Linear Cryptanalysis of Bluetooth Stream Cipher

  • Jovan Dj. Golić
  • Vittorio Bagini
  • Guglielmo Morgari
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2332)


A general linear iterative cryptanalysis method for solving binary systems of approximate linear equations which is also applicable to keystream generators producing short keystream sequences is proposed. A linear cryptanalysis method for reconstructing the secret key in a general type of initialization schemes is also developed. A large class of linear correlations in the Bluetooth combiner, unconditioned or conditioned on the output or on both the output and one input, are found and characterized. As a result, an attack on the Bluetooth stream cipher that can reconstruct the 128-bit secret key with complexity about 270 from about 45 initializations is proposed. In the precomputation stage, a database of about 280 103-bit words has to be sorted out.

Key words

Linear cryptanalysis linear correlations iterative probabilistic decoding reinitialization 


  1. 1.
    Bluetooth™, Bluetooth Specification, Version 1.1, Feb. 2001.Google Scholar
  2. 2.
    V. Chepyzhov and B. Smeets, “On a fast correlation attack on stream ciphers,” Advances in Cryptology-EUROCRYPT’ 91, Lecture Notes in Computer Science, vol. 547, pp. 176–185, 1991.Google Scholar
  3. 3.
    E. Dawson and A. Clark, “Divide and conquer attacks on certain classes of stream ciphers,” Cryptologia, vol. 18, pp. 25–40, 1994.zbMATHCrossRefGoogle Scholar
  4. 4.
    S. Fluhrer and S. Lucks, “Analysis of the E0 encryption system,” Selected Areas in Cryptography-SAC 2001, Lecture Notes in Computer Science, vol. 2259, pp. 38–48, 2001.CrossRefGoogle Scholar
  5. 5.
    M. P. C. Fossorier, M. J. Mihaljević, and H. Imai, “Reduced complexity iterative decoding of low-density parity check codes based on belief propagation,” IEEE Trans. Commun., vol. 47, pp. 673–680, May 1999.Google Scholar
  6. 6.
    R. G. Gallager, “Low-density parity-check codes,” IRE Trans. Inform. Theory, vol. 8, pp. 21–28, Jan. 1962.Google Scholar
  7. 7.
    J. Dj. Golić, “Correlation properties of a general binary combiner with memory,” Journal of Cryptology, vol. 9, pp. 111–126, 1996.CrossRefzbMATHGoogle Scholar
  8. 8.
    J. Dj. Golić, “Computation of low-weight parity-check polynomials,” Electronics Letters, vol. 32, pp. 1981–1982, Oct. 1996.Google Scholar
  9. 9.
    J. Dj. Golić, “Cryptanalysis of alleged A5 stream cipher,” Advances in Cryptology-EUROCRYPT’ 97, Lecture Notes in Computer Science, vol. 1233, pp. 239–255, 1997.Google Scholar
  10. 10.
    J. Dj. Golić, M. Salmasizadeh, and E. Dawson, “Fast correlation attacks on the summation generator,” Journal of Cryptology, vol. 13, pp. 245–262, 2000.CrossRefzbMATHGoogle Scholar
  11. 11.
    J. Dj. Golić, “Iterative optimum symbol-by-symbol decoding and fast correlation attacks,” IEEE Trans. Inform. Theory, vol. 47, pp. 3040–3049, 2001.CrossRefzbMATHMathSciNetGoogle Scholar
  12. 12.
    M. Jakobsson and S. Wetzel, “Security weaknesses in Bluetooth,” Topics in Cryptology-CT-RSA 2001, Lecture Notes in Computer Science, vol. 2020, pp. 176–191, 2001.CrossRefGoogle Scholar
  13. 13.
    C. R. P. Hartmann and L. D. Rudolph, “An optimum symbol-by-symbol decoding rule for linear codes,” IEEE Trans. Inform. Theory, vol. 22, pp. 514–517, Sept. 1976.Google Scholar
  14. 14.
    M. Hermelin and K. Nyberg, “Correlation properties of the Bluetooth combiner,” Information Security and Cryptology-ICISC’ 99, Lecture Notes in Computer Science, vol. 1787, pp. 17–29, 1999.CrossRefGoogle Scholar
  15. 15.
    D. J. C. MacKay, “Good error-correcting codes based on very sparse matrices,” IEEE Trans. Inform. Theory, vol. 45, pp. 399–431, Mar. 1999.Google Scholar
  16. 16.
    W. Meier and O. Staffelbach, “Fast correlation attacks on certain stream ciphers,” Journal of Cryptology, vol. 1, pp. 159–176, 1989.zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    W. Meier and O. Staffelbach, “Correlation properties of combiners with memory in stream ciphers,” Journal of Cryptology, vol. 5, pp. 67–86, 1992.zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    M. J. Mihaljević and J. Dj. Golić, “A method for convergence analysis of iterative probabilistic decoding,” IEEE Trans. Inform. Theory, vol. 46, pp. 2206–2211, Sept. 2000.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Jovan Dj. Golić
    • 1
  • Vittorio Bagini
    • 1
  • Guglielmo Morgari
    • 1
  1. 1.Rome CryptoDesign Center, GemplusRomeItaly

Personalised recommendations