CRYPTANALYSIS OF THE A5/2 ALGORITHM Slob o dan Petrovi c and Amparo Fuster-Sabater Abstract - An attack on the A5/2 stream cipher algorithm is describ ed, that determines the linear relations among the output sequence bits. The vast ma jority of the unknown output bits can b e reconstructed. The time 17 complexity of the attack is prop ortional to 2 . Introduction: A5 is the stream cipher algorithm used to encrypt the link from the telephone to the base station in the GSM system. According to [1], twoversions of A5 exist: A5/1, the 'stronger' version, and A5/2, the 'weaker' version. The attacks on the A5/1, utilizing the birthday paradox, are describ ed in [2, 3]. The attack on the A5/2 presented here is of algebraic nature. The scheme of the A5/2 algorithm is given in the Fig. 1. The LFSR R clo cks 4 the LFSRs R ;:::;R in the stop/go manner. The feedback p olynomials of 1 3 14 17 18 19 21 22 the registers are: g x = 1+x + x + x + x , g x = 1+x + x , 1 2 8 21 22 23 12 17 g x=1+x + x + x + x , g x=1+x + x . The function F is the 3 4 ma jority function F x ;x ;x =x x + x x + x x . 1 2 3 1 2 1 3 2 3 The communication in the GSM system is p erformed through frames. Each frame consists of 228 bits. For every frame to b e enciphered, the initialization pro cedure takes place, that yields the initial state of the LFSRs on the basis of the 64-bit secret key K and the 22-bit frame number F . During the initializa- tion, the bits of the secret key are rst imp osed into all the LFSRs, at every clo ck pulse, without the stop/go clo cking, starting from the LSB of each key byte. Then the bits of the frame numb er are imp osed into all the LFSRs in the Instituto de F sica Aplicada CSIC, Serrano 144, 28006 Madrid, Spain 1 same way, starting from the LSB. Finally, the algorithm is run for 100 clo ck pulses utilizing the stop/go clo cking, but pro ducing no output. Cryptanalytic attack: The attack consists of up dating the system of linearized equations that relate the state variables of the LFSRs R ;:::;R with the output 1 3 bits, on the basis of the clo ck-control sequence pro duced by the LFSR R , for 4 17 its initial state picked from the set of 2 p ossible states. The linearization of the equations is p erformed by substitution of the nonlinear terms by the new variables. Due to the frequent reinitializations, small numb er of skipp ed bits in the initialization pro cess and the distribution of the feedback taps, many linearly dep endent equations app ear, and almost all the unknown output bits, that come after very few known output bits, can be reconstructed without solving the system at all. For the analysis of the system, we start from the analysis of the rank of a matrix to which a random last row is added. Namely,we prove the following Prop osition 1 - Let W =[w ] b e a matrix over GF2, whose i;j i=1;:::;m;j =1;:::;n rank is r W = m. Let U =[u ] be a matrix over GF2, i;j i=1;:::;m+1;j =1;:::;n whose rst m rows are resp ectively equal to the rows of W , and the elements of the last row are generated indep endently at random, with the probability Pru =1=0:5, 1 j n. Then the probability that r U=r W is m+1;j mn Prr U=r W = 2 : 1 Pro of: The rst m linearly indep endentrows of the matrix U span the vector m space, whose cardinalityis2 . The claim that r U=r W means that the last row of U must b elong to the vector space spanned by the rst m rows. mn Since Pru =1=0:5, the required probabilityis2 . Q.E.D. m+1;j Due to the nonlinear order of the ma jority function, the maximum number of variables in the system will be n = 719. Consider now the pro cess of adding equations to this system. Supp ose that for some clo ck pulse c of the algorithm, t the system consists of m linearly indep endent equations. If the contribution of 2 R to the new equation do es not dep end on k state variables, i =1;:::;3, then i i t the numb er of equations that can b e added to the system reduces at least from P 3 k 719 719d i t t , where d = 2 to 2 k + . In sucha way, the probability t i t i=1 2 that the rank of the new system is the same as the rank of the previous system can b e signi cantly greater than that for the equation generated at random. In general, d dep ends on the initial state of the algorithm. Let us call a de- t pendency the set of state variables on which a particular p osition of an LFSR dep ends. Due to the concentrations of the feedback taps of the LFSRs R and 1 R to the rightof the inputs to the ma jority function, the input p ositions to 2 this function and the last p ositions of these LFSRs dep end on very few initial state variables after every initialization. The cardinalities of the dep endencies of these p ositions will grow much slower than in the case when the feedback taps are not concentrated at the ends R . Thus, the total cardinalities of the 3 dep endencies for the LFSR R and R can b e very small and the probability 1 2 that the newly added equation will be linearly dep endent on the others can b ecome very close to one. Let AX = B be a linear system over GF2, where A =[a ] , i;j i=1;:::;m;j =1;:::;n 0 X = [x ] , and B = [b ] . Denote by A the extended matrix of i i i=1;:::;n i=1;:::;m 0 the system. Let us transform the matrix A into the trap ezoidal form using 0 the Gauss algorithm. Denote the state of the matrix A after the p erforming 0 0 0 . Thus, A = A . Let us de ne of the k -th set of such transformations by A 0 k the matrix P =[p ] in the following way: p =1, p =0; at i;j 0 0 i;i i;j;i6=j i;j =1;:::;m 0 the k -th step of the transformation, if i-th and j -th rows of the matrix A are k interchanged or summed, so are the resp ectiverows of P . In suchaway, the k nonzero elements of the i-th row of the matrix P , i =1;:::;m at the k -th step k of the transformation, p oint to the ordinal numb ers of the rows of the original 0 , on which the i-th row of the matrix A linearly dep ends. system A k 0 0 Let A b e the extended matrix of the system AX = B in its trap ezoidal form m 0 and supp ose that the rank of this system is r A = m. Let us add the new m equation WX = Z to the system, where W =[w ] , and Z =[z ]. Let i 1 i=1;:::;n 3 denote the op eration of adding a row to a matrix. Apply the pro cess of transformation to the trap ezoidal form to the new system CX = D, where C = A W =[c ] and D = B Z =[d ] . Supp ose m i;j m i i=1;:::;m+1 i=1;:::;m+1;j =1;:::;n 0 =1. r C =m and denote by q the biggest row index for which p m+1 q;m+1 m+1 0 If q = m + 1 and z is known, then c = 0 and 1 m+1 q;n+1 m X : 2 z = b p 1 i m+1 q;i i=1 0 If q = m + 1 and z is not known, we can guess z and transform the matrix C 1 1 0 in the same wayasif z were known. Since r C =m, for the correct value 1 m+1 0 of z , c must b e zero. Thus, in this case, z is also given by 2. 1 1 m+1 q;n+1 If q<m+ 1 and z is known, then the following relation will obviously hold: 1 m X 0 z = c + b p : 3 1 i m+1 m+1 q;i q;n+1 i=1 But if q<m+ 1 and z is not known, the relation 3 will still hold, but the 1 calculated value for z can b e incorrect. 1 The degenerate cases when q<m+ 1 will b e rare [4]. To guess the bits that cannot b e reconstructed, the runs of these cases should b e short. Exp eriments p erformed on a great numb er of frames show that approximately 70 of these runs are of length less than 10. The attack on the A5/2 consists of the following ma jor steps: Input: 4 frames of the output sequence and their corresp onding frame numb ers; frame numb ers of the output sequence frames to b e reconstructed; threshold T chosen according to the actual bit error ratio in the channel; Output: reconstructed frames of the output sequence, except of the bits that corresp ond to the degenerate cases and to the linearly indep endent equations.