Abstract
We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth, by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be the largest for the first time. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher due to the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on fast Walsh transform to recover the closest codeword for any linear code of dimension $L$ and length $n$. It requires time $O(n + L \cdot 2^L)$ and memory $\min(n, 2^L)$. This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in $2^{39}$ time given $2^{39}$ consecutive bits after $O(2^{37})$ precomputation. This is the best known attack against E0 so far.
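The decoding idea in the abstract can be illustrated with the standard Walsh-transform technique. This is an added example, not the paper's code. It assumes a code given by $n$ generator columns of $L$ bits each, uses a constructed random instance, and keeps a full $2^L$ table rather than the $\min(n, 2^L)$ memory the abstract states.

```python
import random

def fwht(a):
    """In-place fast Walsh-Hadamard transform (len(a) must be a power of two)."""
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a

def parity(x):
    return bin(x).count("1") & 1

def ml_decode(columns, received, L):
    """Closest codeword of the code {(<x, g_i>)_i}: returns (x, Hamming distance)."""
    table = [0] * (1 << L)
    for g, r in zip(columns, received):      # O(n): bucket bits by generator column
        table[g] += 1 - 2 * r                # +1 for a received 0, -1 for a 1
    fwht(table)                              # O(L * 2^L)
    # Now table[x] = sum_i (-1)^(r_i XOR <x, g_i>) = n - 2 * distance(x).
    best = max(range(1 << L), key=table.__getitem__)
    return best, (len(received) - table[best]) // 2

def brute_force_distance(columns, received, L):
    """Reference O(n * 2^L) search, used only to check the transform-based result."""
    return min(sum(parity(x & g) ^ r for g, r in zip(columns, received))
               for x in range(1 << L))

def constructed_instance(L=8, n=600, noise=0.3, seed=1):
    """Constructed sample: random code, random message, bits flipped with prob. `noise`."""
    rng = random.Random(seed)
    columns = [rng.randrange(1 << L) for _ in range(n)]
    secret = rng.randrange(1 << L)
    received = [parity(secret & g) ^ (rng.random() < noise) for g in columns]
    return columns, secret, received

if __name__ == "__main__":
    cols, secret, rx = constructed_instance()
    print(secret, ml_decode(cols, rx, 8))
```

The single transform replaces the per-candidate pass over all $n$ received bits, which is where the gap between $O(n \cdot 2^L)$ and $O(n + L \cdot 2^L)$ comes from.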
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Lu, Y., Vaudenay, S. (2004). Faster Correlation Attack on Bluetooth Keystream Generator E0. In: Franklin, M. (eds) Advances in Cryptology – CRYPTO 2004. CRYPTO 2004. Lecture Notes in Computer Science, vol 3152. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-28628-8_25
DOI: https://doi.org/10.1007/978-3-540-28628-8_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22668-0
Online ISBN: 978-3-540-28628-8
eBook Packages: Springer Book Archive