A real-time inversion attack on the GMR-2 cipher used in the satellite phones

  • Jiao Hu
  • Ruilin Li
  • Chaojing Tang
Research Paper


The GMR-2 cipher is a stream cipher currently used in some Inmarsat satellite phones. It has been shown that this cipher can be broken using only a single frame (15 bytes) of known keystream, but with moderate execution time. In this paper, we present a new thorough security analysis of the GMR-2 cipher. We first study the inverse properties of the cipher's components to reveal the poor one-way character of the cipher. By then introducing a new concept called "valid key chain" according to the cipher's key schedule, we propose an unprecedented real-time inversion attack using a single-frame keystream. This attack comprises three phases: (1) table generation; (2) dynamic table look-up, filtration and combination; and (3) verification. Our analysis shows that, using the proposed attack, the size of the exhaustive search space for the 64-bit encryption key can be reduced to approximately 2^13 when a single-frame keystream is available. Compared with previously known attacks, this inversion attack is much more efficient. Finally, the proposed attack is carried out on a 3.3-GHz PC, and the experimental results demonstrate that the 64-bit encryption key can be recovered in approximately 0.02 s on average.


Keywords: satellite phone, stream cipher, GMR-2, cryptanalysis, inversion attack



The authors wish to thank the anonymous reviewers for their valuable suggestions and comments, which greatly improved the presentation and quality of the current paper. The work in this paper was supported by the National Natural Science Foundation of China (Grant Nos. 61402515, 61672530).



Copyright information

© Science China Press and Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. College of Electronic Science, National University of Defense Technology, Changsha, China
