Self-similarity Attacks on Block Ciphers and Application to KeeLoq.
In: Naccache, D, (ed.)
KeeLoq is a lightweight cipher that is widely used in car locks. The fastest known attack on KeeLoq is a Slide-Determine attack by Bard, Courtois and Wagner with a complexity of 2p28 KeeLoq computations. However this attack requires the knowledge of the whole code-book of 2p32 known plaintexts, which is totally unrealistic. The first attack on KeeLoq with a far more realistic requirement of 2p16 known plaintexts was proposed by Courtois, Bard and Wagner [FSE 2008] and can be used to clone KeeLoq devices in practice. Later, Dunkelman et al. proposed another faster attack in this setting. From the practitioner point of view, the question remains however what is the best attack in the weakest possible setting, when the attacker is given only two (or a bit more) known plaintexts (one does not suffice due to the key size being larger than block size). In this case, the fastest known attack on KeeLoq remains brute force, which is actually feasible and reportedly criminals implement this attack in FPGA to steal cars. In this paper we show that there is a better attack. More precisely, we show that due to a self-similarity property of KeeLoq the exhaustive key search process can be substantially accelerated and the security of KeeLoq is strictly lower as soon as the adversary disposes of two chosen plaintexts. Then we get an attack faster then brute force. Independently, these attacks can be improved by a factor of 2 with some storage. Due to the protocol used, our attacks are realistic and allow to clone a KeeLoq entry devices more easily than previously thought. In this paper we introduce a new general and powerful attack on block ciphers, a self-similarity attack. It is strictly more general than sliding attacks. For KeeLoq, but also for DES, self-similarity allows to speed up the brute force attack on the cipher. Both in case of DES and KeeLoq brute force is the most realistic attack known, and it can be improved by a self similarity attack, at the price of a chosen plaintext attack. Only 2 chosen plaintexts are needed in all these attacks.
|Title:||Self-similarity Attacks on Block Ciphers and Application to KeeLoq|
|Additional information:||in press, to appear in late 2011|
|UCL classification:||UCL > School of BEAMS
UCL > School of BEAMS > Faculty of Engineering Science
Archive Staff Only