Cryptanalysis of the Bluetooth E0 Cipher Using OBDD's

In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 223 (84MB RAM), and with a time complexity of 287. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.

[1]  Willi Meier,et al.  The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption , 2005, CRYPTO.

[2]  Matthias Krause BDD-Based Cryptanalysis of Keystream Generators , 2002, EUROCRYPT.

[3]  Matthias Krause,et al.  Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators , 2006, FSE.

[4]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[5]  JooSeok Song,et al.  Information Security and Cryptology - ICISC’99 , 1999, Lecture Notes in Computer Science.

[6]  Ingo Wegener,et al.  Branching Programs and Binary Decision Diagrams , 1987 .

[7]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[8]  Thomas Johansson,et al.  Some results on correlations in the Bluetooth stream cipher , 2000 .

[9]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[10]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[11]  Jean-Francis Michon,et al.  HFE and BDDs: A Practical Attempt at Cryptanalysis , 2004 .

[12]  David Naccache,et al.  Topics in Cryptology — CT-RSA 2001 , 2001, Lecture Notes in Computer Science.

[13]  Markus Jakobsson,et al.  Security Weaknesses in Bluetooth , 2001, CT-RSA.

[14]  Serge Vaudenay,et al.  Faster Correlation Attack on Bluetooth Keystream Generator E0 , 2004, CRYPTO.

[15]  Avishai Wool,et al.  Uniform Framework for Cryptanalysis of the Bluetooth E₀ Cipher , 2005, SecureComm.

[16]  Kaisa Nyberg,et al.  Correlation Properties of the Bluetooth Combiner Generator , 1999, ICISC.

[17]  Avishai Wool,et al.  Cracking the Bluetooth PIN , 2005, MobiSys '05.

[18]  Jovan Dj. Golic,et al.  Linear Cryptanalysis of Bluetooth Stream Cipher , 2002, EUROCRYPT.

[19]  Stefan Lucks,et al.  Analysis of the E0 Encryption System , 2001, Selected Areas in Cryptography.

[20]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.