Cryptanalysis of the bluetooth E0 cipher ssing OBDD's

Authors:
Yaniv Shaked;Avishai Wool
Affiliations:
School of Electrical Engineering Systems, Tel Aviv University, Ramat Aviv, Israel;School of Electrical Engineering Systems, Tel Aviv University, Ramat Aviv, Israel
Venue:
ISC'06 Proceedings of the 9th international conference on Information Security
Year:
2006

Citing 9
Cited 1

Security Weaknesses in Bluetooth

CT-RSA 2001 Proceedings of the 2001 Conference on Topics in Cryptology: The Cryptographer's Track at RSA
Correlation Properties of the Bluetooth Combiner Generator

ICISC '99 Proceedings of the Second International Conference on Information Security and Cryptology
Analysis of the E0 Encryption System

SAC '01 Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography
BDD-Based Cryptanalysis of Keystream Generators

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Linear Cryptanalysis of Bluetooth Stream Cipher

EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Cracking the Bluetooth PIN

Proceedings of the 3rd international conference on Mobile systems, applications, and services
Uniform Framework for Cryptanalysis of the Bluetooth E₀ Cipher

SECURECOMM '05 Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks
Reducing the space complexity of BDD-Based attacks on keystream generators

FSE'06 Proceedings of the 13th international conference on Fast Software Encryption
The conditional correlation attack: a practical attack on bluetooth encryption

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology

Extended BDD-based cryptanalysis of keystream generators

SAC'07 Proceedings of the 14th international conference on Selected areas in cryptography

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 223 (84MB RAM), and with a time complexity of 287. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.