ZDD-Based Cryptanalysis of E0 Keystream Generator

To be published in: Proceeding of Third International Conference on Mathematical Sciences (ICM 2008), Al Ain, UAE, March 2008.

M. Ghasemzadeh - Ch. Meinel
HPI at the University of Potsdam
Helmert Str. 2-3, Potsdam, Germany
{meinel, ghasemzadeh}@hpi.uni-potsdam.de

M. Shirmohammadi - M.H. Shahzamanian
Computer - Math. Dept. at Yazd University
Pejoohesh Street, Safa-ieh, Yazd, Iran
[email protected]

Abstract

BDD is an efficient data structure that in the last few years has been used effectively in computer science and engineering. The BDD-based attack in key stream cryptanalysis is considered to be one of the best attacks of its kind. In this paper, we propose a new key stream attack which is based on ZDD (a variant of BDD). We show how our ZDD-based key stream attack can be used against the E0 type of the Bluetooth security mechanism. We implemented our algorithm using the CUDD package. The experimental results attest to the superiority of our method. We have also derived a mathematical proof for the algorithm, which shows that its behavior even under the worst circumstances is better than the BDD attack.

1 Introduction

In cryptography, pseudo random sequences are frequently used. A pseudo random sequence generator is required to be uniformly distributed, independent, and non-correlated [8]. In the implementation of key stream generators, the LFSR (Linear Feedback Shift Register) is used because all of the above conditions are met and the corresponding algebraic analysis is also quite simple.

LFSR-based key stream generators consist of two components: a linear bitstream generator $L$ and a nonlinear compression function $C$, i.e. $K = (L, C)$. First they generate the key stream $Y = C(L(k))$ for the cipher key $k$, then $Y$ and the plain text $P$ are bitwise XORed to produce the cipher text $E$. In cryptanalysis of these generators, the encryption system is supposed to be known and we are interested in finding $k$.

BDD and its variants are data structures that are used effectively in computer science and engineering. These data structures give compact and canonical representations for Boolean functions. Recently, a new attack against LFSR-based key stream generators, based on FBDD, was introduced by Krause [4]. Later Shaked and Wool [9] introduced their OBDD-based attack on the E0 key stream generator. In this paper, we introduce a new attack on key stream generators which uses ZDD. Experimental results show that it makes a remarkable reduction in time and space complexity over OBDD and FBDD based attacks. We have also derived a proof which confirms the experimental results.

This paper is organized as follows. Section 2 provides the basic definitions and the main concepts: the E0 encryption system and a brief introduction to BDD and ZDD. In Section 3 the proposed attack is introduced. First the FBDD attack is discussed, then the attack on E0 with OBDD is reviewed. Finally our ZDD-based attack is introduced. Section 4 is dedicated to the theoretical complexity analysis of our method. Section 5 concludes.

2 Preliminaries

2.1 E0 Key Stream Generator

E0 is an LFSR-based key stream generator which is used in the Bluetooth security mechanism. LFSR-based key stream generators consist of two components, a linear bitstream generator and a nonlinear compression function. After initialization, the linear bitstream generator $L$ generates the bitstream $Z$. It employs four Linear Feedback Shift Registers (LFSRs), whose output is the input to the compression function $C$. The output of the compression function is the key stream $Y = C(L(k))$. The lengths of the four LFSRs are $|L_0| = 25$, $|L_1| = 31$, $|L_2| = 33$ and $|L_3| = 39$, and their feedback polynomials are:

$p_0(x) = x^{25} + x^{20} + x^{12} + x^{8} + 1$
$p_1(x) = x^{31} + x^{24} + x^{16} + x^{12} + 1$
$p_2(x) = x^{33} + x^{28} + x^{24} + x^{4} + 1$
$p_3(x) = x^{39} + x^{36} + x^{28} + x^{4} + 1$

At the beginning, the linear generator needs to be loaded with an initial value for the four LFSRs (128 bits in total). The sum of the four output bits of the LFSRs forms the input of the compression function. The compression function is usually organized as a finite state machine $C_{E0} : (Q, \Sigma, \Gamma, I, F, \delta)$ [1, 9, 5]. Figure 1 displays the transition function of this finite state machine.

Figure 1. The FSM transition function

2.2 OBDD And ZDD

A Binary Decision Tree (BDT) is a directed acyclic graph over a set of Boolean variables $\forall m \in \mathbb{N},\ X_m = \{x_1, ..., x_m\}$; it can represent a Boolean function over $X_m$. A BDT comprises two kinds of vertices, nonterminal vertices and terminal vertices. Each nonterminal vertex $N$ is assigned a label $Var(N) \in X_m$, and has two children: $Low(N)$ corresponding to the answer $x_i = 0$ and $High(N)$ corresponding to the answer $x_i = 1$. There is exactly one node with indegree 0, the root of the BDT. Each terminal vertex $T$ is labeled by either 0 or 1. Depending on its label, a terminal vertex is called a $0\text{-}T$ or a $1\text{-}T$. A Boolean function composed of $m$ Boolean variables has $2^m$ assignments. Each assignment $b \in \{0, 1\}^m$ defines a path from the root to a terminal vertex. The label of this terminal vertex is denoted $F(b)$.

