Abstract. We study both distinguishing and key-recovery attacks by means of correlation against E0, the keystream generator used in Bluetooth. First, a powerful method of computing correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify for the first time that the two known correlations are the largest. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher that exploits the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on the fast Walsh transform to recover the closest codeword for any linear code of dimension L and length n. It requires time O(n + L · 2^L) and memory min(n, 2^L). This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in 2^39 time given 2^39 consecutive bits after O(2^37) precomputation. This is the best known attack against E0 so far.
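The closest-codeword search the abstract refers to rests on a standard identity: for a binary linear code with generator columns g_1, ..., g_n in GF(2)^L and a received word y, the score sum_i (-1)^(y_i + <x, g_i>) equals n - 2 d_H(y, c(x)), and it is the Walsh transform at x of the function f(a) = sum over {i : g_i = a} of (-1)^(y_i). Bucketing the n received signs into f costs O(n), one fast Walsh-Hadamard transform over 2^L entries costs O(L · 2^L), and the argmax is the maximum likelihood message. The following is an added worked example in Python of that procedure; it is not the paper's code, and the [40, 5] generator matrix, the error positions and the function names are constructed here for illustration and have nothing to do with E0's actual LFSRs.

```python
# Added example (not the paper's code): maximum-likelihood decoding of a binary
# linear code of dimension L and length n by one fast Walsh-Hadamard transform,
# i.e. an O(n + L*2^L) closest-codeword search instead of O(n*2^L) brute force.


def fwht(a):
    """In-place fast Walsh-Hadamard (Sylvester) transform of a list of length 2^L.
    Afterwards a[x] = sum_u a_old[u] * (-1)^popcount(x & u)."""
    size = len(a)
    h = 1
    while h < size:
        for i in range(0, size, 2 * h):
            for j in range(i, i + h):
                u, v = a[j], a[j + h]
                a[j], a[j + h] = u + v, u - v
        h *= 2
    return a


def encode(columns, x):
    """Codeword of message x (an L-bit integer): bit i is the GF(2) inner
    product <x, g_i> of x with the i-th generator column g_i."""
    return [bin(x & g).count("1") & 1 for g in columns]


def hamming(a, b):
    return sum(u != v for u, v in zip(a, b))


def ml_decode(columns, y, L):
    """Return (best_x, best_score) with best_score = max_x sum_i (-1)^(y_i + <x,g_i>).

    Step 1, O(n): bucket the received signs (-1)^y_i by generator column.
    Step 2, O(L 2^L): one Walsh transform yields the score of every x at once.
    Since score(x) = n - 2*d_H(y, codeword(x)), the maximiser is the closest
    codeword, i.e. the maximum likelihood decoding over a binary symmetric channel.
    """
    f = [0] * (1 << L)
    for g, yi in zip(columns, y):
        f[g] += 1 if yi == 0 else -1
    fwht(f)
    best_x = max(range(1 << L), key=lambda x: f[x])
    return best_x, f[best_x]


def brute_force_decode(columns, y, L):
    """Reference O(n 2^L) exhaustive search, used only to cross-check ml_decode."""
    return min(range(1 << L), key=lambda x: hamming(encode(columns, x), y))


# Constructed toy instance (hypothetical, chosen so the answer is provable by
# hand): L = 5 and n = 40. The first 31 columns are every nonzero 5-bit vector,
# so any two distinct codewords already differ in 16 of those positions; the
# remaining 9 columns are arbitrary repeats. Minimum distance is therefore >= 16
# and up to 7 bit errors are corrected uniquely.
L = 5
COLUMNS = list(range(1, 1 << L)) + [1, 2, 4, 8, 16, 31, 7, 14, 28]
N = len(COLUMNS)
TRUE_X = 0b10110
CODEWORD = encode(COLUMNS, TRUE_X)
# Simulated noisy channel: flip 6 of the 40 received bits (positions chosen by hand).
Y = list(CODEWORD)
for i in (3, 11, 17, 22, 30, 38):
    Y[i] ^= 1

if __name__ == "__main__":
    x, score = ml_decode(COLUMNS, Y, L)
    print("decoded message", bin(x), "score", score,
          "distance", hamming(encode(COLUMNS, x), Y))
```

The memory of the transform is the 2^L-entry table f; when n is much larger than 2^L, as in a fast correlation attack with many parity-check equations, the bucketing step is where the savings come from, because the n received bits are never revisited once folded into f.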
Background

Correlation properties play an important role in the security of nonlinear LFSR-based combination generators in stream ciphers. As the name implies, the word correlation in stream ciphers usually refers to the intrinsic relation between the keystream and a subset of the LFSR subsequences. The earliest studies date back to [21,25,27] in the 80's, when the concept of correlation immunity was proposed as a security criterion. In the 90's Meier-Staffelbach [22] analyzed correlation properties of combiners with one memory bit, followed by Golić [12], who focused on correlation properties of a general combiner with m-bit memory. Recently, a series of fast correlation attacks sprang up, to name but a few [5-7, 16, 24]. We therefore dedicate this paper to generalized correlation attacks against E0, a combiner with 4-bit memory used in the short-range wireless technology Bluetooth. Prior to our work, various attacks [1, 8, 10, 11, 13-15, 17, 26] against E0 existed. The best key-recovery attacks are algebraic attacks [1,8], whose basic approach is to use a polynomial that cancels all memory bits and involves only key bits, instead of the multiple polynomial used to cancel the key bits in the distinguishing attack; besides, [9,13,14] discussed correlations of E0. In [14], Hermelin-Nyberg for the first time presented a rough method to compute the correlation (called bias for our purpose), but they neither formalized the computation systematically nor attempted to find a larger correlation. In [9,13], two larger correlations for a short sequence of up to 6 bits were exposed. However, due to the limits of the computation method, no one was certain whether a larger correlation existed for a longer sequence, which is critical to the security of E0.