Two Trivial Attacks on A5/1: A GSM Stream Cipher

Ashish Jain and Narendra S. Chaudhari
Department of Computer Science and Engineering, Indian Institute of Technology Indore, India

ABSTRACT

Stream ciphers play an important role in applications where high throughput is critical and resources are very restricted. For example, in Europe and North America, A5/1 is a widely used stream cipher that ensures the confidentiality of conversations on GSM mobile phones. Because such ciphers are so widely used in practice, careful security analysis of them is very important. The basic building blocks used in the design of A5/1 are linear feedback shift registers (LFSRs). Algebraic attacks are a new and very powerful tool for cryptanalysing LFSR-based stream ciphers, even where non-linear combiners are concerned. In this paper we compare previous attacks on A5/1 and propose an algebraic attack and a new guess-and-determine attack.

1. Introduction

Stream ciphers belong to the class of symmetric key ciphers, which ensure the privacy and confidentiality of secret data over communication channels. In a stream cipher each plaintext digit is encrypted with the corresponding pseudorandom cipher digit (keystream) to give a digit of the ciphertext. In practice, a digit is typically a bit and the combining operation is an "XOR". Typically, stream ciphers depend on a time-varying internal state that uniquely determines the status of the stream cipher. The initial state of the stream cipher is normally determined by the secret key and the public initialization vector; the transition from one state to the next is controlled by a clock. Stream ciphers are commonly classified as synchronous and asynchronous. In synchronous stream ciphers, the next state of the cryptosystem is defined independently of both the plaintext and the ciphertext.
Most stream ciphers are synchronous binary stream ciphers, often constructed using linear feedback shift registers (LFSRs) because these can be easily implemented in hardware and can produce keystream bits at or near the clock speed. Historically, such stream ciphers were developed for use in high data rate systems. Today software-based systems, e.g. block ciphers, are also capable of encrypting at extremely high data rates, but some important applications prefer stream ciphers where resources are restricted and speed and simplicity of implementation in hardware are required, e.g. in secure wireless communication. In general, stream ciphers are much faster than block ciphers and typically require fewer resources for implementation in hardware and software. They have small buffer requirements and limited error propagation, since the symbol size is relatively small and each symbol is processed independently. These properties make stream ciphers most suitable for telecommunication applications such as mobile phone networks.

Because of such widespread applications, security analysis of stream ciphers is very important: a cryptographic design is published and others are invited to attack or cryptanalyse it. Nearly all cryptographic algorithms undergo this process and are carefully examined to establish the practical security of the system. In other words, the goal of cryptanalysis is to find insecurity in a cryptographic scheme, thus permitting its subversion [1]. Typical methods for cryptanalysing stream ciphers are algebraic attacks, tradeoff attacks, correlation attacks, guess-and-determine attacks and statistical distinguishing attacks. The algebraic attack on stream ciphers with linear feedback is a new and very powerful tool, introduced in 2003 by Courtois and Meier [2].
In this research we investigate the algebraic analysis of A5/1 and propose a new guess-and-determine attack whose time complexity is comparably better than that of the previous guess-and-determine attack. Anderson [3], Golic [4] and Babbage [5] were the first to cryptanalyse the A5/1 encryption algorithm, when only a rough outline of A5/1 had been leaked. After 1999, when A5/1 was reverse engineered, it was analysed in [6, 7, 8, 9, 10, 11, 12]. Section 2 presents the basics of algebraic analysis, Section 3 describes the design of A5/1, Section 4 reviews and compares the previous attacks, Section 5 explains the proposed algebraic attack, and Section 6 describes a new guess-and-determine attack, followed by the conclusion and future work in Section 7.

2. Algebraic Analysis Over Finite Field

The general framework for algebraic attacks on stream ciphers, developed by Courtois and Meier [1], is restricted to synchronous binary stream ciphers defined over GF(2) in which there is a state s ∈ GF(2)^n. At each clock t the state s is updated by a "connection function" s → L(s) that is assumed to be linear over GF(2). Then a combiner f is applied to s to produce the output bit b = f(s).

2.1. Framework for Algebraic Analysis

A typical algebraic attack consists of the following four steps [1]:

- Finding a system of algebraic equations that bind the initial state to the keystream that is visible during the attack. An important practical issue is to find as many independent algebraic equations of low degree as there are unknown monomials (for the initial state or secret key).
- Reducing the degree of the equations by determining their annihilators. This is one of the crucial parts of the attack, because the efficiency of the attack depends on the degree of the equations: the smaller the better.
- Collecting enough keystream bits and substituting their values into the equations.
- Finally, solving the system of algebraic equations.

2.2. Our Contribution
In this paper we describe a simple algebraic attack on the A5/1 stream cipher. The limitation of our method is that there is no bound on the degree of the generated equations, which is a crucial part of a fast algebraic attack, as shown in Section 2.1. This improvement to our proposed method, needed for an effective algebraic attack, is considered future work. In Section 6 we also propose a new guess-and-determine attack whose time complexity is comparably better than that of the previous guess-and-determine attack.

3. Description of A5/1 GSM Stream Cipher

A GSM conversation is transmitted as a sequence of frames; every frame is sent in 4.615 milliseconds. Each frame contains 228 bits: 114 bits represent the communication from A to B and the remaining 114 bits represent the return communication. Every frame also carries a 22-bit frame counter Fn, which is publicly known. In GSM a new 64-bit session key k is generated to drive each conversation. The session key followed by the frame counter is used to set the initial state of A5/1.

A5/1 is built from three linear feedback shift registers (LFSRs) of lengths 19, 22 and 23 bits, denoted by R1, R2 and R3 respectively, as shown in Fig. 1. Each of the LFSRs has a primitive feedback polynomial. Each register has a single "clocking" tap (bit 8 for R1, bit 10 for R2, and bit 10 for R3), and the registers are clocked in a stop/go fashion using the majority rule. Note that at each step either two or three registers are clocked, which implies that each register moves with probability 3/4 and stops with probability 1/4.

A5/1 works as follows. First, an initialization step is performed. Initially all LFSRs are set to 0; then all are clocked 64 times regularly, and in parallel the bits of the session key are consecutively XORed into the feedback of each of the registers. In the second step all LFSRs are again clocked 22 times regularly, and the successive bits of the frame counter are XORed in parallel into the feedback of each of the registers.
In this way the initialization phase takes a total of 64 + 22 = 86 clock cycles and results in an initial state Si. In the third step, starting from the initial state Si, a warm-up phase is performed: all LFSRs are clocked irregularly (according to the majority rule) for 100 clock cycles and the output is discarded. The majority rule is a function from n inputs to one output. The value of the operation is true when at least ⌈n/2⌉ arguments are true, and false otherwise. Finally, all LFSRs are clocked irregularly for 228 clock cycles, producing the 228 bits that form the keystream (KS), which is combined with 228 bits of plaintext to generate 228 bits of ciphertext. For details about A5/1 we refer to [8].

[Fig. 1. A5/1 Stream Cipher: registers R1, R2 and R3, the Clock Control Unit, and the Keystream (KS) output]

Register   Clocking bits   Tapping bits
R1         8               13, 16, 17, 18
R2         10              20, 21
R3         10              7, 20, 21, 22

4. Comparisons of Known Attacks on A5/1

In 1994, Anderson [3] proposed a guess-and-determine attack on A5/1, which was the first attack on the alleged design of A5/1. He suggested guessing all bits of registers R1 and R2 and the lower half of register R3, and then determining the remaining bits of R3 by the following equation:

R1[18] XOR R2[21] XOR R3[22] = KS[i]    (1)

In the worst case, each of the 2^52 determined state candidates needs to be verified against the known keystream. Golic [5] proposed an attack that has a set of 2^40 linear equations. His idea was to guess the lower half of all three registers and determine the remaining bits from the known keystream using equation (1), but each operation in this attack is much more complicated, since it is based on the solutions of a system of linear equations.
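The keystream generator of Section 3, with the output bit of equation (1), can be written out as follows. This Python code is an added example, not code from the paper or from [8]; the LSB-first order in which key and frame counter bits are fed in, clocking before each output bit is read, the sample key and frame counter, and all function names are assumptions not stated on this page.

```python
# Added example (not the paper's code): A5/1 as described in Section 3.
LENGTH = (19, 22, 23)                                  # R1, R2, R3 sizes in bits
TAPS = ((13, 16, 17, 18), (20, 21), (7, 20, 21, 22))   # feedback (tapping) bits
CLOCK_BIT = (8, 10, 10)                                # clocking taps
OUT_BIT = (18, 21, 22)                                 # output bits, equation (1)

def shift(reg, idx, inbit=0):
    """Clock register idx once; inbit is XORed into the feedback bit."""
    fb = inbit
    for t in TAPS[idx]:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << LENGTH[idx]) - 1)) | fb

def clock_regular(regs, inbit):
    """Clock all three registers, mixing one key/frame bit into each."""
    return [shift(r, i, inbit) for i, r in enumerate(regs)]

def clock_majority(regs):
    """Stop/go clocking: only registers agreeing with the majority move."""
    c = [(r >> CLOCK_BIT[i]) & 1 for i, r in enumerate(regs)]
    maj = 1 if sum(c) >= 2 else 0
    return [shift(r, i) if c[i] == maj else r for i, r in enumerate(regs)]

def a51_keystream(key: bytes, frame: int):
    """Return (A->B bits, B->A bits), 114 bits each, for one frame."""
    if len(key) != 8 or not 0 <= frame < (1 << 22):
        raise ValueError("need a 64-bit key and a 22-bit frame counter")
    regs = [0, 0, 0]
    for i in range(64):        # assumption: key bits fed LSB-first per byte
        regs = clock_regular(regs, (key[i // 8] >> (i & 7)) & 1)
    for i in range(22):        # assumption: frame counter fed LSB-first
        regs = clock_regular(regs, (frame >> i) & 1)
    for _ in range(100):       # warm-up phase, output discarded
        regs = clock_majority(regs)
    bits = []
    for _ in range(228):       # assumption: clock first, then read output
        regs = clock_majority(regs)
        bits.append(sum((r >> OUT_BIT[i]) & 1 for i, r in enumerate(regs)) & 1)
    return bits[:114], bits[114:]

def pack(bits):
    """Pack bits MSB-first into bytes (last byte zero-padded)."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - (i & 7))
    return bytes(out)

if __name__ == "__main__":
    key = bytes.fromhex("1223456789abcdef")   # constructed sample key
    a2b, b2a = a51_keystream(key, 0x134)      # constructed frame counter
    print(pack(a2b).hex(), pack(b2a).hex())
```

Because the frame counter is public and the state after the 86 regular clocks is a linear function of key and counter, the whole secret of a frame lies in the 64 state bits that the attacks in Section 4 guess or solve for.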