A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Ruilin Li, Heng Li, Chao Li, Bing Sun National University of Defense Technology, Changsha, China

FSE 2013, Singapore 11th ~13th March, 2013 Outline

• Backgrounds and the GMR-2 Cipher • Revisit the Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion

2 Outline

• Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion

3 Backgrounds and the GMR-2 Cipher

• Mobile communication systems have revolutionized the way we interact with each other – GSM, UMTS, CDMA2000, 3GPP LTE • When do we need satellite based mobile system? – In some special cases • researchers on a field trip in a desert • crew on ships on open sea • people living in remote areas or areas that are affected by a natural disaster

4 Backgrounds and the GMR-2 Cipher

• What is GMR? – GMR stands for GEO-Mobile Radio – GEO stands for Geostationary Earth Orbit

– Design heavily inspired from GSM 5 Backgrounds and the GMR-2 Cipher

• Two major GMR Standards – GMR-1 (de-facto standard, Thuraya etc) – GMR-2 (Inmarsat and AcES) • How to protect the security of the communication in GMR system? – Using symmetric cryptography – Both the authentication and encryption are similar as that of GSM A3/A5 algorithms.

6 Backgrounds and the GMR-2 Cipher

• Encryption Algorithms in GMR – Stream ciphers – Reconstructed by Driessen et al. • GMR-1 Cipher – Based on A5/2 of GSM – Totally broken by ciphertext-only attack • GMR-2 Cipher – New design strategy – Can be broken by known-plaintext attack – Read-collision based technique

7 Backgrounds and the GMR-2 Cipher

• In this talk, we focus on GMR-2 stream cipher – Revisit components of the GMR-2 cipher – Propose dynamic guess and determine strategy – Present a low data complexity attack

8 Outline

• Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion

9 Revisit each Component of the GMR-2 Cipher

• Encryption mechanism of the GMR-2 cipher – Data are divided into frames identified by the frame number with 22-bits – New frame is re-initialized – Each frame contains 120-bit (15-byte) • Parameters of the GMR-2 cipher – Key length: 64-bit (Session key) – IV length: 22-bit (Frame number) – Key stream bits length within a frame: 120-bit

10 Revisit each Component of the GMR-2 Cipher

K

t 1

8 6 Z c F G H 8 l 3 4 6

s7 s6 …… s1 s0 8 p • An overview on the GMR-2 cipher – 8-byte shift register S, a 3-bit counter c, and a toggle bit t – byte-oriented, three major components – F combines two bytes of session key with previous output – G is a linear function for mixing purpose – H consists two DES Sboxes as a nonlinear filter 11 Revisit each Component of the GMR-2 Cipher K t

O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – At the l-th clock, the input • 8-byte array holding the session key K, read from two sides. • a counter c ranging from 0 to 7 sequentially and repeatedly. • a toggle bit t=c mod 2.

• the previous key stream byte p=Zl-1 12 Revisit each Component of the GMR-2 Cipher K t

O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – The lower side outputs Kc with the help of the counter c.

– The upper output depends on the lower output Kc , the previous key stream byte p and the toggle bit t.

– t1 maps 4-bit to 3-bit which select the upper output.

– t 2 maps 3-bit to 3-bit which determine the rotation. 13 Revisit each Component of the GMR-2 Cipher K t

O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 p • The F component – The output is ìOK= t( t ( a )) ï 0t1 ( a )• 2 1 í îïO1 =((( Kc Å p )? 4) & 0xF) Å (( K c Å p ) & 0xF) ì(KÅ p ) & 0xF, if t = 0 a = c í 14 î((Kc Å p )? 4)&0xF, if t = 1 Revisit each Component of the GMR-2 Cipher

