Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed

Markus Kasper, Timo Kasper, Amir Moradi, Chris­tof Paar

2nd International Conference on Cryptology in Africa, Progress in Cryptology - AFRICACRYPT 2009, Gammarth, Tunisia, 21-25 June, 2009.


We present the first simple power analysis (SPA) of software implementations of KeeLoq. Our attack drastically reduces the effort required for a complete break of remote keyless entry (RKE) systems based on KeeLoq. We analyze implementations of KeeLoq on microcontrollers and exploit timing vulnerabilities to develop an attack that allows practical key recovery within seconds of computation time, thereby significantly outperforming all existing attacks: a single measurement of a section of one KeeLoq decryption suffices to extract the 64-bit master key of commercial products, without prior knowledge of either plaintext or ciphertext. We further introduce techniques for effectively realizing an automatic SPA and a method for circumventing a simple countermeasure; both can also be applied to analyzing other implementations of cryptography on microcontrollers.
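The following is an added illustration, not code from the paper or from any KeeLoq product firmware. It implements the public KeeLoq cipher (32-bit block, 64-bit key, 528 NLFSR rounds, NLF table 0x3A5C742E) and then models the class of leak the abstract describes: a decryption routine whose per-round cost depends on the current key bit. The leakage model (a conditional XOR on the key bit costing one extra simulated cycle, with an arbitrary base cost of 12 cycles per round) is an assumption chosen for the example; the paper's measured implementations, trace acquisition and countermeasure bypass are not reproduced here. The point it demonstrates is the one in the abstract: because decryption round r consumes key bit (15 - r) mod 64, any 64 consecutive rounds of a single trace spell out the whole key, and neither plaintext nor ciphertext is needed. The function names, the sample key and the sample block are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define KEELOQ_NLF     0x3A5C742Eu   /* KeeLoq non-linear function as a 32-entry truth table */
#define KEELOQ_ROUNDS  528
#define BIT(x, n)      (((x) >> (n)) & 1u)
/* Five tap bits packed into an index into the NLF table (a = LSB, e = MSB). */
#define G5(x, a, b, c, d, e) \
    (BIT(x, a) | (BIT(x, b) << 1) | (BIT(x, c) << 2) | (BIT(x, d) << 3) | (BIT(x, e) << 4))

/* Reference KeeLoq encryption: 32-bit block, 64-bit key, 528 NLFSR rounds. */
uint32_t keeloq_encrypt(uint32_t x, uint64_t key)
{
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        uint32_t fb = BIT(x, 0) ^ BIT(x, 16) ^ (uint32_t)BIT(key, r & 63)
                    ^ BIT(KEELOQ_NLF, G5(x, 1, 9, 20, 26, 31));
        x = (x >> 1) | (fb << 31);
    }
    return x;
}

/* Reference KeeLoq decryption. The key bit is folded in with a plain XOR, so
 * the round's control flow does not depend on the key (under this model). */
uint32_t keeloq_decrypt(uint32_t x, uint64_t key)
{
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        uint32_t fb = BIT(x, 31) ^ BIT(x, 15) ^ (uint32_t)BIT(key, (15 - r) & 63)
                    ^ BIT(KEELOQ_NLF, G5(x, 0, 8, 19, 25, 30));
        x = (x << 1) | fb;
    }
    return x;
}

/* Leakage model (an assumption for this example, not the implementation the
 * paper measured): the key bit is applied by a conditional XOR, so a round
 * takes one extra cycle when that key bit is 1. trace[] receives the
 * simulated cycle count of each round, standing in for a power/timing trace. */
#define BASE_CYCLES 12u   /* arbitrary cost of the key-independent part of a round */

uint32_t keeloq_decrypt_leaky(uint32_t x, uint64_t key, unsigned trace[KEELOQ_ROUNDS])
{
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        unsigned cycles = BASE_CYCLES;
        uint32_t fb = BIT(x, 31) ^ BIT(x, 15) ^ BIT(KEELOQ_NLF, G5(x, 0, 8, 19, 25, 30));
        if (BIT(key, (15 - r) & 63)) {   /* key-dependent branch: the leak */
            fb ^= 1u;
            cycles += 1;
        }
        trace[r] = cycles;
        x = (x << 1) | fb;
    }
    return x;
}

/* Key recovery from any 64 consecutive rounds of one trace. Decryption round r
 * consumes key bit (15 - r) mod 64, so the rounds that took the extra cycle
 * spell out the whole 64-bit key. No plaintext or ciphertext is needed.
 * Caller guarantees first_round + 64 <= KEELOQ_ROUNDS. */
uint64_t recover_key(const unsigned *trace, unsigned first_round)
{
    uint64_t key = 0;
    for (unsigned i = 0; i < 64; i++) {
        unsigned r = first_round + i;
        if (trace[r] > BASE_CYCLES)          /* threshold between the two timing classes */
            key |= (uint64_t)1 << ((15 - r) & 63);
    }
    return key;
}

/* End-to-end: encrypt a constructed plaintext, "measure" the leaky decryption,
 * and recover the key from a 64-round window in the middle of the trace. */
uint64_t attack_demo(uint64_t key)
{
    unsigned trace[KEELOQ_ROUNDS];
    uint32_t ct = keeloq_encrypt(0xDEADBEEFu, key);     /* constructed sample block */
    (void)keeloq_decrypt_leaky(ct, key, trace);
    return recover_key(trace, 200);
}

int main(void)
{
    uint64_t key = 0x0123456789ABCDEFull;               /* constructed sample key */
    uint32_t ct = keeloq_encrypt(0xDEADBEEFu, key);
    printf("ciphertext    : %08X\n", ct);
    printf("roundtrip ok  : %d\n", keeloq_decrypt(ct, key) == 0xDEADBEEFu);
    printf("recovered key : %016llX\n", (unsigned long long)attack_demo(key));
    return 0;
}
```

The branch-free `keeloq_decrypt` removes this particular leak only under the model shown: a compiler targeting a small microcontroller may still turn the XOR of a single key bit into a bit-test-and-skip sequence, so the check that matters is on the generated machine code, not the C source. Inspect the disassembly of the round loop for any instruction whose execution depends on the key bit, and confirm on the target that per-round timing and current draw do not separate into two classes.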
