Cryptology ePrint Archive: Report 2008/058

Physical Cryptanalysis of KeeLoq Code Hopping Applications

Thomas Eisenbarth and Timo Kasper and Amir Moradi and Christof Paar and Mahmoud Salmasizadeh and Mohammad T. Manzuri Shalmani

Abstract: KeeLoq remote keyless entry systems are widely used for access control purposes such as garage door openers for car anti-theft systems. We present the first successful differential power analysis attacks on numerous commercially available products employing KeeLoq code hopping. Our new techniques combine side-channel cryptanalysis with specific properties of the KeeLoq algorithm. They allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in few minutes. Once knowing the manufacturer key, we demonstrate how to disclose the secret key of a remote control and replicate it from a distance, just by eavesdropping at most two messages. This key-cloning without physical access to the device has serious real-world security implications. Finally, we mount a denial-of-service attack on a KeeLoq access control system. All the proposed attacks have been verified on several commercial KeeLoq products.

Category / Keywords: secret-key cryptography / KeeLoq, side-channel attack, code hopping protocol

Date: received 2 Feb 2008, last revised 29 Feb 2008

Contact author: moradi at crypto rub de

Available format(s): PDF | BibTeX Citation

Version: 20080229:193714 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]