A Hardware-Assisted Realtime Attack on A5/2 Without Precomputations

  • Andrey Bogdanov
  • Thomas Eisenbarth
  • Andy Rupp
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4727)


A5/2 is a synchronous stream cipher that is used for protecting GSM communication. Recently, some powerful attacks [2,5] on A5/2 have been proposed. In this contribution we enhance the ciphertext-only attack [2] by Barkan, Biham, and Keller by designing special-purpose hardware for generating and solving the required systems of linear equations. For realizing the LSE solver component, we use an approach recently introduced in [5,6] describing a parallelized hardware implementation of the Gauss-Jordan algorithm. Our hardware-only attacker immediately recovers the initial secret state of A5/2 - which is sufficient for decrypting all frames of a session - using a few ciphertext frames without any precomputations and memory. More precisely, in contrast to [2] our hardware architecture directly attacks the GSM speech channel (TCH/FS and TCH/EFS). It requires 16 ciphertext frames and completes the attack in about 1 second. With minor changes also input from other GSM channels (e.g., SDCCH/8) can be used to mount the attack.


A5/2 GSM SMITH special-purpose hardware cryptanalysis linear systems of equations Gaussian elimination 


  1. 1.
    Barkan, E., Biham, E.: Conditional estimatores: An Effective Attack on A5/1. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Barkan, E., Biham, E., Keller, N.: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communications. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729. Springer, Heidelberg (2003)Google Scholar
  3. 3.
    Biham, E., Dunkelman, O.: Cryptanalysis of the A5/1 GSM Stream Cipher. In: Roy, B., Okamoto, E. (eds.) INDOCRYPT 2000. LNCS, vol. 1977. Springer, Heidelberg (2000)Google Scholar
  4. 4.
    Biryukov, A., Shamir, A., Wagner, D.: Real Time Cryptanalysis of A5/1 on a PC. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Bogdanov, A., Mertens, M., Paar, C., Pelzl, J., Rupp, A.: A Parallel Hardware Architecture for fast Gaussian Elimination over GF(2). In: Proc. of FCCM 2006, pp. 237–248. IEEE Computer Society Press, Los Alamitos (2006)Google Scholar
  6. 6.
    Bogdanov, A., Mertens, M., Paar, C., Pelzl, J., Rupp, A.: SMITH - a Parallel Hardware Architecture for fast Gaussian Elimination over GF(2). In: Workshop on Special-purpose Hardware for Attacking Cryptographic Systems (SHARCS 2006), Conference Records (2006)Google Scholar
  7. 7.
    Briceno, M., Goldberg, I., Wagner, D.: A Pedagogical Implementation of the GSM A5/1 and A5/2 ”voice privacy” Encryption Algorithms (1999),
  8. 8.
    Intel Corporation: Intel Unveils World’s Best Processor. Press Release (July 27, 2006)Google Scholar
  9. 9.
    Ekdahl, P., Johansson, T.: Another Attack on A5/1. IEEE Transactions on Information Theory 49(1), 284–289 (2003)zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    Goldberg, I., Wagner, D., Green, L.: The Real-Time Cryptanalysis of A5/2. In: Presented at the Rump Session of Crypto 1999 (1999)Google Scholar
  11. 11.
    Golic, J.: Cryptanalysis of Alleged A5 Stream Cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997)Google Scholar
  12. 12.
    Hochet, B., Quintin, P., Robert, Y.: Systolic Gaussian Elimination Over GF(p) with Partial Pivoting. IEEE Trans. Comput. 38(9), 1321–1324 (1989)CrossRefMathSciNetGoogle Scholar
  13. 13.
    European Telecommunications Standards Institute: Digital Cellular Telecommunications System (Phase 2+); Channel Coding (GSM 05.03 Version 8.5.1 Release 1999) (1999),
  14. 14.
    Maximov, A., Johansson, T., Babbage, S.: An Improved Correlation Attack on A5/1. In: Handschuh, H., Hasan, M.A. (eds.) SAC 2004. LNCS, vol. 3357, pp. 239–255. Springer, Heidelberg (2004)Google Scholar
  15. 15.
    Petrovic, S., Fuster-Sabater, A.: Cryptanalysis of the A5/2 Algorithm. IACR ePrint Report 200/52 (2000),
  16. 16.
    Pornin, T., Stern, J.: Software-hardware Trade-offs: Application to A5/1 Cryptanalysis. In: Paar, C., Koç, Ç.K. (eds.) CHES 2000. LNCS, vol. 1965, pp. 318–327. Springer, Heidelberg (2000)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Andrey Bogdanov
    • 1
  • Thomas Eisenbarth
    • 1
  • Andy Rupp
    • 1
  1. 1.Horst-Görtz Institute for IT-Security, Ruhr-University BochumGermany

Personalised recommendations