AN IMPROVEMENT TO A CORRELATION ATTACK ON A5/1 H. Nikoonia, F. Amin, A. H. Jahangir Computer Engineering Department, Sharif University of Technology

Outline

Introduction
Attacks
    Time-memory trade-off
    Guess-and-determine
    Correlation Attacks
A brief description of A5/1
Correlation Attack on A5/1
The New Method
Conclusions
References

Introduction

Over a billion customers world-wide own a GSM cell-phone.

The privacy of conversation in GSM standard is protected by A5/1 or A5/2.

A5/2 proved to be insecure [4].

The design of A5/1 and A5/2 was kept secret until 1999, when the exact design of A5/1 and A5/2 was reverse engineered by Briceno [7].

Attacks

Guess-and-determine
Time-memory trade-off
Correlation Attacks

The first attack on A5/1 was proposed by Golic [5].

Biryukov, Shamir and Wagner proposed attacks that in some scenarios find the key in less than a second [6].

Correlation Attacks

Ekdahl and Johansson proposed the first correlation attack on A5/1 [1].

Requires 10,000 to 70,000 known frames.

Success rate of 2 to 76%.

Maximov, Johansson and Babbage improved the previous attack [2].

Requires 2,000 to 10,000 known frames.

Success rate of 5 to 99%.

In [3], Barkan and Biham proposed “Conditional Estimators”.

They discovered some weaknesses of R2.

Requires 1,500 to 2,000 known frames.

Success rate of 91%.

They also present a new source of known keystream.

Advantages of Correlation Attacks

Require no long-term storage.

No preprocessing.

They are immune to transmission errors [3].

A Brief Description of A5/1

228-bit frames.

64-bit key.

22-bit frame number.

LFSRs of size 19, 22, 23 bits.

Irregular clocking.

Each LFSR is clocked with probability 3/4.

Initialization Process

Step 1:

LFSRs are initialized to zero.

They are clocked regularly 64 times, and the key bits are XOR-ed into the feedback of each LFSR in parallel.

Then the registers are clocked another 22 times, again regularly, and each bit of the frame number is XOR-ed into the feedback of each register.

Let us call the value of LFSRs at this moment the “initial state”.

Step 2:

LFSRs are clocked 100 times with irregular clocking.

But this step does not produce any output.

Step 3:

LFSRs are clocked 228 times with irregular clocking.

The output of this step is used as keystream.

Correlation attack on A5/1

The output of R1 after $i$ regular clockings:

$U_i^1$: key $K$, frame number $j$
$S_i^1$: key $K$, frame number 0
$F_i^1$: key 0, frame number $j$

$F_i^2$, $S_i^2$, $U_i^2$, $F_i^3$, $S_i^3$ and $U_i^3$ are defined in a similar way for R2 and R3.

$(U_0^1, U_1^1, \ldots, U_{18}^1)$ describes the initial state of R1.
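
Added example, not part of the original slides: step 1 of the initialization is linear over GF(2), so for every register the regular-clocking output under (K, j) equals the XOR of the outputs under (K, 0) and (0, j); the same block also confirms the 3/4 clocking probability. The feedback taps and the majority clocking rule come from the public reference description of A5/1, not from the slides, and the key bit order, KEY and FRAME are assumptions made for the demonstration.

```python
from fractions import Fraction
from itertools import product

# Register length and feedback taps from the public reference description
# of A5/1 (the slides give only the lengths 19, 22, 23).
REGS = {"R1": (19, (13, 16, 17, 18)),
        "R2": (22, (20, 21)),
        "R3": (23, (7, 20, 21, 22))}

def clock(state, length, taps, inject=0):
    """One regular clock: shift, feed back XOR of taps plus an injected bit."""
    fb = inject
    for t in taps:
        fb ^= (state >> t) & 1
    return ((state << 1) | fb) & ((1 << length) - 1)

def initial_state(key, frame):
    """Step 1: 64 regular clocks with key bits, 22 with frame-number bits."""
    states = {}
    for name, (length, taps) in REGS.items():
        s = 0
        for i in range(64):
            s = clock(s, length, taps, (key >> i) & 1)  # bit order: assumption
        for i in range(22):
            s = clock(s, length, taps, (frame >> i) & 1)
        states[name] = s
    return states

def regular_output(state, name, n):
    """Bits U_0..U_{n-1} of one register: its output under n regular clocks."""
    length, taps = REGS[name]
    bits = []
    for _ in range(n):
        bits.append((state >> (length - 1)) & 1)
        state = clock(state, length, taps)
    return bits

def linearity_holds(key, frame, n=64):
    """Check U_i = S_i XOR F_i for every register and every i < n."""
    u, s, f = (initial_state(key, frame), initial_state(key, 0),
               initial_state(0, frame))
    return all(regular_output(u[r], r, n) ==
               [a ^ b for a, b in zip(regular_output(s[r], r, n),
                                      regular_output(f[r], r, n))]
               for r in REGS)

def clocking_fraction():
    """Share of clocking-bit patterns in which R1 moves under majority rule."""
    moved = sum(c1 == (c1 + c2 + c3 >= 2)
                for c1, c2, c3 in product((0, 1), repeat=3))
    return Fraction(moved, 8)

KEY, FRAME = 0x0123456789ABCDEF, 0x134  # constructed sample values
```

Because the frame number is public, the F sequences are known for every frame, which is why keystream from many frames can be related to the same S sequences.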

The “bad property”: the key and the frame number are combined linearly to form the initial state.

We can write:

Let us call the output $Z_1$ to $Z_{228}$.

It holds with probability $P(cl_1, cl_2, cl_3, i+100)$.

What we want is the formula below for different values of $cl_1$, $cl_2$, $cl_3$.

We will recover the initial state of R1, R2 and R3 with them.

It is nonzero for an interval of size 18 to 47.

A “received word”

A guess.

A configuration defines intervals for the $cl_i$s.

Decoding this word is done by exhaustive search.

For each interval, the 1000 results with the closest Hamming distance to the received word are stored.

Results from different intervals are joined to make final candidates.

These candidates are then checked for validity.

Overlapped intervals are used to reduce the number of final candidates.

The New Method

The attack proposed by Ekdahl and Johansson in [1], with 65536 frames and the 8/3 configuration, has a success rate of 32%.

This means that 32% of final candidates describe the initial state completely.

But we observe that there are some cases in which 2 LFSRs have been guessed correctly but not the other one.

Doing an exhaustive search over $2^{19}$ to $2^{23}$ states is practical.

Observation

Success Rate with Our Method

The New Method

If we do an exhaustive search on R2 for each final candidate, we are adding a search space of $2^{22}$ states to the original attack.

Searching this search space for each candidate and validating the result takes about 12.5 seconds on our simulation machine.

But we don’t have to examine all candidates.

There are some candidates that have the same R1 and R3 but different R2 (51% to 81%).

Additional Time

Conclusion

Our method increases the success rate of the attack by an additional 16% in some cases.

It adds some hours to the original attack time.

This time could be reduced by reducing the number of final candidates.

References