BDD-Based Cryptanalysis of Keystream Generators

  • Matthias Krause
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2332)


Many of the keystream generators used in practice are LFSR-based in the sense that they produce the keystream according to a rule $y = C(L(x))$, where $L(x)$ denotes an internal linear bitstream, produced by a small number of parallel linear feedback shift registers (LFSRs), and $C$ denotes some nonlinear compression function. We present an $n^{O(1)} 2^{\frac{1-\alpha}{1+\alpha} n}$ time bounded attack, the FBDD-attack, against LFSR-based generators, which computes the secret initial state $x \in \{0,1\}^n$ from $cn$ consecutive keystream bits, where $\alpha$ denotes the rate of information which $C$ reveals about the internal bitstream, and $c$ denotes some small constant. The algorithm uses Free Binary Decision Diagrams (FBDDs), a data structure for minimizing and manipulating Boolean functions. The FBDD-attack yields better bounds on the effective key length for several keystream generators of practical use, namely a $0.656n$ bound for the self-shrinking generator, a $0.6403n$ bound for the A5/1 generator used in the GSM standard, a $0.6n$ bound for the E0 encryption standard in the one-level mode, and a $0.8823n$ bound for the two-level E0 generator used in the Bluetooth wireless LAN system.


Keywords: Boolean Function; Compression Ratio; Stream Cipher; Binary Decision Diagram; Compression Function



Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Matthias Krause, Theoretische Informatik, Universität Mannheim, Mannheim, Germany
