Results 1 - 10 of 12
Feedback shift registers, 2-adic span, and combiners with memory
- Journal of Cryptology, 1997
Cited by 45 (7 self)
Feedback shift registers with carry operation (FCSR’s) are described, implemented, and analyzed with respect to memory requirements, initial loading, period, and distributional properties of their output sequences. Many parallels with the theory of linear feedback shift registers (LFSR’s) are presented, including a synthesis algorithm (analogous to the Berlekamp-Massey algorithm for LFSR’s) which, for any pseudorandom sequence, constructs the smallest FCSR which will generate the sequence. These techniques are used to attack the summation cipher. This analysis gives a unified approach to the study of pseudorandom sequences, arithmetic codes, combiners with memory, and the Marsaglia-Zaman random number generator. Possible variations on the FCSR architecture are indicated at the end. Index Terms – Binary sequence, shift register, stream cipher, combiner with memory, cryptanalysis, 2-adic numbers, arithmetic code, 1/q sequence, linear span.
Faster correlation attack on Bluetooth keystream generator E0
- In Advances in Cryptology – CRYPTO’04, LNCS 3152, 2004
Cited by 16 (4 self)
Abstract. We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be the largest for the first time. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher due to the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on fast Walsh transform to recover the closest codeword for any linear code of dimension L and length n. It requires time O(n + L · 2^L) and memory min(n, 2^L). This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in 2^39 time given 2^39 consecutive bits after O(2^37) precomputation. This is the best known attack against E0 so far.
Linear cryptanalysis of bluetooth stream cipher
- Advances in Cryptology - EUROCRYPT 2002, Lecture Notes in Computer Science, 2002
Cited by 10 (0 self)
Abstract. A general linear iterative cryptanalysis method for solving binary systems of approximate linear equations which is also applicable to keystream generators producing short keystream sequences is proposed. A linear cryptanalysis method for reconstructing the secret key in a general type of initialization schemes is also developed. A large class of linear correlations in the Bluetooth combiner, unconditioned or conditioned on the output or on both the output and one input, are found and characterized. As a result, an attack on the Bluetooth stream cipher that can reconstruct the 128-bit secret key with complexity about 2^70 from about 45 initializations is proposed. In the precomputation stage, a database of about 2^80 103-bit words has to be sorted out. Key words: Linear cryptanalysis, linear correlations, iterative probabilistic decoding, reinitialization.
Extending the Resynchronization Attack
- 2004
Cited by 7 (4 self)
Synchronous stream ciphers need perfect synchronization between sender and receiver. In practice, this is ensured by a resync mechanism.
Cryptographic Properties Of The Bluetooth Combination Generator
- The Second International Conference on Information Security and Cryptology of ICISC `99, 2000
Cited by 7 (0 self)
OF MASTER'S THESIS Author: Miia Hermelin Title of thesis: Cryptographic properties of the Bluetooth combination generator Finnish title: Bluetooth yhdistäjägeneraattorin kryptografisia ominaisuuksia Date: 28th February 2000 Pages: 55 Department: Department of Engineering Physics and Mathematics Chair: Mat-1 Mathematics Supervisor: Professor Olavi Nevanlinna Instructor: Principal scientist, docent Kaisa Nyberg Bluetooth is a technical specification designed for ad-hoc nets. It is developed and maintained by the Bluetooth Special Interest Group. This thesis concentrates on the combination generator defined in the algorithm E0 of Bluetooth and on its cryptographical properties. The thesis is mainly concentrated on the correlation properties of Bluetooth, but other security issues are also considered. A combination generator consists of linear feedback shift registers (LFSR), a memory and linear and nonlinear combiner functions. In Bluetooth, there are four bits of memory and four LFSR...
Correlation Properties of the Bluetooth Combiner
- 1999
Cited by 7 (0 self)
In its intended usage the lengths of the key stream sequences produced by the Bluetooth stream cipher E0 are strictly limited. In this paper the importance of this limitation is proved by showing that the Bluetooth stream cipher with 128 bit key can be broken in O(2^64) steps given an output key stream segment of length O(2^64). We also show how the correlation properties of the E0 combiner can be improved by making a small modification in the memory update function.
Algebraic Attacks on Summation Generators
- In FSE 2004, number 3017 in Lecture Notes in Computer Science, 2003
Cited by 3 (1 self)
We apply the algebraic attacks on stream ciphers with memories to the summation generator. For a summation generator that uses n LFSRs, an algebraic equation relating the key stream bits and LFSR output bits can be made to be of degree less than or equal to 2 , using ⌈log_2 n⌉ + 1 consecutive key stream bits. This is much lower than the upper bound given by previous general results. We also show that the techniques of [5] can be applied to summation generators using 2 LFSRs to reduce the effective degree of the algebraic equation.
Vectorial Boolean Functions and Induced Algebraic Equations
- 2004
Cited by 2 (0 self)
A general mathematical framework behind algebraic cryptanalytic attacks is developed.
Cryptanalysis of LFSR-based pseudorandom generators - a survey
- 2004
Cited by 1 (0 self)
Abstract. Pseudorandom generators based on linear feedback shift registers (LFSR) are a traditional building block for cryptographic stream ciphers. In this report, we review the general idea for such generators, as well as the most important techniques of cryptanalysis. 1 Security Model 1.1 Shannon’s model Basic setting: The most basic task of cryptography is encryption. The setting was captured by Shannon in [47] as a modification of his well-known communication model, proposed in [46]. Consider two entities, named sender and receiver, who want to transmit an arbitrary message at an arbitrary point in time in complete privacy. There are two communication channels available: – The secret channel is completely confidential. No information that is transmitted using this channel can be observed by a third party. However, the secret channel has the disadvantage of being available only at fixed points in time (e.g., when sender and receiver meet in person).

