An Improved SCARE Cryptanalysis Against a Secret A3/A8 GSM Algorithm

Side-channel analysis has been recognized for several years as a practical and powerful means to reveal secret keys of publicly known cryptographic algorithms. Rarely this kind of cryptanalysis has been applied to reverse engineer a non-trivial part of the specifications of a proprietary algorithm. The target here is no more one’s secret key value but the undisclosed specifications of the cryptographic algorithm itself.

In [8], Novak described how to recover the content of one (out of two) substitution table of a secret instance of the A3/A8 algorithm, the authentication and session key generation algorithm for GSM networks. His attack presents however two drawbacks from a practical viewpoint. First, in order to retrieve one substitution table (

T

2

), the attacker must know the content of an other one (

T

1

). Second, the attacker must also know the value of the secret key

K

.

In this paper, we improve on Novak’s cryptanalysis and show how to retrieve

both

substitution tables (

T

1

and

T

2

)

without any prior knowledge about the secret key

. Furthermore, our attack also recovers the secret key.

With this contribution, we intend to present a practical SCARE (Side Channel Analysis for Reverse Engineering) attack, anticipate a growing interest for this new area of side-channel signal exploitation, and remind, if needed, that security cannot be achieved by obscurity alone.