An Improved Guess-and-determine Attack on the A5/1 Stream Cipher

In Europe and North America, the most widely used stream cipher to ensure privacy and confidentiality of conversations in GSM mobile phones is the A5/1. In this paper, we present an improved guess-and-determine attack on the A5/1 stream cipher with an average time complexity of $2^{48.5}$, which is much less than any known guess-and-determine attack. The attack has a 100% success rate and requires a small amount of memory. We provide a detailed description of our new attack along with its implementation results.


Introduction
The most widely used stream cipher to ensure privacy and confidentiality of communications in GSM mobile phones in Europe and North America is the A5/1. The A5/1 was developed in 1987 when GSM was not considered for use outside of Europe. The description of the A5/1 was initially kept secret. However, its design was disclosed in 1999 by reverse engineering (Briceno, Goldberg, & Wagner, 1999). The GSM organization later confirmed the disclosed algorithm (Biryukov, Shamir, & Wagner, 2001).

Our Contributions
Broadly speaking, attacks on the A5/1 can be classified into known-plaintext attacks and time-memory trade-off attacks. There are some exceptions to this: for example, Ekdahl and Johansson (2003) produced an attack that exploits bad key initializations in A5/1. Other such examples are the bounded distance decoder (BDD) attack (Krause, 2002) or a ciphertext-only attack by Barkan et al. (2008). However, the BDD attack is clearly exponential in the length of the shift registers. A general criticism of time-memory trade-off attacks is that they are exponentially more expensive, so one can simply increase the register lengths to avoid such attacks.
In this paper, we describe an improved guess-and-determine attack on the A5/1 stream cipher. This attack has an average complexity of $2^{48.5}$ steps, is better than all known guess-and-determine attacks, and expands on a novel idea. Our attack is simple to describe and easy to analyze. Guess-and-determine attacks are of interest for many reasons; the three most important are:
(a) They are easy to implement, much easier than the time-memory trade-off attacks.
(b) They can be efficiently implemented in a parallel programming environment.
(c) They are easy to describe.
Our attack is a known-plaintext attack. It can be briefly described (Note 1) as follows (ref. Figure 1): we assume that the register $R_1$ is full (guessed) with 19 bits and registers $R_2$ and $R_3$ will be filled (determined) sequentially as the attack progresses. At any stage of this attack, $R_1$ is completely filled and $R_2$ and $R_3$ are partially filled. We call these states state candidates. Once all three registers are completely filled, we call that state candidate a complete state candidate. Our attack has a 100% success rate and a low memory requirement. With the knowledge of only 11 bits of the known keystream, the attack algorithm is able to determine a set of complete state candidates which may contain the key. With every additional round of the attack, the number of complete state candidates increases. We provide a detailed description of our new attack along with its implementation in Sections 4 and 5.
The complexity of this attack is about $2^{48.5}$ A5/1 clockings when done in serial, meaning that we go over the guesses of $R_1$ one after another. However, one can easily parallelize this: each thread of computation starts with an independent and different guess. In this case the complexity is substantially reduced. In the extreme situation, when we start with $2^{19}$ threads of computation, the complexity is $2^{29.5}$.
Let us say this upfront: we were unable to do a large-scale industrial-grade implementation of this attack because of resource constraints. We did an implementation, which was not fully optimized. We report some of those results in Table 1.

A Brief Description of the A5/1 Stream Cipher
The A5/1 stream cipher is built from three short linear feedback shift registers (LFSR) of lengths 19, 22 and 23 bits. We denote these by $R_1$, $R_2$ and $R_3$ respectively. The rightmost bit in each register is labeled as bit zero. The tapping bits of $R_1$ are at bit positions 13, 16, 17, 18, of $R_2$ are 20 and 21, and of $R_3$ are 7, 20, 21 and 22 (ref. The A5/1 keystream generator works as follows: First, an initialization phase is run, giving rise to an initial state. Based on this initial state, a warm-up phase is performed. In the keystream production stage the registers are clocked in a stop-and-go fashion using the following majority rule. Each register has a single clocking bit (bit 8 for $R_1$, 10 for $R_2$, and 10 for $R_3$) which decides the clocking pattern for that register. Before each clocking cycle, the clocking bits are observed; they are either 0 or 1. The majority function selects the registers whose clocking bits agree with the majority value, and those registers are clocked. At each step either two or three registers are clocked, and each register has 3/4 probability of moving.
A total of four clocking patterns are possible. They are: where $CB_i$ denotes the clocking bit for register $i$, where $i \in \{1, 2, 3\}$.
After clocking, an output bit is generated from the values of $R_1$, $R_2$, and $R_3$ by XORing their most significant bits, as shown in Equation 1. This XORed bit is called the keystream bit. We denote the full keystream by KS and the $i$-th bit by KS[i]. The keystream is a sequence of these keystream bits indexed by the clocking, where every clock produces a keystream bit. (1)

Known Attacks on the A5/1
This section surveys many known guess-and-determine attacks on the A5/1. A guess-and-determine attack is a known-plaintext attack on a stream cipher, where the attacker knows some bits of the keystream and the remaining bits are determined from the known keystream bits. A known-plaintext attack is an attack model where the attacker has access to both the plaintext and its encrypted ciphertext. This can be used to reveal the keystream used for encrypting the known plaintext to the ciphertext. Guess-and-determine attacks include Anderson's attack (Anderson, 1994), Golic's attack (Golic, 1997), Biham-Dunkelman's attack (Biham & Dunkelman, 2000), Keller-Seitz's attack (Keller & Seitz, 2001) and Gendrullis-Novotny-Rupp's attack (also known as the modified Keller-Seitz attack) (Gendrullis, Novotny, & Rupp, 2008). All these attacks assume that 64 consecutive bits of the keystream are known.

Guess-and-Determine Attacks
The first guess-and-determine attack on the A5/1 was proposed by Anderson (1994). Anderson suggested guessing all bits of registers $R_1$ and $R_2$ and the lower half of register $R_3$ (i.e., 19 + 22 + 11 = 52 bits) to determine the remaining bits of $R_3$ by Equation 1. In the worst case, each of the possible $2^{52}$ state candidates would have to be verified against the known keystream. This attack was not implemented as Biham-Dunkelman's attack and Keller-Seitz's attack had better complexity.
Golic proposed an attack that had a complexity of $2^{40}$; additionally, one has to solve a 64×64 set of linear equations (Golic, 1997). His approach was to guess the lower half of all three registers and determine the remaining bits of the registers with the known keystream by Equation 1. However, each operation in this attack was much more complicated as it was based on finding solutions of a system of linear equations. In practice, Anderson's approach (Anderson, 1994) and Keller-Seitz's (Keller & Seitz, 2001) approach are better than Golic's attack. Pornin and Stern (2000) proposed a software-hardware trade-off attack, which was based on Golic's approach. But in contrast to Golic's approach, they guessed the clocking sequence at the very beginning. The increased assumptions and complexity of the attacks made the actual implementation very difficult and impractical.
The Biham-Dunkelman attack (Biham & Dunkelman, 2000) was expected to be a thousand times faster than Anderson's attack (Biham & Dunkelman, 2000) or Keller-Seitz's attack (Keller & Seitz, 2001). The attack requires $2^{47}$ A5/1 clockings and about $2^{20.8}$ bits of plaintext data, which is equivalent to 2.36 minutes of conversation. The attacker guesses 12 bits from R and determines the remaining bits of registers $R_1$ and $R_2$ by Equation 1 and the known keystream bits. The attack algorithm assumes that register $R_3$ is not clocked (i.e., $R_1$ ) for 10 consecutive rounds. Such an event will occur in one out of $2^{20}$ possible cipher states. The attacker must know the exact location of the information-leaking event where register $R_3$ is not clocked for 10 consecutive rounds. This is a big assumption. Thus, the attacker will need to probe about $2^{20}$ different starting locations by trial-and-error before the event actually occurs. This attack requires a lot of data and precomputation space. Hence this attack is not practical for implementation.
Keller and Seitz designed a new attack (Keller & Seitz, 2001) based on the attack proposed by Anderson. But unlike Anderson's approach, they took into account the asynchronous clocking of the A5/1 stream cipher. According to their algorithm, the attacker guesses registers $R_1$ and $R_2$ completely and determines all bits of register $R_3$ by Equation 1. The attack was divided into two phases: a determination phase, in which a possible state candidate consisting of the three registers of A5/1 after its warm-up phase (Briceno et al., 1999) is generated, and a subsequent post-processing-phase, in which the state candidate is checked for consistency. In the determination phase, the authors try to reduce the complexity of the simple guess-and-determine attack by recognizing early the contradictions that could occur on guessing the clocking bit of $R_3$ such that $R_3$ will not be clocked. Hence, all states arising out of the contradictory guesses neither need to be computed further nor checked afterwards. The authors not only discard the incorrect possibilities for $R_3[22]$ in case of contradiction, but also limit the number of choices to the one of non-clocking $R_3$, when this is possible without any contradiction. This further reduces the complexity. If a case arises where $R_1[8] = R_2[10]$ and $R_3[10]$ has to be guessed, the authors suggest to always consider the case  (Keller & Seitz, 2001), the authors only discard the wrong possibilities for the clocking bit of register $R_3$ which would lead to a contradiction. But if no contradiction exists, they consider both cases: clocking and not clocking of $R_3$. Thus, every possible state candidate is taken into account. This gives us a success probability of 100%. The attacker needs an expected 17.67 clocking rounds to determine a complete state candidate and check it for consistency with the given keystream. The time complexity of the complete attack is $2^{54.02}$.
Besides Golic (1997) and Babbage (1995), Biryukov, Shamir and Wagner (2001) proposed an attack with a complexity of $2^{48}$, which requires about 300 GB storage, where the online phase of the attack can be executed within minutes and has a success probability of 60%. Barkan-Biham-Keller et al. (2008) also proposed another attack along these lines. However, in the precomputation phase of such an attack a huge amount of data needs to be computed and stored. For example, with three minutes of ciphertext available, one needs to precompute about 50 TB of data to achieve a success probability of about 60%. These are practical obstacles that make the implementation of such attacks very difficult.
4. An Improved Guess-and-Determine Attack on the A5/1 Stream Cipher - Our Attack
Our approach is based on the guess-and-determine attack proposed by Anderson (1994), but with novel modifications that make the attack faster. With 64 bits of the keystream known, all bits of register $R_1$ are guessed and all bits of registers $R_2$ and $R_3$ are determined. Eventually, we have about $2^{48.5}$ possible state candidates, which is better than all known guess-and-determine attacks; see Table 2 for details.
The attack consists of two phases, the determination phase and the post-processing phase.The determination phase is again divided into two parts, the processing-phase1 and the processing-phase2.

Determination Phase
We assume that the register $R_1$ is full and the registers $R_2$ and $R_3$ are vacant. We are trying to fill these two registers in this phase with the help of a known keystream. We introduce two counters $t_2$ and $t_3$ and initialize them to 0. Every time register $R_2$ moves we increment the counter $t_2$ by one, and similarly for $R_3$ we increment $t_3$.

Processing-Phase1
Compute the most significant bits of register $R_2$ and register $R_3$ using the MSB of register $R_1$ and KS bit by Equation 1. If the values of three of these bits are known, the fourth can be computed easily by the equation. If $R_2[21]$ and $R_3[22]$ are unknown, then there exist four possible combinations for the unknown bits: 00, 01, 10 and 11. But Equation 1 reduces the number of possibilities to two. The two possible combinations that satisfy the equation are: This reduces the number of possible cases by half and the number of possible state candidates to two. For more details see Figure 2.

Processing-Phase2
Consider the clocking bits of registers $R_2$ and $R_3$. There are three possibilities:
• Since the bit $R_3[7]$ is a feedback bit, we need to take special care of $R_3[7]$. If there is a feedback, i.e., clocking in $R_3$, that bit needs to be full. So after each replication we see whether there will be clocking in the register $R_3$ from the majority function. If there is clocking and $R_3[7]$ is vacant, we duplicate that state candidate and fill 0 in $R_3[7]$ for one, and 1 in the other. Thus, all possible combinations are taken into consideration. Further details are available in Figure 3.
Now consider the bits $R_2[20]$ and $R_3[21]$ and let KS[i] be the known keystream bit for some $i \in \mathbb{N}$. If registers $R_2$ and $R_3$ are clocked, then these bits will become the new MSBs for their respective registers after clocking. If both these bits are vacant, there are four possible combinations for these bits, i.e., 00, 01, 10 and 11. But Equation 4.1 in Figure 3  If only one of these bits is vacant, there are two possibilities for the vacant bit, 0 or 1. But this is reduced to only one possibility. For example, if In this case, only $R_3[21]$ is unknown. This bit can be calculated by the above equation. Here, two possibilities for $R_3[21]$ reduce to only one possibility. This reduces the number of cases by half.
Follow this protocol as long as $t_2 < 10$ or $t_3 < 11$. When this condition is not satisfied, i.e., the first time $t_2 \geq 10$ and $t_3 \geq 11$, stop. At this moment, registers $R_2$ and $R_3$ are completely determined for the known KS and register $R_1$. The number of bits between the clocking bit (CB) and the MSB for register $R_2$ is 10 and for register $R_3$ is 11. Hence, register $R_2$ has to be clocked at least 10 times and register $R_3$ has to be clocked at least 11 times to determine all the bits in those registers.
A complete state candidate is a state candidate with all bits filled. The minimum number of KS bits required to obtain a set of complete state candidates is eleven. This will happen when both registers $R_2$ and $R_3$ are clocked together for 10 consecutive clocking cycles and register $R_3$ is clocked again in the next round.

Post-Processing-Phase
The post-processing-phase checks for the key from the set of complete state candidates obtained after the determination phase. As discussed in Section 4.1, the minimum number of rounds needed to perform the post-processing-phase is 11. The number of complete state candidates increases with every additional round. Hence, the probability of finding the key increases with every additional round.
In this phase, we generate output bits by performing normal A5/1 encryption with each of the complete state candidates obtained from the determination phase. Match these output bits bit-wise with the known KS bits. If the KS bits and output bits match, continue clocking and generating output bits until a contradiction of bit-wise matching occurs. If all the output bits match the given 64 KS bits, that complete state candidate is the key. We have thus found the key among the set of complete state candidates.
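The keystream production stage described earlier (majority clocking, output as the XOR of the three most significant bits) and the post-processing check above can be modelled as follows. This is an added Python example, not the authors' implementation; the function names and the sample state are constructed for illustration, and the feedback bit is shifted in at bit 0 as in the standard A5/1 description.

```python
from itertools import product

# (length, feedback taps, clocking bit) for R1, R2, R3 as given on the page;
# bit 0 is the rightmost bit, the most significant bit is the output bit.
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))


def bit(reg, pos):
    return (reg >> pos) & 1


def majority(a, b, c):
    return (a & b) | (a & c) | (b & c)


def clock_once(state):
    """One stop-and-go cycle: returns (new_state, keystream_bit)."""
    cbs = [bit(r, cb) for r, (_, _, cb) in zip(state, REGS)]
    maj = majority(*cbs)
    new, ks = [], 0
    for r, (length, taps, _), cb in zip(state, REGS, cbs):
        if cb == maj:  # only registers that agree with the majority move
            fb = 0
            for t in taps:
                fb ^= bit(r, t)
            r = ((r << 1) & ((1 << length) - 1)) | fb
        new.append(r)
        ks ^= bit(r, length - 1)  # XOR of the MSBs after clocking
    return tuple(new), ks


def keystream(state, n):
    out = []
    for _ in range(n):
        state, ks = clock_once(state)
        out.append(ks)
    return out


def check_candidate(candidate, known_ks):
    """Post-processing check with early abort.
    Returns (consistent, number of keystream bits matched before stopping)."""
    state = candidate
    for i, expected in enumerate(known_ks):
        state, ks = clock_once(state)
        if ks != expected:
            return False, i
    return True, len(known_ks)


def clocking_patterns():
    """Map each (R1, R2, R3) moved/not-moved pattern to its probability,
    assuming the three clocking bits are uniform and independent."""
    counts = {}
    for cbs in product((0, 1), repeat=3):
        maj = majority(*cbs)
        moved = tuple(int(cb == maj) for cb in cbs)
        counts[moved] = counts.get(moved, 0) + 1
    return {p: c / 8 for p, c in counts.items()}


# Constructed sample data: an arbitrary register state, not real traffic.
TRUE_STATE = (0x5A5A5, 0x2B3C4D, 0x1E2D3C)
KNOWN_KS = keystream(TRUE_STATE, 64)
# Both top bits of R2 flipped: the very first output bit must differ.
EARLY_REJECT = (TRUE_STATE[0], TRUE_STATE[1] ^ (0b11 << 20), TRUE_STATE[2])
# Bit 0 of R3 flipped: it cannot reach the clocking bit (10) before cycle 11,
# so at least the first 10 keystream bits still match.
LATE_REJECT = (TRUE_STATE[0], TRUE_STATE[1], TRUE_STATE[2] ^ 1)

if __name__ == "__main__":
    for name, cand in (("true", TRUE_STATE), ("early", EARLY_REJECT),
                       ("late", LATE_REJECT)):
        print(name, check_candidate(cand, KNOWN_KS))
    print(clocking_patterns())
```

The first wrong candidate is discarded on the first keystream bit, while the second survives at least ten bits, which is why each candidate is clocked until the first contradiction rather than compared on a short fixed prefix.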

Analysis of the Attack
After initialization, we perform the determination phase. At this stage, all bits of register $R_1$ are filled, while registers $R_2$ and $R_3$ are vacant. According to the attack protocol, the determination phase determines the most significant bits of registers $R_2$ and $R_3$ ($R_2[21]$ and $R_3[22]$) in the processing-phase1; the clocking bits of $R_2$ and $R_3$ ($R_2[10]$ and If vacant, MSB of registers $R_2$ and $R_3$ are to be determined. The number of possible combinations reduces from four to two by Equation 1. During the implementation of further rounds, there may be a possibility where only one of the MSB of $R_2$ or $R_3$ is vacant. Theoretically, the number of combinations to fill that vacant bit is two, but Equation 1 reduces that to only one correct possibility.
Processing-phase2 of the determination phase considers four bits: $R_2$ and $R_3[21]$. All these four bits may or may not be vacant at all times. In the following table (Figure 4), we consider all possible cases of these four bits being vacant or full, and the number of maximum possible valid combinations that exist as a result of Equation 1. The last column depicts the percentage of the total possible cases that are discarded due to the attack algorithm compared to an exhaustive search. Now let us consider the bit $R_3[7]$ in register $R_3$, which is part of the feedback bit for the register. If this bit is vacant, there are two possibilities, 0 or 1. We could not eliminate any of these possibilities in our algorithm, so this case is not included in Figure 4.

After the determination phase of our algorithm, if the clocking bit of $R_3$ is vacant, the bit $R_3[21]$ must also be vacant. It is impossible to have a case where the clocking bit of $R_3$ is vacant but bit $R_3[21]$ is filled. This reduces the number of possible valid cases and is denoted in Figure 4 as Not Applicable (NA) cases.
In the determination phase, a total of 7 bits (i.e., $R_2$ ) have to be determined. These 7 bits would have $2^7 = 128$ possible combinations. But the attack algorithm gives only 24 valid possible combinations. This rejects 104 combinations, a saving of 81.25%.
If $R_3[7]$ is not considered, the first round of implementation will always generate 12 state candidates. On average, the second round generates 60 state candidates and the third round generates 300 state candidates. The number of state candidates (up to round 10) can be approximated by the formula $12 \times 5^{n-1}$, where $n$ denotes the number of the round, $1 \leq n < 11$. It is only after the 11th round that we get the first set of complete state candidates. When the bit $R_3[7]$ is taken into consideration, the first round of implementation will always generate 24 state candidates. From round three to round ten, the number of possible state candidates after every round is approximately five times the total number in the previous round.

Discussion
We discuss in detail a probabilistic approach to determine the time complexity and success probability of our new attack. The results of this probabilistic approach are also corroborated by experimental data. According to these results, the average number of rounds necessary to get the key is 15.5 and the average number of complete state candidates obtained after 15.5 rounds is $2^{48.5}$. We conclude this section with a comparison of our attack with other known attacks.

Time Complexity
We now study the time complexity of our algorithm. The work done by this algorithm can be split into the following:
• checking to see if a cell in a register is vacant or full; in this paper we often say that a bit is full or vacant.
• replication of state candidates.
• filling up vacant bits.
It is reasonable to assume that the checking and filling of bits take a negligible amount of time. Hence, we can safely assume that the unit of our time complexity measurement should be the number of replications needed, where one unit of time is one replication. The algorithm starts with registers $R_2$ and $R_3$ vacant and register $R_1$ filled (guessed).
The number of bits between the clocking bit (CB) and the most significant bit for register $R_2$ is 10 and for register $R_3$ is 11. Hence, the number of times the registers $R_2$ and $R_3$ have to be clocked to fill all the bits is at least 10 and 11 respectively. The minimum number of KS bits required to obtain a set of complete state candidates is 11. This will occur when both registers $R_2$ and $R_3$ are clocked together for 10 consecutive clocking cycles and register $R_3$ is clocked again in the following round. For one guess of the register $R_1$, the number of complete state candidates after 11 clocking rounds is approximately $2^{40}$. With every clocking round, the number of complete state candidates increases.
According to the majority function for the clocking rule of the A5/1, a register will get clocked 3 out of 4 times. At every clocking cycle, at least two registers will get clocked. As stated in Section 2, a total of four cases are possible for the clocking patterns of the registers and each is equally likely with a probability of 0.25. Let $n_1$ be the event that exactly one of the registers $R_2$ or $R_3$ is clocked along with $R_1$. Let $n_2$ be the event that both the registers $R_2$ and $R_3$ are clocked. The probability that event $n_i$ occurs is denoted by $P(n_i)$, where $i = 1, 2$. Thus $P(n_i) = 0.5$ for each $i$. Registers $R_2$ and $R_3$ have to be clocked at least 10 and 11 times respectively to determine all bits in those registers.
Let $X$ be the random variable denoting the number of clocking cycles needed to obtain a complete state candidate. Let $x_1$ be the minimum number of clocking cycles needed for event $n_1$ to get a complete state candidate. Let $x_2$ be the number of clocking cycles needed to get a complete state candidate from the event $n_2$. It is easy to see that $x_1 = 21$, $x_2 = 10$. The expectation for this variable $X$ is given by We concluded earlier that the minimum number of clocking cycles necessary to obtain a set of complete state candidates is 11. After 15.5 rounds, there is a very high probability that the set of complete state candidates contains the key. Experimental results show us that after 11 rounds we get about $2^{40}$ complete state candidates. The advantage of this attack is that once we have a set of complete state candidates, we can perform the post-processing-phase separately and simultaneously, independent of the processing-phases of the next round, and save time.

Success Probability
Remark: Our guess-and-determine attack guesses the entries of the register $R_1$ and tries to determine the bits of the registers $R_2$ and $R_3$. Once $R_1$ is fixed we have 19 fixed bits. In Figure 2 and the subsequent text we produced an algorithm to determine these bits. We argued that the number of choices our algorithm makes is at most half the number of choices one would have made if all possible combinations were taken into account. We also showed that one would need, on average, about 15.5 clocking cycles. Now if all the possible choices of $R_2$ and $R_3$ were considered then that would be $2^{45}$ choices. In 15.5 clock cycles we would fill the registers $R_2$ and $R_3$ if all possible choices were made. So the number of choices in our algorithm is $2^{45} \times \frac{1}{2^{15.5}} = 2^{29.5}$. So for each possible choice of the register $R_1$ there are $2^{29.5}$ choices. There are $2^{19}$ choices for the register $R_1$. If one works in serial, one choice for $R_1$ after another, then the total number of A5/1 clockings is $2^{19} \times 2^{29.5} = 2^{48.5}$. It is now clear that this complexity can be substantially reduced by parallelizing this algorithm, where each thread of computation takes on a different choice for $R_1$.

Figure 3. Determination phase of the attack (processing-phase2)
10] and clock register $R_3$ with register $R_1$ and register $R_2$. This leaves out the possible case of $R_1[8] = R_2[10]$ $R_3[10]$. Thus, the success probability of this attack is approximately 18%, and the ratio of the number of state candidates inspected by Keller and Seitz to the number of valid states is $\frac{86}{471} \approx 0.18$. Gendrullis, Novotny and Rupp (2008) (GNR) proposed a modification to the Keller-Seitz attack. Unlike Keller-Seitz

In Table 1, we describe the data obtained from our experiments with this attack. The four columns of the table are: number of clocking rounds, total number of state candidates obtained after that round, total number of complete state candidates obtained, and the percentage of complete state candidates over the total number of state candidates for that particular round. All values of the experimental data in the table are approximated to one decimal place.

Table 2. Comparison of the known attacks on the A5/1