A Practical Ciphertext-Only Attack on GMR-2 System

We present a ciphertext-only attack on the GEO-Mobile Radio Interface-2 (GMR-2) system for the first time. The GMR-2 is a satellite communication standard adopted by Inmarsat, a British satellite telecommunications company that offers global mobile services. The best publicly known attack on GMR-2 is a known plaintext attack called the inversion attack, proposed by Hu et al. in 2018. It recovers the 64-bit session key in 20 milliseconds when one keystream frame (15-byte) is available. Our contributions are twofold. First, we improve the previous inversion attack using a novel approach, pre-filtration. With our improvement, we can recover the session key in 4.5 milliseconds and 0.62 milliseconds using one and two keystream frames, respectively. Second, we propose a practical ciphertext-only attack on the GMR-2 by exploiting a vulnerability in the CIPHERING MODE COMMAND message type. We find that this message type only has $2^{11}$ degrees of freedom despite being transmitted in a 184-bit format. Additionally, we find that two or more keystream frames can be derived from a single message in four of the six channels through which this message type may be transmitted. Assuming the CIPHERING MODE COMMAND message type is transmitted using one of these four channels, we can iteratively guess the message and conduct a known plaintext attack to recover the session key. Thanks to the speed improvement achieved by our pre-filtration method, our ciphertext-only attack can recover the session key in 1.3 seconds.

Briceno disclosed the A5/2 specification through reverse engineering [4]. Goldberg et al. proposed the first attack on A5/2 [5], and Barkan et al. presented a practical ciphertext-only attack [6]. Driessen et al. proposed a ciphertext-only attack on A5-GMR-1 using Barkan et al.'s attack [2], and this attack has recently been significantly improved in terms of time, data, and memory complexity by Lee et al. [7].
A5-GMR-2 has a completely different structure from A5/2. Each of the two parts of A5-GMR-2 selects one byte from the session key in every clock. Driessen et al. proposed a known plaintext attack that uses the possibility of colliding these two bytes [2]. Their read-collision based attack reduces the size of the brute-force space from $2^{64}$ to $2^{10}$ when 14-20 keystream frames are available.¹ Given 4-5 keystream frames, the brute-force space can be reduced to $2^{18}$ when the time-data tradeoff is used. Li et al. proposed the dynamic guess-and-determine attack, a low-data complexity attack, which reduces the brute-force space to $2^{28}$ using one keystream frame [8]. The best publicly known attack on A5-GMR-2 is the inversion attack that Hu et al. presented [9]. The inversion attack has three phases: table generation, dynamic table look-up, and verification. Candidate keys are reduced during table generation and dynamic table look-up phases, and during the verification phase, brute-force search is used to identify the correct key. According to [9], the inversion attack uses one keystream frame and takes approximately 20 milliseconds to recover the session key.
This study examined the GMR-2 system's security and demonstrated a practical ciphertext-only attack on it. Our contributions are twofold. First, we added a new phase called pre-filtration between the table generation and dynamic table look-up phases to enhance the inversion attack of [9]. The pre-filtration phase requires negligible time and accelerates the dynamic table look-up and verification phases. Therefore, our improved attack incorporating the pre-filtration phase takes 4.5 milliseconds and 0.62 milliseconds on average using one and two keystream frames, respectively. This demonstrates that our improved attack is 1.6 and 11.5 times faster than the original inversion attack, respectively, because our implementation of the previous inversion attack takes 7.2 milliseconds to recover the session key with one keystream frame on average. However, execution time may not provide a reliable comparison because it depends on how the attack is implemented and the environment in which it is run. To demonstrate the improved performance, we present two additional metrics that are independent of the execution environment: the total number of vertex visits, because a graph traversal is a primary process for the pre-filtration and dynamic table look-up phases, and the size of the brute-force search space for the verification phase. Table 1 presents the comparison of our and previous works based on these metrics. Our improved attack using one keystream frame requires 2.8 ($2^{1.5}$) times fewer vertex visits than the previous inversion attack. Our improved attack using two keystream frames requires 74 ($2^{6.2}$) times fewer vertex visits and has a brute-force search space that is 12 ($2^{3.6}$) times smaller than the previous inversion attack. Our table generation phase and the previous inversion attack are identical and require negligible time.
¹ The length of one keystream frame is 15 bytes.
Additionally, we found that 2.75 KB of memory is sufficient to run the previous inversion attack, while [9] indicated that 6 KB is required. Pre-filtration requires an additional 2.5 KB of memory, resulting in a memory complexity of 5.25 KB for our improved attack.
Second, we present a practical ciphertext-only attack on the GMR-2 system. Our analysis of the GMR-2 standards shows a vulnerability in the CIPHERING MODE COMMAND message type [10], [11], [12], [13]. This message is sent in a 184-bit format, with 173 of the bits being inferable, limiting the degrees of freedom to $2^{11}$. According to the standards, the CIPHERING MODE COMMAND message is sent over one of the six channels, but the information provided cannot determine the specific channel used. For each of these six channels, we determined the number of keystream frames that are derived from a single plaintext. This derivation is typically intuitive, but the diagonal interleaving of GMR-2 makes it unusual. Some frames are associated with multiple plaintexts because the diagonal interleaving mixes frames from different plaintexts during channel coding. According to our analysis, we cannot derive any keystream frames from a single plaintext in two of the six channels. In the remaining four channels, we can derive two or more keystream frames from a single plaintext. If the CIPHERING MODE COMMAND message is sent over one of these four channels, we can perform a ciphertext-only attack by guessing $2^{11}$ possible plaintexts and conducting our improved known plaintext attack. Our attack outputs the session key only if the attack is conducted using the correctly guessed plaintext; otherwise, it outputs nothing. This enables us to identify the plaintext corresponding to the given ciphertext, which enables a ciphertext-only attack. The required time is equal to the time required to repeat the known plaintext attack $2^{11}$ times. Therefore, our ciphertext-only attack can recover the session key in 1.3 seconds, thanks to the speed improvement achieved by pre-filtration. The complexity of our ciphertext-only attack is shown in Table 1.
The remainder of this paper is organized as follows. Section II gives the background of the GMR-2 system and some notations required to understand this paper and briefly describes the A5-GMR-2 stream cipher. Section III describes the inversion attack proposed by Hu et al. Section IV presents an improved known plaintext attack. Section V analyzes the relevant standards and presents a practical ciphertext-only attack. Section VI concludes the paper.

A. BACKGROUNDS
This subsection provides some technical background on the GMR-2 system. In GMR-2, the Mobile Earth Station (MES) and network send and receive messages. The MES in GMR-2 is equivalent to the Mobile Station (MS) in GSM [10], which refers to the physical equipment that the subscriber uses to gain access to the telecommunication services offered [14]. Messages are transmitted through different channels according to their purpose and type. Before a message is transmitted, it is formatted, channel-coded, mapped to one or more frames, and then encrypted frame by frame. Throughout this paper, a plaintext refers to a formatted message and a ciphertext refers to an encrypted frame. Each channel has a different channel coding scheme, and frames from different messages may be mixed during channel coding, which makes the relationship between known plaintext and known keystream frame non-intuitive. A detailed discussion on channel coding and the non-intuitive relationship between known plaintext and known keystream frame is provided in Section V.
The official standards exclude information about the GMR-2's encryption, such as the specifications of the ciphers used. Additionally, the standards do not specify which channels or message types are encrypted. Therefore, our ciphertext-only attack, proposed in Section V, focuses on the CIPHERING MODE COMMAND message type, although there are other message types with similar limited degrees of freedom. This is the only message type for which the standard mentions whether it is encrypted. The standard states that "one of three valid forms of CIPHERING MODE COMMAND is sent in ciphered mode" [12]. The details of the CIPHERING MODE COMMAND message are discussed in Section V.

B. NOTATIONS
We introduce the definitions of terms related to graph theory and several data structures required to understand this paper.
Definition 1 (Reachable [15]): In a directed graph, a vertex v is considered reachable from a vertex u if v can be reached by following the directed edges starting from u. The set of all vertices that are reachable from u is referred to as the reachable set of u.
Definition 2 (Predecessor and Successor [15]): In a directed graph, if a vertex v is reachable from a vertex u, then u is a predecessor of v, and v is a successor of u. If there is a directed edge from u to v, then u is an immediate predecessor of v, and v is an immediate successor of u.
Every vertex in the directed graph is reachable from itself, and a vertex with an outdegree one has a unique immediate successor. Definitions 4 and 5 define stack data structures, queue data structures, and some related operations.
The specification of the A5-GMR-2 stream cipher was disclosed by Driessen et al. through reverse engineering [2]. A5-GMR-2 accepts a 64-bit session key and 22-bit frame number and outputs a 15-byte keystream. It consists of three components: F, G, and H. Fig. 1 shows the overall structure of A5-GMR-2.
VOLUME 11, 2023
The following description assumes that the cipher is at the $l$-th clock and the notation $(\cdot)_x$ is used to denote a binary value of $x$ bits.

1) F-COMPONENT
In the F-component, two bytes of the session key are used. First, $\alpha$ is calculated from $c$, $p$, and $t$ as follows.
Then, $O_0$ and $O_1$ are calculated. Two functions $\tau_1$ and $\tau_2$ are defined in Table 2.
2) G-COMPONENT
Three linear transformations $B_1$, $B_2$, and $B_3$ are used for the G-component.

3) H-COMPONENT
The H-component uses two 6-bit-input and 4-bit-output S-boxes, namely $S_2$ and $S_6$, that are used in the DES block cipher [17]. A detailed description of $S_2$ and $S_6$ can be found in Table 3. Note that all values in the table are presented in hexadecimal format. Unlike DES, in A5-GMR-2, the most-significant 4 bits determine the column index and the least-significant 2 bits determine the row index. Based on the toggle bit $t$, the 1-byte keystream at the $l$-th clock, $Z_l$, is calculated as follows.

4) INITIALIZATION PHASE
The internal states of A5-GMR-2 are initialized as follows:
- c, t, and p are set to zero.
- The 64-bit session key is written into the 8-byte register K in the F-component.

5) GENERATION PHASE
Once the internal states have been initialized, the cipher is clocked to generate a keystream. Following each clock cycle, the cipher updates its internal states as follows:
- The cipher generates 1-byte $Z_l$ based on the current internal states.
The cipher is clocked 23 times, the first 8 bytes are discarded, and the next 15 bytes are used as a keystream. In the rest of this paper, we count the index of the clock after the first 8 clocks and denote the 15-byte keystream as $Z = (Z_0, Z_1, \ldots, Z_{14})$.

III. INVERSION ATTACK ON A5-GMR-2
The inversion attack, proposed by Hu et al. [9], is currently the best publicly known attack on the A5-GMR-2 cipher. This attack was named an inversion attack because it uses the inverse properties of the F-, G-, and H-component of A5-GMR-2. The phrase inverse property in this context refers to a property that allows the input to be inferred from the output.
² We omit explaining the detailed process because it is irrelevant to our attack.

A. INVERSE PROPERTY OF A5-GMR-2
This subsection introduces and combines the inverse properties of each component.

1) INVERSE PROPERTY OF H-COMPONENT
Each hexadecimal digit from 0x0 to 0xF appears exactly once in each row of Table 3. Therefore, given $Z_l$ and $l$, 3

2) INVERSE PROPERTY OF G-COMPONENT
Equation (3) can be re-written as follows: As the 12 × 12 binary matrix in Eq. (4) is invertible, given can be uniquely determined.

3) INVERSE PROPERTY OF F-COMPONENT
The following four equations can be derived from Eq. (1).

4) COMBINING INVERSE PROPERTIES OF F, G, AND H
Given $l$, $Z_l$, $S_0$, and $p$, we can combine the inverse properties of the three components to find 256 possibilities for $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$. Proposition 1 states that only one of these possibilities is compatible with the session key.

B. ATTACK PROCEDURE
Although our description of the inversion attack may slightly differ from that of [9], the underlying principle and attack complexity remain the same. These modifications aim to make our improved attack, which is described in Section IV, more understandable.
The inversion attack is divided into three phases: table generation, dynamic table look-up, and verification. The attack uses one keystream frame (15-byte) to recover the session key. We denote the 15-byte known keystream as $Z = (Z_0, Z_1, \ldots, Z_{14})$.
1) G has 8 × 256 vertices. We denote each vertex as
3) For each vertex $v_{7,j}$, where $0 \le j \le 255$, we add a self-loop on it.

2) PHASE 2: DYNAMIC TABLE LOOK-UP
Assume that there exist directed edges from $v_{i_0,j_0}$ to $v_{i_1,j_1}$ and from $v_{i_1,j_1}$ to $v_{i_2,j_2}$. The existence of these two directed edges implies that "if $K_{i_0} = j_0$ then $K_{i_1} = j_1$" and "if $K_{i_1} = j_1$ then $K_{i_2} = j_2$", respectively, which can be simplified to "if $K_{i_0} = j_0$ then $K_{i_1} = j_1$ and $K_{i_2} = j_2$." From this concept, we present Proposition 2, which generalizes the idea of combining multiple relations.
which is a contradiction. This leads us to the conclusion that $K_i \neq j$. Proposition 3 generalizes this idea.
Proposition 3: Let G be a directed graph constructed in the table generation phase. If a reachable set of vertex $v_{i,j}$ of G includes two vertices $v_{x,y}$ and $v_{x,y'}$ such that $y \neq y'$, then $v_{i,j}$ can never be compatible with the correct session key, meaning $K_i \neq j$.
All session key candidates can be mapped to $\{v_{0,j_0}, v_{1,j_1}, \cdots, v_{7,j_7}\}$, where $0 \le j_0, j_1, \cdots, j_7 \le 255$. If there exists $j_i$ such that the reachable set of $v_{i,j_i}$ includes $v_{x,y}$, where $y \neq j_x$, then $\{v_{0,j_0}, v_{1,j_1}, \cdots, v_{7,j_7}\}$ can never be the correct session key. Therefore, we can restrict the session key candidates to the sets of vertices that satisfy the following: Assume that $S = \{v_{0,j_0}, v_{1,j_1}, \cdots, v_{7,j_7}\}$, and $R_{0,j_0}, R_{1,j_1}, \cdots, R_{7,j_7}$ are the reachable sets of $v_{0,j_0}, v_{1,j_1}, \cdots, v_{7,j_7}$, then $S = R_{0,j_0} \cup R_{1,j_1} \cup \cdots \cup R_{7,j_7}$. Algorithm 1 gives the process of finding all such S in G and storing them in KC, a set of key candidates. We begin at the vertex $v_{0,0}$ and traverse the graph G by following its directed edges in a deterministic manner (Steps 13-14 and 24-26). We store the visited vertices in a stack data structure and perform operations as follows:
• If a contradiction occurs, the algorithm backtracks to a new starting point (Steps 1-11 and 15-16).
• If the desired set is found, the set is stored and then the algorithm backtracks to a new starting point (Steps 1-11 and 17-19).
• If the number of vertices visited through traversing is less than eight, the algorithm jumps to a new starting point (Steps 20-23).
• The algorithm terminates when there are no vertices to backtrack (Steps 27-29).

3) PHASE 3: VERIFICATION
During the verification phase, we find the correct one among the session key candidates in KC that is obtained during the dynamic table look-up phase. We pick a key candidate and check if the cipher generates the given keystream with the picked key candidate. According to the previous work [9], only one of the key candidates generates the known keystream with a 97.2% probability. Otherwise (worst case), multiple candidates generate the given keystream and the adversary cannot uniquely determine the correct session key. Previous work stated that even in the worst-case scenario, the adversary can determine the correct session key if only one additional keystream byte is provided. However, this argument is flawed because, in GMR-2, the size of the frame is fixed to 15 bytes, that is, the cipher never generates the 16th keystream byte. Instead, to determine the correct session key in the worst-case scenario, the adversary needs one more keystream frame.

C. COMPLEXITY ANALYSIS
Hu et al. stated that the inversion attack recovers the session key in an average of 20 milliseconds and requires 6 KB memory [9]. For a fair comparison with our improved attack discussed in Section IV, we implement the inversion attack directly on our computer. Our implementation takes 7.2 milliseconds to recover the session key.⁵ The only memory required is for storing the directed graph G constructed in the table generation phase. For $v_{i,j}$ in G, assume that $v_{x,y}$ is an immediate successor of $v_{i,j}$. We store x and y using i and j as indices. Because we need 3 bits and 8 bits to store x and y, respectively, our implementation only requires 2.75 KB (= 2048 × 11 bits) of memory.

IV. IMPROVED KNOWN PLAINTEXT ATTACK
We introduce a new phase called the pre-filtration phase and add it between the table generation and dynamic table lookup phases to improve the time complexity of the inversion attack. The pre-filtration phase requires negligible time, but significantly reduces the time required for the dynamic table lookup and verification phases, which results in an overall time complexity reduction.

A. NEW PHASE: PRE-FILTRATION
First, we define the black vertex and dead vertex as Definition 5 and the reachable index set as Definition 6. According to Proposition 3, a dead vertex can never be an element of the set we are looking for in the dynamic table look-up phase. Therefore, traversing a dead vertex in the dynamic table look-up phase is futile. We effectively find all dead vertices and exclude them from G to reduce the time complexity of the dynamic table look-up phase.
⁵ We use our implementation of the previous inversion attack for comparison with our improved attack. Additionally, we present two more metrics other than execution time to demonstrate improvement in Section IV.

Definition 5 (Black Vertex and Dead Vertex): Let G be a directed graph constructed in the table generation phase. For a vertex v in G, v is called a dead vertex if its reachable set includes any pair of vertices
Algorithm 2 gives the process of classifying all vertices in graph G as either black or dead. We traverse the graph G following the directed edges and use a queue, Q, to store the path of the visited vertices. For simplicity of explanation, we call a vertex a white vertex if we do not yet know whether it is a black or dead vertex, and a gray vertex if it is in Q.
We initially set all 2048 vertices to white and operate based on the following five rules: Rule 1 outlines the action to take when the queue Q is empty, and Rules 2-5 explain the operation for the remaining cases. In Rules 2-5, $v_{cur}$ refers to the last vertex pushed to Q and $v_{i,j}$ refers to the immediate successor of $v_{cur}$ (Steps 3, 6, and 11).
If $v_{i,j}$ is a gray vertex, this implies that all the vertices in Q are black vertices. As we pop vertices one by one from Q, we store the reachable index set of each vertex. Note that a cycle is formed from $v_{i,j}$ (Steps 13-17).
• Rule 4: If $v_{i,j}$ is a black vertex, let $R_{idx}$ be its reachable index set. Suppose that there exist x and y such that $v_{x,y}$ is in Q and x is in $R_{idx}$. Then, there must exist a $y'$ such that the vertex $v_{x,y'}$ is reachable from $v_{i,j}$. Given that $v_{i,j}$ is black, we know that $v_{x,y'}$ is also black. Additionally, because $v_{x,y}$ is gray, we must have $y \neq y'$. This causes a contradiction. We pop vertices while such $v_{x,y}$ exist in Q and classify them as dead. The remaining vertices in Q are black. As we pop the remaining vertices one by one from Q, we store the reachable index set of each vertex.

Algorithm 2 Pre-Filtration
Input: G, a directed graph constructed in the table generation phase
Classify v as dead.
Go to Step 7.
13 else if $v_{i,j}$ is gray then
14 while Q is not empty do
15 v ← Q.pop
16 Classify v as black
17 Store the reachable index set of v.
Classify v as dead.

We now explain how to extend the pre-filtration phase given two keystream frames. We conduct the table generation and pre-filtration phase with the first known keystream frame. Then, we independently conduct the table generation phase with the second known keystream frame. Let the resulting graph be G. Before starting the pre-filtration phase on G, we initialize the vertices as follows: If a vertex $v_{i,j}$ is determined to be a black vertex after the pre-filtration phase with the first keystream frame, we initialize $v_{i,j}$ to a white vertex. Otherwise, it is initialized as a dead vertex. Following the second pre-filtration, far fewer vertices are classified as black, which significantly reduces the time required for the dynamic table look-up phase. Additionally, the size of the KC is also reduced, which significantly reduces the time required for the verification phase.
Table 1 lists the results of testing the inversion attack and our attack 10,000 times each. For a fair comparison, we present not only the average execution time but also two additional metrics that are not influenced by the execution environment. The first metric is the number of vertex visits during the pre-filtration and dynamic table look-up phases. Because traversing the graph is the main process for both the pre-filtration and dynamic table look-up phases, it is a fair metric to validate the speedup of the dynamic table look-up phase. The second metric is the size of the brute-force space (the size of KC), which allows a direct comparison of the time required for the verification phase. Our implementation of the previous inversion attack takes 7.2 milliseconds to recover the session key, requires $2^{19}$ vertex visits for the dynamic table look-up phase, and has the brute-force space size of $2^{12.8}$. Our improved inversion attack with one keystream frame takes 4.5 milliseconds to recover the session key, requires $2^{17.5}$ vertex visits for the pre-filtration and dynamic table look-up phase, and has the brute-force space size of $2^{12.8}$. Our improved inversion attack with two keystream frames takes 0.62 milliseconds to recover the session key, requires $2^{12.8}$ vertex visits for the pre-filtration and dynamic table look-up phase, and has the brute-force space size of $2^{9.2}$. The results are summarized in Table 1.

B. COMPLEXITY ANALYSIS
The experimental results demonstrate that, compared with the previous inversion attack, our improved attacks are between 1.6 and 11.5 times better in terms of time complexity. To store the reachable index set and state (white, gray, black, or dead) of each vertex, 8 bits and 2 bits are required, respectively. Therefore, the memory complexity of our attack is 5.25 KB (= 2.75 KB + 2048 × 10 bits).
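The black/dead classification of Proposition 3 and the pre-filtration phase can be illustrated on a stand-in graph. The following is an added example, not the authors' Algorithm 2 or their implementation: it assumes every vertex has exactly one immediate successor (consistent with the 11 bits stored per vertex), represents the reachable index set as an 8-bit mask, and uses a constructed random graph in place of the table-generation output; all function names are hypothetical.

```python
import random

N_IDX, N_VAL = 8, 256          # vertex v_{i,j}: key-byte index i, byte value j
DEAD = None                    # state of a dead vertex; black vertices map to a bitmask


def build_constructed_graph(seed=1):
    """Constructed stand-in for the table-generation graph (random, not cipher-derived).

    Every vertex gets exactly one immediate successor; v_{7,j} gets a self-loop.
    """
    rng = random.Random(seed)
    succ = {}
    for i in range(N_IDX):
        for j in range(N_VAL):
            if i == N_IDX - 1:
                succ[(i, j)] = (i, j)
            else:
                succ[(i, j)] = (rng.randrange(N_IDX), rng.randrange(N_VAL))
    return succ


def _cycle_mask(cycle):
    """Index mask of a cycle, or DEAD if two of its (distinct) vertices share an index."""
    mask = 0
    for x, _ in cycle:
        if (mask >> x) & 1:
            return DEAD
        mask |= 1 << x
    return mask


def classify(succ):
    """Map each vertex to DEAD or to the bitmask of its reachable index set.

    Vertices missing from `state` play the role of white vertices and `pos`
    holds the gray ones (the current path). Each vertex is classified once.
    """
    state = {}
    for start in succ:
        if start in state:
            continue
        path, pos = [], {}
        v = start
        while v not in state and v not in pos:
            pos[v] = len(path)
            path.append(v)
            v = succ[v]
        if v in state:                      # ran into an already classified vertex
            tail, mask = path, state[v]
        else:                               # ran into a gray vertex: a cycle closed
            cycle, tail = path[pos[v]:], path[:pos[v]]
            mask = _cycle_mask(cycle)
            for c in cycle:
                state[c] = mask
        # Unwind the path from its end. A vertex whose index already appears in
        # its successor's reachable index set contradicts it (Proposition 3),
        # and every vertex that leads to a dead vertex is dead as well.
        for x, y in reversed(tail):
            if mask is DEAD or (mask >> x) & 1:
                mask = DEAD
            else:
                mask |= 1 << x
            state[(x, y)] = mask
    return state


def is_dead_reference(succ, v):
    """Direct check of Proposition 3 by walking the whole reachable set of v."""
    seen = {}
    while True:
        x, y = v
        if x in seen:
            return seen[x] != y             # same index, other value: contradiction
        seen[x] = y
        v = succ[v]


def count_black(state):
    """Number of vertices that survive the filtration."""
    return sum(1 for m in state.values() if m is not DEAD)


if __name__ == "__main__":
    g = build_constructed_graph()
    st = classify(g)
    agree = all((st[v] is DEAD) == is_dead_reference(g, v) for v in g)
    print(f"black: {count_black(st)} of {len(g)}, matches reference: {agree}")
```

The memoized pass touches each vertex once, while the reference check re-walks every path; both must agree on which vertices are dead.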

V. CIPHERTEXT-ONLY ATTACK ON GMR-2
This section presents a practical ciphertext-only attack on the GMR-2 system. We identify a vulnerability in the GMR-2 system by analyzing the relevant standards [11], [12] and develop a ciphertext-only attack based on it. Our attack specifically targets the CIPHERING MODE COMMAND message. We limit the degrees of freedom of this message type to $2^{11}$ by inferring all but 11 bits. We also find the six channels through which the CIPHERING MODE COMMAND message might be transmitted. We analyze these six channels and demonstrate that if the four specific channels among them are used to transmit CIPHERING MODE COMMAND messages, the session key can be recovered through a ciphertext-only attack.

A. INFERRING CIPHERING MODE COMMAND MESSAGE
The GMR-2 standard provides a secure satellite communication system; however, our examination of the standards reveals a vulnerability that allows for the inference of certain messages, specifically those of type CIPHERING MODE COMMAND. This subsection presents the process of inferring all but 11 bits of the CIPHERING MODE COMMAND plaintext based on two GMR-2 standards [11] and [12].
First, we identify the key clauses in [12]. Clause 10.1.9 provides the functional definitions and contents of the CIPHERING MODE COMMAND message. This message is sent on the main Satellite Dedicated Control Channel (S-DCCH) from the network to the MES, to indicate whether ciphering will be performed or not. The contents are three bytes long as shown in Fig. 5. Clause 4.4.7.2 defines three valid CIPHERING MODE COMMAND message formats, but we concentrate on only one transmitted in ciphered mode. This form indicates no ciphering and is received by the MES in ciphered mode. The other two forms are transmitted in not ciphered mode. Therefore, we can deduce that all encrypted CIPHERING MODE COMMAND messages indicate no ciphering. The value of contents can be inferred from Clause 11.⁶ According to Clause 11.2, the protocol discriminator for the radio resource (RR) management message is represented by the 4-bit value of 0110. Clause 11.3 states that any message received with a skip indicator other than 0000 should be ignored. The 8-bit message type for the CIPHERING MODE COMMAND message is defined in Clause 11.4 as 00110101. According to Clauses 11.5.2.9 and 11.5.2.10, the configuration of the 1 byte for ciphering mode setting and cipher response is shown in Fig. 6. In the case of the message indicating no ciphering, the 1-bit SC is set to 1. The 3-bit algorithm indicator is set to 000 if SC is 1. The 3-bit spare is always set to 000. The CR, a 1-bit value, is used to indicate information that should be included in the response to the CIPHERING MODE COMMAND message, and we cannot infer its value.
We now examine the key clauses in [11] to understand the content formatting and deduce the remaining bits. According to Clause 5.1, the frame format used for the CIPHERING MODE COMMAND message is as shown in Fig. 7.⁷ Clauses 5.3, 5.4, and 5.5 specify that the address field, control field, and length indicator field are each 1 byte long. Clause 8.8.3 details the maximum length of the information field for each channel, with a 20-byte limit for the main S-DCCH. The total length of the information field and the fill bits is equal to the maximum length of the information field. If the content length is less than the maximum length of the information field, the remaining space is allocated to the fill bits. Because the contents of the CIPHERING MODE COMMAND message are three bytes long, the information field is 3 bytes long, and the remaining 17 bytes are allocated to the fill bits.
⁶ The detailed use of each element, which is defined in [18], will not be covered because it falls outside the scope of this paper.
⁷ The length of each field shown in Fig. 7 is specific to the CIPHERING MODE COMMAND message and may differ for other message types.
Clause 5.2 specifies that all bytes of the fill bits in messages sent by the network must be set to the binary value 00101011. The formats of other fields are described in Clause 6. Clause 6.1 states that the spare bits are set to 0. Clause 6.2 outlines the address field's format and is shown in Fig. 8. Clause 6.2 also describes the 2-bit link protocol discriminator (LPD), but we cannot determine its value from the information provided. Further details regarding the variables are outlined in Clause 6.3. The address field extension bit (EA) is used to manage situations in which the length of the address field is extended. Because the address field in our target message is 1 byte long, EA is set to 1. The command/response field (C/R) bit indicates whether a frame is a command or a response. Our target message is a command from the network to the MES; therefore, C/R is set to 1. Clause 6.3.3 states that the service access point identifier (SAPI) for radio resource management messages is set to 000. Clause 6.4 describes the format of the control field, but we cannot determine its value from the information provided. Clause 6.6 details the format of the length indicator field, as shown in Fig. 9. The length indicator field extension (EL) bit is used to manage situations in which the length of the length indicator field is extended. Because the length indicator field in our target message is 1 byte long, EL is set to 1.
The more data bit (M) is used to indicate the segmentation of frames. The information field in our target message is set to 3 bytes long, which is less than the maximum length of 20 bytes. Therefore, segmentation is not required, and M is set to 0. The length indicator (L) indicates the length of the information field. Because the information field in our target message is 3 bytes long, L takes the binary value 000011.
In the previous subsection, we discovered that the CIPHERING MODE COMMAND is sent on the main S-DCCH. Clause 3.1 of [12] states that S-FACCH or S-SDCCH is called the main S-DCCH in GMR-2. According to the standard [13], 4 S-FACCHs (S-FACCH/Q2.4, H2.4, QBS, HRS) and 2 S-SDCCHs (S-SDCCH/E, Q) are supported in the GMR-2 system. We analyze how a plaintext corresponds to a keystream in each of these six channels.
We use S-FACCH/HR2.4 (Satellite Fast S-TCH/HR2.4 Associated Control Channel) as an example. In S-FACCH/HR2.4, a plaintext is channel coded as follows: A plaintext of 184 bits is first extended with the 40-bit fire code and 24 zeros, resulting in a block of 248 bits. This block is then encoded using a 1/4, 64-state convolutional code, and 32 coded bits are punctured, leading to a length of 960 bits, represented as $c = \{c(0), c(1), \cdots, c(959)\}$. Then, $c$ is split into two 480-bit blocks, $ce$ and $co$, as follows: $ce(k) = c(2k)$, $co(k) = c(2k + 1)$ for $k = 0, 1, \cdots, 479$. $ce$ is then divided into four equal parts, each consisting of 120 bits. The first part, SubGroup$_1$, consists of c(0) to c(119); the second part, SubGroup$_2$, consists of c(120) to c(239); and so on. We denote SubGroup$_i$ as $ce_i = \{ce_i(0), \cdots, ce_i(119)\}$. Then, 15 SubGroups, SubGroup$_{-6}$ to SubGroup$_8$, are diagonally interleaved together. Note that for $i \le 0$, SubGroup$_i$ represents 120 coded bits from the previous data, and for $i > 4$, SubGroup$_i$ represents 120 coded bits from the subsequent data. Set it to 120 zero bits, if there is no such data. Among the diagonally interleaved blocks, there are 11 blocks related to the current data. We denote them from known plaintext corresponds to a known keystream for each channel.

C. SESSION KEY RECOVERY WITH INFERRED MESSAGE
We can infer all but 11 bits of the CIPHERING MODE COMMAND message from the previous subsection. We also know that, given a single plaintext, we can derive at least two complete keystream frames in S-SDCCH/E, S-SDCCH/Q, S-FACCH/QBS, and S-FACCH/HRS.
If one of these four channels is used to transmit the CIPHERING MODE COMMAND message, we can perform a ciphertext-only attack by guessing $2^{11}$ possible plaintexts, computing the corresponding keystream frames, and conducting our improved known plaintext attack with those keystream frames. Our attack only outputs the session key if the attack is conducted with the keystream from the correctly guessed message; otherwise, it outputs nothing. This allows us to distinguish the message corresponding to the given ciphertext and recover the session key. The required time is approximately 1.3 seconds, which is equal to the time required to repeat the known plaintext attack $2^{11}$ times.
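The predictability figure from Section V.A (173 inferable bits out of 184) can be checked by packing the frame field by field and measuring which bit positions ever change. This is an added example, not code from the paper: the field names, the bit order inside each byte (Figs. 6-9 are not reproduced here), and the function names are assumptions, while the field widths and fixed values are the ones stated in the text.

```python
from itertools import product

FILL_BYTE = 0b00101011   # fill pattern for frames sent by the network (Clause 5.2 of [11])

# (field name, width in bits, value) in assumed transmission order. A value of
# None marks a field that the text says cannot be inferred from the standards.
FIELDS = [
    ("address.spare", 1, 0),
    ("address.LPD", 2, None),
    ("address.SAPI", 3, 0b000),
    ("address.C/R", 1, 1),
    ("address.EA", 1, 1),
    ("control", 8, None),
    ("length.L", 6, 0b000011),
    ("length.M", 1, 0),
    ("length.EL", 1, 1),
    ("info.skip_indicator", 4, 0b0000),
    ("info.protocol_discriminator", 4, 0b0110),
    ("info.message_type", 8, 0b00110101),
    ("info.SC", 1, 1),
    ("info.algorithm_indicator", 3, 0b000),
    ("info.spare", 3, 0b000),
    ("info.CR", 1, None),
] + [(f"fill[{k}]", 8, FILL_BYTE) for k in range(17)]

FREE_FIELDS = [(name, width) for name, width, value in FIELDS if value is None]


def build_frame(free_values):
    """Pack all fields MSB-first into the formatted message.

    `free_values` maps every non-inferable field name to the value to use.
    """
    acc, nbits = 0, 0
    for name, width, fixed in FIELDS:
        value = free_values[name] if fixed is None else fixed
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        acc = (acc << width) | value
        nbits += width
    if nbits % 8:
        raise ValueError("field widths do not add up to whole bytes")
    return acc.to_bytes(nbits // 8, "big")


def predictability():
    """Enumerate every assignment of the free fields and count varying bit positions."""
    total = sum(width for _, width, _ in FIELDS)
    all_and, all_or = (1 << total) - 1, 0
    frames = set()
    names = [name for name, _ in FREE_FIELDS]
    for values in product(*(range(1 << width) for _, width in FREE_FIELDS)):
        frame = build_frame(dict(zip(names, values)))
        as_int = int.from_bytes(frame, "big")
        all_and &= as_int               # bits that are 1 in every frame
        all_or |= as_int                # bits that are 1 in at least one frame
        frames.add(frame)
    varying = bin(all_and ^ all_or).count("1")
    return {
        "total_bits": total,
        "constant_bits": total - varying,
        "varying_bits": varying,
        "distinct_frames": len(frames),
    }


if __name__ == "__main__":
    print(predictability())
    print(build_frame({"address.LPD": 0, "control": 0, "info.CR": 0}).hex())
```

Of the 173 constant bits, 136 come from the 17 fill bytes alone, which is why a short fixed-format message padded with a constant pattern is so predictable once it is ciphered.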

VI. CONCLUSION
In this study, we analyzed the security of the GMR-2 satellite communication standard. First, we proposed an improved inversion attack on A5-GMR-2. Our attack, using pre-filtration, recovers the session key within 4.5 milliseconds given one keystream frame and within 0.62 milliseconds given two keystream frames. Additionally, we investigated the relationship between known plaintext and keystream frames in each channel of GMR-2. Our analysis revealed that in some channels, two or more keystream frames are derived from a single plaintext, making the speedup of our attack given two keystream frames more significant. Furthermore, we discovered that GMR-2 uses an inferrable message type. By combining our inversion attack with pre-filtration and the presence of inferrable message types, we presented a practical-time ciphertext-only attack on GMR-2 systems for the first time.