Cryptoppt

CONTENTS OVERVIEW Keystream Generation Instant Ciphertext only Attack on A5/1-Barkan ,Biham Instant Ciphertext only
CRYPTANALYSIS OF A5/1
Submitted by:
Meenakshi Tripathi(113350005)
Guide: Prof. Saravanan Vijayakumaran
Electrical Engineering
Indian Institute of Technology Bombay
Mumbai-400076
Meenakshi Tripathi IIT Bombay

CONTENTS
Overview Of A5/1 GSM Cipher
1 LFSR(Linear Feedback Shift Register)
2 A5/1 Description
Man in the middle Attack: Barkan,Biham
Time Memory Tradeoﬀ: Golic
Real Time cryptanalysis on PC: Biryukov, Shamir, Wagner
Correlation Attack: Ekdahl and Johansson
Comparison
References

LFSR of A5/1
The LFSR Structure used in GSM is as shown.
Figure: LFSR of A5/1

A5/1 Description
LFSR
number
Length
in bits
Feedback Poly-
nomial
Clocking
Bit
Tapped Bits
1 19 x19 + x18 + x17
+ x14 + 1
8 13, 16, 17, 18
2 22 x22 + x21 + 1 10 20, 21
3 23 x23 + x22 + x21
+ x8 + 1
10 7, 20, 21, 22

Steps for Key Generation
All 3 registers are zeroed.
64 cycles (regular clocking): R[0] = R[0] ⊗ Kc [i]
22 cycles (regular clocking): R[0] = R[0] ⊗ Fc [i].
100 cycles (majority rule clocking), output discarded.
228 cycles (majority rule clocking) to produce the output bit
sequence.

Keystream Generation
Figure: LFSR of A5/1Meenakshi Tripathi IIT Bombay

Instant Ciphertext only Attack on A5/1
Based on ﬂaw in GSM Protocol- same key for A5/1, A5/2 and
GPRS.
Attack on A5/1 by three attacks-
Man-in the middle attack -attacker impersonates as
network to the user and as user to the network.
Classmark attack-By changing the classmark bit information
sent by the mobile by Man-in the middle attack.
Impersonating the network for a short radio session with
the mobile.

Instant Ciphertext only Attack on A5/1
The Attack has 3 main steps-
1 Known plaintext attack on A5/2-to recover the initial key.
Algebraic in nature.By solving an overdeﬁned system of
quadratic equations.
2 Improving Plaintext attack to Cipher-text only
attack-Based on fact that GSM employs ECC before
encrytion.
3 Active attack on A5/1- Leveraging of attack on A5/2 to an
active attack on A5/1.

Structure of A5/2
A5/2 is much weaker cipher, used as base for man in the
middle attack on A5/1
A5/2 has 4 LFSRs -R1, R2, R3 and R4 of length 19, 22, 23, 17.
R4 Controls the clocking of the other three registers with bits
R4[3], R4[7] and R4[10].
Output is: XOR of majority output of 3 registers and the
MSB of each register.
One bit of each register is forced to be 1 after initialisation.

LFSR of A5/2
The LFSR Structure of A5/2 is as
shown.maj(a, b, c) = a.b + b.c + c.a

Known plaintext attack on A5/2
Total no of equations required -R1- 18 variables and
(17 ∗ 18)/2 = 153 quadratic terms. R2 21 + (21 ∗ 20)/2 = 220
and R3 22 + (22 ∗ 21)/2 = 253, in all 655 variables.
61 variables form the initial state of R1, R2 and R3.
Each frame gives 114 equations and few such frames can give
655 equations.
Frame number diﬀers in just one bit - formulate the required
no of equations i.t.o initial state of one frame say Vf .

Steps to Determine Initial State
All the 216 possible values of R4 are tried and for each the
system of equations is solved to get the internal state of
R1,R2 and R3.
R4 known, so the number of times a register needs to be
clocked to produce the output bit known.
216 − 1 wrong states are identiﬁed by inconsistencies in Gauss
elimination.
Result is veriﬁed by trial encryptions.

Optimise
Optimise - using pre-computed system of equations for each
value of R4.
For a given R4 value store the LD rows by Gauss elimination.
Check in the data for the same and discard R4 values which
dont have the same LD rows.

Cryptanalysis of alleged A5 Stream cipher-Golic
Based on solving system of linear equations.
Guess n clock controlling bits from each of the LFSR (3n
equations)
4n/3 clocking sequence on average known hence 4n/3
equations of registers content.
First O/P bit = parity of MSB of 3 LFSR , therefore 1 more
equation obtained.
Max possible n=10, hence 30+40/3+1 = 44.33 equations
known.

