Time–Memory Trade-Off Attack on the GSM A5/1 Stream Cipher Using Commodity GPGPU
Time–memory trade-off (TMTO) cryptanalysis is a powerful technique for breaking a variety of security systems in practice. There are four main general TMTO cryptanalysis methods, namely Hellman table cryptanalysis, rainbow table cryptanalysis, thin rainbow table cryptanalysis and thick rainbow table cryptanalysis, plus a few supplementary techniques, such as distinguished points, that can be combined with a general method to produce possibly distinct TMTOs. In this paper, we present a unified TMTO cryptanalysis based on a unified rainbow table, which we call unified rainbow table cryptanalysis; we then describe its general combination with distinguished points, and finally apply unified rainbow table cryptanalysis to the A5/1 stream cipher used in the Global System for Mobile Communications (GSM). On a general-purpose graphics processing unit (GPGPU) computer with 3 NVIDIA GeForce GTX690 cards that cost about 15,000 United States dollars in total, we generated a unified rainbow table of 984 GB in about 55 days, and implemented a unified rainbow table attack that had an online attack time of 9 s with a success probability of 34 % (or 56 %) when using 4 (respectively, 8) known keystreams (each 114 bits long). If two such tables of 984 GB were generated, the attack would have an online attack time of 9 s with a success probability of 81 % when using 8 known keystreams. These practical results show again that A5/1 is now rather insecure in practice and that GSM should no longer use it.
Keywords: Time–memory trade-off; Hellman table cryptanalysis; Rainbow table cryptanalysis; Stream cipher; A5/1; GPGPU
This work resulted from an industry project on rainbow table cryptanalysis of the A5/1 stream cipher. The authors are very grateful to Wun-She Yap and Chee Hoo Yian for their participation in the early stage of the project, in particular, in the implementation of the A5/1 stream cipher.