International Association for Cryptologic Research

Paper: Physical Cryptanalysis of KeeLoq Code Hopping Applications

Thomas Eisenbarth
Timo Kasper
Amir Moradi
Christof Paar
Mahmoud Salmasizadeh
Mohammad T. Manzuri Shalmani
Abstract: KeeLoq remote keyless entry systems are widely used for access control purposes such as garage door openers or car anti-theft systems. We present the first successful differential power analysis attacks on numerous commercially available products employing KeeLoq code hopping. Our new techniques combine side-channel cryptanalysis with specific properties of the KeeLoq algorithm. They allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in a few minutes. Once knowing the manufacturer key, we demonstrate how to disclose the secret key of a remote control and replicate it from a distance, just by eavesdropping at most two messages. This key-cloning without physical access to the device has serious real-world security implications. Finally, we mount a denial-of-service attack on a KeeLoq access control system. All the proposed attacks have been verified on several commercial KeeLoq products.
  title={Physical Cryptanalysis of KeeLoq Code Hopping Applications},
  booktitle={IACR Eprint archive},
  keywords={secret-key cryptography / KeeLoq, side-channel attack, code hopping protocol},
  note={ 13938 received 2 Feb 2008, last revised 29 Feb 2008},
  author={Thomas Eisenbarth and Timo Kasper and Amir Moradi and Christof Paar and Mahmoud Salmasizadeh and Mohammad T. Manzuri Shalmani},