DOI: 10.1007/978-3-030-77886-6_6

Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2

Published: 17 October 2021

Abstract

This paper presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, we show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time $2^{40}$ GEA-1 evaluations and using 44.5 GiB of memory.
The attack on GEA-1 is based on an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. This unusual pattern indicates that the weakness is intentionally hidden to limit the security level to 40 bits by design.
In contrast, for GEA-2 we did not discover the same intentional weakness. However, using a combination of algebraic techniques and list merging algorithms we are still able to break GEA-2 in time $2^{45.1}$ GEA-2 evaluations. The main practical hurdle is the required knowledge of 1600 bytes of keystream.

Published In

Advances in Cryptology – EUROCRYPT 2021: 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, October 17–21, 2021, Proceedings, Part II
Oct 2021
936 pages
ISBN:978-3-030-77885-9
DOI:10.1007/978-3-030-77886-6

Publisher

Springer-Verlag

Berlin, Heidelberg

Author Tags

  1. GPRS Encryption
  2. Stream cipher
  3. Algebraic attacks
  4. GEA
