## Abstract

At EUROCRYPT 2021, Beierle et al. presented the first public analysis of the GPRS ciphers GEA-1 and GEA-2. They showed that although GEA-1 uses a 64-bit session key, it can be recovered with the knowledge of only 65 bits of keystream in time 2 ^{40} using 44 GiB of memory. The attack exploits a weakness in the initialization process of the cipher that was presumably hidden intentionally by the designers to reduce its security. While no such weakness was found for GEA-2, the authors presented an attack on this cipher with time complexity of about 2 ^{45}. The main practical obstacle is the required knowledge of 12800 bits of keystream used to encrypt a full GPRS frame. Variants of the attack are applicable (but more expensive) when given less consecutive keystream bits, or when the available keystream is fragmented (it contains no long consecutive block). In this paper, we improve and complement the previous analysis of GEA-1 and GEA-2. For GEA-1, we devise an attack in which the memory complexity is reduced by a factor of about 2 ^{13}= 8192 from 44 GiB to about 4 MiB, while the time complexity remains 2 ^{40}. Our implementation recovers the GEA-1 session key in average time of 2.5 h on a modern laptop. For GEA-2, we describe two attacks that complement the analysis of Beierle et al. The first attack obtains a linear tradeoff between the number of consecutive keystream bits available to the attacker (denoted by ℓ ) and the time complexity. It improves upon the previous attack in the range of (roughly) ℓ≤ 7000. Specifically, for ℓ= 1100 the complexity of our attack is about 2 ^{54}, while the previous one is not faster than the 2 ^{64} brute force complexity. In case the available keystream is fragmented, our second attack reduces the memory complexity of the previous attack by a factor of 512 from 32 GiB to 64 MiB with no time complexity penalty. Our attacks are based on new combinations of stream cipher cryptanalytic techniques and algorithmic techniques used in other contexts (such as solving the k-XOR problem).

Original language | English |
---|---|

Title of host publication | Advances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings |

Editors | Orr Dunkelman, Stefan Dziembowski |

Publisher | Springer Science and Business Media Deutschland GmbH |

Pages | 57-85 |

Number of pages | 29 |

ISBN (Print) | 9783031070815 |

DOIs | |

State | Published - 1 Jan 2022 |

Event | 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2022 - Trondheim, Norway Duration: 30 May 2022 → 3 Jun 2022 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Volume | 13277 LNCS |

ISSN (Print) | 0302-9743 |

ISSN (Electronic) | 1611-3349 |

### Conference

Conference | 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2022 |
---|---|

Country/Territory | Norway |

City | Trondheim |

Period | 30/05/22 → 3/06/22 |

## ASJC Scopus subject areas

- Theoretical Computer Science
- Computer Science (all)