Skip to Main content Skip to Navigation
Conference papers

Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2

Abstract : This paper presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, we show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time $2^{40}$ GEA-1 evaluations and using 44.5 GiB of memory. The attack on GEA-1 is based on an exceptional interaction of the deployed LFSRs and the key initialization, which is highly unlikely to occur by chance. This unusual pattern indicates that the weakness is intentionally hidden to limit the security level to 40 bit by design. In contrast, for GEA-2 we did not discover the same intentional weakness. However, using a combination of algebraic techniques and list merging algorithms we are still able to break GEA-2 in time $2^{45.1}$ GEA-2 evaluations. The main practical hurdle is the required knowledge of 1600 bytes of keystream.
Document type :
Conference papers
Complete list of metadata
Contributor : Gaëtan Leurent Connect in order to contact the contributor
Submitted on : Monday, January 17, 2022 - 3:08:38 PM
Last modification on : Monday, April 4, 2022 - 9:28:32 AM
Long-term archiving on: : Monday, April 18, 2022 - 8:51:09 PM


Files produced by the author(s)



Christof Beierle, Patrick Derbez, Gregor Leander, Gaëtan Leurent, Håvard Raddum, et al.. Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2. EUROCRYPT 2021 - 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Oct 2021, Zagreb, Croatia. pp.155-183, ⟨10.1007/978-3-030-77886-6_6⟩. ⟨hal-03529373⟩



Record views


Files downloads