A GSM Stream Cipher

Home , Birthday attack, Clock (cryptography), Keystream, Stream cipher

Two Trivial Attacks on A5/1: A GSM Stream Cipher

Ashish Jain1 and Narendra S. Chaudhari2 Department of Computer Science and Engineering, Indian Institute of Technology Indore, India

A B S T R A C T

Stream ciphers play an important role in those applications where high throughput remains critical and resources are very restricted e.g. in Europe and North America, A5/1 is widely used stream cipher that ensure confidentiality of conversations in GSM mobile phones. However careful security analysis of such

cipher is very important due to widespread practical applicability. The basic building blocks used in the design of A5/1 are linear feedback shift registers (LFSRs). Algebraic attacks are new and very powerful tool to cryptanalyse LFSRs based stream ciphers even non-linear combiner are concerned. In this paper we compared previous attacks on A5/1 as well as an algebraic attack and a new guess and determine attack is proposed.

1. Introduction

Stream ciphers are from the class of symmetric key ciphers which ensure privacy and confidentiality of secret data over communication channels. In a stream cipher each plaintext digit is encrypted with the corresponding pseudorandom cipher digit (keystream), to give a digit of the ciphertext. In practice, a digit is typically a bit and the combining operation is a „XOR‟. Typically, stream ciphers depend on a time-varying internal state that uniquely determines the status of stream cipher. An initial state of the stream cipher is normally determined by the secret key and the public initialization vector; the transition from one state to next is controlled by a clock. Stream ciphers are commonly classified as synchronous and asynchronous. In synchronous stream ciphers, the next state of the cryptosystem is defined independently of both the plaintext and ciphertext. Most of the stream ciphers are synchronous binary stream ciphers those are often constructed using linear feedback shift registers (LFSRs) because they can be easily implemented in hardware and can produce keystream bits at or near the clock speed however historically such stream ciphers were developed to employ in high data rate systems but today software based systems e.g. block ciphers are also capable of encrypting at extremely high data rates but some important applications prefer stream ciphers where the resources are restricted and the speed and simplicity of implementation in hardware is required e.g. in secure wireless communication. In general stream ciphers are much faster than block ciphers and typically require fewer resources for implementation in hardware and software. They have small buffer requirements and limited error propagation, since the symbol size is relatively small and each symbols processed independently, these properties make stream ciphers are most suitable for telecommunication applications such as mobile phone networks. Due to such widespread applications, security analysis of stream ciphers is very important; publish your cryptography design and invite others to attack or cryptanalyse it. Nearly all cryptography algorithms undergo this process and carefully examined to establish practical security of the system, in other words the goal of cryptanalysis is to find insecurity in a cryptography scheme thus permitting its subversion [1]. Typically Algebraic attacks, Tradeoff attacks, Correlation attacks, Guess and determine attacks and Statistical distinguishing attacks are methods of cryptanalyse stream ciphers. An algebraic attack on stream ciphers with linear feedback is a new and very powerful tool which has been introduced in 2003 by Courtois and Meier [2]. In this research we investigate algebraic analysis of A5/1 as well as a new guess and determine attack is proposed having time complexity is comparable better than previous guess and determine attack. Anderson [3], Golic [4] and Babbage [5] were the initiator in cryptanalyzing the A5/1 encryption algorithm when only a rough outline of the A5/1 was leaked. After 1999 when A5/1 was reverse engineered, it was analyzed by [6, 7, 8, 9, 10, 11 and 12]. A review and comparison of these previous attacks is presented in section 4, in section 2 basics of algebraic analysis is presented, section 3 describes design of A5/1, in section 5 proposed algebraic attack is explained and in section 6 a new guess and determine attack is described followed by conclusion & future work in section 7.

2. Algebraic Analysis Over Finite Field

The general framework for the algebraic attacks on stream ciphers was developed by Courtois and Meier [1] is restricted to synchronous binary stream ciphers defined over GF(2) in which there are a state s∈GF(2)n. At each clock t the state s is updated by a “connection function" s → L(s) that is assumed to be linear over GF(2). Then a combiner f is applied to s, to produce the output bit b = f(s).