B1 O0¢ O0 6 8 B1

O1 B3 Å 4

B2

O¢ 8 1 B2 6

S0 • The G component

ìB13210:(,,,)( x x x xa x 3032031ÅÅx , x x Å x ,,); x x ï íB2:(,,,) x 3 x 2 x 1 x 0a (, x1 x 3 , x 0 , x2 ); ï îB3:(,,,)(x 3 x 2 x 1 x 0a x2, x 0, x 3 Å x 1 Å x 0 , x 3 Å x 0 ). 15 Revisit each Component of the GMR-2 Cipher t

O¢ 2 Z 0 6 S 4 l 8 O¢ 6 1 S 4 6

• The H component ( (O¢ ), ( O ¢ )) if t = 0 ì SS2 1 6 0 8 Zl =í ( (O¢ ), ( O ¢ )) if t = 1 î SS2 0 6 1 8 where and are the two sboxes of DES. Assume the input of SS2 6 is (x , x , x , x , x , x ), then ( x , x ) selects the row index, and S 5 4 3 2 1 0 1 0 16 (x5 , x 4 , x3 , x 2 ) selects the column index. Revisit each Component of the GMR-2 Cipher

F G H

• Initialization Mode – Set c=0, t=0, and initialize S with frame number N – 8-byte key is written into the resister in F

– Clock the cipher 8 times and discard the output Zl

17 Revisit each Component of the GMR-2 Cipher

F G H

• Generation Mode – For each frame number N, further clock the cipher 15 times, and the output keystream is ¢ (0) (0) (0) (1) (1) (1) (2) ZZZZZZZZ=(,,,;,,;,)0 1LLL 14 0 1 14 0 ()N Zl denotes the l-th byte of keystream generated after initialization with N 18 Revisit each Component of the GMR-2 Cipher

• Property of F

ì(Kc Å p ) & 0xF, if t = 0 a = í î((Kc Å p )? 4)&0xF, if t = 1 – If p is known, then we can get the value of a only

by the most/least significant four bits of Kc K t

O0 t 2 >>> 8 a K0 K1 K2 K3 K4 K5 K6 K7 t O1 1 Å 4 c 4 4 Å 8 19 p Revisit each Component of the GMR-2 Cipher

• Property of H – We can “invert ” / SS2 6 • Given the row index and the output, the column index can be uniquely obtained. • Given the column index and the output, the row index can be uniquely obtained, except for when the column index is 4 and S 6 the output is 9, the row index can be either 0 or 3. • Given the outputs of both S-boxes, there will be 16 possible inputs.

2 O0¢ S Z l

¢ O1 S6 20 Revisit each Component of the GMR-2 Cipher

• Property of G – The key point – The links between the input and output of the G component can be expressed by a well-structured matrix

B1 O0¢ O0 6 8 B1

O1 B3 Å 4

B2

O¢ 8 1 B2 6 21

S0 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ ' ê ú çO 0 , 2 ÷ çO ÷ ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 S 0 , 6 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1 0 0 ç ÷ ç ÷ ê ú çO ÷ ç 0 ÷ ' ê ú 1 ,1 çO 1,1 ÷ ç ÷ ç ÷ ë 0 0 0 0 0 0 0 0 0 0 0 1 û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø

22 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ ' ê ú çO 0 , 2 ÷ çO ÷ ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 S 0 , 6 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1 0 0 ç ÷ ç ÷ ê ú çO ÷ ç 0 ÷ ' ê ú 1 ,1 çO 1,1 ÷ ç ÷ ç ÷ ë 0 0 0 0 0 0 0 0 0 0 0 1 û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø

