Research And Cryptanalysis Of The GMR-2 Stream Cipher Used In The Satellite Phones

With the rapid evolution and development of 4G technologies,mobile phone systems are available worldwide nowadays,still it is difficult to build a complete mobile network in some remote areas,such as outlying desert areas,oceans,and mountains.Thus,to fill the gaps left behind by radio-based technologies,satel ite phones have been widely used in these areas.Currently,the commonly used satel ite communication standards are mainly developed by international standards organization ETSI,including the GMR-1standard and the GMR-2 standard.However,the details of these satel ite cipher algorithms were non-public until the German research team Driessen et al.uncovered the GMR-1 and the GMR-2 cipher by reverse engineering in 2012.Their analysis results il ustrate that both two ciphers are stream ciphers.In particular,the GMR-2 cipher is an entirely newly designed stream cipher,however,it has been found to be insecure for two types of known plaintext attacks.Driessen et al.proposed a known plaintext attack against it for the first time based on the read-collision technique according to the key-scheduling features of the GMR-2 cipher.The time complexity of such attack is about 2¹⁸ with approximately 50?65 bytes of keystream.Li et al.further put forward a low data complexity attack method cal ed the dynamic guess-and-determine attack which can break the GMR-2 cipher by guessing about 28 bits on average when 15 bytes of keystream are available.In this paper,we study the inverse properties of the GMR-2 cipher to show a bad one-way character of such cipher,then we propose what we call the inversion attack against the GMR-2 cipher.Our proposed attack consists of three major phases:?1?table generation,?2?dynamic table looks-up,filtration and combination,?3?verification.With the help of an extra 6kB memory storage,this attack can reduce the exhaustive search space from 2⁶⁴ to about 2¹³ on average when one frame?15 bytes?keystream is available.The experimental results on a 3.3GHz platform demonstrate that the 64-bit encryption-key can be completely retrieved in around 0.02s.This paper also presents a collision property analysis of the GMR-2 cipher.By using theF-component as a bridge,and analyzing the relationship between the difference of the key byte and the collision of the output of F as well as the link between the collision of the output of F and the collision of keystream byte,we finally get the relationship between the difference of the original key byte and the keystream collision.The research shows that for a random frame number,a special chosen key pair can lead to a collision keystream with a high probability,when the key pair has only one byte difference and the most significant 4-bit of the difference is equal to the last significant 4-bit.The experimental result shows that the keystream collision probability is 2^-8.248(the theoretical value is 2^-8.314),which is far higher than the ideal collision probability 2^-120.This proves once again,that there exists serious potential security hazards in the GMR-2 cipher.