Abstract
Hitag2 is a lightweight LFSR-based stream cipher with a 48-bit key and a 48-bit internal state. As a more secure version of the Crypto-1 cipher, which has been employed in many Mifare Classic RFID products, Hitag2 is used by many car manufacturers for unlocking car doors remotely. Until now, apart from the brute-force attack, only one cryptanalysis of this cipher had been published, by Courtois, O’Neil and Quisquater, which broke Hitag2 with a SAT solver within several hours. However, little theoretical analysis or explanation was given in their work. In this paper, we show that there exist many low-dimensional cubes of the initialization vectors such that the sums of the outputs of Hitag2 over the corresponding initialization vectors are linear expressions in the secret key bits, and hence propose an efficient black- and white-box hybrid cube attack on Hitag2. Our attack experiments show that the cipher can be broken within one minute on a PC. The attack is composed of three phases: a black-box attack that extracts 32 bits of the secret key, a white-box attack that recovers several other key bits, and a brute-force search for the remaining key bits.
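The cube-summation property the abstract relies on, as an added illustration that is not code from the paper: it uses a constructed 4-bit toy polynomial rather than Hitag2, sums its output over small IV cubes, tests whether each sum is linear in the key bits, and reads off the resulting key equations. The names `toy_output`, `cube_sum`, `is_affine`, `superpoly` and `key_relations` are hypothetical.

```python
from itertools import product

N_KEY, N_IV = 4, 4  # toy sizes chosen for the example (Hitag2 itself has a 48-bit key)

def toy_output(k, v):
    """Constructed toy output bit: a GF(2) polynomial in key bits k and IV bits v."""
    return ((v[0] & v[1] & (k[0] ^ k[2] ^ 1)) ^ (v[2] & v[3] & k[3])
            ^ (v[1] & v[2] & k[1] & k[3]) ^ (v[0] & k[1]) ^ (k[0] & k[1]) ^ v[3])

def cube_sum(oracle, k, cube):
    """XOR the oracle output over every assignment of the cube IV bits (other IV bits 0)."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * N_IV
        for idx, b in zip(cube, bits):
            v[idx] = b
        total ^= oracle(k, v)
    return total

def is_affine(oracle, cube):
    """Exhaustive linearity test: p(x) ^ p(y) ^ p(x^y) ^ p(0) == 0 for all keys x, y."""
    keys = list(product((0, 1), repeat=N_KEY))
    p = {k: cube_sum(oracle, k, cube) for k in keys}
    zero = (0,) * N_KEY
    return all(p[x] ^ p[y] ^ p[tuple(a ^ b for a, b in zip(x, y))] ^ p[zero] == 0
               for x in keys for y in keys)

def superpoly(oracle, cube):
    """Recover (constant, coefficients) of an affine cube sum from N_KEY + 1 probes."""
    const = cube_sum(oracle, [0] * N_KEY, cube)
    coeffs = []
    for i in range(N_KEY):
        unit = [int(j == i) for j in range(N_KEY)]
        coeffs.append(cube_sum(oracle, unit, cube) ^ const)
    return const, coeffs

def key_relations(oracle, secret, cubes):
    """Each cube with an affine sum yields one linear equation in the secret key bits."""
    out = []
    for cube in cubes:
        if is_affine(oracle, cube):
            const, coeffs = superpoly(oracle, cube)
            out.append((coeffs, cube_sum(oracle, secret, cube) ^ const))
    return out

if __name__ == "__main__":
    for coeffs, rhs in key_relations(toy_output, [1, 0, 0, 1], [(0, 1), (2, 3), (1, 2)]):
        print(coeffs, "=", rhs)
```

The cube `(1, 2)` is rejected because its sum is the product `k[1] & k[3]`, which is not linear in the key; only cubes that pass the linearity test contribute equations.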
References
Aumasson, J.-P., Dinur, I., Meier, W., Shamir, A.: Cube Testers and Key Recovery Attacks on Reduced-Round MD6 and Trivium. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 1–22. Springer, Heidelberg (2009)
Bogdanov, A.: Attacks on the KeeLoq Block Cipher and Authentication System. In: RFIDSec 2007 (2007)
Bedi, S., Pillai, R.: Cube Attacks on Trivium. IACR Cryptology ePrint Archive, 15 (2009)
Biham, E., Dunkelman, O., Indesteege, S., Keller, N., Preneel, B.: How to Steal Cars – A Practical Attack on KeeLoq. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 1–18. Springer, Heidelberg (2008)
Courtois, N.: The Dark Side of Security by Obscurity and Cloning MiFare Classic Rail and Building Passes Anywhere, Anytime. In: SECRYPT 2009: International Conference on Security and Cryptography, Milan, Italy, July 7-10 (2009)
Courtois, N.T., Bard, G.V., Wagner, D.: Algebraic and Slide Attacks on KeeLoq. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 97–115. Springer, Heidelberg (2008), http://eprint.iacr.org/2007/062
Courtois, N., Meier, W.: Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)
Courtois, N., Nohl, K., O’Neil, S.: Algebraic Attacks on MiFare RFID Chips, http://www.nicolascourtois.com/papers/mifare_rump_ec08.pdf
Courtois, N., Nohl, K., O’Neil, S.: Algebraic Attacks on the Crypto-1 Stream Cipher in MiFare Classic and Oyster Cards. Short paper, http://eprint.iacr.org/2008/166
Courtois, N.T., O’Neil, S., Quisquater, J.-J.: Practical Algebraic Attacks on the Hitag2 Stream Cipher. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 167–176. Springer, Heidelberg (2009)
Dinur, I., Shamir, A.: Cube Attacks on Tweakable Black Box Polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)
de Koning Gans, G., Hoepman, J.-H., Garcia, F.D.: A Practical Attack on the MIFARE Classic. In: Grimaud, G., Standaert, F.-X. (eds.) CARDIS 2008. LNCS, vol. 5189, pp. 267–282. Springer, Heidelberg (2008)
Garcia, F.D., de Koning Gans, G., Muijrers, R., van Rossum, P., Verdult, R., Schreur, R.W., Jacobs, B.: Dismantling MIFARE Classic. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 97–114. Springer, Heidelberg (2008)
Lai, X.: Higher Order Derivatives and Differential Cryptanalysis. Communications and Cryptography: Two Sides of One Tapestry, 227 (1994)
Nohl, K.: Cryptanalysis of Crypto-1. Short paper, http://www.cs.virginia.edu/kn5f/Mifare.Cryptanalysis.htm
Nohl, K., Evans, D., Starbug, S., Plötz, H.: Reverse-engineering a cryptographic RFID tag. In: USENIX Security 2008 (2008)
Philips Semiconductors Corporation: Philips Semiconductors Data Sheet, HT2 Transponder Family, Communication Protocol, Reader, HITAG2(R) Transponder, Product Specification, Version 2.1, http://www.phreaker.ru/showthread.php?p=226
Saarinen, M.: Chosen-IV statistical attacks on eStream ciphers. In: SECRYPT 2006, pp. 260–266. INSTICC Press (2006)
Vielhaber, M.: Breaking ONE.TRIVIUM by AIDA and Algebraic IV Differential Attack. IACR Cryptology ePrint Archive, 413 (2007)
Vielhaber, M.: AIDA Breaks (BIVIUM A and B) in 1 Minute Dual Core CPU Time. IACR Cryptology ePrint Archive, 402 (2009)
Wiener, I.: Hitag2 specification, reference implementation and test vectors, http://cryptolib.com/ciphers/hitag2
Transponder Table, a list of cars and transponders used in these cars, http://www.keeloq.boom.ru/table.pdf
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sun, S., Hu, L., Xie, Y., Zeng, X. (2011). Cube Cryptanalysis of Hitag2 Stream Cipher. In: Lin, D., Tsudik, G., Wang, X. (eds) Cryptology and Network Security. CANS 2011. Lecture Notes in Computer Science, vol 7092. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25513-7_3
DOI: https://doi.org/10.1007/978-3-642-25513-7_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25512-0
Online ISBN: 978-3-642-25513-7
eBook Packages: Computer Science, Computer Science (R0)