23 æO ' ö 0 , 5 æO ö ç ÷ 0 , 7 æS 0 , 5 ö çO ' ÷ é100100000000 ù ç ÷ ç ÷ 0 , 4 ê ú O ç ÷ ç0 , 6 ÷ çS 0 , 7 ÷ ' ê1 1 0 1 0 0 0 0 0 0 0 0 ú çO 0 , 3 ÷ A ç ÷ ç ÷ O 0 , 5 S ç ÷ ê1 0 0 0 0 0 0 0 0 0 0 0 ú ç ÷ ç0 , 4 ÷ y ' ê ú 1 çO 0 , 2 ÷ çO ÷ x ç ÷ ê 0 0 1 0 0 0 0 0 0 0 0 0 ú 0 , 4 1 S 0 , 6 v1 ç' ÷ ç ÷ ç ÷ O 1, 5 ê ú O ç ÷ 0 0 0 0 1 0 0 1 0 0 0 0 ç0 , 3 ÷ çS 0 ,1 ÷ ç' ÷ ê ú ç ÷ ç ÷ O 1, 4 ê 0 0 0 0 1 1 0 1 0 0 0 0 ú O 0 , 2 S ç ÷ = ç ÷ Å ç 0 , 3 ÷ ç' ÷ ê A ú gç ÷ O 000010000000 O 0 ,1 ç S ÷ ç1, 3 ÷ ê ú ç ÷ ç 0 , 0 ÷ ' ê 000000100000 ú çO ÷ çO 1, 2 ÷ 0 , 0 ç S 0 , 2 ÷ ç ÷ ê ú ç ÷ ç ÷ ' 0 0 0 0 0 0 0 0 1 0 1 1 ê ú çO 1 , 3 ÷ 0 çO 0 ,1 ÷ ç ÷ ê0 0 0 0 0 0 0 0 1 0 0 1 ú ç ÷ ç' ÷ O ç ÷ O ê ú ç1 , 2 ÷ 0 y ç0 , 0 ÷ 0 0 0 0 0 0 0 0 0 1B 0 0 ç ÷ 2 ç ÷ ê ú çO ÷ x ç 0 ÷ ' ê ú 1 ,1 2 v2 çO 1,1 ÷ ç ÷ ç ÷ ë 0 0 0 0 0 0 0 0 0 0 0 1 û ç ÷ 0 ç' ÷ èO 1 , 0 ø è ø èO 1, 0 ø

24 Revisit each Component of the GMR-2 Cipher

• Three linear systems

25 Revisit each Component of the GMR-2 Cipher

• Another linear system – Let

then thus from we obtain

26 Revisit each Component of the GMR-2 Cipher ìy =W· x Å v ï ïy1 =W1· x1 Å v 1 ï íy2 =W2· x2 Å v 2 ïy =W· kÅ W· k Å W· u Å v ï 2 2h 2 l 2 2 ïx = K t(() t a ) î 1 t1 ( a )• 2 1

• W,,, W1 W 2, v v 1 , v 2 u are known values.

• Given x () x i , we can obtain y () y i , and vice vera. y ,a x , K • Given 1 , we can get 1 t 1 () a , and vice vera.

• y1 selects the column index of the S-box and y 2 selects the row index.

27 Revisit each Component of the GMR-2 Cipher

' Kt() a t2( t 1 ( a )) 1 •\ S K Å p c S F G H

K t( t ( a )) t1 () a •\2 1 K t( t ( a )) t1 () a •\2 1

Kc Å p

28 Revisit each Component of the GMR-2 Cipher

K t( t ( a )) x1 ' t1 () a •\2 1 x S K Å p 2 c S F G H

K t( t ( a )) t1 () a •\2 1 K t( t ( a )) t1 () a •\2 1

Kc Å p

29 Revisit each Component of the GMR-2 Cipher

y1

K t( t ( a )) x1 ' t1 () a •\2 1 x S K Å p 2 c S F G H y2 K t( t ( a )) t1 () a •\2 1 K t( t ( a )) t1 () a •\2 1

Kc Å p

30 Outline

• Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion

31 The Low Data Complexity Attack

• Known-plaintext attack – From keystream bits to recover the session key • Guess and Determine – Guess -Determine -Verify – The Guessed and Determined Parts of the internal state are known in prior before applying the attack • Dynamic Guess and Determine – Dynamically Guess and Determine – Dynamically Check the candidate by backtracking

32 The Low Data Complexity Attack

• Basic Analysis – How these three components interact each other • The linear transformation G plays a central role • Since p and S0 must be known to us, we should analyze the cipher at the (c+8)th-clock ( 0 £ c £ 6 ) in the keystream generation phase.

