Remarks on the security of the Alpha1 stream cipher
Chris J. Mitchell
Technical Report RHUL–MA–2001–8
19 December 2001
Royal Holloway, University of London
Department of Mathematics
Egham, Surrey TW20 0EX, England
http://www.rhul.ac.uk/mathematics/techreports
Abstract
A preliminary analysis of the Alpha1 stream cipher is given. Some undesirable properties are identified.
1 Introduction
This short note contains some observations on a recent paper [1] by Komninos, Honary and Darnell.
2 Specification issues
The following minor points of correctness arise with respect to the specification of the sequence generator in [1].
• It is claimed that all four polynomials (determining the feedbacks for registers R1–R4) are primitive, which implies that the polynomials are irreducible. The polynomial for register R4 is listed in Table 1 of [1] (page 296) as being
$x^{35} + x^{30} + x^{22} + x^{11} + x^{6} + 1$.
Unfortunately this polynomial is not irreducible and hence is not primitive. This is simple to see since
$(x + 1) \mid (x^{35} + x^{30} + x^{22} + x^{11} + x^{6} + 1)$.
In fact, when working over GF(2), $x + 1$ is a factor of any polynomial with an even number of non-zero coefficients, i.e. with an even Hamming weight. Hence, primitive polynomials must always have an odd number of non-zero coefficients.
One effect of this choice for the R4 polynomial is that, if the register R4 is loaded with all ones, then it will always stay in this state (since there are an odd number of feedback taps), i.e. it will generate a sequence of all ones.
• It is stated on page 298 of [1] that the probability that R2, R3 and R4 will be clocked by the control mechanism is approximately 7/13. In fact, if we assume that the six bits used to control the clocking mechanism are randomly distributed, then the probability will be precisely 9/16. This is simple to see by considering each of the $2^6 = 64$ possible 6-tuples of bits used to control the clocking mechanism. In precisely 36 of the 64 6-tuples, register R2 will be clocked (the same holds for registers R3 and R4). Hence the result follows, assuming each 6-tuple is equally probable and observing that 36/64 = 9/16.
• It is not clear how many times registers R2, R3 and R4 are clocked in each clock cycle. Specifically, it is not completely clear whether they are always clocked once and sometimes clocked an additional time, or whether they are only clocked at most once. Based on conversations with the authors, the assumption is made below that the latter option applies, i.e. registers R2, R3 and R4 are clocked either zero times or once per output bit.
• A number of references are made to the GSM A5/1 cipher, and to attacks on this cipher. However, the authors of [1] fail to distinguish between the so-called ‘alleged A5’ scheme, publicised in the mid 1990s, and the actual A5/1 cipher, which was only put into the public domain in the late 1990s. The alleged A5 scheme is clearly a rather weak scheme, and was broken even before its design was publicised. However, the ‘genuine’ A5/1 scheme was only broken some months after it was made public, using apparently novel techniques. This distinction is rather an important one.
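As an added example, not code from the report, the following Python checks the two observations made above about the R4 polynomial over GF(2): that $x + 1$ divides it (equivalently, that its Hamming weight is even) and that, with an odd number of feedback taps, the all-ones register state is a fixed point. The Fibonacci shift-register convention used here is an assumption; the fixed-point argument depends only on the tap count being odd.

```python
# Added example, not code from the report: it checks the two observations made
# about the R4 feedback polynomial in Section 2. A GF(2) polynomial is held as a
# Python int whose bit k is the coefficient of x^k.

R4_POLY = (1 << 35) | (1 << 30) | (1 << 22) | (1 << 11) | (1 << 6) | 1


def gf2_mod(a: int, m: int) -> int:
    """Remainder of a modulo m over GF(2), by carry-less long division."""
    deg_m = m.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_m:
        a ^= m << (a.bit_length() - 1 - deg_m)
    return a


def hamming_weight(poly: int) -> int:
    """Number of non-zero coefficients."""
    return bin(poly).count("1")


def divisible_by_x_plus_1(poly: int) -> bool:
    """x + 1 divides poly exactly when poly(1) = 0, i.e. when the weight is even.
    Computed here by actual division rather than by the weight shortcut."""
    return gf2_mod(poly, 0b11) == 0


def tap_count(poly: int, n: int) -> int:
    """Feedback taps of an n-bit register: every term of poly except x^n."""
    return hamming_weight(poly & ((1 << n) - 1))


def lfsr_step(state: int, poly: int, n: int) -> int:
    """One clock of an n-bit Fibonacci LFSR (an assumed convention): the new
    top bit is the XOR of the state bits selected by the taps."""
    feedback = bin(state & poly & ((1 << n) - 1)).count("1") & 1
    return (state >> 1) | (feedback << (n - 1))


def all_ones_is_fixed_point(poly: int, n: int) -> bool:
    """With an odd number of taps the all-ones state feeds back a 1 forever."""
    ones = (1 << n) - 1
    return lfsr_step(ones, poly, n) == ones
```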
3 Analysis
We start by defining some simple notation. The stream cipher output sequence is equal to the ex-or of the outputs of all four registers, ex-ored with the logical-and of the outputs of registers R2 and R3. That is, if we write $x_{ij}$ for the $j$th output bit of register Ri ($1 \le i \le 4$, $j \ge 0$), then the $j$th output bit of keystream is
$y_j = x_{1j} + x_{2j} + x_{3j} + x_{4j} + x_{2j}x_{3j}$.
3.1 A correlation property
We note the following correlation property of the scheme, namely that the output sequence is strongly correlated to the complement of the sum of the outputs of R1 and R4. Specifically we have the following result.
Lemma 1 The probability that
$y_j = x_{1j} + x_{4j} + 1$
is 0.75.
Proof. To see this, note that
$y_j + (x_{1j} + x_{4j} + 1) = x_{2j} + x_{3j} + x_{2j}x_{3j}$
which is 0 with probability 0.75. The result follows. □
3.2 Breaking register R1
The following analysis is based on the assumption that registers R2, R3 and R4 are clocked either zero or one times per clock cycle. We also assume, as previously, that the linear feedback shift registers R1–R4 will behave randomly, i.e. that the probability that any bit in a register state is 0 is 0.5. Given these assumptions we now describe a known-plaintext attack of complexity $2^{29}$ which reveals the initial state of register R1. It operates as follows. We first need the following result.
Lemma 2 For any $j \ge 0$ and any $i$ ($2 \le i \le 4$)
$x_{ij} + x_{i(j+1)} = 0$
with probability approximately 23/32.
Proof. The probability that register Ri is clocked between outputting bits $x_{ij}$ and $x_{i(j+1)}$ is 9/16 (as above). If the register is not clocked then these two bits will clearly be identical. If the register is clocked, then (using the randomness assumption) the probability that these two bits will be the same is 0.5. Hence the probability that $x_{ij} = x_{i(j+1)}$ is equal to
$7/16 + 0.5 \times 9/16$
and the result follows. □
This then leads to the following result.
Lemma 3 For any $j \ge 0$
$(y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)}) = 0$
with probability approximately 71/128 = 0.5546875.
Proof. We consider four cases.
(i) $y_j + x_{1j} = x_{4j} + 1$ and $y_{j+1} + x_{1(j+1)} = x_{4(j+1)} + 1$. In this case, by Lemma 2, the probability that $(y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)}) = 0$ is 23/32.
(ii) $y_j + x_{1j} = x_{4j} + 1$ and $y_{j+1} + x_{1(j+1)} = x_{4(j+1)}$. In this case, by Lemma 2, the probability that $(y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)}) = 0$ is 9/32.
(iii) $y_j + x_{1j} = x_{4j}$ and $y_{j+1} + x_{1(j+1)} = x_{4(j+1)} + 1$. In this case, by Lemma 2, the probability that $(y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)}) = 0$ is 9/32.
(iv) $y_j + x_{1j} = x_{4j}$ and $y_{j+1} + x_{1(j+1)} = x_{4(j+1)}$. In this case, by Lemma 2, the probability that $(y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)}) = 0$ is 23/32.
By Lemma 1, the probabilities of the four cases are respectively: $(3/4)^2 = 9/16$, $3/4 \times 1/4 = 3/16$, $1/4 \times 3/4 = 3/16$, and $(1/4)^2 = 1/16$. Hence the overall probability that $(y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)}) = 0$ is equal to
$23/32 \times 9/16 + 2 \times 9/32 \times 3/16 + 23/32 \times 1/16 = 284/512$
and the result follows. □
We can now describe the attack to find the initial state of register R1. It involves searching through all the $2^{29}$ possible initial states for R1. It also supposes that the attacker knows a number of consecutive pairs of cipher sequence bits (e.g. as obtained from a known-plaintext attack).
For each guess for the initial state of R1, it is trivial to compute the $x_{1j}$ values for every value of $j$ for which the cipher sequence bit $y_j$ is known. For every value of $j$ for which both $y_j$ and $y_{j+1}$ are known, now compute
$(y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)})$.
If the guess for the initial state is correct, every such value will be zero with probability approximately 0.5546875. If the guess for the initial state is incorrect, every such value will be zero with probability approximately 0.5. Hence, given a sufficient number of known sequence bits, the correct initial state for R1 can be found by taking the candidate which yields the maximum number of zero values for
$(y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)})$.
3.3 Obtaining probabilistic information on the plaintext
We conclude this short note by observing that, if the attack described immediately above is used to successfully deduce the initial contents of register R1, this can then be used to deduce probabilistic information regarding the plaintext corresponding to known ciphertext.
That is, suppose $z_0, z_1, \ldots, z_{t-1}$ are $t$ bits of known ciphertext. Then we know that
$z_i = m_i + y_i$
for every $i$, where $m_0, m_1, \ldots, m_{t-1}$ are the $t$ bits of plaintext enciphered to yield $z_0, z_1, \ldots, z_{t-1}$. Now, if the contents of register R1 have been deduced, the attacker can readily compute $x_{10}, x_{11}, \ldots, x_{1(t-1)}$, and hence can compute the sequence
$z_0 + x_{10}, z_1 + x_{11}, \ldots, z_{t-1} + x_{1(t-1)}$
which equals
$m_0 + y_0 + x_{10}, m_1 + y_1 + x_{11}, \ldots, m_{t-1} + y_{t-1} + x_{1(t-1)}$.
Call this sequence $u_0, u_1, \ldots, u_{t-1}$.
Hence, for any $j$ ($0 \le j < t-1$) we know that
$m_j + m_{j+1} = (u_j + u_{j+1}) + (y_j + x_{1j}) + (y_{j+1} + x_{1(j+1)})$.
Thus, by Lemma 3 we know that
$m_j + m_{j+1} = u_j + u_{j+1}$
with probability 71/128.
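The search of Section 3.2 and the plaintext observation of Section 3.3, as an added Python example that is not the report's own code. Because the report does not reproduce Alpha1's full specification, the model is assumed: R1 is a hypothetical 12-bit LFSR with feedback polynomial $x^{12} + x^{11} + x^{10} + x^{4} + 1$ standing in for the 29-bit register, R4 is a bit that is freshly drawn with probability 9/16 and otherwise repeated (Lemma 2), and R2 and R3 are fresh uniform bits each step (the independence used in the proof of Lemma 3). Since every non-zero state of a maximal-length LFSR lies on one cycle, the exhaustive search over initial states is carried out as a search over phases of that cycle.

```python
# Added example, not the report's code. Alpha1 is not fully specified in the
# report, so only what Sections 3.2 and 3.3 use is modelled: R1 is a stand-in
# 12-bit LFSR (x^12+x^11+x^10+x^4+1) rather than the 29-bit register, R4 a bit
# clocked w.p. 9/16 (else repeated), R2/R3 fresh uniform bits (as in Lemma 3).
import random

N1, R1_TAPS, CLOCK_P = 12, (1 << 11) | (1 << 10) | (1 << 4) | 1, 9 / 16

def r1_states():
    """All 2^12 - 1 non-zero R1 states in clock order from state 1 (the cycle
    is maximal because the polynomial is primitive); a state's output is bit 0."""
    states, state = [], 1
    while True:
        states.append(state)
        fb = bin(state & R1_TAPS).count("1") & 1  # feedback = XOR of tapped bits
        state = (state >> 1) | (fb << (N1 - 1))
        if state == 1:
            return states

def keystream(phase, n, seed, states):
    """n bits of y_j = x1 + x2 + x3 + x4 + x2*x3, R1 starting at states[phase]."""
    rng = random.Random(seed)
    x4, y = rng.getrandbits(1), []
    for j in range(n):
        x2, x3 = rng.getrandbits(1), rng.getrandbits(1)
        y.append((states[(phase + j) % len(states)] & 1) ^ x2 ^ x3 ^ x4 ^ (x2 & x3))
        if rng.random() < CLOCK_P:  # stop-and-go clocking of R4
            x4 = rng.getrandbits(1)
    return y

def pack(seq):  # bit sequence -> int with bit j = seq[j]
    return int("".join(map(str, reversed(seq))), 2)

def recover_r1(y, states):
    """Section 3.2: the state maximising the number of j for which
    (y_j + x1_j) + (y_{j+1} + x1_{j+1}) = 0 is returned as R1's initial state."""
    bits, mask = [s & 1 for s in states], (1 << (len(y) - 1)) - 1
    dy = (pack(y) ^ (pack(y) >> 1)) & mask  # bit j = y_j + y_{j+1}
    x = pack([bits[j % len(bits)] for j in range(len(bits) + len(y))])  # all phases
    best = (-1, None)
    for p in range(len(bits)):
        dx = ((x >> p) ^ (x >> (p + 1))) & mask  # bit j = x1_j + x1_{j+1}
        best = max(best, ((len(y) - 1) - bin(dy ^ dx).count("1"), states[p]))
    return best[1]

def plaintext_pair_fraction(z, m, x1):
    """Section 3.3: u_j = z_j + x1_j; fraction of j with m_j+m_{j+1} = u_j+u_{j+1}."""
    u = [zj ^ xj for zj, xj in zip(z, x1)]
    hits = sum((m[j] ^ m[j + 1]) == (u[j] ^ u[j + 1]) for j in range(len(z) - 1))
    return hits / (len(z) - 1)
```

With 8000 keystream bits the correct candidate scores about 0.555 of the pairs against about 0.5 for every other candidate, so it is recovered unambiguously, and the plaintext-pair fraction lands near 71/128 for any plaintext because the two statistics are identical.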
References
[1] N. Komninos, B. Honary, and M. Darnell. An efficient stream cipher Alpha1 for mobile and wireless devices. In B. Honary, editor, Cryptography and Coding — 8th IMA International Conference, UK, December 2001, number 2260 in Lecture Notes in Computer Science, pages 294–300. Springer-Verlag, Berlin, 2001.