2.1. Framework for Algebraic Analysis. A typical algebraic attack consists of the following four steps [1]:  Finding a system of algebraic equations that bind the initial state with the keystream that is visible during the attack. An important practical issue is to find as many independent algebraic equations of a low degree as the number of unknown monomials (for the initial state or secret key).  Reducing the degree of the equations by determining their annihilators. This is one of the crucial parts of the attack, because efficiency of attack is depends on the degree of the equations–the smaller the better.  Collecting enough keystream bits and substituting their values into the equations.  Finally, solve the system of algebraic equations.

2.2. Our Contribution. In this paper we describe a simple algebraic attack on the A5/1 stream cipher. The limitation of our method is that there is no boundary for the degree of the generated equations which is crucial part of fast algebraic attack as shown in section 2.1. For effective algebraic attack this improvement in our proposed method is considered as future work.In section 6 we also proposed a new guess and determine attack having time complexity is comparable better than previous guess and determine attack.

3. Description of A5/1 GSM Stream Cipher A GSM conversation is drive as a sequence of frames, every frame is sent in 4.615 milliseconds. Each frame contains 228 bits; 114 bits represent the communication from A to B and the remaining 114 bits represent return communication. Every frame also contains frame counter Fn of 22 bit which is publicly known. In GSM a new 64 bit session key k is generated to drive each conversation. The session key followed by frame counter is used to set initial state of A5/1. A5/1 is built using three linear feedback shift registers (LFSRs) of lengths 19, 22, and 23 bits, denoted by R1, R2 and R3 respectively as shown in Fig. 1. Each linear shift registers have primitive feedback polynomials. Each register has a single "clocking" tap (bit

8 for R1, bit 10 for R2, and bit 10 for R3) they are clocked in a stop/go fashion using the majority rule. Note that at each step either two or three registers are clocked which implies that each register moves with probability 3/4 and stops with probability 1/4.The A5/1 works as follows: First, an initialization step is performed. Initially all LFSRs are set to 0 then all are clocked 64 times regularly and in parallel all bits of session key are consecutively XORed to the feedback of each of the registers. In the second step all LFSRs are again clocked 22 times regularly and the successive bits of frame counter are XORed in parallel to the feedback of each of the registers. In this way the initialization phase takes an overall of 64 + 22 = 86 clock- cycles results an initial state Si. In the third step based on the initial state Si, a warm-up phase is performed in this step all LFSRs are clocked irregularly (according to majority rule) for 100 clock-cycles and the output is discarded. The majority rule is a function from n inputs to one output. The value of the operation is true ┌ ┐ when at least n/2 arguments are true, false otherwise. Finally all LFSRs are irregularly clocked for 228 clock cycles, produces the 228 bits which forms keystream (KS) which combines with 228 bits of plaintext to generate ciphertext of 228 bits. For details about A5/1 we referred [8].

1 0

2 1

3 2

4 3 0

5 4 1

6 5 2

7 6 3

8 7 4

9 8 5

10 9 6 Clock Control Unit 11 10 7

12 11 8

13 12 9

14 13 10

15 14 11

16 15 12

17 16 13 Bits Clocking Tapping bits Purpose → bits 18 17 14 Registers ↓ R 8 13,16,17,18 19 18 15 1 R2 10 20,21

20 19 16 R3 10 7,20,21,22

21 20 17

22 21 18

R3 R2 R1

Keystream (KS)

Fig.1. A5/1 Stream Cipher

4. Comparisons of Known Attacks on A5/1

In 1994, Anderson [3] had proposed a guess-and-determine attack on the A5/1 which was the first attack on alleged design of A5/1, he suggested guess all bits of registers R1 and R2 and the lower half of register R3 and then determine the remaining bits of R3 by the following equation:-

R1[18] XOR R2[21] XOR R3[22] = KS[i] ------(1)

