Strengthening the E0 Keystream Generator against Correlation Attacks and Algebraic Attacks

Stream ciphers are widely used for online-encryption of arbitrarily long data. An important class of stream ciphers are combiners with memory, with the E0 generator from the Bluetooth standard for wireless communication [2] being their most prominent example. E0 consists of 4 driving devices, a finite state machine (FSM) C with a 4 bit state, an output function f and a memory update function δ. At each clock, one keystream bit zt is produced from the output Xt ∈ {0, 1}4 of the driving devices and the current state Ct ∈ {0, 1}4 of the FSM according to zt = f(Ct, Xt), and the state of the FSM is updated to Ct+1 := δ(Ct, Xt). So far, the best publicly known attacks against combiners with memory are correlation attacks [4] and algebraic attacks [1]. Correlation attacks exploit linear equations L(Xt, . . . , Xt+r−1, zt, . . . , zt+r−1) = 0 that are true with some probability 12 + λ with λ 6= 0. Algebraic attacks use valid nonlinear equations of preferably low degree to describe the secret key by a system of equations. We show how to avert a special class of correlation attacks [3] that is currently the most effective against E0 and introduce a general design principle which guarantees that all valid equations have a degree not smaller than a certain lower bound. Combining these results, we construct a slightly modified version of E0 with significantly improved resistance against correlation attacks and algebraic attacks.