Page 1: Reduction of the key space of the cipher A5/1 and invertibility of the next-state function for a stream generator

ISSN 1990-4789, Journal of Applied and Industrial Mathematics, 2012, Vol. 6, No. 2, pp. 194–202. © Pleiades Publishing, Ltd., 2012.
Original Russian Text © S. A. Kiselev, N. N. Tokareva, 2011, published in Diskretnyi Analiz i Issledovanie Operatsii, 2011, Vol. 18, No. 2, pp. 51–63.

Reduction of the Key Space of the Cipher A5/1 and Invertibility of the Next-State Function for a Stream Generator

S. A. Kiselev 1,2,* and N. N. Tokareva 1,2,**

1 Sobolev Institute of Mathematics, pr. Akad. Koptyuga 4, Novosibirsk, 630090 Russia
2 Novosibirsk State University, ul. Pirogova 2, Novosibirsk, 630090 Russia

Received June 24, 2010; in final form, February 19, 2011

Abstract. We study stream ciphers based on feedback shift registers. For a stream generator (in general form), we prove a theorem which allows us to equate the concept of invertibility of the next-state function and the concept of recurrency of the shift control function. Then we study the generator of the stream cipher A5/1, used in the GSM cellular telephone standard to ensure the confidentiality of conversations. For this generator, we count the number of states that can be obtained after t clock cycles from the initial states without predecessors and cannot be obtained in this way after a smaller number of cycles. We show how the key space of A5/1 shrinks exponentially while clocking. The results can be used directly in the cryptanalysis of A5/1.

DOI: 10.1134/S199047891202007X

Keywords: stream cipher, feedback shift register, A5/1

INTRODUCTION

GSM (Groupe Spécial Mobile) is a global digital standard for mobile cellular communications developed in the late 1980s. The GSM security system rests on three algorithms: the A3 authentication algorithm, the A8 session key generation algorithm, and the A5 speech encryption algorithm, which ensures the confidentiality of conversations between the subscriber and the base station. A mobile station (phone) holds a smart card (the SIM) containing A3 and A8, whereas the phone itself has an ASIC chip implementing A5. The base stations are likewise equipped with the A5 ASIC chip, and the authentication center uses A3 and A8 to identify a mobile subscriber and to generate the session key. GSM uses two main variants of A5: A5/1, the stronger version of the cipher intended for selected countries (including Russia), and A5/2, a weakened version for all others.

A cryptanalysis of A5/2 was proposed in 1999 by Wagner and Goldberg [8]; its complexity is about 2^19 bit operations. Attacks on A5/1 began in 1994, immediately after the leak of information from British Telecom [2]. In June 1994, Dr. Simon Shepherd of Bradford University was due to present his correlation attack on A5/1 at an IEEE colloquium in London [7], but at the last moment the talk was blocked by the UK Government Communications Headquarters (GCHQ). The best-known current results are the papers by Golic [5] and by Biryukov, Shamir, and Wagner [3], which use related ideas such as the birthday paradox and the time-memory tradeoff; the theoretical complexity of their methods is about 2^40 bit operations. They partially studied the graph of all states of A5/1: they gave the fractions of states with 0, 1, 2, 3, and 4 predecessors, and they studied the structure of randomly generated trees (individually selected from the graph of all states). Note that the same key stream (or gamma) of arbitrary length can be generated from different secret keys (i.e., states of A5/1). Such situations are called collisions; examples are given in [6], and searching for them proved to be quite time-consuming. We performed an analytical study of these situations.

* E-mail: [email protected]
** E-mail: [email protected]

1. ON INVERTIBILITY OF THE NEXT-STATE FUNCTION

In this section, we prove a theorem that allows us to equate the concept of invertibility of the next-state function and the concept of recurrency of the shift control function.

A feedback shift register consists of two parts: the shift register itself and a feedback function. The register consists of bits; its length is the number of bits. A state of the register is an arbitrary assignment of values to its bits. On a clock cycle, all bits of the current state are shifted left by one position; the leftmost bit goes to the gamma, and the new rightmost bit is computed by the feedback function from the bits of the register.

Consider a stream generator of a pseudorandom sequence consisting of k feedback shift registers. A state of the generator is a binary vector x of length n whose bits fill, in order, all bits of all k registers, where n is the sum of the lengths of the registers. The key space of the generator is the set of all its possible states, i.e., the set of all binary vectors of length n.

At each clock cycle, not all registers need to be shifted. Which ones are is determined by a shift control function, a vector Boolean function

$c : \mathbb{Z}_2^n \to \mathbb{Z}_2^k, \quad c(x) = (y_1, \dots, y_k),$

such that, if the generator is in the state x, then during the next clock cycle the state of the jth register is shifted if and only if y_j = 1. Each register j has its own feedback function f_j. The next-state function is the vector Boolean function $\mathrm{next} : \mathbb{Z}_2^n \to \mathbb{Z}_2^n$ which, in accordance with the shift control function and the feedback functions, determines the next state: next(x) = x′. In this case we say that x is a predecessor of the state x′ or, equivalently, that x′ is the successor of the state x.

We write the state x in the form x = (x_1, …, x_k), where x_j is the state vector of the jth shift register, and similarly for x′. Then the next-state function next : x → x′ is conveniently represented as a set of k vector Boolean functions next_j : x_j → x′_j, one for each register that is shifted. It is easy to show the following.

Lemma 1. The function next_j is invertible if and only if f_j is linear in the last variable (the bit that is shifted out of the register).

Let x′ = next(x). We say that the shift control function possesses the property of recurrency if, for every state x′, the vector c(x) can be recovered uniquely from x′ (that is, x′ determines which registers were shifted on the last clock cycle).

Theorem 1. Suppose that, for all j = 1, …, k, the function f_j is linear in the last variable. Then the next-state function is invertible if and only if the shift control function possesses the property of recurrency.

Proof. Necessity: Let the function next be invertible. Then, for every x′, we can recover the state x and hence compute c(x). Thus x′ determines the value c(x).

Sufficiency: Let c possess the property of recurrency. We show that next is invertible, i.e., that x is recovered uniquely from x′. Suppose not. Then there are two states x and z of the generator such that x ≠ z and x′ = z′, where x′ = next(x) and z′ = next(z). Without loss of generality, assume that x and z differ in the first register (there is always a register in which they differ, and we take it to be the first); i.e., x_1 ≠ z_1 while x′_1 = z′_1. Since the shift control function has the property of recurrency and x′ = z′, we have c(x) = c(z).

This means that, during the transitions from x to x′ and from z to z′, the state of the first register was either shifted in both cases or shifted in neither. If there was no shift, then x_1 = z_1 = x′_1 = z′_1, which is false. If there was a shift, then x_1 = z_1 because next_1 is invertible by Lemma 1. In both cases we obtain a contradiction with our assumption. Hence next is invertible.

The proof of Theorem 1 is complete.

JOURNAL OF APPLIED AND INDUSTRIAL MATHEMATICS Vol. 6 No. 2 2012

[Fig. 1. The three registers of A5/1 drawn one under another, bit 0 at the right: R1 (bits 18…0, control bit a1 at bit 8, taps at bits 18, 17, 16, 13), R2 (bits 21…0, control bit a2 at bit 10, taps at bits 21, 20), R3 (bits 22…0, control bit a3 at bit 10, taps at bits 22, 21, 20, 7). The tap bits are shaded.]

Thus, we reduce such a complex issue as the invertibility of the rather cumbersome function next to studying the recurrency property of the much simpler shift control function.

For example, for the A5/1 stream generator, the question of invertibility of the function $\mathrm{next} : \mathbb{Z}_2^{64} \to \mathbb{Z}_2^{64}$ reduces to the study of the function $c : \mathbb{Z}_2^{3} \to \mathbb{Z}_2^{3}$ (the shift control depends only on the three control bits).

2. STUDY OF THE STREAM GENERATOR OF A5/1

2.1. Description

A5/1 is a stream cipher used to ensure the confidentiality of data transmitted between the phone and the base station in the pan-European digital cellular system GSM. In A5/1, the pseudorandom sequence is produced by three linear feedback shift registers of lengths 19, 22, and 23 bits, respectively. The shifts are controlled by the majority function m(a1, a2, a3) = a1a2 ∨ a2a3 ∨ a1a3. Namely, each register has a control bit: bit 8 of the first register (denote it by a1), bit 10 of the second (a2), and bit 10 of the third (a3); bits are numbered from right to left, starting at 0. At the next clock cycle, only those registers are shifted whose control bit coincides with the value of m (so at least two registers are shifted at every cycle). The shift control function and m(a1, a2, a3) are related as follows:

c(x) = (a1 ≡ m, a2 ≡ m, a3 ≡ m).

The leftmost bits of the three registers are summed modulo two, and the result is the next bit of the gamma. The gamma is added to the plaintext, which yields the ciphertext. One key (together with the frame number) generates 114 bits of gamma for each direction of a frame. The linear feedback functions are conveniently written as polynomials, assigning to each bit of the register the corresponding power of the variable x. In A5/1 the feedback functions are given by the following polynomials:

$x^{19} + x^{18} + x^{17} + x^{14} + 1$ for R1,

$x^{22} + x^{21} + 1$ for R2,

$x^{23} + x^{22} + x^{21} + x^{8} + 1$ for R3.

For example, in the first register the bits with numbers 18, 17, 16, and 13 are summed (bits are numbered from right to left, starting at 0), and the result becomes the new value of the rightmost bit (see Fig. 1).

In Fig. 1, the control bits are denoted by a1, a2, and a3, and the darker color marks the tap bits, i.e., the bits on which the feedback functions depend.

[Fig. 2. A state template with six fixed bits: in every register the control bit a_j and the bit b_j to its left are fixed, with a1 = a2 = 0, a3 = 1 and b1 = b2 = b3 = 1; the remaining 58 bits are arbitrary.]

2.2. Analysis of the Shift Control Function

We introduce the following definition. A state template is a set of states of the generator in which some bits are fixed to specific values and the others are free. For example, if we choose and fix four bits, then the template consists of 2^60 states, because the remaining sixty bits can be assigned in exactly that many ways.

Proposition 1. The shift control function of the generator for A5/1 does not have the propertyof recurrency.

Proof. A counterexample suffices. Consider the state template with six fixed bits shown in Fig. 2.

For each state of this template it is impossible to determine which registers were shifted during the last clock cycle: the predecessor could have shifted the first and the third registers, the second and the third, or all three. Indeed, a shifted register had b_j as its control bit before the shift and an unshifted one had a_j, so the control bits of the three candidate predecessors are (1, 0, 1), (0, 1, 1), and (1, 1, 1), and the majority rule shifts exactly the registers in question in each case. This means that the shift control function does not possess the property of recurrency. The proof is over.

Proposition 1 and Theorem 1 imply that, for the A5/1 generator, the next-state function is not invertible.

2.3. Count of the Number of t-Prime States

We introduce the following definitions. A state without predecessors is a state of the generator that cannot be obtained from any other state. A t-prime state of the generator, where t is an integer, t ≥ 0, is a state that is obtained after t clock cycles from some state without predecessors and cannot be obtained in this way after a smaller number of cycles.

Obviously, the 0-prime states are precisely the states without predecessors. The number of t-prime states is denoted by N_t.

We denote the control bits of the registers by a1, a2, and a3, whereas the bits to the left of the controlbits are denoted by b1, b2, and b3.

Proposition 2. N_0 = 3 · 2^61.

Proof. Fix b1, b2, and b3 and leave the remaining bits arbitrary. This splits the set of all states of the generator into eight templates. Every state of the templates defined by the vectors (000) and (111) obviously has a predecessor: it can be obtained by shifting all three registers.

Consider now the six templates in which these bits contain both 0s and 1s; for example, the template defined by the vector (101). We split it into two subtemplates by fixing a fourth bit, namely a2. If a2 = 0, then every state of the subtemplate has a predecessor: it can be obtained in the last clock cycle by shifting the first and the third registers. Consider the subtemplate with a2 = 1, shown in Fig. 3.

[Fig. 3. The subtemplate of Proposition 2 with b1 = 1, b2 = 0, b3 = 1 and a2 = 1; all other bits are free.]

We prove that the states of this subtemplate have no predecessors. Suppose that a state s′ of the subtemplate has a predecessor s. If the second register was shifted in the transition from s to s′, then a2(s) = b2(s′) = 0. Since b1(s′) = 1 and b3(s′) = 1, the first and the third registers could not have been shifted as well (their control bits would have been 1 while a2(s) = 0, and the majority rule cannot shift registers with different control bits), which is impossible because at least two registers are shifted at every clock cycle. Hence the second register was not shifted, and so the first and the third registers had to be shifted; but then a1(s) = b1(s′) = 1, a3(s) = b3(s′) = 1, and a2(s) = a2(s′) = 1, so the second register must have been shifted as well, a contradiction. This means that no state s′ of this subtemplate, which has size 2^60, has a predecessor.

The same argument applies to the remaining five templates defined by the bits b1, b2, b3. Thus the number N_0 of states without predecessors is

N_0 = 6 · 2^60 = 3 · 2^61.

The proof of Proposition 2 is complete.
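The generator of Section 2.1 and the predecessor arguments of Propositions 1 and 2 can be checked mechanically. The following Python program is an added example (not the authors' code): it implements the three registers with the taps and control bits given above, clocks them by the majority rule, inverts a single register shift as Lemma 1 allows (the top bit is recovered from the feedback equation), and enumerates the predecessors of a state by trying each of the four possible shift patterns. On states drawn from the template of Fig. 2 it finds three feasible patterns (so c(x) is not recoverable from x′), on the subtemplate of Fig. 3 it finds none, and on random states the share without predecessors is close to 3/8, as Proposition 2 says. Key and frame-number loading are not modelled: the program starts from an arbitrary 64-bit state, which is what the paper calls the key space. Output bits are taken after clocking; the names FIG2, FIG3 and the sampling helpers are ours.

```python
"""A5/1 generator, predecessor enumeration and the templates of Figs. 2 and 3.
Added example, not the authors' code.  The generator is started from an
arbitrary 64-bit state (the paper's key space); key and frame loading are
not modelled."""
import random

# (length, feedback taps, clock-control bit) for R1, R2, R3.  Bits are
# numbered from the right starting at 0; a register shifts left, bit
# length-1 falls out and the XOR of the tap bits enters at position 0.
REGS = (
    (19, (18, 17, 16, 13), 8),   # x^19 + x^18 + x^17 + x^14 + 1
    (22, (21, 20), 10),          # x^22 + x^21 + 1
    (23, (22, 21, 20, 7), 10),   # x^23 + x^22 + x^21 + x^8 + 1
)
# The sets of registers a single clock cycle can shift under majority control.
PATTERNS = ((0, 1), (0, 2), (1, 2), (0, 1, 2))

def bit(r, i):
    return (r >> i) & 1

def maj(a, b, c):
    return (a & b) | (b & c) | (a & c)

def shift(j, r):
    """next_j for a clocked register: drop the top bit, feed the tap XOR in at bit 0."""
    n, taps, _ = REGS[j]
    fb = 0
    for t in taps:
        fb ^= bit(r, t)
    return ((r << 1) & ((1 << n) - 1)) | fb

def unshift(j, r):
    """Inverse of shift.  The lost top bit is recovered from the feedback equation,
    which is possible because every feedback is linear in the top bit (Lemma 1)."""
    n, taps, _ = REGS[j]
    prev = r >> 1                 # bits 1..n-1 of r were bits 0..n-2 of the predecessor
    top = bit(r, 0)               # fb = top XOR (other taps), so top = fb XOR (other taps)
    for t in taps:
        if t != n - 1:
            top ^= bit(prev, t)
    return prev | (top << (n - 1))

def control(state):
    """The control bits (a1, a2, a3) of a state (R1, R2, R3)."""
    return tuple(bit(r, REGS[j][2]) for j, r in enumerate(state))

def step(state):
    """next(x): shift the registers whose control bit equals the majority,
    then output the XOR of the three top bits.  Returns (new state, bit)."""
    a = control(state)
    m = maj(*a)
    new = tuple(shift(j, r) if a[j] == m else r for j, r in enumerate(state))
    return new, bit(new[0], 18) ^ bit(new[1], 21) ^ bit(new[2], 22)

def keystream(state, nbits):
    bits = []
    for _ in range(nbits):
        state, out = step(state)
        bits.append(out)
    return bits, state

def predecessor_patterns(state):
    """{pattern: predecessor} for every shift pattern that leads into `state`.
    More than one entry means x' does not determine c(x): no recurrency."""
    found = {}
    for p in PATTERNS:
        cand = tuple(unshift(j, r) if j in p else r for j, r in enumerate(state))
        if step(cand)[0] == state:
            found[p] = cand
    return found

def predecessors(state):
    return set(predecessor_patterns(state).values())

# Templates as {(register, bit position): value}.  The control bits sit at
# positions 8, 10, 10 and the bits b_j just left of them at 9, 11, 11.
FIG2 = {(0, 8): 0, (0, 9): 1, (1, 10): 0, (1, 11): 1, (2, 10): 1, (2, 11): 1}
FIG3 = {(0, 9): 1, (1, 11): 0, (2, 11): 1, (1, 10): 1}   # b = (1, 0, 1), a2 = 1

def sample(template, rng):
    """A uniformly random state that agrees with the template."""
    regs = [rng.getrandbits(n) for n, _, _ in REGS]
    for (j, pos), v in template.items():
        regs[j] = (regs[j] & ~(1 << pos)) | (v << pos)
    return tuple(regs)

def pattern_sets(template, trials=200, seed=1):
    """Distinct sets of feasible last-clock patterns over random states of a template."""
    rng = random.Random(seed)
    return {tuple(sorted(predecessor_patterns(sample(template, rng)))) for _ in range(trials)}

def indegree_histogram(trials=4000, seed=1):
    """Number of predecessors of uniformly random states (Proposition 2: 3/8 have none)."""
    rng = random.Random(seed)
    hist = {}
    for _ in range(trials):
        k = len(predecessors(sample({}, rng)))
        hist[k] = hist.get(k, 0) + 1
    return hist

if __name__ == "__main__":
    print("Fig. 2 template, feasible patterns:", pattern_sets(FIG2))
    print("Fig. 3 template, feasible patterns:", pattern_sets(FIG3))
    print("predecessor counts of random states:", indegree_histogram())
```

Feasible patterns are reported 0-indexed, so (0, 2) is "the first and the third registers". The sampling loop over a template is only a convenience for the reader: which patterns are feasible depends on the six fixed bits alone, so every sample of Fig. 2 reports the same three patterns and every sample of Fig. 3 reports none.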

Using these data and the construction of the generator, we now count the 1-prime states by the inclusion-exclusion method. By the proof of Proposition 2, all states without predecessors are covered by six templates of size 2^60 each. Apply one clock cycle to the states of each template. The resulting set of states is the union of 24 new templates of smaller size: from each of the initial templates, by fixing new bits and shifting the "picture" to the left appropriately, we obtain four new templates. Each time exactly two more bits are fixed, so the templates obtained have size 2^58.

Fig. 4 shows the first 12 of these templates (each 3 × 3 square shows, starting from the control bits, the bits of the three registers written one under another). The other 12 templates are obtained from these by interchanging 0s and 1s. Next we need to compute the sizes of the intersections of the resulting templates.

Proposition 3. The number of 1-prime states is N_1 = 13 · 2^58 ≈ 2^61.7004.

Proof. Among the 24 templates of states reachable in one clock cycle there are 12 pairwise intersections of size 2^57 and 30 pairwise intersections of size 2^56; there are 6 triple intersections of size 2^56 and 8 triple intersections of size 2^55. Nonempty intersections of other multiplicities and other sizes do not exist. By the inclusion-exclusion formula, the number of 1-prime states is

N_1 = 24 · 2^58 − 12 · 2^57 − 30 · 2^56 + 6 · 2^56 + 8 · 2^55 = 13 · 2^58.

The proof is over.

[Fig. 4. The first 12 of the 24 templates of size 2^58 obtained by clocking the six templates of states without predecessors once. Each template is a 3 × 3 square whose rows are the three registers and whose columns are, from right to left, the control bits a_j, the bits b_j, and the bits to the left of them; empty cells are free. The other 12 templates are the bitwise complements of these.]

The templates of the 1-prime states can conveniently be brought to a common form: fill the empty cells of the 3 × 3 square with all possible values (this turns one template into eight new templates of size 2^55). This gives 24 · 8 = 192 templates; after removing duplicates, exactly 104 distinct templates remain. They are more convenient to work with because they are pairwise disjoint. As shown above,

N_1 = 104 · 2^55 = 13 · 2^58.

We now find the number of t-prime states for t = 2, …, 8. For the computation we wrote a program that works according to the following algorithm.

Let t = 2. Apply one clock cycle to each of the 104 templates of 1-prime states. In each template, at least two registers are shifted; suppose, for example, that the first two registers are shifted. Then, if the filling of the square before the shift is (rows are R1, R2, R3; the rightmost column holds the control bits)

1 1 0
1 1 0
0 1 1

after the shift the rows of the shifted registers move one cell to the left, and the rectangle acquires three new empty cells (one at the right end of each shifted row, where the new control bit now sits, and one at the left end of the unshifted row):

1 1 0 ·
1 1 0 ·
· 0 1 1

Fill these three new empty cells with all possible values. Thus, from the 3 × 3 square defining a template of 1-prime states we pass to eight 3 × 4 rectangles defining templates of states obtained in two clock cycles; their total number is 104 · 8. Since the set of fixed bit positions is the same in every template, two templates are either disjoint or coincide. After removing duplicates, 744 templates remain. We now need to check whether the states of some of them can be obtained in a smaller number of clock cycles (i.e., in one cycle), in other words, whether they are covered by the templates of 1-prime states.

For this, it suffices to take the rightmost 3 × 3 square of the 3 × 4 rectangle and check whether it is the defining square of a template of 1-prime states. After these checks, exactly 454 templates of size 2^52 each remain, and exactly these templates contain all 2-prime states. Thus we obtain the following.

Proposition 4. N_2 = 227 · 2^53 ≈ 2^60.8265.

For t = 3 we act in the same way: apply one clock cycle to the templates of 2-prime states, fix the new bits, remove duplicates, and discard the templates covered by the templates of 1- and 2-prime states. We find that the set of all 3-prime states is the union of 2568 = 3 · 107 · 2^3 disjoint templates of size 2^49. Each template is given by a 3 × 5 rectangle whose rightmost column is the column of the control bits.

Proposition 5. The number of 3-prime states is N_3 = 321 · 2^52 ≈ 2^60.3264.

Similarly, the set of 4-prime states is described by 15 266 = 17 · 449 · 2 templates of size 2^46; each template is determined by the values of 18 bits.

Proposition 6. N_4 = 7 633 · 2^47 ≈ 2^59.8980.

The 5-prime states are described by 91 468 = 13 · 1759 · 2^2 templates of size 2^43.

Proposition 7. The number of 5-prime states is N_5 = 22 867 · 2^45 ≈ 2^59.4809.

All 6-prime states form the union of 548 694 = 3^5 · 1129 · 2 templates of size 2^40.

Proposition 8. N_6 = 274 347 · 2^41 ≈ 2^59.0656.

The set of 7-prime states is described by 3 292 064 = 102 877 · 2^5 templates of size 2^37.

Proposition 9. N_7 = 102 877 · 2^42 ≈ 2^58.6505.

All 8-prime states form the union of 19 752 298 templates of size 2^34; each template is determined by fixing 30 bits in a 3 × 10 rectangle. In Fig. 5, the bits that determine such a template are marked by dots.

[Fig. 5. The 3 × 10 rectangle of bits whose values determine a template of 8-prime states: in each register the control bit and the nine bits to its left (bits 8–17 of R1, bits 10–19 of R2 and R3), marked by dots.]

Proposition 10. N_8 = 9 876 149 · 2^35 ≈ 2^58.2355.

The last two values already required considerable computation: N_7 took about 1 GB of RAM and 25 seconds of CPU time on a Core i7 at 3.0 GHz with 12 GB of memory; N_8 was computed on the same machine in 3 minutes using 6 GB of RAM.

3. REDUCING THE KEY SPACE OF A5/1

Consider the following attack on the stream cipher A5/1. Suppose that the generator produces a gamma starting from a state unknown to us. With each new clock cycle (each new bit of the gamma), the set of states in which the generator can be after producing this bit shrinks.

Our task is as follows: analyzing the gamma, determine the current state of the generator. The theoretical resistance to this attack (the unicity distance) is the smallest length L of an initial segment of the gamma that suffices for unique recovery of the state the generator is in after producing this segment.

Recall that N_t denotes the number of states that the generator can reach in t clock cycles, and cannot reach in fewer, from the states without predecessors. If K is the number of all states of the generator (in our case K = 2^64), then after t clock cycles the generator can only be in one of K_t states, where

$K_t = K - \sum_{i=0}^{t-1} N_i, \quad t \geq 1.$

Number of cycles, t   log2(N_{t-1})   log2(K_t)   (K_t/K) · 100%
0                     –               64.0000     100%
1                     62.5849         63.3219     62.5000%
2                     61.7004         62.7548     42.1875%
3                     60.8265         62.3151     31.1035%
4                     60.3264         61.8963     23.2666%
5                     59.8980         61.4807     17.4430%
6                     59.4809         61.0656     13.0815%
7                     59.0656         60.6505      9.8110%
8                     58.6505         60.2355      7.3583%
9                     58.2355         59.8205      5.5188%

It is convenient to put K_0 = K. Let t* be the smallest number of clock cycles for which K_{t*} = 1. Then

L ≤ min{t*, P + T},

where P and T are the pre-period and the period of the gamma, respectively.

It is easy to verify that all feedback polynomials of the A5/1 generator are primitive over GF(2). Hence each of the three registers, clocked on its own, has the maximum period 2^ℓ − 1, where ℓ is the length of the register. In the A5/1 generator, each register is shifted with probability 3/4 at every clock cycle. So we have

Proposition 11 [4]. The minimum period of the A5/1 generator is 4/3 · (2^19 − 1).

Thus, for every initial state of the generator, we have

P + T ≥ 4/3 · (2^19 − 1).
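The primitivity claim can be verified without running each register through its full period. The following Python program is an added example (not the authors' verification): it does polynomial arithmetic in GF(2)[x] with polynomials stored as integers (bit i is the coefficient of x^i) and checks that x has multiplicative order exactly 2^ℓ − 1 modulo each feedback polynomial, i.e., x^(2^ℓ − 1) ≡ 1 and x^((2^ℓ − 1)/q) ≢ 1 for every prime q dividing 2^ℓ − 1. Only a primitive polynomial gives that order, and that order is what gives each register its maximal period 2^ℓ − 1. The factorizations 2^19 − 1 = 524287 (prime), 2^22 − 1 = 3 · 23 · 89 · 683 and 2^23 − 1 = 47 · 178481 are found by trial division inside the program. Function names are ours.

```python
"""Primitivity test for the A5/1 feedback polynomials over GF(2).
Added example, not the authors' verification.  A polynomial is an int whose
bit i is the coefficient of x^i."""

R1 = (1 << 19) | (1 << 18) | (1 << 17) | (1 << 14) | 1   # x^19 + x^18 + x^17 + x^14 + 1
R2 = (1 << 22) | (1 << 21) | 1                           # x^22 + x^21 + 1
R3 = (1 << 23) | (1 << 22) | (1 << 21) | (1 << 8) | 1    # x^23 + x^22 + x^21 + x^8 + 1

def gf2_mulmod(a, b, p, deg):
    """a * b mod p in GF(2)[x], for a, b of degree < deg = deg p."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:     # reduce a*x as soon as its degree reaches deg
            a ^= p
    return r

def gf2_powmod(base, e, p, deg):
    """base^e mod p by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf2_mulmod(r, base, p, deg)
        base = gf2_mulmod(base, base, p, deg)
        e >>= 1
    return r

def prime_factors(n):
    """Distinct prime factors of n by trial division (n here is at most 2^23 - 1)."""
    fs, d = [], 2
    while d * d <= n:
        if n % d == 0:
            fs.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return fs

def is_primitive(p):
    """True iff x has multiplicative order exactly 2^deg - 1 modulo p.

    Only a primitive polynomial gives that order: for a reducible p the order
    of x is the lcm of the orders modulo its factors, which is smaller, or is
    even when a factor is repeated, while 2^deg - 1 is odd."""
    deg = p.bit_length() - 1
    if deg < 1 or not (p & 1):       # a zero constant term means x divides p
        return False
    if deg == 1:
        return p == 0b11             # x + 1
    order = (1 << deg) - 1
    x = 0b10
    if gf2_powmod(x, order, p, deg) != 1:
        return False
    return all(gf2_powmod(x, order // q, p, deg) != 1 for q in prime_factors(order))

def register_periods():
    """Period of each register clocked on its own: 2^l - 1 if its polynomial is primitive."""
    return {name: (1 << (p.bit_length() - 1)) - 1 if is_primitive(p) else None
            for name, p in (("R1", R1), ("R2", R2), ("R3", R3))}

if __name__ == "__main__":
    for name, period in register_periods().items():
        print(name, period)
```

The same test distinguishes merely irreducible polynomials from primitive ones: x^4 + x^3 + x^2 + x + 1 is irreducible but x has order 5 modulo it, so it fails the x^((2^4 − 1)/3) ≢ 1 check, whereas x^4 + x + 1 passes.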

This number is large enough, so it is natural to expect that the theoretical resistance L is governed rather by t*. Let us look at what the computation of this parameter gives.

The values N_0, …, N_8 found above add up to a substantial part of the key space. The table above summarizes the results; it also contains the rounded values of (K_t/K) · 100% for t = 0, …, 9, which show what volume of states of the generator (as a percentage of the initial one) remains possible after t clock cycles.

For example, at the beginning of the process all 2^64 states of the generator are possible. After the first clock cycle the generator is in one of 0.625 · 2^64 states, after the second in one of 0.421875 · 2^64 states, and so on. After the ninth clock cycle only about 5.5% of the states remain possible, and they are easy to obtain explicitly by the procedure of Section 2.3. This fact can be used directly in the cryptanalysis of A5/1.
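The template method of Section 2.3 and the table above can be reproduced with far less bookkeeping by noticing what the templates actually fix: whether a state has a predecessor depends only on the control bits a_j and their left neighbours b_j, and going back one more clock cycle looks at most one bit further left in each register. The following Python program is an added example (not the authors' program): it treats the t + 2 bits above each control bit as a window, computes for each window assignment the smallest number of clock cycles back to a state without predecessors, counts the assignments where that number is exactly t, and multiplies by 2^(64 − 3(t+2)) for the free bits. This reproduces N_0 = 3 · 2^61 (24 window assignments), N_1 = 13 · 2^58 (the 104 templates of size 2^55), N_2 = 227 · 2^53 (454 templates), N_3 = 321 · 2^52 (2568 templates) and the K_t/K column of the table. The method is valid only while the window stays inside the shortest register (t ≤ 9), which is exactly the left-edge limitation of the template technique; the assertion in count_templates enforces it. Function names are ours; the enumeration for t = 4 and t = 5 takes seconds to minutes in pure Python.

```python
"""Count the t-prime states of A5/1 from the bit windows above the three
clock-control bits, reproducing N_t (Propositions 2-6) and the K_t table of
Section 3.  Added example, not the authors' program."""
from functools import lru_cache
from itertools import product
from math import log2

LENGTHS = (19, 22, 23)
CONTROL = (8, 10, 10)
PATTERNS = ((0, 1), (0, 2), (1, 2), (0, 1, 2))   # register sets one clock can shift

def maj(a, b, c):
    return (a & b) | (b & c) | (a & c)

def feasible_patterns(windows):
    """Shift patterns that could have produced a state with these windows.

    windows[j] holds the bits of register j from the control bit upward:
    windows[j][0] = a_j, windows[j][1] = b_j, ...  If register j was shifted
    in the last clock cycle its control bit before the shift was b_j, else a_j;
    a pattern is feasible iff the majority rule on those bits shifts exactly it.
    """
    out = []
    for p in PATTERNS:
        a = [w[1] if j in p else w[0] for j, w in enumerate(windows)]
        m = maj(*a)
        if all((a[j] == m) == (j in p) for j in range(3)):
            out.append(p)
    return out

@lru_cache(maxsize=None)
def depth(windows):
    """Smallest number of clock cycles back from these windows to a state
    without predecessors, or None if it exceeds width-2 (then the window does
    not contain enough bits to decide)."""
    width = len(windows[0])
    if width < 2:
        return None
    pats = feasible_patterns(windows)
    if not pats:
        return 0
    best = None
    for p in pats:
        # One clock cycle back: a shifted register's window slides down one bit;
        # an unshifted one keeps its bits, and its top bit is dropped so that all
        # three windows stay the same width.
        pred = tuple(w[1:] if j in p else w[:-1] for j, w in enumerate(windows))
        d = depth(pred)
        if d is not None and (best is None or d < best):
            best = d
    return None if best is None else best + 1

def count_templates(t):
    """Number of assignments of the 3(t+2) window bits that are exactly t-prime."""
    width = t + 2
    # Valid only while the window stays inside R1 (bits 8..18): beyond that the
    # recovered top bits enter the window and the method has to change.
    assert width <= LENGTHS[0] - CONTROL[0], "window runs past the top of R1"
    return sum(1 for bits in product((0, 1), repeat=3 * width)
               if depth(tuple(bits[j * width:(j + 1) * width] for j in range(3))) == t)

def n_prime(t):
    """N_t: each template fixes 3(t+2) bits, the other 64 - 3(t+2) are free."""
    return count_templates(t) << (64 - 3 * (t + 2))

def key_space_table(tmax):
    """Rows (t, log2 N_{t-1}, log2 K_t, 100*K_t/K) with K_t = K - sum_{i<t} N_i."""
    K = 1 << 64
    rows, k_t = [], K
    for t in range(tmax + 1):
        rows.append((t, None if t == 0 else round(log2(n_prime(t - 1)), 4),
                     round(log2(k_t), 4), 100 * k_t / K))
        k_t -= n_prime(t)
    return rows

if __name__ == "__main__":
    for row in key_space_table(4):
        print(*row)
```

The window width t + 2 is the 3 × (t + 2) rectangle of Section 2.3 (3 × 3 for t = 1, 3 × 10 for t = 8), and the memoised depth function replaces the explicit duplicate removal and coverage checks of the template program: two rectangles that agree on their window bits are the same template, and a template covered by an earlier one simply has a smaller depth.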

Note that the key space shrinks exponentially with each new clock cycle. Whether this trend continues is an open question; further calculations are needed. However, as the number of clock cycles grows, one has to take into account that the bits fixed in the templates will soon reach the left edge of the registers (the recovered top bits then enter the templates), and when this happens the technique for computing the t-prime states must be changed.

It would be interesting to obtain an upper bound on t*, and also to determine the clock cycle after which the key space stops shrinking (or almost stops).

Some of the results of the paper were announced in [1].


ACKNOWLEDGMENTS

The authors are deeply grateful to G. P. Agibalov and I. A. Pankratova for the valuable comments thatimproved the paper, the identification of a number of inaccuracies as well as for giving a simpler proofof Theorem 1.

The authors were supported by the President of the Russian Federation (project for Young Russian Scientists no. MK-1250.2009.1). The second author was supported by the Russian Foundation for Basic Research (projects nos. 09-01-00528, 10-01-00424, and 11-01-00997) and by the Federal Target Program "Scientific and Educational Personnel of Innovative Russia" for 2009–2013 (State contract no. 02.740.11.0429).

REFERENCES

1. S. A. Kiselev, "On Reducing the Key Space of the Cipher A5/1 While Clocking," Prikl. Diskret. Mat. Pril. 3, 21–23 (2010).
2. R. Anderson, "Subject: A5," posting to newsgroups sci.crypt, alt.security, uk.telecom, 17 June 1994.
3. A. Biryukov, A. Shamir, and D. Wagner, "Real Time Cryptanalysis of A5/1 on a PC," in Proceedings of Fast Software Encryption Workshop, FSE 2000 (New York, April 10–12, 2000) (Springer, Berlin, 2001), pp. 1–18.
4. W. G. Chambers, "On Random Mappings and Random Permutations," in Proceedings of Fast Software Encryption Workshop, FSE 1994 (Leuven, December 14–16, 1994) (Springer, Berlin, 1995), pp. 22–28.
5. J. Golic, "Cryptanalysis of Alleged A5 Stream Cipher," in Advances in Cryptology, EUROCRYPT '97 (Konstanz, May 11–15, 1997) (Springer, Berlin, 1997), pp. 239–255.
6. A. Semenov, O. Zaikin, D. Bespalov, and M. Posypkin, "Parallel Algorithms for SAT in Application to Discrete Functions Inversion Problems," arXiv preprint 1102.3563v1.
7. S. J. Shepherd, "Cryptanalysis of the GSM A5 Cipher Algorithm," in IEEE Colloquium on Security and Cryptography Applications to Radio Systems (Savoy Place, London, June 3, 1994), Digest No. 1994/141.
8. D. Wagner et al., "The Real-Time Cryptanalysis of A5/2," in Proceedings of Crypto '99 (Santa Barbara, August 15–19, 1999) (Springer, Berlin, 1999), pp. 12–21.
