CRYPTANALYSIS OF THE A5/2 ALGORITHM

Slobodan Petrović and Amparo Fúster-Sabater
Instituto de Física Aplicada (CSIC), Serrano 144, 28006 Madrid, Spain

Abstract - An attack on the A5/2 stream algorithm is described that determines the linear relations among the output sequence bits. The vast majority of the unknown output bits can be reconstructed. The time complexity of the attack is proportional to $2^{17}$.

Introduction: A5 is the algorithm used to encrypt the link from the telephone to the base station in the GSM system. According to [1], two versions of A5 exist: A5/1, the 'stronger' version, and A5/2, the 'weaker' version. The attacks on A5/1, utilizing the birthday paradox, are described in [2, 3]. The attack on A5/2 presented here is of an algebraic nature.

The scheme of the A5/2 algorithm is given in Fig. 1. The LFSR $R_4$ clocks the LFSRs $R_1, \ldots, R_3$ in the stop/go manner. The feedback polynomials of the registers are: $g_1(x) = 1 + x^{14} + x^{17} + x^{18} + x^{19}$, $g_2(x) = 1 + x^{21} + x^{22}$, $g_3(x) = 1 + x^{8} + x^{21} + x^{22} + x^{23}$, $g_4(x) = 1 + x^{12} + x^{17}$. The function $F$ is the majority function $F(x_1, x_2, x_3) = x_1 x_2 + x_1 x_3 + x_2 x_3$.

The communication in the GSM system is performed through frames. Each frame consists of 228 bits. For every frame to be enciphered, the initialization procedure takes place, which yields the initial state of the LFSRs on the basis of the 64-bit secret key $K$ and the 22-bit frame number $F$. During the initialization, the bits of the secret key are first imposed into all the LFSRs, at every clock pulse, without the stop/go clocking, starting from the LSB of each key byte. Then the bits of the frame number are imposed into all the LFSRs in the same way, starting from the LSB. Finally, the algorithm is run for 100 clock pulses utilizing the stop/go clocking, but producing no output.

Cryptanalytic attack: The attack consists of updating the system of linearized equations that relate the state variables of the LFSRs $R_1, \ldots, R_3$ with the output bits, on the basis of the clock-control sequence produced by the LFSR $R_4$, for its initial state picked from the set of $2^{17}$ possible states. The linearization of the equations is performed by substituting new variables for the nonlinear terms. Due to the frequent reinitializations, the small number of skipped bits in the initialization process and the distribution of the feedback taps, many linearly dependent equations appear, and almost all the unknown output bits that come after very few known output bits can be reconstructed without solving the system at all.

For the analysis of the system, we start from the analysis of the rank of a matrix to which a random last row is added. Namely, we prove the following

Proposition 1 - Let $W = [w_{i,j}]_{i=1,\ldots,m;\, j=1,\ldots,n}$ be a matrix over GF(2) whose rank is $r(W) = m$. Let $U = [u_{i,j}]_{i=1,\ldots,m+1;\, j=1,\ldots,n}$ be a matrix over GF(2) whose first $m$ rows are respectively equal to the rows of $W$, and the elements of the last row are generated independently at random, with the probability $\Pr(u_{m+1,j} = 1) = 0.5$, $1 \le j \le n$. Then the probability that $r(U) = r(W)$ is

$$\Pr(r(U) = r(W)) = 2^{m-n}. \qquad (1)$$

Proof: The first $m$ linearly independent rows of the matrix $U$ span a vector space whose cardinality is $2^m$. The claim that $r(U) = r(W)$ means that the last row of $U$ must belong to the vector space spanned by the first $m$ rows. Since $\Pr(u_{m+1,j} = 1) = 0.5$, the required probability is $2^{m-n}$. Q.E.D.

Due to the nonlinear order of the majority function, the maximum number of variables in the system will be $n = 719$. Consider now the process of adding equations to this system. Suppose that for some clock pulse $c_t$ of the algorithm, the system consists of $m$ linearly independent equations. If the contribution of $R_i$ to the new equation does not depend on $k_i^t$ state variables, $i = 1, \ldots, 3$, then the number of equations that can be added to the system reduces at least from $2^{719}$ to $2^{719 - d_t}$, where $d_t = \sum_{i=1}^{3} \bigl( k_i^t + \binom{k_i^t}{2} \bigr)$. In such a way, the probability that the rank of the new system is the same as the rank of the previous system can be significantly greater than that for an equation generated at random.

In general, $d_t$ depends on the initial state of the algorithm. Let us call a dependency the set of state variables on which a particular position of an LFSR depends. Due to the concentration of the feedback taps of the LFSRs $R_1$ and $R_2$ to the right of the inputs to the majority function, the input positions to this function and the last positions of these LFSRs depend on very few initial state variables after every initialization. The cardinalities of the dependencies of these positions will grow much more slowly than in the case when the feedback taps are not concentrated at the ends ($R_3$). Thus, the total cardinalities of the dependencies for the LFSRs $R_1$ and $R_2$ can be very small and the probability that the newly added equation will be linearly dependent on the others can become very close to one.

Let $AX = B$ be a linear system over GF(2), where $A = [a_{i,j}]_{i=1,\ldots,m;\, j=1,\ldots,n}$, $X = [x_i]_{i=1,\ldots,n}$, and $B = [b_i]_{i=1,\ldots,m}$. Denote by $A'$ the extended matrix of the system. Let us transform the matrix $A'$ into the trapezoidal form using the Gauss algorithm. Denote the state of the matrix $A'$ after performing the $k$-th set of such transformations by $A'_k$. Thus, $A'_0 = A'$. Let us define the matrix $P_k = [p^k_{i,j}]_{i,j=1,\ldots,m}$ in the following way: $p^0_{i,i} = 1$, $p^0_{i,j} = 0$ for $i \ne j$; at the $k$-th step of the transformation, if the $i$-th and $j$-th rows of the matrix $A'_k$ are interchanged or summed, so are the respective rows of $P_k$. In such a way, the nonzero elements of the $i$-th row of the matrix $P_k$, $i = 1, \ldots, m$, at the $k$-th step of the transformation point to the ordinal numbers of the rows of the original system $A'_0$ on which the $i$-th row of the matrix $A'_k$ linearly depends.

Let $A'_m$ be the extended matrix of the system $AX = B$ in its trapezoidal form and suppose that the rank of this system is $r(A'_m) = m$. Let us add the new equation $WX = Z$ to the system, where $W = [w_i]_{i=1,\ldots,n}$ and $Z = [z_1]$. Let $\oplus$ denote the operation of adding a row to a matrix. Apply the process of transformation to the trapezoidal form to the new system $CX = D$, where $C = A_m \oplus W = [c_{i,j}]_{i=1,\ldots,m+1;\, j=1,\ldots,n}$ and $D = B_m \oplus Z = [d_i]_{i=1,\ldots,m+1}$. Suppose $r(C) = m$ and denote by $q$ the biggest row index for which $p^{m+1}_{q,m+1} = 1$. If $q = m + 1$ and $z_1$ is known, then $c'^{\,m+1}_{q,n+1} = 0$ and

$$z_1 = \sum_{i=1}^{m} b_i\, p^{m+1}_{q,i}. \qquad (2)$$

If $q = m + 1$ and $z_1$ is not known, we can guess $z_1$ and transform the matrix $C'$ in the same way as if $z_1$ were known. Since $r(C) = m$, for the correct value of $z_1$, $c'^{\,m+1}_{q,n+1}$ must be zero. Thus, in this case, $z_1$ is also given by (2).

If $q < m + 1$, then

$$z_1 = c'^{\,m+1}_{q,n+1} + \sum_{i=1}^{m} b_i\, p^{m+1}_{q,i}. \qquad (3)$$

But if $q < m + 1$ and $z_1$ is not known, the calculated value for $z_1$ can be incorrect.

Since in the degenerate cases, when $q < m + 1$, the unknown output bits cannot be reconstructed, the runs of these cases should be short. Experiments performed on a great number of frames show that approximately 70% of these runs are of length less than 10.
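The following Python is an added example, not code from the paper: it implements the incremental Gauss elimination over GF(2) with the row-tracking matrix $P$ defined above, reconstructs an unknown right-hand side $z_1$ of a linearly dependent equation by relation (2), and checks Proposition 1 by Monte Carlo. Rows are kept as bit-masks, and the class and function names are my own; a dependent row is never made a pivot, so its tracking row is always well defined.

```python
import random

class GF2System:
    """Incremental Gauss elimination over GF(2) with row tracking (added example,
    not the paper's code). A stored pivot row is (coeff, rhs, origin): coeff is a
    bit-mask over the variables, origin the row of the tracking matrix P."""

    def __init__(self):
        self.pivots = {}   # lowest set bit of a row -> (coeff, rhs, origin)
        self.b = []        # right-hand sides b_i of the original equations

    def _reduce(self, coeff, rhs, origin):
        # Cancel the lowest set bit against pivot rows until the row is zero
        # (dependent) or its lowest bit is owned by no pivot row (independent).
        while coeff and (coeff & -coeff) in self.pivots:
            pc, pr, po = self.pivots[coeff & -coeff]
            coeff, rhs, origin = coeff ^ pc, rhs ^ pr, origin ^ po
        return coeff, rhs, origin

    def add(self, coeff, rhs=None):
        """Add W.X = z (rhs=None: z unknown). Returns ('independent', z) when the
        rank grows, ('consistent'|'inconsistent', z) for a dependent row with known
        z, and ('reconstructed', z) when unknown z is forced by relation (2)."""
        origin = 1 << len(self.b)
        c, r, o = self._reduce(coeff, rhs or 0, origin)
        if c:
            if rhs is None:
                raise ValueError("unknown rhs on an independent row")
            self.pivots[c & -c] = (c, r, o)
            self.b.append(rhs)
            return "independent", rhs
        # Dependent: bits of o below its own index are p_{q,i}; z = XOR of b_i p_{q,i}.
        z = 0
        for i in range(len(self.b)):
            z ^= (o >> i) & 1 & self.b[i]
        self.b.append(z if rhs is None else rhs)
        if rhs is None:
            return "reconstructed", z
        return ("consistent" if z == rhs else "inconsistent"), rhs

def dependency_rate(m, n, trials, seed=1):
    """Monte Carlo check of Proposition 1: grow a random n-variable system to rank
    m, add one random row, return the fraction of trials where the rank stayed m."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        s = GF2System()
        while len(s.pivots) < m:
            s.add(rng.getrandbits(n), rng.getrandbits(1))
        hits += s.add(rng.getrandbits(n), rng.getrandbits(1))[0] != "independent"
    return hits / trials
```

With $m = 5$ and $n = 8$, `dependency_rate(5, 8, 4000)` comes out close to $2^{m-n} = 0.125$; an `inconsistent` result on a known bit plays the role of the counter $d$ in the attack's Step 6.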

The attack on A5/2 consists of the following major steps:

Input: 4 frames of the output sequence and their corresponding frame numbers; frame numbers of the output sequence frames to be reconstructed; threshold $T$ chosen according to the actual bit error ratio in the channel;

Output: reconstructed frames of the output sequence, except for the bits that correspond to the degenerate cases and to the linearly independent equations.

1. SET $s = 0$; { Ordinal number of the initial state of $R_4$ }
   SET $i = 0$; { Frame number index }
   SET $m = 0$; { The number of linearly independent equations }
2. Choose the $s$-th state of the LFSR $R_4$; SET $d = 0$;
3. SET $i = i + 1$; complete the initialization process, starting from the state $s$ of $R_4$, imposing the frame number $F_i$ into all the LFSRs, and keeping track of the dependencies;
4. IF $d > T$ THEN SET $s = s + 1$ and go to Step 2; if the end of the frame is reached, then go to Step 3; otherwise, run the algorithm A5/2 for one cycle, keeping track of the dependencies, and setting the equation that relates these dependencies and the corresponding output bit;
5. Linearize the obtained equation by substituting new variables for the nonlinear terms; add this equation to the system;
6. Check the current system for its rank, updating the matrix $P$; if the current rank is greater than the previous rank, then SET $m = m + 1$ and go to Step 4; if the current rank is equal to the previous rank and the current output bit is known, check whether the known bit is equal to the bit calculated by relation (3); if not, then SET $d = d + 1$, return to the previous state of the system and go to Step 4; if the current rank is equal to the previous rank and the output bit is unknown, find the biggest $q$ such that $p^{m+1}_{q,m+1} = 1$; IF $q = m + 1$, then calculate the unknown bit by relation (2), return to the previous state of the system and go to Step 4; IF $q < m + 1$ (degenerate case), return to the previous state of the system and go to Step 4.

Our algorithm examines all the $2^{17}$ possible initial states of the LFSR $R_4$ in the worst case. For each such state and for all the checks after the first one, the system already has the trapezoidal form, except for the newly added last row. So, the complexity of these checks will be linear in $m$.

Acknowledgement

This work was supported by C.A.M., Spain, under grant 07T/0044/1998.

References

[1] http://cryptome.org/gsm-a512.htm, 1999.

[2] Biryukov A., Shamir A., Wagner D., 'Real Time Cryptanalysis of A5/1 on a PC', in Proceedings of Fast Software Encryption, New York, 2000, Lecture Notes in Computer Science, Berlin: Springer-Verlag, in press.

[3] Golić J. D., 'Cryptanalysis of Alleged A5 Stream Cipher', in Advances in Cryptology - EUROCRYPT '97, Lecture Notes in Computer Science 1233, W. Fumy ed., Berlin: Springer-Verlag, 1997, pp. 239-255.

[4] Parker D. S., Dinh L., 'How to Eliminate Pivoting from Gaussian Elimination - by Randomizing Instead', Technical Report No. CSD-950022, Computer Science Department, University of California, Los Angeles, 1995.

Fig. 1 - The scheme of the A5/2 algorithm