 Okay, so now last talk in this session is Refined Cryptanalysis of GPRS Cypers, GEA1 and GEA2 by Itai Jinnur and Dor Anja Lake and Itai will present this paper. Very much for the introduction, I hope that you can hear me well. So this talk is about the GEA1 and GEA2 cypers that were used in the GPRS. So GPRS is a mobile data standard, was used to encrypt data, it was widely deployed in the early 2000s and the encryption was used to protect against eavesdropping on the communication and initially GPRS used the two proprietary screen cypers named GEA1 and GEA2. Now at last year at Eurocrate, a very nice paper by eight authors that are given here. So it presented the first public analysis of the cypers GEA1 and GEA2 and in fact this paper actually first disclosed the specification of the cypers. So I'm going to call this paper in short the BDL from now on. So GEA1 and GEA2 both have 64 bit session keys, nevertheless the previous Eurocrate paper described the weakness that allows to recover the session key of GEA1 and time complexity only two to the 40, given roughly 44 gigabytes of memory. Now the attack only required 65 bits of known key stream that can typically be obtained just by knowing some fixed headers. So the attack is kind of practical, it's really practical, it was actually implemented and however it requires kind of a large amount of memory. So the attack is based on the weakness that is believed to be intentional and the weakness is probably due to some export regulations that were in place at the time that the cypher was designed. Now the use of GEA1 was already prohibited back in 2013 but kind of surprisingly BDL noticed that modern mobile phones still supported the Cypher GEA1 and this could actually lead to some downgrade attacks. So it could have an actual impact in practice but this defect is now supposedly fixed by some removing actually verifying that the GEA1 is no longer supported. Now for GEA2, so GEA2 does not have as far as we know a significant weakness as a GEA1, however the authors still described an attack on a cypher with time complexity two to the 45 but the main kind of practical obstacle in this attack is that it requires 12,800 key stream bits, the knowledge of them in order to that are used to encrypt the full JPRS frame. So this attack is kind of, this kind of limits the practicality of this attack and therefore the previous paper also presented the data time trade-off that beats exhausted search but only given at least 1,400 bits of known key stream. So that was the previous paper now let's move to our results. So basically what we do in the paper is describe improved and we find the attack impacts compared to the previous paper. So for GEA1 we reduce the memory complexity by a factor of roughly 8,000 bit more from 44 gigabytes to about four megabytes while the time complexity remains about two to the 40. So we implemented the attack and the attack runs on a standard laptop and roughly two and a half hours. On the other hand the previous paper, previous authors run the attack on a cluster probably due to the high memory complexity. It's not trivial to implement this on a standard laptop, the previous attack of these. So before moving on to GEA2 I want to just stress the motivation in improving this attack. So in the early 2000s high memory complexity such as the previous attack was actually not obvious to implement, especially if you want to run this attack is wrapping to multiple sessions and you want to implement this attack at scale. It's not obvious how to do it. I mean it's not obvious that you need a lot of resources to do it with a lot of memory. Another motivation and I should say this is a general motivation for this work is to better understand the security of Cypher that were at least the ones widely used. So that's for GEA1 and for GEA2 we actually present two attacks. So in this talk I'll only focus on just one attack, the first attack. So we improved the data time trade-offs presented in the previous papers but the improvement is only up to seven, given 7000 bits of consecutive history. That's what we assume about the data complexity. And the techniques that we use, as we will see, are borrowed from techniques for solving cakes or problems. Okay, so first I'll focus on the GEA1 attack. Before describing the attack then let's see how the Cypher actually works. So I'll start by describing the initialization process. So this process takes its input 64-bit session key and 32-bit IV. And first these inputs are used to compute 64-bit scene. It's not very important how it's done. And then in the second step of the initialization, the seed is used to initialize the 96-bit initial state of GEA1, which is composed of three LFSRs, A, B, and C, of sizes 31, 32, and 33 bits. Okay, as you can see here. And the snapping from the seed to a 96-bit state, we will denote it by M and it should be mentioned. I will mention that M is actually a linear function. Okay, so that's the initialization. And after the initialization, the Cypher is ready to produce a key stream or to encrypt. So how do we do this? So before actually describing how to do this, then let's fix some notation. So given some internal state A of this first LFSR, I'm going to denote F A applied to this internal state indexed by an integer tau. It's going to be just a function that computes the next tau output bits from the internal state A