If the scrambling code used in a CDMA-based signal is known, such as a 3G WCDMA signal, then the bits sent over the channel can be easily determined. While these bits are typically encrypted, extracting them allows for various signal intelligence capabilities. These include, but are not limited to, building a reference signal for specific emitter identification (SEI) and successive interference cancellation (SIC). However, a receiver not participating in the 3G network typically has no knowledge of the scrambling code being used. The problem is then to determine that scrambling code.
In the past, determining the scrambling code in 3G has been computationally prohibitive for two reasons. First, there are approximately 16.8 million possible scrambling codes. Second, the time that marks the beginning of each 10 ms frame is not known a priori. Thus, a brute-force search for the scrambling code would require examining all possible frame timings and all possible scrambling codes, which quickly becomes intractable. For the sake of argument, suppose the chip timing is known a priori. Since there are 38400 chips in a frame, there are approximately 644 billion scrambling code/frame timing combinations. Even if evaluation of each combination (for example, demodulation and verification of the pilot bits on the control channel) takes only 1 μs, it would take approximately 7.5 days to evaluate all combinations.