Faster Correlation Attack on Bluetooth Keystream Generator E0

Lu, Yi; Vaudenay, Serge

doi:10.1007/978-3-540-28628-8_25

Cited by 62 publications

(57 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As time/data tradeoff, we might also expect to have some other linearly independent biases to be large enough so that the time is decreased at somewhat reasonably increasing cost of data/memory complexities. Nonetheless, using the computation formula of [12], we find none such bias that leads to the data complexity of less than 2 50 .…”

Section: 3mentioning

confidence: 83%

“…Our starting point would be the bias inside the FSM, which was discovered by [9,6] and further proved in [12] to be the the largest bias up to 26-bit output …”

Section: The Bias Inside the Fsmmentioning

confidence: 99%

“…where D def = D ⊗4 with ⊗ representing the regular convolutional product (see [12]), and D is the distribution of …”

Section: A Partial Key-recovery Attackmentioning

confidence: 99%

“…After the earlier results [10,9,6] of correlation (also called bias) properties inside the Finite State Machine (FSM) towards the one-level E0, most recently, [12] systematically studied the biases and proved two previously known large biases to be the only largest up to 26 consecutive bits of the FSM output sequences. Attacks against E0 mostly focus on one-level E0 only and the best attacks [12,1,5] work on one impractically long frame of keystream without exception. Nevertheless, a few attacks [15,11,[7][8][9] apply to two-level E0; compared with feasible attack complexities on one-level E0, attack complexities on two-level E0 are extremely high and make the practical Bluetooth E0 unbroken.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Cryptanalysis of Bluetooth Keystream Generator Two-Level E0

Vaudenay

2004

Advances in Cryptology - ASIACRYPT 2004

Self Cite

View full text Add to dashboard Cite

Abstract. In this paper, we carefully study both distinguishing and key-recovery attacks against Bluetooth two-level E0 given many short frames. Based on a flaw in the resynchronization of Bluetooth E0, we are able to fully exploit the largest bias of the finite state machine inside E0 for our attacks. Our key-recovery attack works with 2 40 simple operations given the first 24 bits of 2 35 frames. Compared with all existing attacks against two-level E0, this is the best one so far. BackgroundThe short-range wireless technology Bluetooth uses the keystream generator E0 to produce the keystream for encryption. After the earlier results [10, 9, 6] of correlation (also called bias) properties inside the Finite State Machine (FSM) towards the one-level E0, most recently, [12] systematically studied the biases and proved two previously known large biases to be the only largest up to 26 consecutive bits of the FSM output sequences. Attacks against E0 mostly focus on one-level E0 only and the best attacks [12, 1, 5] work on one impractically long frame of keystream without exception. Nevertheless, a few attacks [15,11,[7][8][9] apply to two-level E0; compared with feasible attack complexities on one-level E0, attack complexities on two-level E0 are extremely high and make the practical Bluetooth E0 unbroken.The main contribution of this paper is that first based on one of the two largest biases inside the FSM within one-level E0, we identify the bias at twolevel E0 due to a resynchronization flaw in Bluetooth E0. Unlike the traditional approach to find the bias, the characterized bias does not involve the precomputation of the multiple polynomial with low weight. Second, to utilize the identified bias, we develop a novel attack to directly recover the original encryption key for two-level E0 without reconstructing the initial state of E0 at the second level. Our key-recovery attack works with 2 40 simple operations given the first 24 bits of 2 35 frames. Compared with all existing attacks [15,11,[7][8][9] against two-level E0, this is the best so far.

show abstract

Section: 3mentioning

confidence: 83%

“…Our starting point would be the bias inside the FSM, which was discovered by [9,6] and further proved in [12] to be the the largest bias up to 26-bit output …”

Section: The Bias Inside the Fsmmentioning

confidence: 99%

“…where D def = D ⊗4 with ⊗ representing the regular convolutional product (see [12]), and D is the distribution of …”

Section: A Partial Key-recovery Attackmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Cryptanalysis of Bluetooth Keystream Generator Two-Level E0

Vaudenay

2004

Advances in Cryptology - ASIACRYPT 2004

Self Cite

View full text Add to dashboard Cite

show abstract

“…Similar attacks can be mounted for instance against combiners with memory, as shown in [27]. A nice example of such attacks is the recent cryptanalysis of E0 presented by Lu and Vaudenay [28], [29].…”

Section: Lfsr-based Generators With Memorymentioning

confidence: 99%

Fast correlation attacks against stream ciphers and related open problems

Canteaut

2005

IEEE Information Theory Workshop on Theory and Practice in Information-Theoretic Security, 2005.

View full text Add to dashboard Cite

show abstract

A survey of lightweight stream ciphers for embedded systems

Manifavas

Hatzivasilis

Fysarakis

et al. 2015

Security Comm. Networks

View full text Add to dashboard Cite

Pervasive computing constitutes a growing trend, aiming to embed smart devices into everyday objects. The limited resources of these devices and the ever‐present need for lower production costs, lead to the research and development of lightweight cryptographic mechanisms. Block ciphers, the main symmetric key cryptosystems, perform well in this field. Nevertheless, stream ciphers are also relevant in ubiquitous computing applications, as they can be used to secure the communication in applications where the plaintext length is either unknown or continuous, like network streams. This paper provides the latest survey of stream ciphers for embedded systems. Lightweight implementations of stream ciphers in embedded hardware and software are examined as well as relevant authenticated encryption schemes. Their speed and simplicity enable compact and low‐power implementations, allow them to excel in applications pertaining to resource‐constrained devices. The outcomes of the International Organization for Standardization/International Electrotechnical Commission 29192‐3 standard and the cryptographic competitions eSTREAM and Competition for Authenticated Encryption: Security, Applicability, and Robustness are summarized along with the latest results in the field. However, cryptanalysis has proven many of these schemes are actually insecure. From the 31 designs that are examined, only six of them have been found to be secure by independent cryptanalysis. A constrained benchmark analysis is performed on low‐cost embedded hardware and software platforms. The most appropriate and secure solutions are then mapped in different types of applications. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

Faster Correlation Attack on Bluetooth Keystream Generator E0

Cited by 62 publications

References 24 publications

Cryptanalysis of Bluetooth Keystream Generator Two-Level E0

Cryptanalysis of Bluetooth Keystream Generator Two-Level E0

Fast correlation attacks against stream ciphers and related open problems

A survey of lightweight stream ciphers for embedded systems

Contact Info

Product

Resources

About