understood. And how is it done? Basically, we have tau iterations. And in each iteration, we apply some output function to the internal state. It's not very important what this function is. It just produces the next output bit. Then we clock the LFSR to obtain the next internal state. And we have tau of these iterations that produce the tau output bits. Okay, so now let's understand how the key stream is generated. So basically, the inputs to the key stream generation are the 96-bit of the initial state ABC and a 12,800-bit packet, which we denote by P. And basically, what we do is just produce 12,800 bits of key stream just by XORing the outputs of these three registers. And the ciphertext is just the XOR of the key stream with the plaintext. Okay, of course, you do this bit by bit, but in general, it doesn't really matter. You produce key stream and then you XOR it with the plaintext to output the ciphertext. Okay, so now that we understand how the GA1 works, let's think about how to break it. So the attacker, what we assume is that the attacker obtained 65 bits of known key stream, which we'll denote by Z, for some packet. So how do we obtain this key stream and practice what we need to do is to actually eavesdrop to get the ciphertext. Okay, eavesdrop to the communication. And we also need to assume that we know the corresponding plaintext that was used in the encryption and 65 bits of key stream is not typically difficult to actually guess or know because you can guess it from some known and fixed headers. Okay, and then the key stream is just the XOR of the plaintext and the ciphertext. Okay, so we assume that we have the 65 bit key stream. And now the goal of the attack is to run some state recovery attack and to recover the initial state ABC of the registers. And now, given the initial state, the attacker can actually invert the initialization process of GA1 and obtain the seed used to produce the states. And from this, it can actually go backwards and obtain the session key. I'm not going to describe how to do this. This is actually described in the video paper, but it's kind of simple. Okay, and given the session key, you can actually, by continuing to eavesdrop, you can actually decrypt the full GPR session. So you have all the communication. So now the goal is basically to right to focus here on this, how do we recover the initial state given the key stream. Well, let's see how to do this. And before we see that, let's describe the actual weakness that was used to that was described in this video paper. So the weakness is actually a weakness in the initialization process of GA1 in the second step of this initialization step that maps the 64 bits into a 96 bit state by this mapping M. And specifically, let's focus on the internal states of ANC. So it turns out that the joint internal states of ANC, which are 64 bits, they can actually assume or obtain only two to the 40 values out of the two to the 64 possible values. Okay, so that's kind of interesting. And equivalently, this means that the dimension of the image of this mapping M, this linear mapping, when projected to the registers ANC is only 40 out of 64, which can be readable. Okay, now given this, let's see how to break the cipher more efficiently than just exhaustive search. So in the attack, what we do is we search for internal states A, B and C that actually produce the given key streams as in this equation. And in order to do this, we will split the attack into the equation into two parts. So the right part only contains the internal states B and the left part only contains internal states of ANC. So how does the attack work? We first focus on the right hand side here. And what we're going to do is we're going to build a table, which we call TB for the function FB. And it's done as follows. So for each value of the internal state B, so we have two to the 32 such values, we're going to produce output 65 bits of output. So we're going to store all the all the states and the outputs and some table, which we'll denote by TB. And that's the size of two to the 32. Okay, that's the right hand side and that's we focus on the left hand side. So for each ANC and the image of M projected to ANC, we know that we have only two to the 40 such joint states. And then we compute the left hand side here and we search it in the table TB that we prepared for the right hand side. Okay, basically each match give you a candidate for the internal state. And because we are using 64, five bits here, then essentially you can do some calculation and show that we expect to actually only output the right internal states of this, if everything is done correctly. Okay, so the complexity of this attack is best if you dominated by this second step because we only have two to the 40 joint AC states and the image and the memory complexity is dominated by the stable TV, which is of size to the 32 words or if you do the calculations 44 gigabytes. Now, the goal, of course, our goal in the paper is actually to reduce the space to roughly two to the 19 words or four megabytes. So how do we do this? So here's an additional observation was actually already made in the previous paper. So let's look at the dimension of M of this linear mapping. Of course, it's max a 64 bit seed, so it's only 64. And on the other hand, let's look at the dimension of the image of M projected to AC, which it's 40, the dimension of the