Practical Cryptanalysis of Bluetooth Encryption with Condition Masking

In this paper, we study the security of a general two-level E0-like encryption model and its instance, the real-world Bluetooth encryption scheme. Both unconditional and conditional correlation properties of the two-level model are investigated in theory, and a key-recovery framework based on condition masking, which studies how to choose the condition to get better tradeoffs on the time/memory/data complexity curve, is refined. A novel design criterion to resist the attack is proposed and analyzed. Inspired by these cryptanalytic principles, we describe more threatening and real-time attacks on two-level E0. It is shown that only the latest four inputs going into the FSM play the most important role in determining the magnitude of the conditional correlation, and that the data complexity analysis of the previous practical attacks on two-level E0 is inaccurate. A new decoding method to improve the data complexity is provided. In the known-IV scenario, if the first 24 bits of $2^{24}$ frames are available, the secret key can be reliably found with $2^{25}$ on-line computations, $2^{21.1}$ off-line computations and 4 MB memory. Then, we convert the attack into a ciphertext-only attack, which needs the first 24 bits of $2^{26}$ frames, with all the complexities under $2^{26}$. This is the first practical ciphertext-only attack on the real Bluetooth encryption scheme so far. A countermeasure is suggested to strengthen the security of Bluetooth encryption in practical applications.