' Kt() a t2( t 1 ( a )) 1 •\ 8 6 S Zc+8 Kc Å p 4 6 S F S0 G H

33 The Low Data Complexity Attack

' Kt() a t2( t 1 ( a )) 1 •\ 8 6 S Zc+8 Kc Å p 4 6 S F S0 G H • Rule 1 –

Let Kc = (kh , k l ), assume c is odd, and given a guessed value for k h , if c =t1 ( a ),

then using the theory of linear consistence test , k l has no solution or can be ()N determined by Zc+8 ;Similarly,assume c is even,and given a guessed value for k l , ()N if c =t1 ( a ), then kh has no solution or can be determined by Zc+ 8 . 34 The Low Data Complexity Attack

' Kt() a t2( t 1 ( a )) 1 •\ 8 6 S Zc+8 Kc Å p 4 6 S F S0 G H • Rule 2 –

Let KK = (k , k ),and given guessed values for and k , then k can be c h lt1 () a h l determined by ZK()N ;Similarly, given guessed values for and k , then k c+8t1 ( a ) l h ()N can be determined by Zc+8 . 35 The Low Data Complexity Attack

' Kt() a t2( t 1 ( a )) 1 •\ 8 6 S Zc+8 Kc Å p 4 6 S F S0 G H • Rule 3 –

Given a guessed value for K , if t ( a ) ¹ c , then K can be c 1t1 ( a ) ()N determined by Zc+8 .

36 The Low Data Complexity Attack

' Kt() a t2( t 1 ( a )) 1 •\ 8 6 S Zc+8 Kc Å p 4 6 S F S0 G H • Rule 4 – Given guessed values for KK and , then we can determine whether c t1 () a those guessed values are wrong.

37 The Low Data Complexity Attack

• Attack Procedure – Capture a frame of keystream bits (15-byte)

(0) (0) (0) (0) (0) (ZZZZZ0,,,,,,1¼ 7 8 ¼ 14 ) – Apply Guess-and-Determine Attack on 8~14th clock • Define a index set G , and initialized with G = Æ – G saves the indices for the session key that has been known • Analyzing the cipher at the (c+8)-th clock sequentially

– Calculate t, c, p, S0, judge whether c ÎG – Adopt Rule 1~ Rule 4 to perform the attack – A little boring, see the full version paper 38 The Low Data Complexity Attack

• Complexity analysis – Data Comp. • A frame of Data (15-byte keystream) • The last 7 bytes used for guess-and-determine • The first 8 bytes used for verification – Time Comp. • When guessing 8/4-bit, we will determine 8/4-bit • The 64-bit session key can be obtained by guessing at most 32-bit • Rough estimation, seems hard to obtain exact analysis • Experimental results are a little better, about 228 exhaustive search

39 Outline

• Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion

40 Experimental Result

1000 Experimental Results with Random IV and Session Key 41 Experimental Result

• Some explanations – Operated on a 3.2 GHz laptop – Non-optimized realization – 700 seconds on average • 580 seconds for deducing candidates • 120 seconds for exhaustive search

42 Outline

• Backgrounds and the GMR-2 Cipher • Revisit each Component of the GMR-2 Cipher • The Low Data Complexity Attack • Experimental Result • Conclusion

43 Conclusion

• We perform a security analysis of the GMR-2 cipher – Revisit the components of GMR-2 cipher – Propose “dynamic guess and determine strategy” – Present a low data complexity attack • The design methodology of the GMR-2 cipher is far from what is “state of the art” in stream ciphers • Be careful when using the Satellite phones

44 Thanks for your Attention! Q & A

45