Cryptanalysis of the DECT Standard Cipher Karsten Nohl 1 and Erik Tews 2 and Ralf-Philipp Weinmann 3 1 University of Virginia, 2 Technische Universit¨ at Darmstadt, 3 University of Luxembourg nohl@cs.virginia.edu, e tews@cdc.informatik.tu-darmstadt.de, ralf-philipp.weinmann@uni.lu Abstract. The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output com- biner. The cipher is meant to provide confidentiality for cordless tele- phony. This paper illustrates how the DSC was reverse-engineered from a hardware implementation using custom firmware and information on the structure of the cipher gathered from a patent. Beyond disclosing the DSC, the paper proposes a practical attack against DSC that recovers the secret key from 2 15 keystreams on a standard PC with a success rate of 50% within hours; somewhat faster when a CUDA graphics adapter is available. Keywords: DECT, DECT Standard Cipher, stream cipher, cryptanalysis, linear feedback shift register. 1 Introduction Cordless phones using the Digital Enhanced Cordless Telecommunications stan- dard (DECT) are among the most widely deployed security technologies with 90 million new handsets shipping every year [1]. However, DECT does not pro- vide sufficient security for its intended application ’cordless telephony’ as it fails to deliver confidentiality and access control. The technology is also popular in other applications with even higher secu- rity needs including machine automation, building access control, alarm sys- tems, and wireless credit card terminals [2]. DECT’s need for security is covered by two proprietary algorithms: The DECT Standard Authentication Algorithm (DSAA) for authentication [3] and the DECT Standard Cipher (DSC) for encryption. The first attacks on DECT be- came known in 2008 [3]. Researchers demonstrated that encryption and even authentication could easily be switched off due to insecure DECT implemen- tations that do not enforce them. Furthermore, the researchers observed that even when security is switched on, many devices use highly predictable ran- dom numbers thereby undermining the level of protection the DSC aims to achieve.