Ciphering in GSM

[Figure: GSM network architecture. Labels: Mobile Stations; Base Station Subsystem (BTS, BSC); Exchange System (MSC, VLR); Network Management (OMC); Subscriber and terminal equipment databases (HLR, AUC, EIR); A5 Encryption.]

[Figure: ciphering in GSM. The sender (Mobile Station or Network) feeds FRAME NUMBER and Kc into A5 and combines the resulting CIPHERING SEQUENCE with the PLAINTEXT SEQUENCE to produce the CIPHERTEXT SEQUENCE. The receiver (Network or Mobile Station) feeds the same FRAME NUMBER and Kc into A5 and combines the CIPHERING SEQUENCE with the CIPHERTEXT SEQUENCE to recover the PLAINTEXT SEQUENCE.]

A5/1 Overview

“Cryptography is a mixture of mathematics and muddle, and without the muddle the mathematics can be used against you.” - Ian Cassels, a former Bletchley Park cryptanalyst.

• A5/1 is a stream cipher that is initialized all over again for every frame sent.
• It consists of 3 LFSRs of 19, 22 and 23 bits in length.
• The 3 registers are clocked in a stop/go fashion using the majority rule.

Parameters of the A5/1 Registers

| Register Number | Length in Bits | Primitive Polynomial | Clock-Controlling Bit (LSB is 0) | Bits that Are XORed |
|---|---|---|---|---|
| 1 | 19 | x^19 + x^18 + x^17 + x^16 + x^13 + 1 | 8 | 18, 17, 16, 13 |
| 2 | 22 | x^22 + x^21 + x^20 + 1 | 10 | 21, 20 |
| 3 | 23 | x^23 + x^22 + x^21 + x^20 + x^7 + 1 | 10 | 22, 21, 20, 7 |

[Figure: the three registers R1 (bits 0 to 18), R2 (bits 0 to 21) and R3 (bits 0 to 22), with their clock-controlling bits C1, C2 and C3 feeding the clock control.]

A5/1: Operation

• All 3 registers are zeroed.
• 64 cycles (without the stop/go clock):
  ◦ Each bit of Kc (lsb to msb) is XORed in parallel into the lsb's of the registers.
• 22 cycles (without the stop/go clock):
  ◦ Each bit of Fn (lsb to msb) is XORed in parallel into the lsb's of the registers.
• 100 cycles with the stop/go clock control, discarding the output.
• 228 cycles with the stop/go clock control, which produce the output bit sequence.
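The operation steps above, carried through as an added Python example (not part of the original slides). Register lengths, tap bits and clock-controlling bits are taken from the parameter table; taking each output bit as the XOR of the three registers' most significant bits is standard A5/1 behaviour that the slide text does not spell out, and the function names and sample Kc, frame number and plaintext are constructed for illustration.

```python
# Added example: A5/1 keystream generation following the slides' steps.
REGS = (  # (length, feedback tap bits, clock-controlling bit), from the table
    (19, (18, 17, 16, 13), 8),
    (22, (21, 20), 10),
    (23, (22, 21, 20, 7), 10),
)

def shift(state, length, taps):
    """Clock one LFSR: XOR the tap bits, shift left, feed the result into bit 0."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    return ((state << 1) & ((1 << length) - 1)) | fb

def clock_all(regs):
    """Clock all three registers, ignoring the stop/go rule (used while loading)."""
    return [shift(r, n, taps) for r, (n, taps, _) in zip(regs, REGS)]

def clock_majority(regs):
    """Stop/go clocking: a register moves only if its clocking bit equals the majority."""
    bits = [(r >> c) & 1 for r, (_, _, c) in zip(regs, REGS)]
    maj = 1 if sum(bits) >= 2 else 0
    return [shift(r, n, taps) if b == maj else r
            for r, b, (n, taps, _) in zip(regs, bits, REGS)]

def a51_keystream(kc, fn):
    """Return the 228 keystream bits for a 64-bit Kc and a 22-bit frame number."""
    regs = [0, 0, 0]                               # all 3 registers are zeroed
    for value, nbits in ((kc, 64), (fn, 22)):      # Kc, then Fn, lsb to msb
        for i in range(nbits):
            bit = (value >> i) & 1
            regs = [r ^ bit for r in clock_all(regs)]   # XOR into each lsb
    for _ in range(100):                           # mixing, output discarded
        regs = clock_majority(regs)
    out = []
    for _ in range(228):
        regs = clock_majority(regs)
        # Output bit: XOR of the three most significant bits (standard A5/1).
        out.append(sum(r >> (n - 1) for r, (n, _, _) in zip(regs, REGS)) & 1)
    return out

if __name__ == "__main__":
    kc, fn = 0x0123456789ABCDEF, 0x2A              # constructed sample values
    ks = a51_keystream(kc, fn)
    plaintext = [1, 0, 1, 1, 0, 0, 1, 0]           # constructed sample bits
    ciphertext = [p ^ k for p, k in zip(plaintext, ks)]
    assert [c ^ k for c, k in zip(ciphertext, ks)] == plaintext
    print("keystream:", "".join(map(str, ks)))
```

Because the registers are reloaded from Kc and the frame number for every frame, both ends derive the same 228 bits independently, and an all-zero Kc with frame number 0 leaves the registers stuck at zero.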