1. CONTENTS OVERVIEW Keystream Generation Instant Ciphertext only Attack on A5/1-Barkan ,Biham Instant Ciphertext only
CRYPTANALYSIS OF A5/1
Submitted by:
Meenakshi Tripathi(113350005)
Guide: Prof. Saravanan Vijayakumaran
Electrical Engineering
Indian Institute of Technology Bombay
Mumbai-400076
Meenakshi Tripathi IIT Bombay
CONTENTS
Overview Of A5/1 GSM Cipher
1 LFSR(Linear Feedback Shift Register)
2 A5/1 Description
Man in the middle Attack: Barkan,Biham
Time Memory Tradeoff: Golic
Real Time cryptanalysis on PC: Biryukov, Shamir, Wagner
Correlation Attack: Ekdahl and Johansson
Comparison
References
LFSR of A5/1
The LFSR Structure used in GSM is as shown.
Figure: LFSR of A5/1
Steps for Key Generation
All 3 registers are zeroed.
64 cycles (regular clocking): R[0] = R[0] ⊕ Kc[i]
22 cycles (regular clocking): R[0] = R[0] ⊕ Fc[i]
100 cycles (majority rule clocking), output discarded.
228 cycles (majority rule clocking) to produce the output bit sequence.
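The key-generation steps above as an added Python example (not part of the original slides). The tap and clocking-bit positions are the standard published A5/1 values, which the slides give only as a figure; loading Kc and Fc least-significant bit first and the sample key are assumptions. The loading phase is kept as its own function because it is purely linear over GF(2), so XORing two (key, frame) pairs XORs the loaded states.

```python
# (length, feedback taps, clocking bit) for R1, R2, R3; bit 0 receives feedback.
# Standard published A5/1 parameters (assumption: the slides show them only in a figure).
REGS = [(19, (18, 17, 16, 13), 8),
        (22, (21, 20), 10),
        (23, (22, 21, 20, 7), 10)]

def _shift(reg, idx):
    """Clock one LFSR once: feedback is the XOR of its taps, shifted in at bit 0."""
    length, taps, _ = REGS[idx]
    fb = 0
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << length) - 1)) | fb

def _majority_clock(state):
    """Clock only the registers whose clocking bit agrees with the majority."""
    bits = [(r >> REGS[i][2]) & 1 for i, r in enumerate(state)]
    maj = 1 if sum(bits) >= 2 else 0
    return [_shift(r, i) if bits[i] == maj else r for i, r in enumerate(state)]

def load_key_and_frame(kc, fc):
    """Zero the registers, then 64 + 22 regular clockings with R[0] ^= bit."""
    state = [0, 0, 0]
    for value, nbits in ((kc, 64), (fc, 22)):
        for i in range(nbits):
            bit = (value >> i) & 1  # assumption: least-significant bit first
            state = [_shift(r, j) ^ bit for j, r in enumerate(state)]
    return state

def keystream(kc, fc, nbits=228):
    """100 discarded majority clockings, then nbits output bits."""
    state = load_key_and_frame(kc, fc)
    for _ in range(100):
        state = _majority_clock(state)
    out = []
    for _ in range(nbits):
        state = _majority_clock(state)
        # Output bit = XOR of the most significant bit of each register.
        out.append(sum((r >> (REGS[i][0] - 1)) & 1 for i, r in enumerate(state)) & 1)
    return out

if __name__ == "__main__":
    KC, FC = 0x0123456789ABCDEF, 0x134  # constructed sample key and frame number
    print("".join(map(str, keystream(KC, FC)[:32])))
```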
Keystream Generation
Figure: LFSR of A5/1
Instant Ciphertext only Attack on A5/1
Based on a flaw in the GSM protocol: the same key is used for A5/1, A5/2 and GPRS.
A5/1 is attacked in three ways:
Man-in-the-middle attack: the attacker impersonates the network to the user and the user to the network.
Classmark attack: the man in the middle changes the classmark bit information sent by the mobile.
Impersonating the network for a short radio session with the mobile.
The attack has 3 main steps:
1 Known plaintext attack on A5/2 to recover the initial key. Algebraic in nature: it solves an overdefined system of quadratic equations.
2 Improving the known plaintext attack to a ciphertext-only attack, based on the fact that GSM employs ECC before encryption.
3 Active attack on A5/1: leveraging the attack on A5/2 into an active attack on A5/1.
Structure of A5/2
A5/2 is a much weaker cipher, used as the base for the man-in-the-middle attack on A5/1.
A5/2 has 4 LFSRs, R1, R2, R3 and R4, of length 19, 22, 23 and 17.
R4 controls the clocking of the other three registers with bits R4[3], R4[7] and R4[10].
Output is the XOR of the majority output of the 3 registers and the MSB of each register.
One bit of each register is forced to be 1 after initialisation.
LFSR of A5/2
The LFSR structure of A5/2 is as shown.
maj(a, b, c) = a.b + b.c + c.a
Known plaintext attack on A5/2
Total number of equations required: R1 has 18 variables and (17 ∗ 18)/2 = 153 quadratic terms, R2 has 21 + (21 ∗ 20)/2 = 231 and R3 has 22 + (22 ∗ 21)/2 = 253, in all 655 variables.
61 variables form the initial state of R1, R2 and R3.
Each frame gives 114 equations, and a few such frames can give 655 equations.
Frame numbers differ in just one bit, so the required number of equations can be formulated in terms of the initial state of one frame, say Vf.
Steps to Determine Initial State
All the $2^{16}$ possible values of R4 are tried, and for each the system of equations is solved to get the internal state of R1, R2 and R3.
Since R4 is known, the number of times each register needs to be clocked to produce an output bit is known.
$2^{16} - 1$ wrong states are identified by inconsistencies in Gauss elimination.
The result is verified by trial encryptions.
Optimise
Optimise by using a pre-computed system of equations for each value of R4.
For a given R4 value, store the LD (linearly dependent) rows found by Gauss elimination.
Check the data for the same dependencies and discard R4 values which don't have the same LD rows.
Cryptanalysis of alleged A5 Stream cipher-Golic
Based on solving a system of linear equations.
Guess n clock-controlling bits from each of the LFSRs (3n equations).
On average 4n/3 of the clocking sequence is known, hence 4n/3 equations on the register contents.
First output bit = parity of the MSBs of the 3 LFSRs, therefore 1 more equation is obtained.
Max possible n = 10, hence 30 + 40/3 + 1 = 44.33 equations known.
Build a tree with the valid options corresponding to the 3 inputs to the majority clock control function.
5 branches per node, so on average 2.5 valid options for each path.
By exhaustive search, on average 1/2 of the values are considered to get the remaining bits.
The initial state s[0] is obtained from s[101] by guessing the number of 1's in the clocking sequence.
Check the state by generating s[101] again.
Time-memory Tradeoff -Golic
Known plaintext case: each sequence (228 bits) gives 102 64-bit blocks.
K frames give 102 K keystream blocks.
M 64-bit initial states are stored in a table, sorted w.r.t. the output bits produced.
Precomputation time is O(M): the M log M required for sorting is approximately M.
By the birthday paradox, the condition for at least one of the 102 K keystream blocks in the sample to coincide with one of the output blocks in the table is
$102 \cdot K \cdot M > 2^{63.32}$.
Let the time T to find the keystream block be 102 K; then TMTO is possible if
$T \cdot M > 2^{63.32}$ and $T < 102 \cdot 2^{22}$.
Real Time cryptanalysis of A5/1 on PC - Biryukov, Shamir, Wagner
Disk access is time consuming, so only special states are stored on disk: those which produce output bits with a particular pattern alpha of length k = 16.
States which produce an output sequence starting with a given alpha are easily generated.
During precomputation, store (prefix, state) pairs in sorted order for a subset of chosen states.
The total number of states which generate this alpha as output prefix is $2^{64} \cdot 2^{-16} = 2^{48}$.
Search the output for occurrences of the output prefixes in all partially overlapping prefixes.
In a frame, bit positions 1 to 177 are taken to get a sufficiently long prefix of, say, 35 bits after alpha.
Red state: a state which produces output bits starting with alpha. R is approximately $2^{48}$.
Green state: a state which produces output bits with alpha anywhere between bits 101 and 277. G is $177 \cdot 2^{48}$.
The weight W(s) of a tree with a red state as root is defined as the number of green states in its belt.
Trees of Red and Green states
Figure: LFSR of A5/1
Red states are kept on the disk and collisions with their prefixes are checked for.
Green states contain alpha and can act as the initial state in that frame.
Store only heavy trees, and discard the parasitic red states by comparing the sequence produced with the output beyond the occurrence of alpha, which reduces the candidate states.
Further reduction by using the exact depth of occurrence of alpha.
Basic Correlation Attack
Known plaintext attack: N bits known from m frames.
Independent of the length of the LFSRs.
Depends on the number of clockings before output is generated.
Exploits bad key initialisation: key and frame counter are initialised in a linear fashion.
Breaks A5/1 in a few minutes with 2-5 min of plaintext.
Notation
$u^i_t = s^i_t + \bar{f}^i_t, \quad t \ge 0.$
$P(s^1_{76} + s^2_{76} + s^3_{76} = O^j_{(76,76,76,1)}) = P(\text{assumption correct}) \cdot 1 + P(\text{assumption not correct}) \cdot 1/2.$
Generalising over m frames gives one bit of information.
Steps of Attack
Calculate the probability of clocking (cl1, cl2, cl3) in the v:th position.
Consider an interval I for v, where the probability of occurrence of v is non-zero.
Enhance the estimate by generalising the value of the linear combination using m frames.
Finally, estimate the linear combination of key bits with a simple hard decision.
One interval of 8 bits, e.g. (79, 80, 81, .., 86), gives 8 + 8 + 8 = 24 bits of information about the key K. Consider 3 such sub-intervals to get 72 bits, more than the 64 needed.
Comparison of Various Attacks
| Attack | Type | Precomputation | Analysis Complexity | Data Complexity | Memory Complexity |
|---|---|---|---|---|---|
| Golic [1] | TMTO | $2^{35.65}$ | $2^{27.67}$ | $2^{28.8}$ | 862 GB |
| Barkan, Biham [4] | Man in the middle | Nil | $2^{47}$ | Ciphertext only | M = $2^{28.8}$ |
| Biryukov, Shamir [3] | TMTO | $2^{48}$ | 2 minutes | $2^{14.7}$ | 146 GB |
| Biham, Dunkelman [2] | TMTO | $2^{38}$ | $2^{39.91}$ | $2^{20.8}$ | 32 GB |
References
[1] J. Golic. Cryptanalysis of Alleged A5 Stream Cipher.
[2] Biham and Dunkelman. Cryptanalysis of the A5/1 GSM Stream Cipher.
[3] Biryukov, Shamir, and Wagner. Real Time Cryptanalysis of A5/1 on a PC.
[4] Barkan, Biham, and Keller. Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communications.
[5] Ekdahl and Johansson. Another Attack on A5/1.
[6] Maximov, Johansson, and Babbage. An Improved Correlation Attack on A5/1.
[7] Barkan and Biham. Conditional Estimators: An effective Attack on A5/1.
[8] Wikipedia - http://www.wikipedia.org.