image of M projected to be a 32. So they sum up to 72. So you can see that there is a gap here of eight. And this gap basically means that there is a shared subspace between kind of between this and this subspace, both this image of dimension 72 minus 64, which is eight. Okay, and using this kind of shared subspace, you can actually decompose the images of M a B and M a C and to this search subspace. Let's go to be projected. I mean, this search subspace projected to be exhaust some direct sum with some other subspace of smaller dimensional dimension only 24. Okay, you can do a similar thing for M a C. Okay, you can decompose it similarly. And we're going to exploit this actually to reduce the memory was exploited previously in order to obtain more filtering condition for the attack but here we'll use a relatively standard trick to reduce the memory complexity of the attack. How does it work. Basically, we have the shares subspace and in general, if there is a common part between the two sides of the meeting in the middle attack, which is basically the share subspace, then can be used to partition the large meet in the middle attack and to smaller attacks, each of these smaller attacks require a smaller memory, because we kind of can reuse the memory for each attack. So let's see how this is done. So specifically, we have, we'll have an auto loop that iterates over all elements of the shared subspace. And now for the first part of the attack. So, instead of just iterating over all these, we need to iterate now, given the seal, we need to only iterate over the remaining elements of V one, and there are only two to the 24. And for each one of them we compute the internal states, according to kind of this equation of being and then we compute the output and we start in table TV. Of course it's a small table because we're only iterating over this V one space. So the tables only have side to the 24 for each iteration. And so when we do the same thing for the second part of the attack, we need to iterate only over this little space computer joint AC state. Compute the left hand side of the equation search it and TV and so forth. Okay, so that's basically how the, how the improve the attacks. So the complexity here while the time complexity remains the same. We didn't do anything to special to optimize time complexity over the space complexity is reduced to two to the 24. And just because the smaller tables to be here only require to the 24 words, which are the basically the dimension of the one. The memory complexity is now reduced to 256 megabyte roughly. However, if you remember correctly we want to reduce it to four megabytes so we're still missing something. Okay, so how can we reduce the memory further. And the main observation here is to notice that the steps, if you look at this attack the steps are actually not balanced. The first step, it requires relatively small amount of time but the large amount of memory to build this table to be. And the second step requires a relatively large amount of time but the smaller amount of space, so we can try to kind of balance the steps of the attack. So the idea is to use a technique called clamping through pre computation that is typically used to solve to solve in to solve the case or problem. The general idea is as follows we're going to add an additional condition to this loop. Okay, so let's assume that we just fix some five bit string, let's call it t just five bits and just a medical parameter here. We have more loops here but for each for each loop what we do is we're going to store. We're going to store FB we're going to store this internal state only if it produces this special the special output prefix. So we add another condition another five bit condition. And because that's because of this we're actually right storing less, less elements in the table by factor of two to the five, so the tables will be small. That's kind of makes sense. So we add this condition we of course need to iterate over all, over all output prefixes. And now we were storing in the table only kind of output prefixes that only sorry internal states that actually produce this output prefix. Okay, so the space is indeed in reduced like what we want to four megabytes. Okay, that kind of makes sense. So that that works. We did reduce the space. Unfortunately, we did not optimize the second step so the second step was the bottleneck in terms of time complexity and we did not optimize it and therefore because we have more loops here we have 32 factor we increase the number of loops by a factor of 32 or two to the five that over all time complexity will be increased from two to the 40 to two to the 45. So we kind of have to optimize the second step in order to actually reduce the time complexity back to two to the 40. So that's not really how to do this, actually, if you kind of try to look into the details it's it's actually not obvious if you can that you can do this at all. It turns out that you can do this, you can implement the step in the second step and reduce time complexity so I'm not going to destroy to you how to do this the details are in the paper. So even the main observation used to reduce the time complexity the main observation is that is that the output function of a restricted to five bits. It only depends on 26 bits out of the 31 of the of the internal state a. So we have a similar like a slow diffusion