Reducing the Space Complexity of BDD-Based Attacks on Keystream Generators

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4047)


The main application of stream ciphers is online-encryption of arbitrarily long data, for example when transmitting speech data between a Bluetooth headset and a mobile GSM phone or between the phone and a GSM base station. Many practically used and intensively discussed stream ciphers such as the E 0 generator used in Bluetooth and the GSM cipher A5/1 consist of a small number of linear feedback shift registers (LFSRs) that transform a secret key x∈{0,1} n into an output keystream of arbitrary length. In 2002, Krause proposed a Binary Decision Diagram (BDD) based attack on this type of ciphers, which in the case of E 0 is the best short-keystream attack known so far. However, BDD-attacks generally require a large amount of memory. In this paper, we show how to substantially reduce the memory consumption by divide-and-conquer strategies and present the first comprehensive experimental results for the BDD-attack on reduced versions of E 0, A5/1 and the self-shrinking generator.


Stream cipher cryptanalysis BDD Bluetooth E0 GSM A5/1 self-shrinking generator 


  1. 1.
    Armknecht, F., Krause, M.: Algebraic attacks on combiners with memory. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 162–175. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Armknecht, F., Krause, M., Stegemann, D.: Design principles for combiners with memory. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 104–117. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  3. 3.
    Biryukov, A., Shamir, A., Wagner, D.: Real time cryptanalysis of A5/1 on a PC. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 1–13. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    The Bluetooth SIG. Specification of the Bluetooth System (February 2001) Google Scholar
  5. 5.
    Briceno, M., Goldberg, I., Wagner, D.: A pedagogical implementation of A5/1 (May 1999),
  6. 6.
    Courtois, N.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 177–194. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Ekdahl, P., Johansson, T.: Another attack on A5/1. In: Proc. of International Symposium on Information Theory, p. 160. IEEE, Los Alamitos (2001)Google Scholar
  8. 8.
    Fluhrer, S.R., Lucks, S.: Analysis of the E 0 encryption system. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 38–48. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Golić, J.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997)Google Scholar
  10. 10.
    Krause, M.: BDD-based cryptanalysis of keystream generators. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 222–237. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Lu, Y., Meier, W., Vaudenay, S.: The conditional correlation attack: A practical attack on bluetooth encryption. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 97–117. Springer, Heidelberg (2005)Google Scholar
  12. 12.
    Lu, Y., Vaudenay, S.: Cryptanalysis of the bluetooth keystream generator twolevel E0. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 483–499. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  13. 13.
    Maximov, A., Johansson, T., Babbage, S.: An improved correlation attack on A5/1. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 1–18. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  14. 14.
    Meier, W., Staffelbach, O.: The self-shrinking generator. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 205–214. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  15. 15.
    Mihaljević, M.J.: A faster cryptanalysis of the self-shrinking generator. In: Pieprzyk, J.P., Seberry, J. (eds.) ACISP 1996. LNCS, vol. 1172, pp. 192–198. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Shaked, Y., Wool, A.: Cryptanalysis of the bluetooth E 0 cipher using OBDDs. Technical report, Cryptology ePrint Archive, Report 2006/072 (2006)Google Scholar
  17. 17.
    Somenzi, F.: CUDD: CU decision diagram package. University of Colorado, Boulder, CO, USA (March 2001),
  18. 18.
    Wegener, I.: Branching Programs and Binary Decision Diagrams: Theory and Applications. SIAM Monographs on Discrete Mathematics and Applications (2000)Google Scholar
  19. 19.
    Zenner, E., Krause, M., Lucks, S.: Improved cryptanalysis of the self-shrinking generator. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 21–35. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  1. 1.Theoretical Computer ScienceUniversity of MannheimGermany

Personalised recommendations