A Binary Decision Diagram (BDD) is an efficient graph to represent a Boolean function. A BDD is derived from a BDT by applying the following reduction rules: merge all $0\text{-}T$ vertices and $1\text{-}T$ vertices, combine similar subgraphs, remove all "don't care" nonterminal vertices. Two subgraphs $G_1$ and $G_2$ are similar if for their roots $g_1$ and $g_2$: $Var(g_1) = Var(g_2)$, $Low(g_1) = Low(g_2)$ and $High(g_1) = High(g_2)$. A "don't care" nonterminal vertex is one whose two children are the same, i.e., $Low(g_1) = High(g_1)$.

A Free Binary Decision Diagram (FBDD) is a BDD in which, along each path from the root to one of the terminal vertices, each variable $x_i$ occurs at most once.

An Oracle graph over $X_m$ is an FBDD with only one (unlabeled) terminal for which on each path, from the root to the terminal, all $m$ variables occur. An Oracle graph is not designed for computing Boolean functions; its aim is to define a set of valid orderings for $x_i \in X_m$.

A G-FBDD is an FBDD for which there exists an Oracle graph $G$ such that every ordering of the variables requested in the FBDD corresponds to a path of $G$.

A Reduced Ordered Binary Decision Diagram is a G-FBDD whose Oracle graph $G$ has only one path. In other words, $G$ degenerates into a linear list that shows only one order of occurrence of the variables.

A Zero-suppressed Binary Decision Diagram (ZDD) is a variant of BDD that can represent a Boolean function. A ZDD, like a BDD, is derived from a BDT by applying similar reduction rules, i.e., merge all $0\text{-}T$ vertices and $1\text{-}T$ vertices and combine similar subgraphs, but with a different last reduction rule. The last rule for deriving a ZDD is: remove the nonterminal vertex $N$ if $High(N)$ is connected to $0\text{-}T$ [2, 6, 4, 3].

3 ZDD Based Cryptanalysis Of E0

3.1 FBDD Based Cryptanalysis Of Key Stream Generator

In the algorithm proposed by Krause [4], the method first reduces the problem for the cryptanalysis of LFSR-based key stream generators. It assumes that except for the key $k$, all other parameters are known. Moreover, it is assumed that the attacker is able to obtain the first bits of the key stream $Y$. The attacker's goal then is computing the $k \in \{0, 1\}^n$ that produces the observed key stream. Since in an LFSR the first output bits are the initialization value of the LFSR, $Z = L(k)$ contains $k$ in its first bits. The problem then reduces to finding a bitstream $Z$ with the following conditions:

1. $Z$ can be produced by the linear bitstream generator $L$.
2. $C(Z)$ is a prefix of the observed key stream $Y$.

For each $m \ge 1$ and bitstream $z \in \{0, 1\}^m$, the following are defined:

• $G^C_m$-FBDD denotes the oracle graph that defines for each $Z$ the order in which the bits of $Z$ are read by the compression function $C$.
• $R_m$ denotes the minimal $G^C_m$-FBDD that decides whether $Z$ can be produced by $L$.
• $Q_m$ denotes the minimal $G^C_m$-FBDD that decides whether $C(Z)$ is a prefix of $Y$.
• $P_m$ denotes the minimal $G^C_m$-FBDD that decides whether $Z$ can be produced by $L$ and $C(Z)$ is a prefix of $Y$.

In [4], the key is considered to be $n$ bits long; it then computes $m^*$, where $m^*$ denotes the length of the consecutive bitstream required for key discovery. Therefore, the following algorithm can compute $k$:

1. $P \leftarrow Q_n$.

$\forall i = 4j + 1:\ z_i = z_{i-48} \oplus z_{i-64} \oplus z_{i-96} \oplus z_{i-124}$
$\forall i = 4j + 2:\ z_i = z_{i-16} \oplus z_{i-96} \oplus z_{i-112} \oplus z_{i-132}$
$\forall i = 4j + 3:\ z_i = z_{i-16} \oplus z_{i-112} \oplus z_{i-144} \oplus z_{i-156}$

Then, based on these equations, the $R_m$ graph is produced by building an OBDD for every $z_i$. Figure 2 shows an OBDD which checks bit $z_{100}$. In building the OBDDs which check the bits of each $L_i$, the algorithm calls the first $|L_i|$ bits in its bit stream.