In the worst-case the verification of each of the 252 determined state candidates against the known keystream need to perform. Golic [5] proposed an attack that has a set of 240 linear equations. His idea was to guess the lower half of all three registers and determine the remaining bits with the known keystream using equation 1 but each operation in this attack is much more complicated since it is based on the solutions of system of linear equations. In practice, this algorithm is not better than the Anderson's algorithm and Keller-Seitz‟s concept. In deriving the solution of the system of equations, we additionally require solving 44 linear equations using Gaussian Elimination method. This makes Golic's approach impractical to implement. The Biham-Dunkelman attack [6] is much faster than the Anderson's and Keller-Seitz's attack. This attack requires 247 A5/1 clocking and 220.8 bits of plaintext data which is equivalent to 2.36 minutes of conversation. The attacker guesses 12 bits {(R1[9] to R1[18] except R1[13]), (R2[0], R3[22] and R3[10])} and determines the remaining bits of registers R1 and R2 by equation 1. The attack algorithm assumes that register R3 is not clocked (i.e., R1[8] = R2[10] ≠ R3[10]) for 10 consecutive rounds. Such an event will occur once out of 220 possible cipher states. The attacker must know exactly the location of the information-leaking event where register R3 is unclocked for 10 consecutive rounds. This is a big assumption. Thus, the attacker will need to probe about 220 different starting locations by trial-and-error before the event actually occurs.

Also, the probability that such an event, where register R3 is not clocked for consecutive 10 rounds occurs is close to zero. This attack requires a lot of precomputation data and large space that‟s why this attack is also not practical for implementation. Keller and Seitz [7] designed an attack based on the attack proposed by Anderson. But unlike Anderson, the asynchronous clocking of the A5/1 stream cipher was also taken into account. According to their algorithm, the attacker guesses registers R1 and R2 and determines all bits of register R3 using equation 1. The attack was divided into two phases: a determination phase in which an internal state of A5/1 is generated and subsequently post-processing-phase in which the state candidate is checked for consistency. In the determination phase, the authors try to reduce the complexity of the simple guess-and- determine attack by early recognizing contradictions that could occur by guessing the clocking bit of R3 such that R3 will not clocked. Hence, all states arising out of the contradictory guess neither need to be computed further nor checked afterwards. The authors further reduce the complexity by not only discarding the incorrect possibilities for R3[22] in case of contradiction, but also limit the number of choices to the one of not-clocking R3, if this is possible without any contradiction. If a case arises when clock bits of registers R1 and R2 are equal and R3 need to be guessed, then the authors suggest to always consider the case R1[8] =

R2[10] = R3[10]. This leaves out the possible case of R1[8] = R2[10] ≠ R3[10]. Thus, the success probability of this attack is approximately 18%, and the number of state candidates inspected by Keller and Seitz to the number of valid states is 0.18. In addition to Golic‟s attack, Biryukov-Shamir-Wagner [8] proposed an attack in which they proposed two new cryptanalytic attacks on A5/1, in which a single PC can extract the conversation key in real time from a small amount of generated output. The first attack called the biased birthday attack requires two minutes of data and one second of processing time, whereas the second attack called the random Subgraph attack requires two seconds of data and several minutes of processing time. This attacks are the type of space/time trade-off attack therefore there are many possible choices of Tradeo, and three of them are summarized in Table 1. The success probabilities of these attacks are 60%. Barkan et al [11] also proposed guess and determine attack. However, in the precomputation phase of attack huge amounts of data need to be computed and stored. For example, with three minutes of ciphertext available, one needs to precompute about 50 TB of data to achieve a success probability of about 60%. These are practical obstacles that make the implementation of such attacks very difficult. Gendrullis et al [12] proposed a modification to the Keller-Seitz attack. Unlike Keller-Seitz, the authors only discard the wrong possibilities for the clocking bit of register R3 that would lead to a contradiction. But if no contradiction exists, they check all possibilities of the clocking bit of R3, which means the case of clocking and not- clocking R3. Thus, every possible state candidate is taken into account, hence giving us a success probability of 100%. Maria Kalenderi et al [13] proposed a different attack based on the creation of the A5/1 rainbow tables in reconfigurable hardware that map the internal state of cipher with the keystream. The limitation of this approach is the rainbow table creation is the most expensive portion of cracking a particular encrypted information exchange.

