Cryptanalysis of the Bluetooth E0 cipher using OBDD's

Yaniv Shaked; Avishai Wool

doi:10.1007/11836810_14

Cryptanalysis of the Bluetooth E₀ cipher using OBDD's

Yaniv Shaked^*, Avishai Wool

^*Corresponding author for this work

School of Electrical Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In this paper we analyze the E₀ cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E₀. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E₀ system. We describe, several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E₀ cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 2²³ (84MB RAM), and with a time complexity of 2⁸⁷. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E₀, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.

Original language	English
Title of host publication	Information Security - 9th International Conference, ISC 2006, Proceedings
Publisher	Springer Verlag
Pages	187-202
Number of pages	16
ISBN (Print)	3540383417, 9783540383413
DOIs	https://doi.org/10.1007/11836810_14
State	Published - 2006
Event	9th International Information Security Conference, ISC 2006 - Samos Island, Greece Duration: 30 Aug 2006 → 2 Sep 2006

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	4176 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	9th International Information Security Conference, ISC 2006
Country/Territory	Greece
City	Samos Island
Period	30/08/06 → 2/09/06

Keywords

BDD
Bluetooth
Cryptanalysis
Stream cipher

Access to Document

10.1007/11836810_14

Cite this

Shaked, Y., & Wool, A. (2006). Cryptanalysis of the Bluetooth E₀ cipher using OBDD's. In Information Security - 9th International Conference, ISC 2006, Proceedings (pp. 187-202). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4176 LNCS). Springer Verlag. https://doi.org/10.1007/11836810_14

@inproceedings{b6ffdf199cb54020b9722826016f014f,

title = "Cryptanalysis of the Bluetooth E0 cipher using OBDD's",

abstract = "In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe, several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 223 (84MB RAM), and with a time complexity of 287. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.",

keywords = "BDD, Bluetooth, Cryptanalysis, Stream cipher",

author = "Yaniv Shaked and Avishai Wool",

year = "2006",

doi = "10.1007/11836810_14",

language = "אנגלית",

isbn = "3540383417",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "187--202",

booktitle = "Information Security - 9th International Conference, ISC 2006, Proceedings",

note = "9th International Information Security Conference, ISC 2006 ; Conference date: 30-08-2006 Through 02-09-2006",

}

Shaked, Y & Wool, A 2006, Cryptanalysis of the Bluetooth E₀ cipher using OBDD's. in Information Security - 9th International Conference, ISC 2006, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4176 LNCS, Springer Verlag, pp. 187-202, 9th International Information Security Conference, ISC 2006, Samos Island, Greece, 30/08/06. https://doi.org/10.1007/11836810_14

Cryptanalysis of the Bluetooth E₀ cipher using OBDD's. / Shaked, Yaniv; Wool, Avishai.
Information Security - 9th International Conference, ISC 2006, Proceedings. Springer Verlag, 2006. p. 187-202 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4176 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Cryptanalysis of the Bluetooth E0 cipher using OBDD's

AU - Shaked, Yaniv

AU - Wool, Avishai

PY - 2006

Y1 - 2006

N2 - In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe, several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 223 (84MB RAM), and with a time complexity of 287. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.

AB - In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe, several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 223 (84MB RAM), and with a time complexity of 287. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.

KW - BDD

KW - Bluetooth

KW - Cryptanalysis

KW - Stream cipher

UR - http://www.scopus.com/inward/record.url?scp=33750239333&partnerID=8YFLogxK

U2 - 10.1007/11836810_14

DO - 10.1007/11836810_14

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:33750239333

SN - 3540383417

SN - 9783540383413

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 187

EP - 202

BT - Information Security - 9th International Conference, ISC 2006, Proceedings

PB - Springer Verlag

T2 - 9th International Information Security Conference, ISC 2006

Y2 - 30 August 2006 through 2 September 2006

ER -