Cryptanalysis of alleged A5 Stream cipher-Golic
Build a tree with valid options corresponding to 3 inputs to
majority clock control function.
5 branches per node so on avg. 2.5 valid options for each
path.
By exhaustive search, on average consider 1/2 of the values to
get the remaining bits .
Initial state s[0] from s[101] by guessing the number of 1’s in
the clocking sequence.
Check the state by generating s[101] again.

Time-memory Tradeoﬀ -Golic
Known plaintext case- each sequence gives 102, 64 bit
blocks(228 bits).
K frames give 102 K keystream blocks.
M 64-bit initial states stored in a table, sorted w.r.t. output
bits produced.
Precomputation time O(M) required for sorting is MlogM
approx. M

By B’Day paradox the probability of atleast one of the 102 K
keystream blocks in the sample to coincide with one of the
output block in the table-
102.K.M > 263.32.
Time T to ﬁnd the keystream block be 102.K then TMTO is
possible if
T.M > 263.32 and T < 102.222.

Real Time cryptanalysis of A51 on PC - Biryukov, Shamir , Wagner
Real Time cryptanalysis of A51 on PC
Disk access is time consuming-So store only Special states on
disk which produce output bits with a particular pattern alpha
of length k=16
States which produce the output sequence starting with given
alpha are easily generated.

During precomputation store (prefix, state) pair in sorted
order for subset of chosen states.
Total number of states which generate this alpha as output
prefix is - 264 ∗ 2−16 = 248.
Search Output for the occurence of output prefixes in all
partially overlapping prefixs.
In a frame bit positions 1 to 177 are taken to get sufficiently
long prefix of say 35 bits after alpha.

Red State - the states which produce the output bits starting
with alpha. R is approx 248.
Green State - the states which produce the output bits with
alpha anywhere in between 101 to 277 bits. G is 177 ∗ 248.
Weight W (s) of tree with root as red state is deﬁned as the
number of green states in its belt.

Trees of Red and Green states
Figure: LFSR of A5/1Meenakshi Tripathi IIT Bombay

Red states are kept on the disk and the collision with their
preﬁxes is checked for.
Green states contain alpha and can act as the initial state in
that frame.
Store only heavy trees and discard the parasitic red states by
comparing the sequence produced with the output beyond
occurence of alpha -reduced candidate states.
Further reduction by using the exact depth of occurence of
alpha.

Basic Correlation Attack
Known Plaintext Attack- N bits known from m frames.
Independent of length of LFSRs
Depends on number of clockings before O/P generated.
Exploits bad key initialisation-key and frame counter initialised
in linear fashion.
Breaks A5/1 in 5 few minutes with 2-5 min of plaintext.

Notation
ui
t = si
t + ¯f i
t , t ≥ 0.
P(s1
76 + s2
76 + s3
76 = Oj
(76,76,76,1)) =
P(assumption correct) ∗ 1 + P(assumption not correct) ∗ 1/2.
Generalising over m frames gives one bit of information one
bit of Information.

Steps of Attack
Calculate probability of clocking (cl1, cl2, cl3) in v:th position.
Consider an interval I for v, where probability of occurrence of
v is non-zero.
Enhance estimate by generalising the value of linear
combination using m frames.
Finally estimate the LinearCombination of keybits with simple
Hard Decision.
One interval of 8 bits eg (79, 80, 81, .., 86) gives
8 + 8 + 8 = 24 bit information of key K. Consider 3 such
sub-intervals to get 72 bits more than needed i.e. 64.

Comparison of Various Attacks
Attack Type Pre
compu-
tation
Analysis
Com-
plexity
Data
Com-
plexity
Memory
Complexi
Golic [1] TMTO 235.65 227.67 228.8 862 GB
Barkan,Biham
[4]
Man
in the
middle
Nil 247 Ciphertext
only
M = 228.8
Biryukov,
Shamir [3]
TMTO 248 2 minutes 214.7 146 GB
Biham,
Dulkelman[2]
TMTO 238 239.91 220.8 32 GB

References
J. Golic. Cryptanalysis of Alleged A5 Stream Cipher.
Biham and Dunkelman. Cryptanalysis of the A5/1 GSM
Stream Cipher.
Biryukov,Shamir, and Wagner. Real Time Cryptanalysis of
A5/1 on a PC.
Barkan, Biham, and Keller. Instant Ciphertext-Only
Cryptanalysis of GSM Encrypted Commu- nications.
Ekdahl and Johansson. Another Attack on A5/1.
Maximov, Johansson, and Babbage. An Improved Correlation
Attack on A5/1.
Barkan and Biham. Conditional Estimators: An eﬀective
Attack on A5/1.
Wikipedia-http://www.wikipedia.org.

Thank You

Cryptoppt

More Related Content

What's hot

Viewers also liked

Similar to Cryptoppt

More from Meenakshi Tripathi

Recently uploaded

Cryptoppt