Handbook of Applied Cryptography
Handbook of Applied Cryptography
FSE '99 Proceedings of the 6th International Workshop on Fast Software Encryption
Linear Slide Attacks on the KeeLoq Block Cipher
Information Security and Cryptology
Algebraic and Slide Attacks on KeeLoq
Fast Software Encryption
EUROCRYPT'08 Proceedings of the theory and applications of cryptographic techniques 27th annual international conference on Advances in cryptology
Random permutation statistics and an improved slide-determine attack on keeloq
Cryptography and Security
| Hi-index | 0.00 |
KeeLoq is a lightweight cipher that is widely used in car locks. The fastest known attack on KeeLoq is a Slide-Determine attack by Bard, Courtois and Wagner with a complexity of 228 KeeLoq computations [11]. However this attack requires the knowledge of the whole code-book of 232 known plaintexts, which is totally unrealistic. The first attack on KeeLoq with a far more realistic requirement of 216 known plaintexts was proposed by Courtois, Bard and Wagner [10,11] and can be used to clone KeeLoq devices in practice. Later, Dunkelman et al. proposed another faster attack in this setting [2]. From the practitioner point of view, the question remains however what is the best attack in the weakest possible setting, when the attacker is given only two (or a bit more) known plaintexts (one does not suffice due to the key size being larger than block size). In this case, the fastest known attack on KeeLoq remains brute force, which is actually feasible and reportedly criminals implement this attack in FPGA to steal cars, see [7]. In this paper we show that there is a better attack. More precisely, we show that due to a self-similarity property of KeeLoq the exhaustive key search process can be substantially accelerated and the security of KeeLoq is strictly lower as soon as the adversary disposes of two chosen plaintexts. Then we get an attack faster then brute force. Independently, these attacks can be improved by a factor of 2 with some storage. Due to the protocol used, our attacks are realistic and allow to clone a KeeLoq entry devices more easily than previously thought. In this paper we introduce a new general and powerful attack on block ciphers, a self-similarity attack. It is strictly more general than sliding attacks. For KeeLoq, but also for DES, self-similarity allows to speed up the brute force attack on the cipher. Both in case of DES and KeeLoq brute force is the most realistic attack known, and it can be improved by a self similarity attack, at the price of a chosen plaintext attack. Only 2 chosen plaintexts are needed in all these attacks.