论文信息 - A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony

A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony

The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 2 data, 2 bytes of memory, and 2 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2 complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.

Adi Shamir | Orr Dunkelman | Nathan Keller

[1] Eli Biham,et al. The Rectangle Attack - Rectangling the Serpent , 2001, EUROCRYPT.

[2] Thomas Johansson,et al. Another attack on A5/1 , 2003, IEEE Trans. Inf. Theory.

[3] Alex Biryukov,et al. Cryptanalysis of SAFER++ , 2003, CRYPTO.

[4] Jongsung Kim,et al. Related-Key Rectangle Attacks on Reduced Versions of SHACAL-1 and AES-192 , 2005, FSE.

[5] Eli Biham,et al. A Related-Key Rectangle Attack on the Full KASUMI , 2005, ASIACRYPT.

[6] Eli Biham,et al. Conditional Estimators: An Effective Attack on A5/1 , 2005, Selected Areas in Cryptography.

[7] Eli Biham,et al. New Results on Boomerang and Rectangle Attack , 2002, IACR Cryptol. ePrint Arch..

[8] Alex Biryukov,et al. The Boomerang Attack on 5 and 6-Round Reduced AES , 2004, AES Conference.

[9] Alex Biryukov,et al. Real Time Cryptanalysis of A5/1 on a PC , 2000, FSE.

[10] Alex Biryukov,et al. Related-Key Cryptanalysis of the Full AES-192 and AES-256 , 2009, ASIACRYPT.

[11] Jongsung Kim,et al. The Related-Key Rectangle Attack - Application to SHACAL-1 , 2004, ACISP.

[12] Eli Biham,et al. New types of cryptanalytic attacks using related keys , 1994, Journal of Cryptology.

[13] Bruce Schneier,et al. Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES , 1996, CRYPTO.

[14] Eli Biham,et al. Related-Key Boomerang and Rectangle Attacks , 2005, EUROCRYPT.

[15] Orr Dunkelman,et al. An Improved Impossible Differential Attack on MISTY1 , 2008, ASIACRYPT.