A Hardware-Assisted Realtime Attack on A5/2 Without Precomputations

Andrey Bogdanov, Thomas Eisenbarth, Andy Rupp


A5/2 is a synchronous stream cipher that is used for protecting GSM communication. Recently, some powerful attacks [2,5] on A5/2 have been proposed. In this contribution we enhance the ciphertext-only attack [2] by Barkan, Biham, and Keller by designing special-purpose hardware for generating and solving the required systems of linear equations. For realizing the LSE solver component, we use an approach recently introduced in [5,6] describing a parallelized hardware implementation of the Gauss-Jordan algorithm. Our hardware-only attacker immediately recovers the initial secret state of A5/2 - which is sufficient for decrypting all frames of a session - using a few ciphertext frames without any precomputations and memory. More precisely, in contrast to [2] our hardware architecture directly attacks the GSM speech channel (TCH/FS and TCH/EFS). It requires 16 ciphertext frames and completes the attack in about 1 second. With minor changes also input from other GSM channels (e.g., SDCCH/8) can be used to mount the attack.
Original languageEnglish
Title of host publicationCryptographic Hardware and Embedded Systems - CHES 2007
EditorsPascal Paillier, Ingrid Verbauwhede
Number of pages19
Place of PublicationBerlin, Heidelberg
PublisherSpringer Berlin Heidelberg
Publication date09.2007
ISBN (Print)978-3-540-74734-5
ISBN (Electronic)978-3-540-74735-2
Publication statusPublished - 09.2007
Event9th International Workshop on Cryptographic Hardware and Embedded Systems - Vienna, Austria
Duration: 10.09.200713.09.2007


Dive into the research topics of 'A Hardware-Assisted Realtime Attack on A5/2 Without Precomputations'. Together they form a unique fingerprint.

Cite this