Cryptanalysis of Bluetooth Keystream Generator Two-Level E0

Authors

  • Yi Lu
  • Serge Vaudenay
Abstract

In this paper, we carefully study both distinguishing and key-recovery attacks against Bluetooth two-level E0 given many short frames. Based on a flaw in the resynchronization of Bluetooth E0, we are able to fully exploit the largest bias of the finite state machine inside E0 for our attacks. Our key-recovery attack works with 2 simple operations given the first 24 bits of 2 frames. Compared with all existing attacks against two-level E0, this is the best one so far.

1 Background

The short-range wireless technology Bluetooth uses the keystream generator E0 to produce the keystream for encryption. After the earlier results [10, 9, 6] on correlation (also called bias) properties inside the Finite State Machine (FSM) of one-level E0, most recently [12] systematically studied the biases and proved two previously known large biases to be the only largest up to 26 consecutive bits of the FSM output sequences. Attacks against E0 mostly focus on one-level E0 only, and the best attacks [12, 1, 5] work on one impractically long frame of keystream without exception. Nevertheless, a few attacks [15, 11, 7–9] apply to two-level E0; compared with feasible attack complexities on one-level E0, attack complexities on two-level E0 are extremely high and leave the practical Bluetooth E0 unbroken.

The main contribution of this paper is twofold. First, based on one of the two largest biases inside the FSM within one-level E0, we identify the bias at two-level E0 due to a resynchronization flaw in Bluetooth E0. Unlike the traditional approach to finding the bias, the characterized bias does not involve the precomputation of a multiple polynomial with low weight. Second, to utilize the identified bias, we develop a novel attack to directly recover the original encryption key for two-level E0 without reconstructing the initial state of E0 at the second level. Our key-recovery attack works with 2 simple operations given the first 24 bits of 2 frames. Compared with all existing attacks [15, 11, 7–9] against two-level E0, this is the best so far.

The rest of the paper is structured as follows. In Section 2 we review the description of two-level E0. In Section 3 we study the attack against one-level E0. Then, in Section 4, we investigate the E0 resynchronization flaw, which allows us to develop the basic attack of the previous section into the distinguishing and key-recovery attacks against two-level E0; we further extend our key-recovery attack in Section 5. Finally, we conclude in Section 6.

2 Preliminaries

2.1 The Core of Bluetooth E0

To briefly outline, the core of E0 (both dashed boxes in Fig. 1) can be viewed as a nonlinear filtering generator. The filtering generator consists of four LFSRs

* Supported in part by the National Competence Center in Research on Mobile Information and Communication Systems (NCCR-MICS), a center of the Swiss National Science Foundation under the grant number 5005-67322.

Similar resources

BDD-Based Cryptanalysis of Keystream Generators

Many of the keystream generators which are used in practice are LFSR-based in the sense that they produce the keystream according to a rule y = C(L(x)), where L(x) denotes an internal linear bitstream, produced by a small number of parallel linear feedback shift registers (LFSRs), and C denotes some nonlinear compression function. We present an n2 time bounded attack, the FBDD-attack, against L...

ZDD-Based Cryptanalysis of E0 Keystream Generator

BDD is an efficient data structure that in last few years has been used effectively in computer science and engineering. BDD-based attack in key stream cryptanalysis is supposed to be one of the best forms of attack in its kind. In this paper, we propose a new key stream attack which is based on ZDD(a variant of BDD). We show how our ZDD-based key stream attack can be used against the E0 type o...

Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators

The main application of stream ciphers is online-encryption of arbitrarily long data, for example when transmitting speech data between a Bluetooth headset and a mobile GSM phone or between the phone and a GSM base station. Many practically used and intensively discussed stream ciphers such as the E0 generator used in Bluetooth and the GSM cipher A5/1 consist of a small number of linear feedbac...

A Uniform Framework for Cryptanalysis of the Bluetooth E0 Cipher

In this paper we analyze the E0 cipher, which is the encryption system used in the Bluetooth specification. We suggest a uniform framework for cryptanalysis of the E0 cipher. Our method requires 128 known bits of the keystream in order to recover the initial state of the LFSRs, which reflects the secret key of this encryption engine. In one setting, our framework reduces to an attack of D. Blei...

Faster Correlation Attack on Bluetooth Keystream Generator E0

We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be...

Publication date: 2004