New Attacks on the GPRS Encryption Algorithms GEA-1 and GEA-2

Abstract

GEA-1 and its successor GEA-2 are two stream ciphers, designed to protect against eavesdropping General Packet Radio Service (GPRS) between the phone and the base station. They were widely used for GPRS encryption in the late 1990s and during the 2000s, and are surprisingly still supported in a range of current mobile phones. In this paper, new key recovery attacks on GEA-1 and GEA-2 are proposed by combining with the time-memory trade-off technique. The new attacks significantly reduce the time and memory costs of the previous attacks on GEA-1, and show that GEA-1 only offers 32-bit (out of 64) security. Furthermore, the slide properties of GEA-1 and GEA-2 are first found and used to explore practical related key attacks. The results show that GEA-1 and GEA-2 can be broken on a common PC within about 0.81 and 6.2 seconds in the multiple related key setting, respectively. Finally, an improved variant of GEA-2 called GEA-2a is proposed. The reasons for making the changes from GEA-2 are explained in detail, which indicates that GEA-2a has significantly better resistance than GEA-2 against all known attacks and can offer 64-bit security.