A real-time inversion attack on the GMR-2 cipher used in the satellite phones
- 30 Downloads
The GMR-2 cipher is a type of stream cipher currently being used in some inmarsat satellite phones. It has been proven that such a cipher can be cracked using only one single-frame (15 bytes) known keystream but with moderate executing time. In this paper, we present a new thorough security analysis of the GMR-2 cipher. We first study the inverse properties of the cipher’s components to reveal a bad one-way character of the cipher. By then introducing a new concept called “valid key chain” according to the cipher’s key schedule, we propose an unprecedented real-time inversion attack using a single-frame keystream. This attack comprises three phases: (1) table generation; (2) dynamic table look-up, filtration and combination; and (3) verification. Our analysis shows that, using the proposed attack, the size of the exhaustive search space for the 64-bit encryption key can be reduced to approximately 213 when a single-frame keystream is available. Compared with previous known attacks, this inversion attack is much more efficient. Finally, the proposed attack is carried out on a 3.3-GHz PC, and the experimental results thus obtained demonstrate that the 64-bit encryption-key could be recovered in approximately 0.02 s on average.
Keywordssatellite phone stream cipher GMR-2 cryptanalysis inversion attack
The authors wish to thank the anonymous reviewers for their valuable suggestions and comments, which greatly improve the presentation and quality of the current paper. This work in this paper was supported by National Nature Science Foundation of China (Grant Nos. 61402515, 61672530).
- 1.ETSI TS. GEO-Mobile Radio Interface Specifications. 2001Google Scholar
- 2.Biryukov A, Shamir A, Wagner D. Real time cryptanalysis of A5/1 on a PC. In: Proceedings of the 7th International Workshop on Fast Software Encryption. Berlin: Springer, 2000. 1–18Google Scholar
- 3.Dunkelman O, Keller N, Shamir A. A practical-time attack on the A5/3 cryptosystem used in third generation GSM telephony. In: Proceedings of Annual Cryptology Conference, Santa Barbara, 2010. 393–410Google Scholar
- 5.Li L, Liu X H,Wang Z, et al. An improved attack on clock-controlled shift registers based on hardware implementation. Sci China Inf Sci, 2013, 56: 112107Google Scholar
- 6.Wu H J, Huang T, Nguyen P H, et al. Differential attacks against stream cipher ZUC. In: Proceedings of the 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, 2012. 262–277Google Scholar
- 7.Zhang B, Xu C, Meier W. Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of SNOW 2.0. In: Proceedings of Annual Cryptology Conference, Santa Barbara, 2015. 643–662Google Scholar
- 9.Driessen B, Hund R, Willems C, et al. Don’t trust satellite phones: a security analysis of two satphone standards. In: Proceedings of IEEE Symposium on Security and Privacy (SP), Oakland, 2012. 128–142Google Scholar
- 12.Bogdanov A, Eisenbarth T, Rupp A. A hardware assisted real-time attack on A5/2 without precomputations. In: Proceedings of the 9th International Workshop on Cryptographic Hardware and Embedded Systems, Vienna, 2007. 394–412Google Scholar
- 13.Li R L, Li H, Li C, et al. A low data complexity attack on the GMR-2 cipher used in the satellite phones. In: Proceedings of International Workshop on Fast Software Encryption, Singapore, 2013. 485–501Google Scholar
- 15.Golic J D, Clark A, Dawson E. Inversion attack and branching. In: Proceedings of Australasian Conference on Information Security and Privacy, Wollongong, 1999. 99–102Google Scholar