Security Weaknesses in Bluetooth
CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Correlation Properties of the Bluetooth Combiner Generator
ICISC '99 Proceedings of the Second International Conference on Information Security and Cryptology
Analysis of the E0 Encryption System
SAC '01 Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography
BDD-Based Cryptanalysis of Keystream Generators
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Linear Cryptanalysis of Bluetooth Stream Cipher
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Proceedings of the 3rd international conference on Mobile systems, applications, and services
Uniform Framework for Cryptanalysis of the Bluetooth E₀ Cipher
SECURECOMM '05 Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks
Reducing the space complexity of BDD-Based attacks on keystream generators
FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
The conditional correlation attack: a practical attack on bluetooth encryption
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Extended BDD-based cryptanalysis of keystream generators
SAC'07 Proceedings of the 14th international conference on Selected areas in cryptography
Hi-index | 0.00 |
In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 223 (84MB RAM), and with a time complexity of 287. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.