Cryptanalysis of Bluetooth Keystream Generator Two-Level E0

Lu, Yi; Vaudenay, Serge

doi:10.1007/978-3-540-30539-2_34

Cited by 30 publications

(19 citation statements)

References 12 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Compared with all existing attacks [13,14,16,20,24,29] on two-level E0, our attack is clearly the fastest and only practical resynchronization attack 6 so far. Note that the resynchronization attacks on one-level E0 were well studied in [3,14,24] to be much more efficient.…”

Section: Introductionmentioning

confidence: 90%

“…In order to review the reinitialization flaw discovered in [24], we first introduce some notations. Define the binary vector γ = (γ 0 , γ 1 , .…”

Section: Review On Bluetooth Two-level E0mentioning

confidence: 99%

“…The attack exploits the resynchronization flaw recently detected in [24]. Whereas in [24], this flaw is used for a traditional distinguisher based on results [12,16,17,23] of ordinary correlations, our conditional correlation attack relies on the systematic investigation of correlations conditioned on the inputs to the FSM in E0. These correlations extend a specific conditional correlation found in [23], which relates to one of the largest known biases in E0 as proved in [23].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption

Meier²,

Vaudenay

2005

Advances in Cryptology – CRYPTO 2005

Self Cite

View full text Add to dashboard Cite

Abstract. Motivated by the security of the nonlinear filter generator, the concept of correlation was previously extended to the conditional correlation, that studied the linear correlation of the inputs conditioned on a given (short) output pattern of some specific nonlinear function. Based on the conditional correlations, conditional correlation attacks were shown to be successful and efficient against the nonlinear filter generator. In this paper, we further generalize the concept of conditional correlations by assigning it with a different meaning, i.e. the correlation of the output of an arbitrary function conditioned on the unknown (partial) input which is uniformly distributed. Based on this generalized conditional correlation, a general statistical model is studied for dedicated key-recovery distinguishers. It is shown that the generalized conditional correlation is no smaller than the unconditional correlation. Consequently, our distinguisher improves on the traditional one (in the worst case it degrades into the traditional one). In particular, the distinguisher may be successful even if no ordinary correlation exists. As an application, a conditional correlation attack is developed and optimized against Bluetooth two-level E0. The attack is based on a recently detected flaw in the resynchronization of E0, as well as the investigation of conditional correlations in the Finite State Machine (FSM) governing the keystream output of E0. Our best attack finds the original encryption key for two-level E0 using the first 24 bits of 2 23.8 frames and with 2 38 computations. This is clearly the fastest and only practical known-plaintext attack on Bluetooth encryption compared with all existing attacks. Current experiments confirm our analysis.

show abstract

Section: Introductionmentioning

confidence: 90%

“…In order to review the reinitialization flaw discovered in [24], we first introduce some notations. Define the binary vector γ = (γ 0 , γ 1 , .…”

Section: Review On Bluetooth Two-level E0mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption

Meier²,

Vaudenay

2005

Advances in Cryptology – CRYPTO 2005

Self Cite

View full text Add to dashboard Cite

show abstract

“…For the minimum number of 132 available keystream bits the attack needs 2 84 polynomial time operations. The best currently known longkeystream attacks against E 0 are algebraic attacks [1] and correlation attacks [12,11]. These attacks all need a large amount of keystream (2 28 to 2 39 in the case of correlation attacks), and even in terms of time and memory requirements, [11] is the only feasible attack among them.…”

Section: Applicationsmentioning

confidence: 99%

“…For each r ∈ {0, 1, 2}, a register cell q N r , N r ∈ { nr 2 − 1, nr 2 }, is selected in LFSR R r as input for the clock control. The GSM standard uses the parameters (n 0 , n 1 , n 2 ) = (19,22,23) and (N 0 , N 1 , N 2 ) = (11,12,13).…”

Section: Applicationsmentioning

confidence: 99%

Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators

Krause

Stegemann

2006

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. The main application of stream ciphers is online-encryption of arbitrarily long data, for example when transmitting speech data between a Bluetooth headset and a mobile GSM phone or between the phone and a GSM base station. Many practically used and intensively discussed stream ciphers such as the E0 generator used in Bluetooth and the GSM cipher A5/1 consist of a small number of linear feedback shift registers (LFSRs) that transform a secret key x ∈ {0, 1} n into an output keystream of arbitrary length. In 2002, Krause proposed a Binary Decision Diagram (BDD) based attack on this type of ciphers, which in the case of E0 is the best short-keystream attack known so far. However, BDD-attacks generally require a large amount of memory. In this paper, we show how to substantially reduce the memory consumption by divide-and-conquer strategies and present the first comprehensive experimental results for the BDD-attack on reduced versions of E0, A5/1 and the self-shrinking generator.

show abstract

Bluetooth Security

Gillet¹

2009

Wireless and Mobile Network Security

View full text Add to dashboard Cite

Cryptanalysis of Bluetooth Keystream Generator Two-Level E0

Cited by 30 publications

References 12 publications

The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption

The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption

Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators

Bluetooth Security

Contact Info

Product

Resources

About