Skip to main content

Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12697)


This paper presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, we show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time \(2^{40}\) GEA-1 evaluations and using 44.5 GiB of memory.

The attack on GEA-1 is based on an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. This unusual pattern indicates that the weakness is intentionally hidden to limit the security level to 40 bit by design.

In contrast, for GEA-2 we did not discover the same intentional weakness. However, using a combination of algebraic techniques and list merging algorithms we are still able to break GEA-2 in time \(2^{45.1}\) GEA-2 evaluations. The main practical hurdle is the required knowledge of 1600 bytes of keystream.


  • GPRS Encryption
  • Stream cipher
  • Algebraic attacks
  • GEA

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-77886-6_6
  • Chapter length: 29 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   109.00
Price excludes VAT (USA)
  • ISBN: 978-3-030-77886-6
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   139.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.


  1. 1.

    Available via and, accessed Oct-06, 2020.

  2. 2.

    See minute 32:15 of the recorded talk.

  3. 3.

    The size of the registers are visible in the live state-recovery attack, see minute 48:25 of the recorded talk.

  4. 4.

    The authors acknowledged Mate Soos for ideas and also admitted that the live attack did not apply the SAT solver yet.

  5. 5.

    The complexity will be measured by the amount of operations that are roughly as complex as GEA-1 evaluations (for generating a keystream of size \(\le 128\) bit).

  6. 6.

    In a brute-force search, the initialization requires at least 195 clocking of the W register per key.


  1. Anderson, R.J.: A5 (was hacking digital phones). Newsgroup Communication (1994). Accessed 4 Mar 2021

  2. Berlekamp, E.R.: Algebraic Coding Theory. McGraw-Hill Series in Systems Science. McGraw-Hill (1968).

  3. Bettale, L., Faugère, J., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 3(3), 177–197 (2009).

    MathSciNet  CrossRef  MATH  Google Scholar 

  4. Biryukov, A., Gong, G., Stinson, D.R. (eds.): SAC 2010. LNCS, vol. 6544. Springer, Heidelberg (2011).

    CrossRef  MATH  Google Scholar 

  5. Blahut, R.E.: Theory and Practice of Error Control Codes. Addison-Wesley, Boston (1983)

    MATH  Google Scholar 

  6. Bogdanov, A., Rechberger, C.: A 3-subset meet-in-the-middle attack: cryptanalysis of the lightweight block cipher KTANTAN. In: Biryukov et al. [4], pp. 229–240.

  7. Bouillaguet, C., et al.: Fast exhaustive search for polynomial systems in \({\mathbb{F}_2}\). In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 203–218. Springer, Heidelberg (2010).

    CrossRef  Google Scholar 

  8. Brookson, C.: GPRS Security (2001). (snapshot of 14 September 2012)

  9. Carlet, C., Crama, Y., Hammer, P.L.: Boolean functions for cryptography and error-correcting codes. In: Crama, Y., Hammer, P.L. (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 257–397. Cambridge University Press (2010).

  10. Dagum, L., Menon, R.: OpenMP: an industry standard API for shared-memory programming. IEEE Comput. Sci. Eng. 5(1), 46–55 (1998)

    CrossRef  Google Scholar 

  11. Tomcsányi, D.P., Weyres, M., Simao, P.: Analysis of EGPRS Ciphering Algorithms used Worldwide. (to appear)

  12. Dunkelman, O., Sekar, G., Preneel, B.: Improved meet-in-the-middle attacks on reduced-round DES. In: Srinathan, K., Rangan, C.P., Yung, M. (eds.) INDOCRYPT 2007. LNCS, vol. 4859, pp. 86–100. Springer, Heidelberg (2007).

    CrossRef  MATH  Google Scholar 

  13. Duval, S., Lallemand, V., Rotella, Y.: Cryptanalysis of the FLIP family of stream ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 457–475. Springer, Heidelberg (2016).

    CrossRef  Google Scholar 

  14. ETSI: ETSI – Coordinated Vulnerability Disclosure. Accessed 4 Mar 2021

  15. ETSI: Security algorithms group of experts (SAGE); report on the specification, evaluation and usage of the GSM GPRS encryption algorithm (GEA). Technical report (1998). Accessed 8 Oct 2020

  16. ETSI: Digital cellular telecommunications system (phase 2+) (GSM); security related network functions (3GPP TS 43.020 version 15.0.0 release 15). Technical Specification (2018). Accessed 8 Oct 2020

  17. GCF: GCF – Global Certification Forum. Accessed 4 Mar 2021

  18. Golić, J.D.: Cryptanalysis of alleged A5 stream cipher. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 239–255. Springer, Heidelberg (1997).

