Abstract
KeeLoq is a lightweight cipher that is widely used in car locks. The fastest known attack on KeeLoq is a Slide-Determine attack by Bard, Courtois and Wagner with a complexity of 228 KeeLoq computations [11]. However this attack requires the knowledge of the whole code-book of 232 known plaintexts, which is totally unrealistic. The first attack on KeeLoq with a far more realistic requirement of 216 known plaintexts was proposed by Courtois, Bard and Wagner [10,11] and can be used to clone KeeLoq devices in practice. Later, Dunkelman et al. proposed another faster attack in this setting [2].
From the practitioner point of view, the question remains however what is the best attack in the weakest possible setting, when the attacker is given only two (or a bit more) known plaintexts (one does not suffice due to the key size being larger than block size). In this case, the fastest known attack on KeeLoq remains brute force, which is actually feasible and reportedly criminals implement this attack in FPGA to steal cars, see [7]. In this paper we show that there is a better attack. More precisely, we show that due to a self-similarity property of KeeLoq the exhaustive key search process can be substantially accelerated and the security of KeeLoq is strictly lower as soon as the adversary disposes of two chosen plaintexts. Then we get an attack faster then brute force.
Independently, these attacks can be improved by a factor of 2 with some storage. Due to the protocol used, our attacks are realistic and allow to clone a KeeLoq entry devices more easily than previously thought.
In this paper we introduce a new general and powerful attack on block ciphers, a self-similarity attack. It is strictly more general than sliding attacks. For KeeLoq, but also for DES, self-similarity allows to speed up the brute force attack on the cipher. Both in case of DES and KeeLoq brute force is the most realistic attack known, and it can be improved by a self similarity attack, at the price of a chosen plaintext attack. Only 2 chosen plaintexts are needed in all these attacks.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Biham, E., Dunkelman, O., Indesteege, S., Keller, N., Preneel, B.: How to Steal Cars A Practical Attack on KeeLoq. Crypto 2007 rump session talk (2007), http://www.cosic.esat.kuleuven.be/keeloq/keeloq-rump.pdf
Biham, E., Dunkelman, O., Indesteege, S., Keller, N., Preneel, B.: How to Steal Cars A Practical Attack on KeeLoq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)
Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999)
Bogdanov, A.: Cryptanalysis of the KeeLoq block cipher, http://eprint.iacr.org/2007/055
Bogdanov, A.: Attacks on the KeeLoq Block Cipher and Authentication Systems. In: 3rd Conference on RFID Security, RFIDSec (2007)
Bogdanov, A.: Linear slide attacks on the keeLoq block cipher. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds.) Inscrypt 2007. LNCS, vol. 4990, pp. 66–80. Springer, Heidelberg (2008)
Keeloq wikipedia article (January 25, 2007), http://en.wikipedia.org/wiki/KeeLoq
Keeloq C source code by Ruptor, http://cryptolib.com/ciphers/
Courtois, N.: Examples of equations generated for experiments with algebraic cryptanalysis of KeeLoq, http://www.cryptosystem.net/aes/toyciphers.html
Courtois, N., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq, Older preprint with an incorrect specification of KeeLoq, eprint.iacr.org/2007/062/
Courtois, N.T., Bard, G.V., Wagner, D.: Algebraic and slide attacks on keeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008)
Courtois, N., Bard, G.V.: Random Permutation Statistics and An Improved Slide-Determine Attack on KeeLoq. In: Naccache, D. (ed.) Festschrift Quisquater. LNCS, vol. 6805, pp. 55–66. Springer, Heidelberg (2011)
Courtois, N., Bard, G.V., Bogdanov, A.: Periodic Ciphers with Small Blocks and Cryptanalysis of KeeLoq, vol. 41, pp. 167–188. Tatra Mountains Mathematic Publications (2008); Post-Proceedings of Tatracrypt 2007 Conference, The 7th Central European Conference on Cryptology, Smolenice, Slovakia (June 22-24, 2007)
Hellman, M.E., Merkle, R., Schroppel, R., Washington, L., Diffie, W., Pohlig, S., Schweitzer, P.: Results of an initial attempt to cryptanalyze the NBS Data Encryption Standard, Technical report, Stanford University, U.S.A. (September 1976); Known also as Lexar Report, Lexar Corporation, Unpublished Report, 11611 San Vicente Blvd., Los Angeles (1976)
Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton
Microchip. An Introduction to KeeLoq Code Hopping (1996), http://ww1.microchip.com/downloads/en/AppNotes/91002a.pdf
Microchip. Hopping Code Decoder using a PIC16C56, AN642 (1998), http://www.keeloq.boom.ru/decryption.pdf
Microchip. Using KeeLoq to Validate Subsystem Compatibility, AN827 (2002), http://ww1.microchip.com/downloads/en/AppNotes/00827a.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Courtois, N.T. (2012). Self-similarity Attacks on Block Ciphers and Application to KeeLoq. In: Naccache, D. (eds) Cryptography and Security: From Theory to Applications. Lecture Notes in Computer Science, vol 6805. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28368-0_7
Download citation
DOI: https://doi.org/10.1007/978-3-642-28368-0_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28367-3
Online ISBN: 978-3-642-28368-0
eBook Packages: Computer ScienceComputer Science (R0)