State space convergence in the A5/1 keystream generator Ali Al Hamdan and Harry Bartlett Information Security Institute / Faculty of Science and Technology, Queensland University of Technology

Background A5/1 Keystream generator provides keystream for packet encryption in GSM mobile phone systems uses 3 linear feedback shift registers (LFSRs) with a majority clocking arrangement [the only non-linear element in this generator] after loading key and IV, registers are clocked 100 times before being used to generate keystream non-linear clocking arrangement leads to shrinkage of available internal state space

Background (2) Diagram of shift registers and clocking:

Previous work Golic (1997, 2000): 3/8 of possible states become unattainable after one clock step [drop from 2 64 to 5*2 61 “working” states] Al Hamdan (2009): exhaustive evaluation of smaller analogue (2 15 initial states): within 10 steps, over 50% of states unreachable. Clock steps: Reachable states: Proportion: Proportion not reachable:

Previous work (2) Others have obtained similar results through random sampling of full generator: −Birukov, Shamir and Wagner (2001): of 10 8 random states − ≈15% attainable after 100 clocks − up to 120 initial states lead to each −others (www.reflextor.com/trac/a51/wiki, 2010) : from 10 6 and 10 8 random starting states − similar results to BSW above − 50% of final states from 18% of initial states; other 50% from remaining 82% of initial states

Current work (1) extension to second clock step: another 3/64 of states unattainable (‘blocked’) comparison of patterns involved gives lower bound on proportion blocked: 3/8 + 3/64 + 3/ /7 Blocked states at first and second steps: 1 st step: 2 nd step: [Golic]

Current work (2) extension to third step: further 9/512 blocked additional pattern appears: gives a new lower bound estimate 3/8 + 3/64 + 9/ / /20 Blocked states at third step:

Current work (3) further extension to fourth and fifth steps gives still more blocked patterns after 5 steps, total proportion of blocked states is 3/8 + 3/64 + 9/ / /32768 ≈ − almost identical to Al Hamdan’s results. arranging blocked states as branching tree, branch proportions suggest that extra proportion blocked at each step remains above 1% for next steps

Implications of state convergence * During the 100 clock steps before producing keystream, expect usable state space to drop to about 15−20% of possible states. * This reduces search requirements for brute force search. * Since convergence is not uniform, some key-IV combinations will be more likely than others to generate collisions in keystream output. * Use of majority clocking to provide non-linearity has introduced other security issues.