Type of Attack Preprocessing Data Storage Attack Time Complexity Recorded Required

Biased Birthday Attack(1) 242 2 minutes 4 1 second

Biased Birthday Attack(1) 248 2 minutes 2 1 second

Random Subgraph Attack 248 2 minutes 4 3-6 minutes

Table 1: Summary of Space-Time Trade-off Attack on A5/1

5. Algebraic Attack on A5/1

For generating the system of equations, first of all we emphasize on irregular clocking of all three LFSRs, it is clear from majority function (described in section 3) that at least two registers will be clocked at a time. If clocking bits represented by C1, C2, C3 then C= C1C2 + C2C3 + C3C1= 1 or 0, depends on majority th bits. From the idea of this equation we can write the equation for transforming i LFSR from the state Sj to

Sj+1 for i=1, 2 and 3 as:

i i i i i S j+1 = C(CiS j Li +(1-Ci) S j) + (1-C)(CiS j + (1-Ci)S jLi)

Now, we start generating the system of equations. We fill the LFSRs by fresh variables, which represent the initial configuration of the key generator and simulate according to feedback polynomial and for each known keystream bit zk generate the equation of the form f(l1, l2, l3) = zk, where f is XOR function and li are i substituted from the content of the state S 0 as we initially filled. There is an upper boundary by number of variables which is 64; therefore maximum numbers of monomials which may appear in system of equations will be 264. The problem of this simple algebraic attack is that there is no upper boundary by the degree of generated equations as well as the size of generated equations will grow exponentially this is why because we are considering irregular clocking of registers for generating equations. In each cycle the clocking possibilities for each LFSR is 3 out of 4. This method can be improved by reducing the degree of equations which is our future work.

6. A New Guess and Determine attack on A5/1

Our approach is based on the attack proposed by Anderson [3] and Golic [5], but with several modifications. In this analysis we guess all bits of register R1 then all bits of registers R2 and R3 are determined using 64 known keystream (KS) bits. This attack is comparable better than the previous guess and determines attack. The attack consists of two phases, the determination phase and the processing phase.

6.1. Determination Phase. This phase generates all possible state candidates when the cipher was in internal state. Let t2 and t3 denote the number of times the registers R2 and R3 are clocked, respectively. Every time a register is clocked, increment the counter for that register by one. The input to the algorithm

(Fig. 2.) is the known keystream bits and all guessed bits of the register R1.First we compute the most significant bits (MSBs) of register R2 and R3 by substituting MSB of register R1 and keystream bit in equation

1. If MSB of R2 and R3 are unknown, then there exist four possible combinations for the unknown bits; i.e. 00, 01, 10 and 11. But these four possibilities reduced to the two possibilities. The two possible combinations that satisfy the equation 1 are:

If R1[18] = KS[i] then R2[21]=R3[22]=0 (or) R2[21]=R3[22]=1. Possibility (1)

If R1[18] ≠ KS[i] then R2[21]=0, R3[22]=1 (or) R2[21]=1, R3[22]=0.

This reduces the number of possible state candidates to half. In the above arrangement index i is set to 0, and with every additional clocking round, the index i increases by 1. Now, we consider the clocking bits of registers R2 and R3. There are three possibilities:

If R2[10] is known and R3[10] is unknown, then replicate the state candidate twice, fill one copy

with R3[10]=0, and the other copy with R3[10]=1.

If R2[10] is unknown and R3[10] is known, then replicate the state candidate twice, fill one copy

with R2[10]=0, and the other copy with R2[10]=1.

If R2[10] and R3[10] are both known, then replicate the state candidate four times, fill the first copy

with R2[10]=0, R3[10]=0; the second copy with R2[10]=0, R3[10]=1; the third copy with R2[10]=1,

R3[10]=0; and the fourth copy with R2[10]=1,R3[10]=1.

