Time–Memory Trade-Off Attack on the GSM A5/1 Stream Cipher Using Commodity GPGPU

(Extended Abstract)
  • Jiqiang LuEmail author
  • Zhen Li
  • Matt Henricksen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9092)


Time–memory trade-off (TMTO) cryptanalysis is a powerful technique for practically breaking a variety of security systems in reality. There are mainly four general TMTO cryptanalysis methods, namely Hellman table cryptanalysis, rainbow table cryptanalysis, thin rainbow table cryptanalysis and thick rainbow table cryptanalysis, plus a few supplementary techniques that can be combined with a general method to produce possibly distinct TMTOs, like distinguished points. In this paper, we present a unified TMTO cryptanalysis, which we call unified rainbow table cryptanalysis, basing it on a unified rainbow table, then we describe its general combination with distinguished points, and finally we apply unified rainbow table cryptanalysis to the A5/1 stream cipher being used in the Global System for Mobile Communications (GSM). On a general-purpose graphics processing unit (GPGPU) computer with 3 NVIDIA GeForce GTX690 cards that cost about 15,000 United States dollars in total, we made a unified rainbow table of 984 GB in about 55 days, and implemented a unified rainbow table attack that had an online attack time of 9 s with a success probability of 34 % (or 56 %) when using 4 (respectively, 8) known keystreams (of 114 bits long each). If two such tables of 984 GB were generated, the attack would have an online attack time of 9 s with a success probability of 81 % when using 8 known keystreams. The practical results show again that nowadays A5/1 is rather insecure in reality and GSM should no longer use it.


Time–memory trade-off Hellman table cryptanalysis Rainbow table cryptanalysis Stream cipher A5/1 GPGPU 



This work resulted from an industry project on rainbow table cryptanalysis of the A5/1 stream cipher. The authors are very grateful to Wun-She Yap and Chee Hoo Yian for their participation in the early stage of the project, in particular, in the implementation of the A5/1 stream cipher.


  1. 1.
  2. 2.
  3. 3.
    Amirazizi, H.R., Hellman, M.E.: Time-memory-processor trade-offs. IEEE Trans. Inf. Theory 34(3), 505–512 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  4. 4.
    Anderson, R.: A5, Newgroup Communication (1994)Google Scholar
  5. 5.
    Anderson, R.: On Fibonacci keystream generators. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 346–352. Springer, Heidelberg (1995)Google Scholar
  6. 6.
    Avoine, G., Junod, P., Oechslin, P.: Characterization and improvement of time-memory trade-off based on perfect tables. ACM Trans. Inf. Syst. Secur. 11(4), 17:1–17:22 (2008)CrossRefGoogle Scholar
  7. 7.
    Barkan, E.: Cryptanalysis of ciphers and protocols. Ph.D. thesis, Technion – Israel Institute of Technology, Israel (2006)Google Scholar
  8. 8.
    Barkan, E., Biham, E.: Conditional estimators: an effective attack on A5/1. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 1–19. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  9. 9.
    Barkan, E., Biham, E., Keller, N.: Instant ciphertext-only cryptanalysis of GSM encrypted communication. J. Cryptology 21(3), 392–429 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Barkan, E., Biham, E., Shamir, A.: Rigorous bounds on cryptanalytic time/memory tradeoffs. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 1–21. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  11. 11.
    Biham, E.: How to decrypt or even substitute DES-encrypted messages in \(2^{28}\) steps. Inf. Process. Lett. 84(3), 117–124 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Biham, E., Dunkelman, O.: Cryptanalysis of the A5/1 GSM stream cipher. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977, pp. 43–51. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  13. 13.
    Biryukov, A., Mukhopadhyay, S., Sarkar, P.: Improved time-memory trade-offs with multiple data. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 110–127. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  14. 14.
    Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000) CrossRefGoogle Scholar
  15. 15.
    Biryukov, A., Shamir, A., Wagner, D.: Real time cryptanalysis of A5/1 on a PC. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 1–18. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  16. 16.
    Briceno, M., Goldberg, I., Wagner, D.: A pedagogical implementation of the GSM A5/1 (1999)Google Scholar
  17. 17.
    De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  18. 18.
    Denning, D.E.: Cryptography and Data Security. Addison-Wesley, Boston (1982) zbMATHGoogle Scholar
  19. 19.
    Golić, J.D.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997) CrossRefGoogle Scholar
  20. 20.
    Ekdahl, P., Johansson, T.: Another attack on A5/1. IEEE Trans. Inf. Theory 49(1), 284–289 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Fiat, A., Naor, M.: Rigorous time/space trade-offs for inverting functions. SIAM J. Comput. 29(3), 790–803 (1999)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Gendrullis, T., Novotný, M., Rupp, A.: A real-world attack breaking A5/1 within hours. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 266–282. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  23. 23.
    Harris, M.: Optimizing cuda. SC07: High Performance Computing With CUDA (2007)Google Scholar
  24. 24.
    Hellman, M.E.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Hong, J.: The cost of false alarms in Hellman and rainbow tradeoffs. Des. Codes Crypt. 57(3), 293–327 (2010)CrossRefzbMATHGoogle Scholar
  26. 26.
    Hong, J., Moon, S.: A comparison of cryptanalytic tradeoff algorithms. J. Crypt. 26(4), 559–637 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Maximov, A., Johansson, T., Babbage, S.: An improved correlation attack on A5/1. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 1–18. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  28. 28.
    Nickolls, J., Buck, I., Garland, M., Skadron, K.: Scalable parallel programming with cuda. Queue 6(2), 40–53 (2008)CrossRefGoogle Scholar
  29. 29.
    Nvidia, C.: Compute unified device architecture programming guide (2007)Google Scholar
  30. 30.
    Nohl, K.: Attacking phone privacy. In: Black Hat USA 2010 Lecture Notes (2010).
  31. 31.
    Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  32. 32.
    Standaert, F.X., Rouvroy, G., Quisquater, J.J., Legat, J.D.: A time-memory tradeoff using distinguished points: new analysis & FPGA results. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 593–609. Springer, Heidelberg (2003) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Infocomm Security DepartmentInstitute for Infocomm Research, Agency for Science, Technology and ResearchSingaporeSingapore

Personalised recommendations