LNCS 3797, Pp

Design Principles for Combiners with Memory

Frederik Armknecht, Matthias Krause, and Dirk Stegemann
Theoretical Computer Science, University of Mannheim, Germany
{armknecht, krause, stegemann}@th.informatik.uni-mannheim.de

Abstract. Stream ciphers are widely used for online-encryption of arbitrarily long data, for example when transmitting speech-data between a mobile phone and a base station. An important class of stream ciphers are combiners with memory, with the E0 generator from the Bluetooth standard for wireless communication being their most prominent example. In this paper, we develop design principles for increasing the resistance of combiners with memory against the most dangerous types of cryptanalytic attacks, namely correlation attacks and algebraic attacks. In the case of algebraic attacks, we introduce the first method to guarantee lower bounds on the attack complexity. Starting from the design of the E0 generator, we combine our results in order to construct ciphers that are simultaneously strengthened against both kinds of attacks. Our analysis shows that small changes in the design of E0 already suffice to improve its security enormously.

Keywords: Stream cipher, combiners with memory, algebraic attacks, correlation attacks, Bluetooth E0.

1 Introduction

Today, electronic communication has gained more and more importance, invoking an increasing demand for confidential data transmission. Widely used are keystream generators which produce bitstreams $z := z_1, z_2, \ldots$ of arbitrary length in dependence on a secret initial value $K \in \{0,1\}^n$. The sender encrypts a stream of plaintext bits $p := p_1, p_2, \ldots$ to a stream of ciphertext bits $c := c_1, c_2, \ldots$ by XOR-ing $p$ and $z$ componentwise, i.e., $c_t := p_t \oplus z_t$. A receiver who shares the secret key $K$ can produce $z$ in the same way as the sender and decrypt $c_t$ via $p_t = c_t \oplus z_t$.
Following Kerckhoffs' principle, it is assumed that an adversary knows the specification of the keystream generator and some of the keystream bits $z_t$, whereas $K$ is secret to him. Consequently, an attack consists of recovering the secret key $K$.

An important class of keystream generators are combiners with memory. Since their introduction in [17] to overcome the trade-off between linear complexity and correlation immunity, they have been widely examined in cryptography and have found their way into practical applications. The perhaps best known example used in practice is the E0 keystream generator which is part of the Bluetooth standard, a widely applied standard for short- to mid-distance wireless communication between mobile devices.

The best attacks against combiners with memory that are currently known are correlation attacks [10, 11, 18, 14, 15] and algebraic attacks [1, 6]. A correlation attack consists of finding and exploiting linear functions $L(X_t, \ldots, X_{t+r-1}, z_t, \ldots, z_{t+r-1})$ which are biased, i.e., equal to zero with some probability $\neq 1/2$. Algebraic attacks are, in a sense, the opposite: here, valid non-linear equations of preferably low degree are used to describe $K$ by a system of equations. Although much effort has been put into the refinement of these attacks, only little is known about how to resist them. Our results are design principles for combiners with memory that improve the security with respect to both kinds of attacks.

In general, finding highly biased linear functions $L$ for correlation attacks is only feasible for small values of $r$. However, in the case of E0, the best currently known attack [14] uses a special class of biased linear functions which allow for an exhaustive search for the best correlations even for relatively large values of $r$, more precisely for $r$ up to 25.

[Published in: S. Maitra et al. (Eds.): INDOCRYPT 2005, LNCS 3797, pp. 104–117, 2005. © Springer-Verlag Berlin Heidelberg 2005]
We show how to avert this approach completely. Furthermore, we introduce a design principle which guarantees that all valid equations in $X_t, \ldots, X_{t+r-1}, z_t, \ldots, z_{t+r-1}$ have a degree greater than or equal to a certain lower bound. This marks the first lower bound on the complexity of algebraic attacks derived so far. Our proposals can be easily combined to construct combiners with memory which are strengthened against both correlation and algebraic attacks.

The paper is structured as follows. Section 2 defines combiners with memory and explains correlation and algebraic attacks against them. In Sects. 3 and 4, we put correlation attacks and algebraic attacks into theoretical frameworks and derive according countermeasures, which we use in Sect. 5 to introduce and examine modified versions of E0. Section 6 concludes the paper.

2 Combiners with Memory

A combiner with memory, or shortly a $(k, \ell)$-combiner, consists of $k$ driving devices, a finite state machine (FSM) $C$ with an $\ell$-bit state and two mappings $f : \{0,1\}^\ell \times \{0,1\}^k \to \{0,1\}$ and $\delta : \{0,1\}^\ell \times \{0,1\}^k \to \{0,1\}^\ell$. Let $X_t \in \{0,1\}^k$ denote the output of the driving devices and $C_t \in \{0,1\}^\ell$ the state of the FSM at clock $t \geq 1$. Combiners with memory are regularly clocked. At each clock, one keystream bit is produced as $z_t = f(C_t, X_t)$, and the state of the FSM is updated to $C_{t+1} := \delta(C_t, X_t)$. Combiners with memory have the advantage that they combine high algebraic degree with high correlation immunity (cf. [19]). Correlation immunity means that the output $z_t$ is not or only weakly correlated to the sum of a subset of the input bits.

For the rest of the paper, we focus on the well-studied subclass of combiners with memory that use Linear Feedback Shift Registers (LFSRs) as driving devices. The output $x_t$ of an LFSR is computed as $x_t = L_t(K)$, where $L_t$ denotes a known linear Boolean function and $K \in \{0,1\}^n$ the LFSR's secret initial state.
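The definitions above, as an added worked example written for this page (it is neither the paper's code nor the E0 specification, whose LFSRs, FSM and key loading differ): a constructed toy $(k,\ell)$-combiner with $k = 3$ toy LFSRs and an $\ell = 2$ bit FSM, clocked as $z_t = f(C_t, X_t)$, $C_{t+1} = \delta(C_t, X_t)$, plus an exact computation of the bias $\lambda(\gamma)$ from the paper's Eq. (1) (introduced in its discussion of correlation attacks) for two constructed update functions $\delta$. The bias is computed under the usual idealised model in which the driving outputs $X_t$ are i.i.d. uniform and the FSM has reached its stationary distribution, using exact rational arithmetic. All names (`lfsr_stream`, `delta_summation`, `delta_balanced`, `keystream`, `max_bias`) and the toy feedback polynomials are assumptions made here.

```python
from fractions import Fraction
from itertools import product

# Constructed toy (k, l)-combiner in the paper's notation: k = 3 driving LFSRs feed an FSM
# with an l = 2 bit state. Illustration code for this page, not the E0 specification.
K_INPUTS = 3
L_STATE = 2
LFSR_TAPS = [(5, 2), (7, 1), (11, 2)]   # constructed: x^5+x^2+1, x^7+x+1, x^11+x^2+1

def lfsr_stream(init_state, taps, n):
    """n output bits of a Fibonacci LFSR with recurrence s_{i+L} = s_{i+tap} ^ s_i."""
    length, tap = taps
    state = list(init_state)
    assert len(state) == length
    out = []
    for _ in range(n):
        out.append(state[0])
        state = state[1:] + [state[0] ^ state[tap]]
    return out

def alpha(x):          # part of f acting on the driving inputs: XOR of all k input bits
    return x[0] ^ x[1] ^ x[2]

def beta(c):           # part of f acting on the FSM state: its least significant bit
    return c & 1

def f(c, x):           # f(C, X) = alpha(X) ^ beta(C): the form a correlation attack exploits
    return alpha(x) ^ beta(c)

def delta_summation(c, x):
    """Constructed summation-style update: carry of the integer sum of inputs and state."""
    return (sum(x) + c) // 2

def delta_balanced(c, x):
    """Constructed update where, for every c, x -> c' is balanced, so C_{t+1} is uniform."""
    c0, c1 = c & 1, c >> 1
    return (c1 ^ x[0] ^ (x[1] & x[2])) | ((c0 ^ x[1] ^ x[2]) << 1)

def keystream(key_bits, delta, n):
    """Run the combiner: K is split across the LFSRs (5+7+11 = 23 bits), C_1 = 0."""
    streams, pos = [], 0
    for taps in LFSR_TAPS:
        streams.append(lfsr_stream(key_bits[pos:pos + taps[0]], taps, n))
        pos += taps[0]
    c, z = 0, []
    for t in range(n):
        x = tuple(s[t] for s in streams)
        z.append(f(c, x))
        c = delta(c, x)
    return z

# Bias analysis in the idealised model: X_t i.i.d. uniform, FSM in its stationary
# distribution. Exact Fractions throughout, so the results are not sampling estimates.
INPUTS = list(product((0, 1), repeat=K_INPUTS))
P_INPUT = Fraction(1, len(INPUTS))

def stationary(delta, iterations=100):
    """Distribution of C_t, obtained by iterating the FSM's Markov chain from uniform."""
    states = 1 << L_STATE
    dist = {c: Fraction(1, states) for c in range(states)}
    for _ in range(iterations):
        nxt = {c: Fraction(0) for c in range(states)}
        for c, p in dist.items():
            for x in INPUTS:
                nxt[delta(c, x)] += p * P_INPUT
        dist = nxt
    return dist

def beta_vector_distribution(delta, r):
    """Exact distribution of (beta(C_t), ..., beta(C_{t+r-1})), packed into an r-bit int."""
    dist = {(c, 0): p for c, p in stationary(delta).items()}
    for i in range(r):
        nxt = {}
        for (c, v), p in dist.items():
            v |= beta(c) << i
            for x in INPUTS:
                key = (delta(c, x), v)
                nxt[key] = nxt.get(key, Fraction(0)) + p * P_INPUT
        dist = nxt
    vec = {}
    for (_, v), p in dist.items():
        vec[v] = vec.get(v, Fraction(0)) + p
    return vec

def bias(vec, gamma_mask):
    """lambda(gamma) = Pr[sum gamma_i beta_{t+i} = 0] - Pr[... = 1], Eq. (1) of the paper."""
    return sum(p if bin(v & gamma_mask).count("1") % 2 == 0 else -p for v, p in vec.items())

def bias_of(delta, gamma):
    """gamma given as a tuple (gamma_0, ..., gamma_{r-1})."""
    mask = sum(b << i for i, b in enumerate(gamma))
    return bias(beta_vector_distribution(delta, len(gamma)), mask)

def max_bias(delta, r):
    """lambda_max = max |lambda(gamma)| over all non-trivial gamma of length r."""
    vec = beta_vector_distribution(delta, r)
    return max(abs(bias(vec, g)) for g in range(1, 1 << r))

if __name__ == "__main__":
    print("summation-style FSM:", float(max_bias(delta_summation, 8)))
    print("balanced FSM:       ", float(max_bias(delta_balanced, 8)))
```

`max_bias(delta_summation, 8)` returns about 1/3 or more (the state bit $\beta(C_t)$ alone is already biased, since the carry is 1 two thirds of the time), whereas `max_bias(delta_balanced, 8)` returns exactly 0: the balanced update makes $C_{t+1}$ independent of $C_t$, so in this model no linear combination of the $\beta(C_t)$ is biased. That removes the correlation handle discussed by the paper but says nothing about algebraic attacks, which the paper treats separately.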
A famous practical LFSR-based combiner with memory is the $(4, 4)$-combiner E0, which uses four LFSRs of lengths 25, 31, 33 and 39, respectively. Based on an internal key $K$ that is re-initialized frequently, the Bluetooth stream cipher utilizes E0 to produce consecutive, fixed-length frames of keystream. In [3], it was shown that an efficient attack on E0 implies an efficient attack on the whole cipher. Consequently, improving the security of E0 is a natural demand.

Amongst all publicly known attacks on combiners with memory, the fastest are correlation attacks and algebraic attacks. In the following, we give a brief description of these attacks.

Correlation attacks exploit linear equations $L(X_t, \ldots, X_{t+r-1}, z_t, \ldots, z_{t+r-1}) = 0$ which are true with probability $1/2 + \lambda$ with $\lambda \neq 0$. $\lambda$ is called the bias. General methods to systematically compute the equations with the highest value of $|\lambda|$ exist (e.g., cf. [10]), but since their complexity is exponential in $k$, $\ell$ and $r$, these methods are only feasible for small values. However, if the output function $f(C, X)$ can be written as the sum of two functions $\alpha(X)$ and $\beta(C)$, i.e., $z_t = \alpha(X_t) \oplus \beta(C_t)$, one can try to use biased linear combinations in the expressions $\beta(C_t)$. More precisely, an attacker looks for coefficients $\gamma = (\gamma_0, \ldots, \gamma_{r-1})$ such that

$$\lambda := \lambda(\gamma) := \Pr\Big[\sum_{i=0}^{r-1} \gamma_i \cdot \beta_{t+i} = 0\Big] - \Pr\Big[\sum_{i=0}^{r-1} \gamma_i \cdot \beta_{t+i} = 1\Big] \neq 0 . \qquad (1)$$

Amongst all non-trivial biases, the attacker is interested in finding and using the maximum bias, which is defined as $\lambda_{\max} := \max\{|\lambda(\gamma)|\}$. The output function of E0 is exactly of the desired type. In [14], it was proved that $\lambda_{\max} = 25/256$ for $r \leq 25$, where 25 is the length of the shortest LFSR. This observation and the exploit of a synchronization flaw led to the best currently known attack on the Bluetooth cipher [15]. The complexities of this attack are given in Table 1.

Table 1.
The complexity of the fastest correlation attack on E0 as presented in [15]

$\lambda_{\max}$ | Frames | Data | Time | Space
25/256 | $2^{34.74}$ | $2^{39.32}$ | $2^{40.17}$ | $2^{34.74}$

(A second row of the table, which gives the complexities as functions of a parameter $m$ with $\lambda_m = \max(\lambda_{10}, \lambda_8)$, is not legible in this copy.)

Algebraic attacks are based on solving systems of equations. An attacker uses a Boolean function $F : \{0,1\}^{k \cdot r} \to \{0,1\}$ such that for all clocks $t$, it holds that

$$F(X_t, \ldots, X_{t+r-1}, z_t, \ldots, z_{t+r-1}) = 0 . \qquad (2)$$

The existence of such equations has been proved in [1]. Using the equivalence $X_t = L_t(K)$, (2) allows one to write a system of equations which describes the secret key $K$ in dependence of the observed keystream $(z_t)$. Accordingly, the secret key $K$ can be recovered by solving the system of equations.

Although computing the solution is NP-hard in general, it might become easier if the number of known keystream bits and therefore the number of equations increases. Let $R$ denote the number of accessible equations and $\mu$ the number of occurring monomials. If $R \ll \mu$, the best method known today is to compute Groebner bases. Unfortunately, it is so far impossible to predict the time effort, although simulations indicate that the effort drops with an increasing number of equations (cf. [9]). In the case of $R \approx \mu$, linearization [7] is the first choice. The idea of linearization is to substitute each occurring monomial by a new variable and to treat the whole system as a system of linear equations, making it easily solvable by Gaussian elimination. For the case that the number of equations exceeds the number of monomials, one might reduce the degree of the equations in a precomputation step.
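Linearization as described above, as an added illustration written for this page (not the paper's code): a constructed toy with a 4-bit key $K$, a 4-bit LFSR with recurrence $s_{n+4} = s_{n+1} \oplus s_n$ that supplies the linear forms $L_t$ (so that $x_t = L_t(K)$), and the constructed degree-2 relation $z_t = x_t x_{t+1} \oplus x_{t+2}$ in the role of a valid equation of the form (2). Each key monomial becomes a new variable and the linearized system is solved by Gaussian elimination over GF(2); the solver also reports $R$ and $\mu$ so that the regimes $R < \mu$ and $R \geq \mu$ can be compared. All names, the toy LFSR and the toy relation are assumptions made here.

```python
# Added toy instance of linearization (not the paper's code). A 4-bit key K is expanded by a
# constructed LFSR into linear forms L_t, and the constructed relation z_t = x_t x_{t+1} ^ x_{t+2}
# is a valid degree-2 equation in K at every clock t, playing the role of Eq. (2).
KEY_LEN = 4

def linear_forms(n):
    """Bitmasks over the key bits describing x_t = L_t(K) for t < n (toy LFSR x^4 + x + 1)."""
    forms = [1 << i for i in range(KEY_LEN)]
    while len(forms) < n:
        forms.append(forms[-4] ^ forms[-3])      # s_{n+4} = s_n ^ s_{n+1}
    return forms

def parity(v):
    return bin(v).count("1") & 1

def keystream(key_mask, n):
    """Toy keystream: evaluate the forms on the secret key, then z_t = x_t x_{t+1} ^ x_{t+2}."""
    x = [parity(form & key_mask) for form in linear_forms(n + 2)]
    return [(x[t] & x[t + 1]) ^ x[t + 2] for t in range(n)]

def multiply_forms(a, b):
    """Expand L_a(K) * L_b(K) into a set of key monomials (index tuples), using k_i^2 = k_i."""
    monomials = set()
    for i in range(KEY_LEN):
        if (a >> i) & 1:
            for j in range(KEY_LEN):
                if (b >> j) & 1:
                    monomials ^= {tuple(sorted({i, j}))}   # a monomial seen twice cancels
    return monomials

def equations(z):
    """Degree-2 equations in K from the observed keystream: (set of monomials, right-hand side)."""
    forms = linear_forms(len(z) + 2)
    eqs = []
    for t, zt in enumerate(z):
        lhs = multiply_forms(forms[t], forms[t + 1])
        for i in range(KEY_LEN):
            if (forms[t + 2] >> i) & 1:
                lhs ^= {(i,)}
        eqs.append((lhs, zt))
    return eqs

def linearize_and_solve(eqs):
    """Replace every monomial by a fresh variable and run Gaussian elimination over GF(2).
    Returns (R, mu, solution): solution maps monomial -> bit, or is None when R is too small
    for the linearized system to determine all mu variables."""
    columns = sorted({m for lhs, _ in eqs for m in lhs}, key=lambda m: (len(m), m))
    index = {m: c for c, m in enumerate(columns)}
    rows = [(sum(1 << index[m] for m in lhs), rhs) for lhs, rhs in eqs]
    pivots = []                                   # (column, mask, rhs), kept fully reduced
    for col in range(len(columns)):
        for r, (mask, _) in enumerate(rows):
            if (mask >> col) & 1:
                break
        else:
            continue                              # no pivot for this column: rank deficient
        mask, rhs = rows.pop(r)
        rows = [(m ^ mask, b ^ rhs) if (m >> col) & 1 else (m, b) for m, b in rows]
        pivots = [(c, m ^ mask, b ^ rhs) if (m >> col) & 1 else (c, m, b) for c, m, b in pivots]
        pivots.append((col, mask, rhs))
    if any(m == 0 and b == 1 for m, b in rows):
        raise ValueError("inconsistent system: 0 = 1")
    if len(pivots) < len(columns):
        return len(eqs), len(columns), None
    return len(eqs), len(columns), {columns[c]: b for c, _, b in pivots}

def recover_key(z):
    """Read the key bits off the linear monomials k_i of the unique linearized solution."""
    _, _, solution = linearize_and_solve(equations(z))
    if solution is None:
        return None
    return sum(solution[(i,)] << i for i in range(KEY_LEN))

if __name__ == "__main__":
    secret = 0b1011                               # constructed secret key
    z = keystream(secret, 15)
    R, mu, _ = linearize_and_solve(equations(z))
    print("R =", R, "mu =", mu, "recovered key:", bin(recover_key(z)))
```

With 15 keystream bits the toy yields $R = 15$ equations in $\mu = 10$ monomials (the four $k_i$ and six $k_i k_j$), the linearized system has full rank and `recover_key` returns the secret uniquely. With only 6 bits, $R < \mu$, the system is underdetermined and the solver returns `None`; that is the regime in which the text above says Groebner-basis methods would be needed instead.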