Now consider the second most significant bits of register R2 and R3 i.e. R2[20] and R3[21]. If registers R2 and R3 are clocked, then these bits will become the new MSBs after clocking. There are four possible combinations for these bits; i.e., 00, 01, 10 and 11. But equation 2 and equation 3 reduces them to two possibilities. This reduces the number of possible cases by half.

R2[20] + R3[21] = R1[17]+KS[i+1] ------(2)

R2[20] + R3[21] = R1[18]+KS[i+1] ------(3)

Algorithm: Determination Input: KS64bits

Initialize clock counters: t2=0 and t3=0

1. While t2<10 and t3<11

Do: Clock registers, Increase counter t2 and t3 by +1 and repeat step 2.

2. If MSB of both registers R2 and R3 are unknown. Then determine MSB of both registers R2 and R3 by possibilities 1 and equation 1 and go to step 3.

Else if MSB of register R2 is known but MSB of register R3 is unknown. Then determine MSB of register

R3 by equation 1 and go to step 3. Else if MSB of register R3 is known but MSB of register R2 is unknown. Then determine MSB of register R2 by equation 1 and go to step 3. Else go to step 3.

3. If clock bits of both registers R2 and R3 are filled with new values. Then go to step 4. Else if clock bits of R2 got new value but clock bits of R3 is stable. Then make two replicate copies Copy 1: R3[10]=0, Copy 2: R3[10]=1 and go to step 4. Else if clock bits of R3 got new value but clock bits of R2 is stable. Then make two replicate copies Copy 1: R2[10]=0, Copy 2: R2[10]=1 and go to step 4. Else Make the four replicated copies Copy 1: R2[10]=0, R3[10]=0 Copy 2: R2[10]=0, R3[10]=1 Copy 3: R2[10]=1, R3[10]=0 Copy 4: R2[10]=1, R3[10]=1 Go to step 4.

4. If R2[20] and R3[21] has been changed, Then go to step 1. Else, For each copy do the following: If R1[8]=R2[10]=R3[10], Then replicate this new copy twice and fill each with a valid combination for R2[20] and R3[21] using equation 2. Else if R1[8]≠R2[10]=R3[10], Then replicate this new copy twice and fill each with a valid combination for R2[20] and R3[21] using equation 3. Else if R2[10]≠R1[8]=R3[10] , Then R3[21]=R1[17]+R2[21]+KS[i+1]. Else R2[20]=R1[17]+R3[22]+KS[i+1] // Because R3[10]≠R1[8]=R2[10]. Replicate R3 [7] twice as 0 and 1.

Fig. 2. Algorithm for Determining All Bits of Register R2 and R3

The above algorithm repeated till t2 < 10 and t3 < 11 because of the number of bits between the clocking bit and the MSB for register R2 is 10 and for register R3 is 11. Hence, register R2 has to be clocked at least 10 times and register R3 has to be clocked at least 11 times to determine all the bits of that register. At this moment, registers R2 and R3 are completely determined from the known KS and register R1. A complete state candidate is a state candidate with all bits filled. The minimum number of KS bits required to obtain a set of complete state candidates is 11. This will happen when both registers R2 and R3 are clocked together for 10 consecutive clocking cycles and register R3 is clocked again in the next round.

6.2 Processing Phase. This phase of the attack checks for the key from the set of complete state candidates obtained from the determination phase. As discussed in Section 6.1, the minimum number of rounds needed to get the complete state candidate is 11. The number of complete state candidates increases with every additional round. Hence, the probability of finding the key increases with every additional round. In this phase we generate output bits by performing normal A5/1 encryption with each of the complete state candidates obtained from the determination phase. Match these output bits bit-wise with the known Keystream bits. If the Keystream bits and output bits match, continue clocking and generate output bits till a contradiction of bit-wise matching occurs. If all the output bits match the given 64 Keystream bits, the complete state candidate is the key. Hence, we have found the key among all the complete state candidates.

