A Practical Attack on KeeLoq

Aerts, Wim; Biham, Eli; Moitie, Dieter De; Mulder, Elke De; Dunkelman, Orr; Indesteege, Sebastiaan; Keller, Nathan; Preneel, Bart; Vandenbosch, Guy A. E.; Verbauwhede, Ingrid

doi:10.1007/s00145-010-9091-9

Cited by 24 publications

(12 citation statements)

References 14 publications

(58 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our practical implementation recovers the full 64-bit secret key from 30 captured authentication frames in about 2 − 6 days using 200 CPU cores. Table 6 shows the comparison of the attack on the Atmel CryptoMemory cipher presented in this paper and that on another proprietary cipher KeeLoq in [1]. One can again conclude that such proprietary ciphers fail to provide enough security even from a practical point of view.…”

Section: Discussionmentioning

confidence: 83%

Cryptanalysis of the Atmel Cipher in SecureMemory, CryptoMemory and CryptoRF

Biryukov

Kizhvatov

Zhang

2011

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. SecureMemory (SM), CryptoMemory (CM) and CryptoRF (CR) are the Atmel chip families with wide applications in practice. They implement a proprietary stream cipher, which we call the Atmel cipher, to provide authenticity, confidentiality and integrity. At CCS'2010, it was shown that given 1 keystream frame, the secret key in SM protected by the simple version of the cipher can be recovered in 2 39.4 cipher ticks and if 2640 keystream frames are available, the secret key in CM guarded by the more complex version of the cipher can be restored in 2 58 cipher ticks. In this paper, we show much more efficient and practical attacks on both versions of the Atmel cipher. The idea is to dynamically reconstruct the internal state of the underlying register by exploiting the different diffusion speeds of the different cells. For SM, we can recover the secret key in 2 29.8 cipher ticks given 1 keystream frame; for CM, we can recover the secret key in 2 50 cipher ticks with around 24 frames. Practical implementation of the full attack confirms our results.

show abstract

Section: Discussionmentioning

confidence: 83%

Cryptanalysis of the Atmel Cipher in SecureMemory, CryptoMemory and CryptoRF

Biryukov

Kizhvatov

Zhang

2011

Applied Cryptography and Network Security

View full text Add to dashboard Cite

show abstract

“…1. For each of the D plaintext-ciphertext pairs (P i , C i ): 7 Thus, we do not exploit the actual fixed-point in a strong way (such as in [1]), but merely some fixed linear relation between X i 1 andX i 3 .…”

Section: Our Generalized Multibridge Attack On 4-round Iterated Even-mentioning

confidence: 99%

“…Furthermore, for all such variants 3 we obtain a complete tradeoff curve of DT = 2 2n in the known plaintext attack model. 1 We define security in the computational model, which calculates the time complexity according to the number of operations that the attacker performs. This model is different from the information theoretical model (used, for example, in [4]), which only considers the number of queries to the internal permutations of the primitive.…”

Section: Introductionmentioning

confidence: 99%

Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys

Dinur

Dunkelman

Keller

et al. 2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The iterated Even-Mansour (EM) scheme is a generalization of the original 1-round construction proposed in 1991, and can use one key, two keys, or completely independent keys. In this paper, we methodically analyze the security of all the possible iterated Even-Mansour schemes with two n-bit keys and up to four rounds, and show that none of them provides more than n-bit security. Our attacks are based on a new cryptanalytic technique called multibridge which splits the cipher to different parts in a novel way, such that they can be analyzed independently, exploiting its self-similarity properties. After the analysis of the parts, the key suggestions are efficiently joined using a meet-in-themiddle procedure. As a demonstration of the multibridge technique, we devise a new attack on 4 steps of the LED-128 block cipher, reducing the time complexity of the best known attack on this scheme from 2 96 to 2 64 . Furthermore, we show that our technique can be used as a generic key-recovery tool, when combined with some statistical distinguishers (like those recently constructed in reflection cryptanalysis of GOST and PRINCE).

show abstract

“…For systems with a higher level of mathematical security, several examples of real-world side-channel attacks have demonstrated a huge attack potential: The 112-bit secret key of the Mifare DESfire MF3ICD40 smartcard (based on the 3DES cipher) can be extracted with Electro-Magnetic (EM)-based Side Channel Analysis (SCA) [16]. Likewise, the mathematical weaknesses found in the proprietary remote keyless entry system KeeLoq [1,4] are insufficient for a practical attack. However, a side-channel attack yielding the master key of the system allows to duplicate remote controls by one-time eavesdropping from several hundred meters [8].…”

Section: Related Workmentioning

confidence: 99%

When Reverse-Engineering Meets Side-Channel Analysis – Digital Lockpicking in Practice

Oswald

Strobel

Schellenberg

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In the past years, various electronic access control systems have been found to be insecure. In consequence, attacks have emerged that permit unauthorized access to secured objects. One of the few remaining, allegedly secure digital locking systems-the system 3060 manufactured and marketed by SimonsVoss-is employed in numerous objects worldwide. Following the trend to analyze the susceptibility of real-world products towards implementation attacks, we illustrate our approach to understand the unknown embedded system and its components. Detailed investigations are performed in a step-by-step process, including the analysis of the communication between transponder and lock, reverse-engineering of the hardware, bypassing the read-out protection of a microcontroller, and reverse-engineering the extracted program code. Piecing all parts together, the security mechanisms of the system can be completely circumvented by means of implementation attacks. We present an EM side-channel attack for extracting the secret system key from a door lock. This ultimately gives access to all doors of an entire installation. Our technique targets a proprietary function (used in combination with a DES for key derivation), probably originally implemented as an obscurity-based countermeasure to prevent attacks.

show abstract

A Practical Attack on KeeLoq

Cited by 24 publications

References 14 publications

Cryptanalysis of the Atmel Cipher in SecureMemory, CryptoMemory and CryptoRF

Cryptanalysis of the Atmel Cipher in SecureMemory, CryptoMemory and CryptoRF

Cryptanalysis of Iterated Even-Mansour Schemes with Two Keys

When Reverse-Engineering Meets Side-Channel Analysis – Digital Lockpicking in Practice

Contact Info

Product

Resources

About