A5/1 A GSM stream cipher algorithm

1
A5/1 A GSM stream cipher algorithm

• Ibrahim Yakut

2
Outline

• Introduction
• History
• A5/1 ciphering
• Overall
• LFSRs
• How it works
• Evaluation
• Security and Computation
• Attacks
• Future Variants
• Final Words

3
Introduction

• A5/1
• A stream cipher providing over-the air
  communication privacy in GSM
• Released with A5/2 and one of them is mandatory
  in GSM standarts
• A5/2 is delibrately weakened due to export
  restrictions on encryption technology during Cold
  War.
• A5/1 is used in US and Europe, while A5/2 in
  other countries.
• Implemented very efficiently on hardware

4
History

• Developed in 1987, method is initally kept secret
• The general design was leaked in 1994
• The algorithms entirely reverse engineered by
  Briceno in 1999 from a mobile phone.
• In 2000, around 130 million of GSM users
• Nowadays, 3.5 billion of the worlds 4.3 billion
  wireless connections use G.S.M( A5/1A5/2).

5
A5/1 Algorithm

• Frames in GSM
• Keys in A5/1
• Linear Feedback Shift Registers
• How it works

6
A5/1 and frames

• GSM phone conversations sequences of frames.
• One 228 bit frame is sent in 4.6 milliseconds
  114 bits for the communication in each direction.
  
• A5/1 produces 228 bits to XOR with the plaintext
  in each frame

7
Keys in A5/1

• Initialized using a 64-bit key (Kc ) combined
  with a publicly-known 22-bit frame number(Fn).
• In some GSM implementations, 10 key bits are
  fixed at zero - effective key length is 54 bits.

RAND (128 bit)
A8
Ki (128 bit)
KC (64 bit)
8
(No Transcript)
9
LFSR structure
b1 b2 b3 b4 ... bn-1 bn
output
new value
Feedback Function XOR

• A5/1 based on Linear Feedback Shift Registers
  LFSRs
• Purpose - to produce pseudo random bit sequence
• Consists of two parts
• shift register bit sequence
• feedback function
• Tap Sequence
• bits that are input to the feedback function

10
LFSR Features

• LFSR Period the length of the output sequence
  before it starts repeating itself.
• n-bit LFSR can be in 2n-1 internal states
• ? the maximal period is also 2n-1
• the tap sequence determines the period
• the polynomial formed by a tap sequence plus 1
  must be a primitive polynomial (mod 2)

11
LFSR Example

• Example
• x12x6x4x1 corresponds to LFSR of length 12

b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12
12
A5/1 LFSRs

• Consists of 3 LFSRs of different lengths
• 19 bits
• x18 x17 x16 x13 1
• clock bit 8
• tapped bits 13, 16, 17, 18
• 22 bits
• x21 x20 1
• clock bit 10
• tapped bits 20, 21
• 23 bits
• x22 x21 x20 x7 1
• clock bit 10
• tapped bits 7, 20, 21, 22

13
A5/1 Operation

• All 3 registers are zeroed
• 64 cycles (without the stop/go clock)
• Each bit of Kc(lsb to msb) is XOR'ed in parallel
  into the lsb's of the registers
• 22 cycles (without the stop/go clock)
• Each bit of Fn (lsb to msb) is XOR'ed in parallel
  into the lsb's of the registers
• 100 cycles with the stop/go clock control,
  discarding the output
• 228 cycles with the stop/go clock control which
  produce the output bit sequence.

14

A5/1 working example
0
0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0
1 0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0
1
1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0 1
0
R1
C1
clock control
21
20
0
1
1 0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1
0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1
1
1
R2
C2
0
1 0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1
0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1
0
R3
C3
15
Security of A5/1

• As leakage from the algorithm many cryptanalysis
  works are performed.
• Known-plaintext attacks
• Directly to the GSM networks

16
Known-plaintext Attacks
Who Year Attack Type Pre-Proc. Steps Available Data Storage Attack Time
Golic 1997 Solving Linear Eqns. 240.16 To solve eqns.
Biryukov et al. 2000 Time-memory trade off 248 2 mins. 300 GB 1 second
Biryukov et al. 2000 Random Subgraph 248 2 secs. 300 GB Several Mins.
Biham et al. 2000 238 220.8 bits 32 GB 239.91 clckings
Ekdahl et al. 2003 No initialization No 2-5 mins. Few mins.
Maximov et al. 2004 Improved Ekdahl et al. No A few secs. Less than 1 min
17
Attacks A5/1 as in GSM

• Barkan et al. 2003 Break A5/2, and A5/1 is
  outlined due to a large amount of precomputation.
• 2007, Copacobana project, parallel FPGA-based
  crypto accelerator. 1st commercially available
  soln.
• 2008, The Hackers Choice, 3 TB lookup tables(not
  released), 3-5 minutes of cracking
• 2009, A5/1 cracking project, GPGPUs via P2P
  manner,(40 nodes), in 3-month the tables are
  constructed and published in Dec. 2009

18
Future variants

• 3GPP project
• A5/3 Kasumi
• Stronger version of A5, for use in 3G networks.
• Block cipher (not stream cipher, like other A5
  versions)
• The design is public.
• key-length increased
• Broken before start to be used
• 226 plaintext/ciphertext
• 1 GB storage
• 232 time complexity

19
Final words

• A5/1 and its variants fall in security
• To modify GSM in security, need great
  investments, GSM association is not willing to
  this.
• Security community greatly advocates the proper
  secure algorithm.

20
Thanks

• Questions?