6.3 Analysis of the Proposed Attack. After initialization, the first step of attack is the determination step. The state candidate has all bits of register R1 and all bits of registers R2 and R3 are unknown. According to the algorithm, the determination phase determines the most significant bits (MSBs) of registers R2 and R3, the clocking bits of R2 and R3, second MSBs of R2 and R3 and if possible R3[7] (involve as tapping bit in R3).

As we saw in the algorithm the MSBs of R2 and R3 is determined using equation1 and due to possibility

1 we are saving 50% cases. Then, we considered four unknown bits: R2[10], R3[10],R2[20] and R3[21]. In the table 2, we consider all possible cases of these four bits being known, and the number of maximum possible valid combinations that exist as a result of equation 1. In this way a total of 7 bits (i.e., R2[21], R2[20], R2[10], 7 R3[22], R3[21], R3[10] and R3[7]) is determined. These 7 bits would have 2 = 128 possible combinations. But our algorithm found these bits in 32 valid possible combinations, saving 96 combinations i.e., a saving of 75%.

If R3[7] is not considered, the first round of implementation will always generate 12 state candidates. On an average, the second round generates 60 state candidates and the third round generates 300 state candidates. The number of state candidates (till round 10) can be approximated by the formula 12*5n-1, where n denotes the nth round, n < 11. It is only after the 11th round that we will get the first set of complete state candidates (with all registers full). When bit R3[7] is taken into consideration, the first round of implementation will always generate 24 state candidates. From round three to round ten, the number of possible state candidates after every round is approximately five times the total number in the previous round. If clock bit of register R3 is unknown then R3[21] has to be unknown thus such cases will be NA.

Known Bits No. of Valid Saving

R2[10] R2[20] R3[10] R3[21] Cases Cases Cases K K K K 0 0 0% K K K U 2 1 50% K K U K 2 NA NA K U K K 2 1 50% U K K K 2 2 0% K K U U 4 2 50% K U K U 4 2 50% K U U K 4 NA 0% U K K U 4 2 50% U K U K 4 NA 0% U U K K 4 2 50% K U U U 8 3 62.5% U K U U 8 4 50% U U K U 8 3 62.5% U U U K 8 NA 0% U U U U 16 6 62.5%

Table 2: Percentage Saving in Finding Unknown Bit (K-Known bit, U-Unknown bit, NA- Not Applicable) 6.4 Probability of Finding key and Success. According to the majority function, in every clocking cycle at least two registers will get clocked i.e. a register will get clocked 3 out of 4 times. Formally, Let n1 → an event that registers R2 and R3 are clocked together. n2 → an event that registers R1 is clocked either with register R2 or R3.

P(n1) and P(n2) → Probabilities of events n1 and n2 occur respectively, which is each equal to ½.

Now, Let P(n2) = P(n2‟) + P(n2‟‟) = ¼ + ¼; where P(n2‟) is the probability of the event that register R1 is clocked with register R2 and P(n2”) is the probability of the event that register R1 is clocked with register R3.

Hence P(n1)+P(n2‟)+P(n2”) = 1.

Finally, Let Y be the random variable denoting the number of clocking cycles needed to obtain complete state candidate. Let x1, x2 and x3 be the number of clocking cycles needed for the event n1,n2‟ and n2” respectively. Where x1=10 and as we have discussed in section 6.1 and 6.2 that registers R2 and R3 have to be clocked at least 10 and 11 times respectively to determine all bits of respective registers i.e. x2=10 and x3=11 to obtain complete state candidates. Then the expectation for Y can be given as:

x *P(n ) + x *P(n ‟)+ x *P(n ”) 10 * 1/2 + 2* (10*1/4 + 11*1/4) E[Y] = 1 1 2 2 3 2 = = 15.5 P ( n 1 ) + P(n2‟) + P(n2”) 1/2+1/4+1/4

6.5 Experimental Analysis. We experiment normal encryption of A5/1 using random inputs to determine the average number of rounds needed to clock register R2 10 times and register R3 11 times. The experiment performed with 300 inputs thrice and we get on an average 15.52 clocking rounds needed which conforms that experimental results corroborate to the theoretical proof.

