BDD-Based Cryptanalysis of Keystream Generators
Many of the keystream generators used in practice are LFSR-based in the sense that they produce the keystream according to a rule $y = C(L(x))$, where $L(x)$ denotes an internal linear bitstream produced by a small number of parallel linear feedback shift registers (LFSRs), and $C$ denotes some nonlinear compression function. We present an $n^{O(1)} 2^{\frac{1-\alpha}{1+\alpha} n}$ time-bounded attack, the FBDD-attack, against LFSR-based generators, which computes the secret initial state $x \in \{0,1\}^n$ from $cn$ consecutive keystream bits, where $\alpha$ denotes the rate of information that $C$ reveals about the internal bitstream, and $c$ denotes some small constant. The algorithm uses Free Binary Decision Diagrams (FBDDs), a data structure for minimizing and manipulating Boolean functions. The FBDD-attack yields better bounds on the effective key length for several keystream generators of practical use: a $0.656n$ bound for the self-shrinking generator, a $0.6403n$ bound for the A5/1 generator used in the GSM standard, a $0.6n$ bound for the E0 encryption standard in the one-level mode, and a $0.8823n$ bound for the two-level E0 generator used in the Bluetooth wireless LAN system.
Keywords: Boolean Function, Compression Ratio, Stream Cipher, Binary Decision Diagram, Compression Function
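The rule y = C(L(x)) from the abstract, written out for the self-shrinking generator as an added example (not code from the paper): L is a single LFSR and C is the Meier-Staffelbach pair-shrinking rule. The 4-bit register, its taps and the initial state are constructed toy values, and the α figures are obtained here by inverting the abstract's exponent (1−α)/(1+α), not quoted from the paper.

```python
from itertools import islice

def lfsr_bitstream(state, taps):
    """L(x): internal linear bitstream of a Fibonacci LFSR.
    state = secret initial bits x; taps = indices XORed into the feedback bit."""
    state = list(state)
    while True:
        feedback = 0
        for t in taps:
            feedback ^= state[t]
        yield state[0]
        state = state[1:] + [feedback]

def self_shrink(bits):
    """C: read the internal stream in pairs (a, b); emit b only when a == 1."""
    it = iter(bits)
    for a, b in zip(it, it):
        if a == 1:
            yield b

def keystream(state, taps, m):
    """y = C(L(x)): first m keystream bits for initial state x."""
    return list(islice(self_shrink(lfsr_bitstream(state, taps)), m))

def key_length_factor(alpha):
    """Exponent factor (1 - alpha) / (1 + alpha) of the stated time bound."""
    return (1 - alpha) / (1 + alpha)

def alpha_from_factor(factor):
    """Inverse of key_length_factor: the information rate implied by a bound."""
    return (1 - factor) / (1 + factor)

# Constructed toy instance: n = 4, recurrence s[t+4] = s[t] ^ s[t+1] (period 15).
TOY_STATE = [1, 0, 0, 0]
TOY_TAPS = [0, 1]

if __name__ == "__main__":
    internal = list(islice(lfsr_bitstream(TOY_STATE, TOY_TAPS), 30))
    y = keystream(TOY_STATE, TOY_TAPS, 8)
    print("L(x):", internal)
    print("y   :", y, "(8 keystream bits from 30 internal bits)")
    # Bounds quoted in the abstract, with the information rate each one implies.
    for name, f in [("self-shrinking", 0.656), ("A5/1", 0.6403),
                    ("E0 one-level", 0.6), ("E0 two-level", 0.8823)]:
        print(f"{name:15s} bound {f}n  ->  alpha = {alpha_from_factor(f):.4f}")
```

A larger α means C leaks more about the internal bitstream per keystream bit, which lowers the factor and therefore the effective key length.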