The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption

  • Yi Lu
  • Willi Meier
  • Serge Vaudenay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3621)


Motivated by the security of the nonlinear filter generator, the concept of correlation was previously extended to the conditional correlation, that studied the linear correlation of the inputs conditioned on a given (short) output pattern of some specific nonlinear function. Based on the conditional correlations, conditional correlation attacks were shown to be successful and efficient against the nonlinear filter generator. In this paper, we further generalize the concept of conditional correlations by assigning it with a different meaning, i.e. the correlation of the output of an arbitrary function conditioned on the unknown (partial) input which is uniformly distributed. Based on this generalized conditional correlation, a general statistical model is studied for dedicated key-recovery distinguishers. It is shown that the generalized conditional correlation is no smaller than the unconditional correlation. Consequently, our distinguisher improves on the traditional one (in the worst case it degrades into the traditional one). In particular, the distinguisher may be successful even if no ordinary correlation exists. As an application, a conditional correlation attack is developed and optimized against Bluetooth two-level E0. The attack is based on a recently detected flaw in the resynchronization of E0, as well as the investigation of conditional correlations in the Finite State Machine (FSM) governing the keystream output of E0. Our best attack finds the original encryption key for two-level E0 using the first 24 bits of 223.8 frames and with 238 computations. This is clearly the fastest and only practical known-plaintext attack on Bluetooth encryption compared with all existing attacks. Current experiments confirm our analysis.


Stream Ciphers Correlation Bluetooth E0 


  1. 1.
    Anderson, R.: Searching for the Optimum Correlation Attack. In: Preneel, B. (ed.) Fast Software Encryption 1994. LNCS, vol. 1008, pp. 137–143. Springer, Heidelberg (1994)Google Scholar
  2. 2.
    Armknecht, F., Krause, M.: Algebraic Attacks on Combiners with Memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–175. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  3. 3.
    Armknecht, F., Lano, J., Preneel, B.: Extending the resynchronization attack. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 19–38. Springer, Heidelberg (2004), extended version available at CrossRefGoogle Scholar
  4. 4.
    Armknecht, F., Meier, W.: Fault Attacks on Combiners with Memory (submitted)Google Scholar
  5. 5.
    Baignères, T., Junod, P., Vaudenay, S.: How Far Can We Go Beyond Linear Cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    \(\text{Bluetooth}^\text{TM}\), Bluetooth Specification, version 1.2, pp. 903–948 (November 2003), available at
  7. 7.
    Canteaut, A., Trabbia, M.: Improved Fast Correlation Attacks Using Parity-check Equations of Weight 4 and 5. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 573–588. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  8. 8.
    Chepyzhov, V.V., Johansson, T., Smeets, B.: A simple algorithm for fast correlation attacks on stream ciphers. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 181–195. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Chose, P., Joux, A., Mitton, M.: Fast Correlation Attacks: An Algorithmic Point of View. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 209–221. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Courtois, N.T.: Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley, Chichester (1991)zbMATHCrossRefGoogle Scholar
  12. 12.
    Ekdahl, P., Johansson, T.: Some Results on Correlations in the Bluetooth Stream Cipher. In: Proceedings of the 10th Joint Conference on Communications and Coding, Austria (2000)Google Scholar
  13. 13.
    Fluhrer, S.R., Lucks, S.: Analysis of the E0 Encryption System. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 38–48. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Fluhre, S.: Improved Key Recovery of Level 1 of the Bluetooth Encryption System, available at
  15. 15.
    Golić, J.D.: Correlation Properties of a General Binary Combiner with Memory. Journal of Cryptology 9, 111–126 (1996)zbMATHCrossRefGoogle Scholar
  16. 16.
    Golić, J.D., Bagini, V., Morgari, G.: Linear cryptanalysis of bluetooth stream cipher. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 238–255. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  17. 17.
    Hermelin, M., Nyberg, K.: Correlation Properties of the Bluetooth Combiner. In: Song, J. (ed.) Information Security and Cryptology - ICISC 1999. LNCS, vol. 1787, pp. 17–29. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  18. 18.
    Johansson, T., Jönsson, F.: Improved Fast Correlation Attacks on Stream Ciphers via Convolutional Codes. In: Wiener, M. (ed.) Advances in Cryptology - CRYPTO 1999. LNCS, vol. 1666, pp. 181–197. Springer, Heidelberg (1999)Google Scholar
  19. 19.
    Johansson, T., Jönsson, F.: Fast Correlation Attacks through Reconstruction of Linear Polynomials. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 300–315. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  20. 20.
    Krause, M.: BDD-Based Cryptanalysis of Keystream Generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 222–237. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  21. 21.
    Lee, S., Chee, S., Park, S., Park, S.: Conditional Correlation Attack on Nonlinear Filter Generators. In: Kim, K., Matsumoto, T. (eds.) Advances in Cryptology - ASIACRYPT 1996. LNCS, vol. 1163, pp. 360–367. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  22. 22.
    Löhlein, B.: Attacks based on Conditional Correlations against the Nonlinear Filter Generator, available at
  23. 23.
    Lu, Y., Vaudenay, S.: Faster Correlation Attack on Bluetooth Keystream Generator E0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 407–425. Springer, Heidelberg (2004)Google Scholar
  24. 24.
    Lu, Y., Vaudenay, S.: Cryptanalysis of Bluetooth Keystream Generator Two-level E0. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 483–499. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  25. 25.
    Matsui, M.: Linear Cryptanalysis Method for DES Cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)Google Scholar
  26. 26.
    Meier, W., Staffelbach, O.: Fast Correlation Attacks on Certain Stream Ciphers. Journal of Cryptology 1, 159–176 (1989)zbMATHCrossRefMathSciNetGoogle Scholar
  27. 27.
    Meier, W., Staffelbach, O.: Correlation Properties of Combiners with Memory in Stream Ciphers. Journal of Cryptology 5, 67–86 (1992)zbMATHCrossRefMathSciNetGoogle Scholar
  28. 28.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC, Boca Raton (1996)CrossRefGoogle Scholar
  29. 29.
    Saarinen, M.: Re: Bluetooth and E0, Posted at sci.crypt.research (02/09/2000)Google Scholar
  30. 30.
    Siegenthaler, T.: Decrypting a class of Stream Ciphers using Ciphertext only. IEEE Transactions on Computers C-34, 81–85 (1985)CrossRefGoogle Scholar
  31. 31.
    Vaudenay, S.: An Experiment on DES - Statistical Cryptanalysis. In: Proceedings of the 3rd ACM Conferences on Computer Security, pp. 139–147 (1996)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Yi Lu
    • 1
  • Willi Meier
    • 2
  • Serge Vaudenay
    • 1
  1. 1.EPFLLausanneSwitzerland
  2. 2.FH AargauWindischSwitzerland

Personalised recommendations