

  3. Bedi, S., Pillai, R.: Cube Attacks on Trivium. IACR Cryptology ePrint Archive, 15 (2009)

  4. Biham, E., Dunkelman, O., Indesteege, S., Keller, N., Preneel, B.: How to Steal Cars – A Practical Attack on KeeLoq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)

  5. Courtois, N.: The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime. In: SECRYPT 2009: International Conference on Security and Cryptography, Milan, Italy, July 7-10 (2009)

  6. Courtois, N.T., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008), http://eprint.iacr.org/2007/062

  7. Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)

  8. Courtois, N., Nohl, K., O’Neil, S.: Algebraic Attacks on MiFare RFID Chips, http://www.nicolascourtois.com/papers/mifare_rump_ec08.pdf

  9. Courtois, N., Nohl, K., O’Neil, S.: Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards. Short paper, http://eprint.iacr.org/2008/166

  10. Courtois, N.T., O’Neil, S., Quisquater, J.-J.: Practical Algebraic Attacks on the Hitag2 Stream Cipher. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 167–176. Springer, Heidelberg (2009)

  11. Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)

  12. de Koning Gans, G., Hoepman, J.-H., Garcia, F.D.: A Practical Attack on the MIFARE Classic. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 267–282. Springer, Heidelberg (2008)

  13. Garcia, F.D., de Koning Gans, G., Muijrers, R., van Rossum, P., Verdult, R., Schreur, R.W., Jacobs, B.: Dismantling MIFARE Classic. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 97–114. Springer, Heidelberg (2008)

  14. Lai, X.: Higher Order Derivatives and Differential Cryptanalysis. Communications and Cryptography: Two Sides of One Tapestry, 227 (1994)

  15. Nohl, K.: Cryptanalysis of Crypto-1. Short paper, http://www.cs.virginia.edu/kn5f/Mifare.Cryptanalysis.htm

  16. Nohl, K., Evans, D., Starbug, S., Plötz, H.: Reverse-engineering a cryptographic RFID tag. In: USENIX Security 2008 (2008)

  17. Philips Semiconductors Corporation: Philips Semiconductors Data Sheet, HT2 Transponder Family, Communication Protocol, Reader, HITAG2(R) Transponder, Product Specification, Version 2.1, http://www.phreaker.ru/showthread.php?p=226

  18. Saarinen, M.: Chosen-IV statistical attacks on eStream ciphers. In: SECRYPT 2006, pp. 260–266. INSTICC Press (2006)

  19. Vielhaber, M.: Breaking ONE.TRIVIUM by AIDA and Algebraic IV Differential Attack. IACR Cryptology ePrint Archive, 413 (2007)

  20. Vielhaber, M.: AIDA Breaks (BIVIUM A and B) in 1 Minute Dual Core CPU Time. IACR Cryptology ePrint Archive, 402 (2009)

  21. Wiener, I.: Hitag2 specification, reference implementation and test vectors, http://cryptolib.com/ciphers/hitag2

  22. Transponder Table, a list of cars and transponders used in these cars, http://www.keeloq.boom.ru/table.pdf

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sun, S., Hu, L., Xie, Y., Zeng, X. (2011). Cube Cryptanalysis of Hitag2 Stream Cipher. In: Lin, D., Tsudik, G., Wang, X. (eds) Cryptology and Network Security. CANS 2011. Lecture Notes in Computer Science, vol 7092. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25513-7_3

  • DOI: https://doi.org/10.1007/978-3-642-25513-7_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-25512-0

  • Online ISBN: 978-3-642-25513-7

  • eBook Packages: Computer Science, Computer Science (R0)
