Paper 2008/058

Physical Cryptanalysis of KeeLoq Code Hopping Applications

Thomas Eisenbarth, Timo Kasper, Amir Moradi, Christof Paar, Mahmoud Salmasizadeh, and Mohammad T. Manzuri Shalmani


KeeLoq remote keyless entry systems are widely used for access control purposes such as garage door openers for car anti-theft systems. We present the first successful differential power analysis attacks on numerous commercially available products employing KeeLoq code hopping. Our new techniques combine side-channel cryptanalysis with specific properties of the KeeLoq algorithm. They allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in few minutes. Once knowing the manufacturer key, we demonstrate how to disclose the secret key of a remote control and replicate it from a distance, just by eavesdropping at most two messages. This key-cloning without physical access to the device has serious real-world security implications. Finally, we mount a denial-of-service attack on a KeeLoq access control system. All the proposed attacks have been verified on several commercial KeeLoq products.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
KeeLoqside-channel attackcode hopping protocol
Contact author(s)
moradi @ crypto rub de
2008-02-29: revised
2008-02-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Thomas Eisenbarth and Timo Kasper and Amir Moradi and Christof Paar and Mahmoud Salmasizadeh and Mohammad T.  Manzuri Shalmani},
      title = {Physical Cryptanalysis of KeeLoq Code Hopping Applications},
      howpublished = {Cryptology ePrint Archive, Paper 2008/058},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.