Title: A5/1 A GSM stream cipher algorithm
1 A5/1: A GSM stream cipher algorithm
2 Outline
- Introduction
- History
- A5/1 ciphering
- Overall
- LFSRs
- How it works
- Evaluation
- Security and Computation
- Attacks
- Future Variants
- Final Words
3 Introduction
- A5/1
  - A stream cipher providing over-the-air communication privacy in GSM
  - Released with A5/2; one of the two is mandatory in the GSM standards
  - A5/2 is deliberately weakened due to export restrictions on encryption technology during the Cold War
  - A5/1 is used in the US and Europe, while A5/2 is used in other countries
  - Implemented very efficiently in hardware
4 History
- Developed in 1987; the method was initially kept secret
- The general design was leaked in 1994
- The algorithm was entirely reverse engineered by Briceno in 1999 from a mobile phone
- In 2000, around 130 million GSM users
- Nowadays, 3.5 billion of the world's 4.3 billion wireless connections use GSM (A5/1 or A5/2)
5 A5/1 Algorithm
- Frames in GSM
- Keys in A5/1
- Linear Feedback Shift Registers
- How it works
6 A5/1 and frames
- GSM phone conversations are sent as sequences of frames
- One 228-bit frame is sent every 4.6 milliseconds: 114 bits for the communication in each direction
- A5/1 produces 228 bits to XOR with the plaintext in each frame
7 Keys in A5/1
- Initialized using a 64-bit key (Kc) combined with a publicly known 22-bit frame number (Fn)
- In some GSM implementations, 10 key bits are fixed at zero, so the effective key length is 54 bits
Figure: key derivation; RAND (128 bit) and Ki (128 bit) are fed into A8, which outputs Kc (64 bit)
9 LFSR structure
Figure: register cells b1 b2 b3 b4 ... bn-1 bn; the tapped cells go through the feedback function (XOR) to produce the new value shifted in at one end, while the output is taken from the other end
- A5/1 is based on Linear Feedback Shift Registers (LFSRs)
- Purpose: to produce a pseudo-random bit sequence
- Consists of two parts
  - shift register (bit sequence)
  - feedback function
- Tap sequence
  - the bits that are input to the feedback function
10 LFSR Features
- LFSR period: the length of the output sequence before it starts repeating itself
- An n-bit LFSR can be in 2^n - 1 internal states
  - so the maximal period is also 2^n - 1
- The tap sequence determines the period
  - the polynomial formed by the tap sequence plus 1 must be a primitive polynomial (mod 2)
11 LFSR Example
- Example
  - x^12 + x^6 + x^4 + x + 1 corresponds to an LFSR of length 12
Figure: 12-cell register b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12
12 A5/1 LFSRs
- Consists of 3 LFSRs of different lengths
  - 19 bits
    - x^18 + x^17 + x^16 + x^13 + 1
    - clock bit 8
    - tapped bits 13, 16, 17, 18
  - 22 bits
    - x^21 + x^20 + 1
    - clock bit 10
    - tapped bits 20, 21
  - 23 bits
    - x^22 + x^21 + x^20 + x^7 + 1
    - clock bit 10
    - tapped bits 7, 20, 21, 22
13 A5/1 Operation
- All 3 registers are zeroed
- 64 cycles (without the stop/go clock)
  - each bit of Kc (LSB to MSB) is XORed in parallel into the LSBs of the registers
- 22 cycles (without the stop/go clock)
  - each bit of Fn (LSB to MSB) is XORed in parallel into the LSBs of the registers
- 100 cycles with the stop/go clock control, discarding the output
- 228 cycles with the stop/go clock control, which produce the output bit sequence
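The initialization schedule above, together with the register lengths, tapped bits and clock bits from the "A5/1 LFSRs" slide and the maximal-period claim from the "LFSR Features" slide, carried out as a runnable keystream generator. This is an added example, not code from the deck. Several conventions are assumed because the slides do not state them: the stop/go control is the standard majority rule over the three clock bits, the newest bit of each register sits at position 0, the output bit is the XOR of the three oldest bits, key bytes are loaded least-significant bit first, and the test vector is the one shipped with the public A5/1 reference implementation by Briceno, Goldberg and Wagner. `lfsr_period` is a brute-force period check that goes beyond the A5/1 case to any LFSR whose oldest bit is tapped.

```python
# A5/1 keystream generator (added example; conventions assumed as described in the lead-in).

# Register masks for the 19-, 22- and 23-bit registers.
R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1

# Tapped bits as bit masks (bit 0 = newest bit, bit n-1 = oldest bit).
R1_TAPS = (1 << 13) | (1 << 16) | (1 << 17) | (1 << 18)
R2_TAPS = (1 << 20) | (1 << 21)
R3_TAPS = (1 << 7) | (1 << 20) | (1 << 21) | (1 << 22)

# Clock (stop/go control) bit positions: 8, 10 and 10.
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def clock_one(reg: int, mask: int, taps: int) -> int:
    """One LFSR step: XOR the tapped bits, shift left, feed the result in at bit 0."""
    return ((reg << 1) & mask) | parity(reg & taps)


def lfsr_period(n: int, taps: int) -> int:
    """Period of an n-bit LFSR with these taps, by brute force from state 1.
    Requires the oldest bit (n-1) to be tapped, so the state can never fall to zero."""
    mask = (1 << n) - 1
    state, steps = clock_one(1, mask, taps), 1
    while state != 1:
        state, steps = clock_one(state, mask, taps), steps + 1
    return steps


class A51:
    def __init__(self, key: bytes, frame: int):
        assert len(key) == 8 and 0 <= frame < (1 << 22)
        self.r1 = self.r2 = self.r3 = 0                 # all 3 registers zeroed
        for i in range(64):                             # 64 cycles without stop/go
            self._clock_all()
            self._xor_in((key[i // 8] >> (i % 8)) & 1)  # Kc bit i (LSB first) into each bit 0
        for i in range(22):                             # 22 cycles without stop/go
            self._clock_all()
            self._xor_in((frame >> i) & 1)              # Fn bit i (LSB first) into each bit 0
        for _ in range(100):                            # 100 stop/go cycles, output discarded
            self._clock_majority()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = clock_one(self.r1, R1_MASK, R1_TAPS)
        self.r2 = clock_one(self.r2, R2_MASK, R2_TAPS)
        self.r3 = clock_one(self.r3, R3_MASK, R3_TAPS)

    def _clock_majority(self) -> None:
        """Stop/go control (assumed majority rule): a register moves only if its clock bit agrees with the majority."""
        c1, c2, c3 = (self.r1 >> R1_CLK) & 1, (self.r2 >> R2_CLK) & 1, (self.r3 >> R3_CLK) & 1
        maj = (c1 & c2) | (c1 & c3) | (c2 & c3)
        if c1 == maj:
            self.r1 = clock_one(self.r1, R1_MASK, R1_TAPS)
        if c2 == maj:
            self.r2 = clock_one(self.r2, R2_MASK, R2_TAPS)
        if c3 == maj:
            self.r3 = clock_one(self.r3, R3_MASK, R3_TAPS)

    def keystream_bits(self, n: int = 228) -> list:
        """n output bits, each the XOR of the oldest bit of every register."""
        out = []
        for _ in range(n):
            self._clock_majority()
            out.append(((self.r1 >> 18) & 1) ^ ((self.r2 >> 21) & 1) ^ ((self.r3 >> 22) & 1))
        return out


def pack_msb_first(bits: list) -> bytes:
    """Pack bits into bytes, MSB first; a partial last byte is zero-padded at the bottom."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - i % 8)
    return bytes(out)


def frame_keystream(key: bytes, frame: int):
    """The 228 keystream bits of one frame, split into the two 114-bit directions (15 bytes each)."""
    ks = A51(key, frame).keystream_bits(228)
    return pack_msb_first(ks[:114]), pack_msb_first(ks[114:])


# Test vector of the public reference implementation (assumed; not given on the slides).
REF_KEY = bytes.fromhex("1223456789abcdef")
REF_FRAME = 0x134
REF_A_TO_B = bytes.fromhex("534eaa582fe8151ab6e1855a728c00")
REF_B_TO_A = bytes.fromhex("24fd35a35d5fb6526d32f906df1ac0")


def reference_vector_matches() -> bool:
    return frame_keystream(REF_KEY, REF_FRAME) == (REF_A_TO_B, REF_B_TO_A)


if __name__ == "__main__":
    print("reference vector ok:", reference_vector_matches())
    print("period of the 19-bit register:", lfsr_period(19, R1_TAPS), "(2^19 - 1 =", (1 << 19) - 1, ")")
```

Note that the "stop/go" steps and the "always clock" steps differ only in whether the majority test is applied; the same `clock_one` step serves both, and the period check on the 19-bit register confirms the slide's point that a primitive feedback polynomial gives the maximal period 2^n - 1.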
14 A5/1 working example
Figure (animation; only the register contents are recoverable):
R1 = 1 0 1 1 1 1 0 1 1 0 1 0 1 1 0 1 0 1 0 (19 bits, clock bit C1 = bit 8)
R2 = 1 0 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 1 1 0 0 1 (22 bits, clock bit C2 = bit 10, tapped bits 21, 20)
R3 = 1 0 1 0 1 0 1 0 0 1 1 0 1 1 1 0 1 1 0 0 1 0 1 (23 bits, clock bit C3 = bit 10)
The clock control uses C1, C2 and C3 to decide which registers shift in each cycle
15 Security of A5/1
- Since the algorithm leaked, many cryptanalysis works have been performed
  - Known-plaintext attacks
  - Attacks directly on the GSM networks
16 Known-plaintext Attacks
| Who | Year | Attack Type | Pre-Proc. Steps | Available Data | Storage | Attack Time |
| Golic | 1997 | Solving linear eqns. | - | - | - | 2^40.16 (to solve eqns.) |
| Biryukov et al. | 2000 | Time-memory trade-off | 2^48 | 2 mins. | 300 GB | 1 second |
| Biryukov et al. | 2000 | Random subgraph | 2^48 | 2 secs. | 300 GB | Several mins. |
| Biham et al. | 2000 | - | 2^38 | 2^20.8 bits | 32 GB | 2^39.91 clockings |
| Ekdahl et al. | 2003 | Initialization | No | 2-5 mins. | No | Few mins. |
| Maximov et al. | 2004 | Improved Ekdahl et al. | No | A few secs. | - | Less than 1 min |
17 Attacks on A5/1 as used in GSM
- Barkan et al. 2003: break A5/2; an attack on A5/1 is only outlined, since it needs a large amount of precomputation
- 2007: Copacobana project, a parallel FPGA-based crypto accelerator; the 1st commercially available solution
- 2008: The Hackers Choice, 3 TB lookup tables (not released), 3-5 minutes of cracking
- 2009: A5/1 cracking project, GPGPUs in a P2P manner (40 nodes); the tables were constructed in 3 months and published in Dec. 2009
18 Future variants
- 3GPP project
  - A5/3 (Kasumi)
  - Stronger version of A5, for use in 3G networks
  - Block cipher (not a stream cipher like the other A5 versions)
  - The design is public
  - Key length increased
  - Broken before it started to be used
    - 2^26 plaintext/ciphertext pairs
    - 1 GB storage
    - 2^32 time complexity
19 Final words
- A5/1 and its variants fall short in security
- Modifying GSM for better security needs great investment, and the GSM Association is not willing to make it
- The security community strongly advocates a properly secure algorithm
20 Thanks