
1 Introduction

People communicate over long distances using wireless links. Because wireless networks are so widely exposed, they are vulnerable to eavesdropping. In GSM communications, security is provided by the A5/1 stream cipher. The cipher was initially kept undisclosed, but it became public through leaks and reverse engineering. A number of severe limitations in the cipher have been identified [1]. The A5/1 stream cipher is built from three Linear Feedback Shift Registers (LFSRs) of length 19, 22, and 23 bits respectively. The outputs of these LFSRs are combined using an XOR gate to generate the key stream for secure communication in GSM technology.

Recent research and analysis show limitations of the GSM cipher that make it vulnerable to a number of attacks [2, 3]. The GSM cipher was first broken by Golic, and a rough sketch of A5/1 was disclosed. After A5/1 was reverse engineered, it was investigated by Biryukov et al. [4], Dunkelman and Biham [5], Johansson and Ekdahl [6], Johansson et al. [7], and more recently by Biham and Barkan [8]. The GSM stream cipher has been badly broken using a range of attacks: the faster time-memory trade-off attack, which needs some precomputation, the basic correlation attack, the algebraic attack, the linear approximation attack, the Berlekamp-Massey attack, the general inversion attack, and the brute force attack, which requires no precomputation. A suitable choice of nonlinear combining function significantly improves the security of the cipher. A combination function has to be balanced and nonlinear; it should have high algebraic degree and correlation immunity against attacks [1, 9]. The existing A5/1 algorithm is therefore modified with these points in mind to make it more robust and nonlinear.

The rest of the paper is organized as follows. Section 2 gives detailed information on the A5/1 algorithm. Section 3 discusses the improved scheme of the proposed A5/1 architecture. Section 4 presents the mathematical proof that the proposed algorithm enhances the security of the GSM stream cipher, and Sect. 5 concludes.

2 GSM Stream Cipher—A5/1 Algorithm

The GSM stream cipher is a part of the SIM card and provides security during GSM communication between the Mobile station and the Base station. Before communication starts, the Mobile Equipment must authenticate to the network. The authentication procedure is carried out by the A3 algorithm using a challenge-response mechanism based on the Subscriber Authentication Key Ki and a 128-bit nonce called RAND. After authentication, the A8 algorithm generates the 64-bit session key Kc from Ki and RAND [10]. The Mobile station and the Base station use the same 64-bit session key to initialize the three LFSRs; loading the 64 key bits into all three registers takes 64 clock cycles. The GSM stream cipher, shown in Fig. 1, uses three LFSRs. The primitive polynomials of the 19-bit, 22-bit and 23-bit registers are \(x^{19} + x^{18} + x^{17} + x^{14} + 1\), \(x^{22} + x^{21} + 1\) and \(x^{23} + x^{22} + x^{21} + x^{8} + 1\), derived using the Galois field [3]. Next, the 22-bit frame counter (Fn) value is loaded into the three LFSRs in the same manner using 22 clock cycles. The LFSRs are then clocked irregularly 100 times using the majority rule. According to the majority rule, if the clocking bits of two or more LFSRs are enabled, those LFSRs are clocked in that round and the other is disabled. Thus at least two LFSRs are enabled in any given round. The majority rule uses position 8 of the 19-bit LFSR, position 10 of the 22-bit LFSR and position 10 of the 23-bit LFSR. These clocking bits are the most irregular in nature and are therefore used in the majority rule. The output bits of these 100 clock cycles are discarded. After that, the LFSRs are clocked 228 times to generate a 228-bit key stream, of which 114 bits are for uplink communication and 114 bits are for downlink communication. This entire cycle repeats, with the frame counter incremented by one, for a single session of communication in GSM technology [5, 10].

Fig. 1 Black-box view of conventional GSM stream cipher
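The procedure described in this section, written out as an added Python example (not code from the paper). The tap positions, clocking bits and clock counts come from the text; the bit numbering (bit 0 as register input, top bit as output), the least-significant-bit-first loading of Kc and Fn, and all function names are assumptions of this sketch.

```python
# Added example (not from the paper): A5/1 keystream generation as described above.
SIZE = (19, 22, 23)                                   # register lengths
TAPS = ((18, 17, 16, 13), (21, 20), (22, 21, 20, 7))  # feedback taps from the polynomials
CLK = (8, 10, 10)                                     # clocking-bit positions

def step(reg, i):
    """Shift register i left by one; the XOR of its tap bits enters at bit 0."""
    fb = 0
    for t in TAPS[i]:
        fb ^= (reg >> t) & 1
    return ((reg << 1) & ((1 << SIZE[i]) - 1)) | fb

def majority_clock(regs):
    """Clock the registers whose clocking bit equals the majority; return (regs, count)."""
    bits = [(r >> c) & 1 for r, c in zip(regs, CLK)]
    maj = int(sum(bits) >= 2)
    moved = [b == maj for b in bits]
    return [step(r, i) if moved[i] else r for i, r in enumerate(regs)], sum(moved)

def load(regs, value, nbits):
    """Clock all three registers nbits times, XORing one bit of value into bit 0."""
    for k in range(nbits):
        bit = (value >> k) & 1            # assumption: least significant bit first
        regs = [step(r, i) ^ bit for i, r in enumerate(regs)]
    return regs

def a51_keystream(kc, fn):
    """Return the 228 keystream bits of one frame as two lists of 114 bits."""
    regs = load([0, 0, 0], kc, 64)        # 64 clocks load the session key Kc
    regs = load(regs, fn, 22)             # 22 clocks load the frame counter Fn
    for _ in range(100):                  # 100 majority-rule clocks, output discarded
        regs = majority_clock(regs)[0]
    out = []
    for _ in range(228):
        regs = majority_clock(regs)[0]
        out.append(((regs[0] >> 18) ^ (regs[1] >> 21) ^ (regs[2] >> 22)) & 1)
    return out[:114], out[114:]

if __name__ == "__main__":
    first, second = a51_keystream(0x0123456789ABCDEF, 0x134)  # constructed sample inputs
    print("".join(map(str, first)))
    print("".join(map(str, second)))
```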

3 Proposed Algorithm of GSM Stream Cipher

The proposed stream cipher, shown in Fig. 2, modifies two parts of conventional A5/1: the feedback tapping units and the combining function. The feedback tap mechanism is enhanced with six primitive polynomials for each LFSR, and four nonlinear combination functions are introduced to make the A5/1 stream cipher more robust and secure. To increase the randomness of the output stream, each LFSR is designed with six primitive polynomials of the same degree over GF(2) instead of one. To reduce hardware complexity, primitive polynomials with only minor differences in tap positions are chosen. The six primitive polynomials of each LFSR and the excess hardware requirement are computed and stated in Table 1. The key stream is produced by four nonlinear functions, known as the nonlinear combination functions. Moreover, the combiner may have flip-flops that store the previous output key stream to compute the next state of the key stream.

Fig. 2 Black-box view of proposed A5/1 stream cipher

Table 1 Analysis of excess hardware requirement

To increase the linear complexity of the GSM stream cipher and make it harder to break, four cryptographically improved nonlinear functions are employed [9], each having a nonlinear order of degree three. Furthermore, the combining functions are dynamic in nature, selected using one selection bit from the preceding state of the key stream, P(t − 1). The four nonlinear functions f1(.), f2(.), f3(.) and f4(.) are as follows:

$$f_1(x) \to \alpha_1 \oplus \alpha_2 \oplus \alpha_1\alpha_2 \oplus \alpha_1 \wedge \alpha_2 \wedge \alpha_3 = P_1 \tag{1}$$

$$f_2(x) \to \alpha_2 \oplus \alpha_3 \oplus \alpha_2\alpha_3 \oplus \alpha_1 \wedge \alpha_2 \wedge \alpha_3 = P_2 \tag{2}$$

$$f_3(x) \to \alpha_1 \oplus \alpha_3 \oplus \alpha_1\alpha_3 \oplus \alpha_1 \wedge \alpha_2 \wedge \alpha_3 = P_3 \tag{3}$$

$$f_4(x) \to \alpha_1 \oplus \alpha_2 \oplus \alpha_3 = P_4 \tag{4}$$

4 Security Analysis of Proposed Algorithm

4.1 Linear Approximation Attack

A linear function is easier to approximate with a linear approximation attack than a nonlinear one. In the proposed scheme the linear function is replaced by nonlinear functions to prevent key stream estimation [11] by linear approximation attack. The maximum linear complexity of the proposed algorithm is \(\text{LC} \to 22 + 23 + 22 \times 23 + 19 \times 22 \times 23 = 10165\), while the conventional algorithm has linear complexity LC → 64; hence the proposed mechanism is robust and resistant to this attack.

4.2 Correlation Attack

Siegenthaler first introduced the correlation attack, aimed at nonlinear combiners, in the mid-1980s [12]. A correlation attack exploits a flaw in the combination function of a stream cipher that takes several LFSR sequences as inputs: it identifies the relationship between the input literals and the output literals of the combination function and then extracts information about the correlated input literals. The truth table of the input streams \(\alpha_1, \alpha_2, \alpha_3\) (the output of each LFSR respectively) and the outputs p1, p2, p3 and p4 of the nonlinear combination functions is given in Table 2. To avoid this attack in LFSR-based stream ciphers, the correlation probabilities of the function must be constant. To make this feasible, the nonlinear function is chosen dynamically by varying the function. The correlation probabilities of the sequences \(\alpha_1, \alpha_2, \alpha_3\) to the key streams p1(t), p2(t), p3(t), p4(t) are given in Table 3.

Table 2 Input stream output of nonlinear combination function
Table 3 Correlation probabilities

When the four nonlinear functions p1(t), p2(t), p3(t), p4(t) are selected alternately, the correlation probabilities are as follows.

Correlation Probability (CP) of α1:

$$\mathrm{CP}(\alpha_1) = \frac{1}{4}\Big(\mathrm{prob}(p_1(t) = \alpha_1) + \mathrm{prob}(p_2(t) = \alpha_1) + \mathrm{prob}(p_3(t) = \alpha_1) + \mathrm{prob}(p_4(t) = \alpha_1)\Big) = \frac{1}{4}\sum_{i=1}^{4} \mathrm{prob}(p_i(t) = \alpha_1) = \frac{1}{4}\left(\frac{5}{8} + \frac{3}{8} + \frac{5}{8} + \frac{4}{8}\right) \approx 0.53 \tag{5}$$

Correlation Probability (CP) of α2:

$$\mathrm{CP}(\alpha_2) = \frac{1}{4}\Big(\mathrm{prob}(p_1(t) = \alpha_2) + \mathrm{prob}(p_2(t) = \alpha_2) + \mathrm{prob}(p_3(t) = \alpha_2) + \mathrm{prob}(p_4(t) = \alpha_2)\Big) = \frac{1}{4}\sum_{i=1}^{4} \mathrm{prob}(p_i(t) = \alpha_2) = \frac{1}{4}\left(\frac{5}{8} + \frac{5}{8} + \frac{3}{8} + \frac{4}{8}\right) \approx 0.53 \tag{6}$$

Correlation Probability (CP) of α3:

$$\mathrm{CP}(\alpha_3) = \frac{1}{4}\Big(\mathrm{prob}(p_1(t) = \alpha_3) + \mathrm{prob}(p_2(t) = \alpha_3) + \mathrm{prob}(p_3(t) = \alpha_3) + \mathrm{prob}(p_4(t) = \alpha_3)\Big) = \frac{1}{4}\sum_{i=1}^{4} \mathrm{prob}(p_i(t) = \alpha_3) = \frac{1}{4}\left(\frac{3}{8} + \frac{5}{8} + \frac{5}{8} + \frac{4}{8}\right) \approx 0.53 \tag{7}$$

Therefore the correlation between the output sequences αi of the LFSRs and the key stream p(t) can be removed, as the correlation probability is constant.
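The truth table and correlation probabilities referred to in Tables 2 and 3 can be recomputed directly from Eqs. (1)-(4). The following Python is an added example, not code from the paper; the function names are assumptions, and the algebraic-degree check is an extra step beyond what the tables cover.

```python
from fractions import Fraction
from itertools import product

# The four combining functions of Eqs. (1)-(4); a1, a2, a3 are the LFSR output bits.
F = {
    "p1": lambda a1, a2, a3: a1 ^ a2 ^ (a1 & a2) ^ (a1 & a2 & a3),
    "p2": lambda a1, a2, a3: a2 ^ a3 ^ (a2 & a3) ^ (a1 & a2 & a3),
    "p3": lambda a1, a2, a3: a1 ^ a3 ^ (a1 & a3) ^ (a1 & a2 & a3),
    "p4": lambda a1, a2, a3: a1 ^ a2 ^ a3,
}
INPUTS = list(product((0, 1), repeat=3))      # all eight (a1, a2, a3) combinations

def truth_table():
    """Rows (a1, a2, a3, p1, p2, p3, p4) for every input combination."""
    return [x + tuple(f(*x) for f in F.values()) for x in INPUTS]

def agreement(name, k):
    """prob(p_name = alpha_k) over uniformly distributed inputs, k in 1..3."""
    hits = sum(F[name](*x) == x[k - 1] for x in INPUTS)
    return Fraction(hits, len(INPUTS))

def averaged_cp(k):
    """Eqs. (5)-(7): mean agreement with alpha_k when each function is used equally often."""
    return sum(agreement(n, k) for n in F) / len(F)

def algebraic_degree(name):
    """Degree of the algebraic normal form, via the binary Moebius transform."""
    coeffs = [F[name](*x) for x in INPUTS]
    for bit in (1, 2, 4):
        for i in range(8):
            if i & bit:
                coeffs[i] ^= coeffs[i ^ bit]
    return max((bin(i).count("1") for i in range(8) if coeffs[i]), default=0)

if __name__ == "__main__":
    for row in truth_table():
        print(*row)
    for k in (1, 2, 3):
        per_function = [str(agreement(n, k)) for n in F]
        print(f"alpha{k}:", per_function, "mean", float(averaged_cp(k)))
    print({n: algebraic_degree(n) for n in F})
```

Each input agrees with the averaged output with probability 17/32 ≈ 0.53, the value in Eqs. (5)-(7). As written, Eq. (4) is the XOR of the three inputs, so its computed degree is 1, while p1, p2 and p3 have degree 3.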

4.3 Algebraic Attack

The algebraic attack [11, 13–15] is fairly recent in the research literature but has many implications [9]. LFSR-based ciphers are susceptible to this attack, and it has been shown that the algebraic attack against various stream ciphers is applicable and efficient [13–16]. To resist this attack, the notion of algebraic degree is applied. The algebraic degree is determined by the maximum number of variables used to describe a term of the function. In the conventional cipher the algebraic degree of the combining function is 1, whereas in the proposed algorithm the algebraic degree of the combining function is 3. Hence the proposed scheme offers more resistance to the algebraic attack.

4.4 Berlekamp-Massey Attack

The well-known Berlekamp-Massey algorithm is a very effective algorithm for determining the linear complexity of a finite binary sequence of bit length n within \(O(n^2)\) bit operations [6, 17]. A greater linear complexity helps avoid this attack. The algorithm identifies the length of the shortest LFSR used in a stream cipher. The attack requires twice LC consecutive bits of the sequence generated by the stream cipher in order to design an LFSR of length LC that generates the same output key stream [1].

The change in primitive polynomial at time instant t is:

$$\text{19 bits LFSR: } 39 + 129 \times t \quad (38 + 44 + 46 = 128, \text{ where } t = 0 \text{ to } 5) \tag{8}$$

$$\text{22 bits LFSR: } 83 + 129 \times t \quad (38 + 44 + 46 = 128, \text{ where } t = 0 \text{ to } 5) \tag{9}$$

$$\text{23 bits LFSR: } 129 + 129 \times t \quad (38 + 44 + 46 = 128, \text{ where } t = 0 \text{ to } 5) \tag{10}$$

Thus a variable-tap mechanism provides more protection against the Berlekamp-Massey attack.
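The linear complexity of 64 quoted for the conventional XOR combiner in Sect. 4.1, and the 2·LC-bit requirement stated above, can be checked with a short Berlekamp-Massey implementation. This is an added Python example, not the paper's code; it assumes regularly clocked registers (the majority clocking is ignored), a start state of 1 in each register, and illustrative function names.

```python
# Added example (not from the paper): linear complexity of regularly clocked LFSR streams.
POLYS = {19: (18, 17, 16, 13), 22: (21, 20), 23: (22, 21, 20, 7)}  # tap bit positions

def lfsr_stream(size, n, state=1):
    """n output bits (top bit) of a regularly clocked LFSR; state must be nonzero."""
    out = []
    for _ in range(n):
        fb = 0
        for t in POLYS[size]:
            fb ^= (state >> t) & 1
        state = ((state << 1) & ((1 << size) - 1)) | fb
        out.append(state >> (size - 1))
    return out

def linear_complexity(s):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR that generates s."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, m = 0, -1
    for i in range(n):
        d = s[i]                          # discrepancy between prediction and s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            for j in range(n - (i - m) + 1):
                c[j + i - m] ^= b[j]      # c(x) += x^(i-m) * b(x)
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def xor_combined(n):
    """Bitwise XOR of the three streams, i.e. the conventional linear combiner."""
    streams = [lfsr_stream(size, n) for size in POLYS]
    return [x ^ y ^ z for x, y, z in zip(*streams)]

if __name__ == "__main__":
    for size in POLYS:
        print(size, "bit register:", linear_complexity(lfsr_stream(size, 100)))
    print("XOR of all three:", linear_complexity(xor_combined(200)))  # 200 > 2 * 64 bits
```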

5 Conclusion

This paper attempts to improve the security of the GSM stream cipher by applying a variable tap mechanism and nonlinear combination functions to the linear feedback shift registers. The proposed algorithm improves the keystream in terms of randomness and offers more security. A5/1 has weak linear complexity, and its output keystream has a low rate of unpredictability. To overcome these issues we present a variable tap system with six variable taps for every LFSR and four nonlinear combination functions. It has been shown mathematically that the proposed algorithm has high algebraic degree and correlation immunity against the correlation attack, linear approximation attack, algebraic attack and Berlekamp-Massey attack because of the nonlinear combination generator.

6 Future Work

Future work is to implement the existing algorithm as well as the proposed algorithm in VHDL, simulate them using the ISIM simulator and deploy them on an FPGA-SPARTAN 6 using the Xilinx 12.4 ISE toolkit. The NIST statistical test suite will be used to measure the unpredictability of the output key stream directly and compare it with the original A5/1 algorithm. A further extension of this project is to build a generic framework for the pseudo-random number generator.