    CrossRef  Google Scholar 

  19. GSMA: GSMA – Coordinated Vulnerability Disclosure Programme. Accessed 4 Mar 2021

  20. Hoffman, K., Kunze, R.A.: Linear Algebra. PHI Learning (2004).

  21. Kalenderi, M., Pnevmatikatos, D.N., Papaefstathiou, I., Manifavas, C.: Breaking the GSM A5/1 cryptography algorithm with rainbow tables and high-end FPGAS. In: Koch, D., Singh, S., Tørresen, J. (eds.) 22nd International Conference on Field Programmable Logic and Applications (FPL), Oslo, Norway, 29–31 August 2012, pp. 747–753. IEEE (2012).

  22. Khovratovich, D., Naya-Plasencia, M., Röck, A., Schläffer, M.: Cryptanalysis of Luffa v2 components. In: Biryukov et al. [4], pp. 388–409.

  23. Koops, B.J.: Crypto law survey (2013). Accessed 8 Oct 2020

  24. Lamberger, M., Mendel, F., Rechberger, C., Rijmen, V., Schläffer, M.: Rebound distinguishers: results on the full whirlpool compression function. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 126–143. Springer, Heidelberg (2009).

    CrossRef  Google Scholar 

  25. Albrecht, M., Bard, G.: The M4RI Library. The M4RI Team (2021). Accessed 4 Mar 2021

  26. Massey, J.L.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969).

    MathSciNet  CrossRef  MATH  Google Scholar 

  27. McFarland, R.L.: A family of difference sets in non-cyclic groups. J. Comb. Theory Ser. A 15(1), 1–10 (1973).

    MathSciNet  CrossRef  MATH  Google Scholar 

  28. MediaTek: Test Vector GEA1/2 – MediaTek-HelioX10-Baseband. Accessed 4 Mar 2021

  29. Nohl, K., Melette, L.: GPRS intercept: Wardriving your country. Chaos Communication Camp (2011). Slides Accessed 8 Oct 2020. Recorded talk Accessed 8 Oct 2020

  30. Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003).

    CrossRef  Google Scholar 

  31. osmocom: osmocom – Cellular Network Infrastructure. Accessed 4 Mar 2021

  32. Rothaus, O.S.: On “bent” functions. J. Comb. Theory Ser. A 20(3), 300–305 (1976).

    CrossRef  MATH  Google Scholar 

  33. Sasaki, Y.: Meet-in-the-middle preimage attacks on AES hashing modes and an application to Whirlpool. In: Joux, A. (ed.) FSE 2011. LNCS, vol. 6733, pp. 378–396. Springer, Heidelberg (2011).

    CrossRef  Google Scholar 

  34. Schneier, B.: Applied Cryptography - Protocols, Algorithms, and Source Code in C, 2nd edn. Wiley (1996).

  35. Schroeppel, R., Shamir, A.: A T=O(2\({}^{\text{ n/2 }}\)), S=O(2\({}^{\text{ n/4 }}\)) algorithm for certain np-complete problems. SIAM J. Comput. 10(3), 456–464 (1981).

    MathSciNet  CrossRef  MATH  Google Scholar 

  36. Siegenthaler, T.: Decrypting a class of stream ciphers using ciphertext only. IEEE Trans. Comput. 34(1), 81–85 (1985).

    CrossRef  Google Scholar 

  37. The Sage Developers: SageMath, the Sage Mathematics Software System (2020).

Download references


This work was supported by the German Research Foundation (DFG) within the framework of the Excellence Strategy of the Federal Government and the States – EXC 2092 CaSa – 39078197, and by French Agence Nationale de la Recherche (ANR), under grant ANR-20-CE48-0017 (project SELECT). Patrick Derbez was supported by the French Agence Nationale de la Recherche through the CryptAudit project under Contract ANR-17-CE39-0003.

Most of all, we give thanks to Dieter Spaar and Harald Welte for their support and contact persons of the osmocom project.

Author information

Authors and Affiliations


Corresponding authors

Correspondence to Christof Beierle , Patrick Derbez , Gregor Leander , Gaëtan Leurent , Håvard Raddum , Yann Rotella , David Rupprecht or Lukas Stennes .

Editor information

Editors and Affiliations


Appendix A Source Code to Compute the Kernels

figure d

Appendix B Source Code to Compute the Dimensions

figure e

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Beierle, C. et al. (2021). Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science(), vol 12697. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77885-9

  • Online ISBN: 978-3-030-77886-6

  • eBook Packages: Computer ScienceComputer Science (R0)