No. of Rounds Total State Candidates (T) Complete State Candidates (C) (T/C)*100 11 245.1 239.1 1.56% 12 246 242.5 8.83% 13 246.6 244.3 20.30% 14 246.8 245.2 32.98% 15 247.1 246.1 50.00% 16 249 248.9 93.30% Table 3: Success Probability Based on Experimental Analysis

6.6 Time Complexity. As shown in table 3, in each round we are saving at least half of the possible cases over exhaustive key search (264) and in section 6.4 theoretically as well as experimentally we proved that 15.5 the average number of rounds to get the key is 15.5. Hence for 15.5 rounds we save (1/2) cases, Thus 64 15.5 48.5 the time complexity to get the key will be 2 × (1/2) = 2 .

7. Conclusion and Future Work

In this paper we presented a new guess and determine attack on A5/1 with an average time complexity is 248.5 which is better than previous attacks on A5/1 in terms of combination of time complexity and success probability which is 90% in our case because after 15.5 round there is a high probability that the set of complete state candidates contain the secret key. In section 5 we have discussed simple algebraic attack on A5/1 but the complexity of attack is much worse than brute force attack which needs to improve. We are considering the concept of reducing degree of equations of the proposed algebraic attack is our future work.

References

[1] http://en.citizendium.org/wiki/Cryptanalysis. [2] Courtois N. T. and Meier Willi, “Algebraic attacks on stream ciphers with linear feedback” In Proc. Of Eurocrypt‟03, LNCS 2656, pp. 345-359, Springer-Berlin, 2003. [3] Anderson, R., A5 (was: Hacking digital phones), http://yarchive.net/phone/gsmcipher.html, Newsgroup Communication, 1994. [4] Babbage, S., A Space/Time Tradeo in Exhaustive Search Attacks on Stream Ciphers, European Convention on Security and Detection IEEE Confrence Publication, 1995.

[5] Golic, J., Cryptanalysis of Alleged A5 Stream Cipher, In Proc. of Eurocrypt'97, LNCS1233, pp. 239-255, Springer-Verlag, 1997. [6] Biham, E. and Dunkelman, O., Cryptanalysis of the A5/1 GSM Stream Cipher, In Proc. of Indocrypt‟00, LNCS 1977, pp. 43-51, Springer-Verlag, 2000. [7] Keller, J., and Seitz, B., A Hardware-Based Attack on the A5/1 Stream Cipher, http://pv.fernuni- hagen.de/docs-/apc2001-nal.pdf,2001. [8] Biryukov, A., Shamir, A. and Wagner, D., Real Time Cryptanalysis of A5/1 on a PC, In Proc. of FSE'00, LNCS1978, pp. 1-18. Springer-Verlag, 2001. [9] Ekdahl, P. and Johansson, T., Another Attack on A5/1, IEEE Transactions on Information Theory, Vol. 49 issue 1, pp. 284-289, 2002. [10] Maximov, A., Johansson, T. and Babbage, S., An Improved Correlation Attack on A5/1, In Proc. of SAC'04, LNCS 3357, pp. 239-255, Springer-Verlag 2005. [11] Barkan, E., Biham, E., and Keller, N., Instant Ciphertext-only Cryptanalysis of GSM Encrypted Communication, Technical Report CS-2006-07, Technion, 2006. [12] Gendrullis, T., Novotny, M., and Rupp, A., A Real-World Attack Breaking A5/1 within Hours, In Proc. of CHES'08, LNCS 5154, pp. 266-282, Springer-Verlag, 2008. [13] Kalenderi Maria, Pnevmatikatos Dionisios , Papaefstathiou Ioannis , Manifavas Charalampos Breaking the GSM A5/1 Cryptography Algorithm with Rainbow Tables and High-End FPGAs, In Proc. of 22nd international Confrence on Field programmable logic and applications, pp. 747-753, 2012.