property for C, and you can use this properties actually to optimize this second step. So the details are a bit too technical to describe in this stuff but please look at the paper to understand that. So this will give us the time complexity to the 40 and the space complexity is like now really small for megabytes or it actually fits into cash. So that's the details about the GA one attack. Let's move quickly to the GA to attack and then I'll conclude. So, we call the GA to does not have a significant weakness as a GA one, but the previous paper still describe an attack on it with that. The attack is faster than the exhaustive search only from kind of 1,400. So this is kind of the data time trade off and that the only bits of exhaustive search kind of from this point, moving to the right. So we describe a different attack that improves the previous attack, given assuming that we have less history but at most 7,000. So you can imagine that this. I mean, it's probably easier to obtain limit more limited amount of data so in some sense it's. You can say it's more practical for these this region of data. And you can see the kind of the points that we get here. So specifically if we can focus on this point here. So, given 1,100 bits of available key screen the time complexity that we get this to the 54, whereas previously the best known attack was exhaustive search of to the 64. So we can improve it by a factor with the data. So I should mention that this attack is actually a generic attack it applies to all screen cypher combiners as we will see shorten. Okay, so that's an overview of the attack now let's I won't go into many details in this attack but let's kind of see how flavor how it works. And by describing the structure of the GA to cypher cypher. So during an initialization a 64 bit session key and 32 bit IV, as in GA one. So these are the inputs but now they are mapped into a larger state ABCD with four registers. So we have an additional register D of size at 29 bits and this gives a total size of the internal state of 125 bits, and not 96 bits like in GA one. Okay, so the details of the initialization are actually not important for this attack. Okay, and the key stream is basically generated in a similar way to GA one just that we need to sort the outputs of four registers instead of basically everything remains similar. Okay, so now moving on to the attack. So we assume for simplicity that the length of all registers is 32 bits, they're kind of close to that, but let's assume that they're all 32 bits for simplicity. So the attack is going to recover the initial states given the initial state given L known keys from bits. So, like in the case of the one from this initial state you can actually compute the session key and and the crib the entire GPR session. So again the focus here is on state recovery. Okay, so let's first assume that we're given just 128 output bits of the cycle. So assume you're given Z. This is the key stream of length 128. And again we're fine to manage the state recovery attack so we're looking for internal state ABCD such that that produces this key stream Z. And once again we can split this equation to two parts a part that involves on the NB and this the right part involves only CD. So the kind of each part has two to the 64 state and the standard beat in the middle attack will give you time complexity to the 64 and space complexity also to the 64. Okay. Now we can actually improve the memory complexity based on the classical Chapelle and Shamir algorithm for subsets subsets some. So, the idea is as follows so first if if this equation holds for states ABCD, then, once again we kind of partition it into two parts but the idea is now to enumerate over 32 bit values T of each side of the equation, kind of independently. So it allows us to split the fork store problem here into two to store problems and each one will be solved using a meat in the middle attack but it will operate on a smaller table. Okay, so specifically let's fix some 32 bit value here once again 32 bits is kind of a magical parameter here used to optimize the complexity. Okay, so let's fix some 32 bit value here for each side. And then what we'll do by emitting in metal tech so we can compute all internal states and be that actually satisfy this left hand side and will store all this internal states and table to be. And if you do the calculation the size of the table will be two to the 32. So the left hand side here and the right hand side you do similar thing. Okay, you compute all CD states that satisfy the right hand side and store them in a table, T CD. And then you merge these to take two tables according to the full equation here. Okay, and the full, full number of bits. So that's basically the attack and if you do the analysis then the sizes of T a B and T CD are each to the 32 so the space complexity is indeed to the 32 because we're reusing the space across iterations. And the time complexity we have to the 32 iterations each one of them takes to the 32 times so the time complexity remains to the 64 as in the previous. Okay, but remember that our goal is actually to improve the time complexity and using more larger key stream. Let's see how to do this. So we have an attack with 128 bits of history with time complexity to the 64. So how can you optimize it given the larger amount of history. So you kind of artificially create multiple