Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2.

This paper presents the first publicly available cryptanalytic attacks on the GEA-1 and GEA-2 algorithms. Instead of providing full 64-bit security, we show that the initial state of GEA-1 can be recovered from as little as 65 bits of known keystream (with at least 24 bits coming from one frame) in time \(2^{40}\) GEA-1 evaluations and using 44.5 GiB of memory.