Advances in Cryptology – CRYPTO 2013

Volume 8042 of the series Lecture Notes in Computer Science pp 165-182

Real Time Cryptanalysis of Bluetooth Encryption with Condition Masking

(Extended Abstract)
  • Bin Zhang, State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences
  • Chao Xu, Institute of Software, Chinese Academy of Sciences
  • Dengguo Feng, Institute of Software, Chinese Academy of Sciences



The Bluetooth standard authorized by IEEE 802.15.1 adopts the two-level E0 stream cipher to protect short range privacy in wireless networks. The best published attack on it, at Crypto 2005, requires 2^38 on-line computations, 2^38 off-line computations and 2^33 memory (which amount to about 19 hours, 37 hours and 64GB of storage in practice) to restore the original encryption key, given the first 24 bits of 2^23.8 frames. In this paper, we describe more threatening and real time attacks against two-level E0 based on condition masking, a new cryptanalytic technique that characterizes the conditional correlation attacks on stream ciphers. The idea is to carefully choose the condition to get better tradeoffs on the time/memory/data complexity curve. It is shown that if the first 24 bits of 2^22.7 frames are available, the secret key can be reliably found with 2^27 on-line computations, 2^21.1 off-line computations and 4MB memory. Our attacks have been fully implemented on one core of a single PC. It takes only a few seconds to restore the original encryption key. This is the best known-IV attack on the real Bluetooth encryption scheme so far.


Keywords: Stream ciphers, Correlation, Condition masking, Bluetooth two-level E0