Paper 2008/166

Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards

Nicolas T. Courtois, Karsten Nohl, and Sean O'Neil


MiFare Crypto 1 is a lightweight stream cipher used in London's Oyster card, Netherland's OV-Chipcard, US Boston's CharlieCard, and in numerous wireless access control and ticketing systems worldwide. Recently, researchers have been able to recover this algorithm by reverse engineering. We have examined MiFare from the point of view of the so called "algebraic attacks". We can recover the full 48-bit key of MiFare algorithm in 200 seconds on a PC, given 1 known IV (from one single encryption). The security of this cipher is therefore close to zero. This is particularly shocking, given the fact that, according to the Dutch press, 1 billion of MiFare Classic chips are used worldwide, including in many governmental security systems.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Mifare Crypto 1 algorithmstream ciphersalgebraic cryptanalysisBoolean functionsGröbner basesSAT solvers
Contact author(s)
n courtois @ ucl ac uk
2008-04-14: revised
2008-04-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nicolas T.  Courtois and Karsten Nohl and Sean O'Neil},
      title = {Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards},
      howpublished = {Cryptology ePrint Archive, Paper 2008/166},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.