Cube Cryptanalysis of Hitag2 Stream Cipher

Hitag2 is a lightweight LFSR-based stream cipher with a 48-bit key and a 48-bit internal state. As a more secure version of the Crypto-1 cipher which has been employed in many Mifare Classic RFID products, Hitag2 is used by many car manufacturers for unlocking car doors remotely. Until now, except the brute force attack, only one cryptanalysis on this cipher was released by Courtois, O’Neil and Quisquater, which broke Hitag2 by an SAT solver within several hours. However, little theoretical analysis and explanation were given in their work. In this paper, we show that there exist many low dimensional cubes of the initialization vectors such that the sums of the outputs of Hitag2 for the corresponding initialization vectors are linear expressions in secret key bits, and hence propose an efficient black- and white-box hybrid cube attack on Hitag2. Our attack experiments show that the cipher can be broken within one minute on a PC. The attack is composed of three phases: a black-box attack of extracting 32 bits of the secret key, a white-box attack to get several other key bits, and a brute force search for the remaining key bits.