On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme

Thomas Eisenbarth, Timo Kasper, Amir Moradi, Christof Paar, Mahmoud Salmasizadeh, Mohammad T. Manzuri Shalmani


KeeLoq remote keyless entry systems are widely used for access control purposes such as garage openers or car door systems. We present the first successful differential power analysis attacks on numerous commercially available products employing KeeLoq code hopping. Our new techniques combine side-channel cryptanalysis with specific properties of the KeeLoq algorithm. They allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in few minutes. After extracting the manufacturer key once, with similar techniques, we demonstrate how to recover the secret key of a remote control and replicate it from a distance, just by eavesdropping on at most two messages. This key-cloning without physical access to the device has serious real-world security implications, as the technically challenging part can be outsourced to specialists. Finally, we mount a denial of service attack on a KeeLoq access control system. All proposed attacks have been verified on several commercial KeeLoq products.
Original languageEnglish
Title of host publicationAdvances in Cryptology -- CRYPTO 2008
EditorsDavid Wagner
Number of pages18
Place of PublicationBerlin, Heidelberg
PublisherSpringer Berlin Heidelberg
Publication date08.2008
ISBN (Print)978-3-540-85173-8
ISBN (Electronic)978-3-540-85174-5
Publication statusPublished - 08.2008
Event28th Annual International Cryptology Conference - Santa Barbara, United States
Duration: 17.08.200821.08.2008


Dive into the research topics of 'On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme'. Together they form a unique fingerprint.

Cite this