Cryptanalysis of the Bluetooth E0 cipher using OBDD's

Yaniv Shaked*, Avishai Wool

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe, several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 223 (84MB RAM), and with a time complexity of 287. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.

Original languageEnglish
Title of host publicationInformation Security - 9th International Conference, ISC 2006, Proceedings
PublisherSpringer Verlag
Number of pages16
ISBN (Print)3540383417, 9783540383413
StatePublished - 2006
Event9th International Information Security Conference, ISC 2006 - Samos Island, Greece
Duration: 30 Aug 20062 Sep 2006

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume4176 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference9th International Information Security Conference, ISC 2006
CitySamos Island


  • BDD
  • Bluetooth
  • Cryptanalysis
  • Stream cipher


Dive into the research topics of 'Cryptanalysis of the Bluetooth E0 cipher using OBDD's'. Together they form a unique fingerprint.

Cite this