A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones

Abstract. The GMR-1 and GMR-2 stream ciphers, which are used in the satellite phones, have been reconstructed by Driessen et al. recently. The GMR-1 cipher is shown to be a proprietary variant of the GSM A5/2 algorithm, thus it could be cracked using the previous known method. For the newly designed GMR-2 cipher, by observing a non-uniform behavior of its component, Driessen et al. proposed an efficient known plaintext attack to recover the encryption key (a session key with 64-bit) with approximately 5 ∼ 6 frames (50 ∼ 65 bytes) of keystream. In this paper, we first revisit the properties of each component of the GMR-2 cipher, and then present a low data complexity attack on it by adopting the strategy of guess-and-determine. We call this kind of attack the dynamic guess and determine attack, since the evolution of the guessing part of the internal state of the attack is changed dynamically according to the intermediate process. Our theoretical analysis demonstrates that, using the proposed attack, the 64-bit encryption key could be recovered by guessing no more than 32 bits when 15 bytes (1 frame) of the keystream is available. Some experimental results are also performed on a single PC to confirm our analysis, and the number of candidates for exhaustive search is about 2 on average.