solutions for the attack for the poor. That that actually solve the problem. So what is the solution here what what are we searching for we're, we're looking for an internal state ABCD at some, and the thing is, is that we don't actually need to recover the only the internal state we can actually recover some internal state at some clock see. So if we kind of try to focus to recover what some internal states that is used in the computation of the key stream then then we can we may have multiple solutions that we can work with. And once we recover one of them then the attack will actually work. So assume that we actually can do this that we can actually, you know, obtain some for in some way multiple solutions, then we can actually amount to more efficient, more efficient attack. And how this is done. So, if we look back at the previous attack so now assume that there are actually are solutions meaning our good ABCD states that actually produce. There are actually solutions to this problem so assuming that we have our solutions meaning that we have basically are good values of tea. We actually need to iterate only over roughly two to the 32 divided by our values of tea, because we just need to find one out of our solutions. And then the complexity of the attack drops by a factor of R so it will become to the 32 divided by R. Okay, this of course assume and assume that we can actually obtain this magic solutions are solutions. So how can we actually do this so how do we. We can use our solutions or target states, so given a longer history. The main idea. So I'm not going to describe this in detail you can look at the paper but the main idea is to actually look at shifted key strings that we have a long history and we can kind of look at the key string that starts from the first beat the key string that starts from the second bits and so forth. And, and if we have a little bit history that we actually have roughly L it's it's not really L it's a bit smaller but roughly L shifted key string produced by L internal states. Okay, this gives us actually the solutions the multiple solutions that we need for the attack. Again, this the details are described in the paper. One last thing that I want to mention before I conclude this that the attack is actually generic. It does not actually use any of the properties of the internal stream ciphers that are sort together. I mean, it can be applied also to if you change the output functions of the stream ciphers arbitrarily as long as you saw their outputs together. So it that that is actually generic and it's applicable to all source stream cipher to minus. Okay, so finally let me conclude so we're at this rather improved and refined the tax on the ciphers GA one and GA to the techniques that we use are based on on the new applications of cakes or algorithms to stream cycle crypt analysis. And in particular the attack on GA to is a generic attack that applicable to all sort of miners off for stream sectors. And finally, I think the main open problem here is that is we want what we would really like to have as a is to have a really efficient attack for GA to given a low amount of data and I think maybe. If you can optimize our tech further maybe exploiting the structure of the internal structure of the stream cipher. Then it would be I think, really interesting. Okay, so basically that that was my talk. Thank you very much. Yeah, question. Comments. Thank you very much for the talk. I wanted to know you said the GA to attack is generic. Was it. So is this in contrast to the BDL work or was it already generic there. No, no the BDR attack actually exploited the low algebraic degree of the output functions of the cipher. I mean, they exploited the fact that it's an LFSR and the output function is the filter function is of algebraic degree four. So if you kind of change it to an non linear, say feedback shift registered and this attack will not no no longer work but our attack will work. Okay, thank you very much. No problem. So this is on yes. And when you showed the attack on GA to right you sort of searched over the AB registers and the CD individually, do you think it would be possible to exploit the inherent weakness between the the A and C registers right that only can take two to 40 states. And the GA one attack. Yeah, well, could you reuse the because the the weakness from GA one is also inherent in GA to right. No, that's, it's not so I, I try to. I mentioned this year, maybe I did it quickly but I feel. Yeah, because the A and C registers are the same there in GA. No, no, but the initials but the initials they the weaknesses in the initialization it's not in the actual registers. So the weaknesses is in the mapping that takes a seed and maps it to an internal state. And this mapping is different for GA to so the weakness that's present in GA one does not actually. Yeah, right. Okay. Okay, thank you. Initialization initialization of GA two is different from the one of GA one. So it does not have the same weakness. Yeah, so it's not does not depend on the tap positions of A and C there. Okay, good. Thanks. No, it does depend but it's different. I mean, it's not, it's not the same. It's not, it's not the same weakness. I mean, it's not, it's not the same function so it doesn't have the same weakness. Yeah, any other question. Sorry. No, any other question, comments, anything. Okay, then let us dance.