Refined Cryptanalysis of the GPRS Ciphers GEA-1 and GEA-2

Dor Amzaleg, Itai Dinur

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

2 Scopus citations


At EUROCRYPT 2021, Beierle et al. presented the first public analysis of the GPRS ciphers GEA-1 and GEA-2. They showed that although GEA-1 uses a 64-bit session key, it can be recovered with the knowledge of only 65 bits of keystream in time 2 40 using 44 GiB of memory. The attack exploits a weakness in the initialization process of the cipher that was presumably hidden intentionally by the designers to reduce its security. While no such weakness was found for GEA-2, the authors presented an attack on this cipher with time complexity of about 2 45. The main practical obstacle is the required knowledge of 12800 bits of keystream used to encrypt a full GPRS frame. Variants of the attack are applicable (but more expensive) when given less consecutive keystream bits, or when the available keystream is fragmented (it contains no long consecutive block). In this paper, we improve and complement the previous analysis of GEA-1 and GEA-2. For GEA-1, we devise an attack in which the memory complexity is reduced by a factor of about 2 13= 8192 from 44 GiB to about 4 MiB, while the time complexity remains 2 40. Our implementation recovers the GEA-1 session key in average time of 2.5 h on a modern laptop. For GEA-2, we describe two attacks that complement the analysis of Beierle et al. The first attack obtains a linear tradeoff between the number of consecutive keystream bits available to the attacker (denoted by ℓ ) and the time complexity. It improves upon the previous attack in the range of (roughly) ℓ≤ 7000. Specifically, for ℓ= 1100 the complexity of our attack is about 2 54, while the previous one is not faster than the 2 64 brute force complexity. In case the available keystream is fragmented, our second attack reduces the memory complexity of the previous attack by a factor of 512 from 32 GiB to 64 MiB with no time complexity penalty. Our attacks are based on new combinations of stream cipher cryptanalytic techniques and algorithmic techniques used in other contexts (such as solving the k-XOR problem).

Original languageEnglish
Title of host publicationAdvances in Cryptology – EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2022, Proceedings
EditorsOrr Dunkelman, Stefan Dziembowski
PublisherSpringer Science and Business Media Deutschland GmbH
Number of pages29
ISBN (Print)9783031070815
StatePublished - 1 Jan 2022
Event41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2022 - Trondheim, Norway
Duration: 30 May 20223 Jun 2022

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume13277 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2022

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science (all)


Dive into the research topics of 'Refined Cryptanalysis of the GPRS Ciphers GEA-1 and GEA-2'. Together they form a unique fingerprint.

Cite this