Cryptanalysis of the A5/2 Algorithm

An attack on the A5/2 stream cipher algorithm is described, that determines the linear relations among the output sequence bits. The vast majority of the unknown output bits can be reconstructed. The time complexity of the attack is proportional to 2. Introduction: A5 is the stream cipher algorithm used to encrypt the link from the telephone to the base station in the GSM system. According to [1], two versions of A5 exist: A5/1, the 'stronger' version, and A5/2, the 'weaker' version. The attacks on the A5/1, utilizing the birthday paradox, are described in [2, 3]. The attack on the A5/2 presented here is of algebraic nature. The scheme of the A5/2 algorithm is given in the Fig. 1. The LFSR R4 clocks the LFSRs R1; : : : ;R3 in the stop/go manner. The feedback polynomials of the registers are: g1(x) = 1 + x 14 + x + x + x, g2(x) = 1 + x 21 + x, g3(x) = 1 + x 8 + x + x + x, g4(x) = 1 + x 12 + x. The function F is the majority function F (x1; x2; x3) = x1x2 + x1x3 + x2x3. The communication in the GSM system is performed through frames. Each frame consists of 228 bits. For every frame to be enciphered, the initialization procedure takes place, that yields the initial state of the LFSRs on the basis of the 64-bit secret key K and the 22-bit frame number F . During the initialization, the bits of the secret key are rst imposed into all the LFSRs, at every clock pulse, without the stop/go clocking, starting from the LSB of each key byte. Then the bits of the frame number are imposed into all the LFSRs in the Instituto de F sica Aplicada (CSIC), Serrano 144, 28006 Madrid, Spain