Real Time Cryptanalysis of A5/1 on a PC

Biryukov, Alex; Shamir, Adi; Wagner, David

doi:10.1007/3-540-44706-7_1

Cited by 305 publications

(254 citation statements)

References 3 publications

Supporting

Mentioning

241

Contrasting

Unclassified

Order By: Relevance

“…The larger internal state makes practical time-memory tradeoffs infeasible for DSC. Since more bits are used in the output combiner, the sampling of special states [10] is much harder for DSC than for A5/1. At the same time, the non-linearity of the output combiner in DSC improves its resilience against divide and conquer strategies.…”

Section: Dsc Weaknesses and Mitigationsmentioning

confidence: 99%

Cryptanalysis of the DECT Standard Cipher

Nohl

Tews

Weinmann

2010

Fast Software Encryption

View full text Add to dashboard Cite

Abstract. The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output combiner. The cipher is meant to provide confidentiality for cordless telephony. This paper illustrates how the DSC was reverse-engineered from a hardware implementation using custom firmware and information on the structure of the cipher gathered from a patent. Beyond disclosing the DSC, the paper proposes a practical attack against DSC that recovers the secret key from 2 15 keystreams on a standard PC with a success rate of 50% within hours; somewhat faster when a CUDA graphics adapter is available.

show abstract

Section: Dsc Weaknesses and Mitigationsmentioning

confidence: 99%

Cryptanalysis of the DECT Standard Cipher

Nohl

Tews

Weinmann

2010

Fast Software Encryption

View full text Add to dashboard Cite

show abstract

“…One more cycle will be needed for the reload of the state, so we can try up to 37 millions initial states per second per Pamette. This is faster than the best known software implementation of A5/1, described in [2], which can treat up to 8 steps at a time, but runs at the speed of a workstation's RAM. Pamette cards give a high degree of intrinsic parallelism.…”

Section: Implementation Of A5/1 On a Pamettementioning

confidence: 99%

“…The chosen algorithm is A5/1; this stream cipher is used in GSM mobile phones to ensure confidentiality of "over the air" communication. A5/1 was published in [1] unofficially, but Alex Biryukov, Adi Shamir and David Wagner claim in [2] that they received confirmation from the GSM organization that this design is the true A5/1 as used in GSM phones. Therefore we will assume that the A5/1 described here is indeed the correct algorithm; anyway, this algorithm is merely used as an illustration of our technique.…”

Section: Introductionmentioning

confidence: 99%

“…Recently, Alex Biryukov, Adi Shamir and David Wagner presented in [2] an impressive attack against the A5/1 cipher; this attack is a time-memory trade-off that requires a non-negligeable amount of known plaintext (about 25000 bits). Since the internal state of A5/1 is only 64-bit, it should be recoverable with only 64-bit of known plaintext; we therefore consider this framework, where only 64 consecutive bits or so of plaintext (and the corresponding ciphertext) have been intercepted.…”

Section: Introductionmentioning

confidence: 99%

“…Since the internal state of A5/1 is only 64-bit, it should be recoverable with only 64-bit of known plaintext; we therefore consider this framework, where only 64 consecutive bits or so of plaintext (and the corresponding ciphertext) have been intercepted. Moreover, the time-memory trade-off of [2] is made very effective due to many features of A5/1 that allow some smart optimizations. We do not use such features, and our work should be applicable to other similar ciphers.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Software-Hardware Trade-Offs: Application to A5/1 Cryptanalysis

Pornin

Stern

2000

Cryptographic Hardware and Embedded Systems — CHES 2000

View full text Add to dashboard Cite

Abstract. This paper shows how a well-balanced trade-off between a generic workstation and dumb but fast reconfigurable hardware can lead to a more efficient implementation of a cryptanalysis than a full hardware or a full software implementation. A realistic cryptanalysis of the A5/1 GSM stream cipher is presented as an illustration of such trade-off. We mention that our cryptanalysis requires only a minimal amount of cipher output and cannot be compared to the attack recently announced by

show abstract

Security in Mobile Telecommunication Networks

Härri¹,

Bonnet²

2009

Wireless and Mobile Network Security

View full text Add to dashboard Cite

Real Time Cryptanalysis of A5/1 on a PC

Cited by 305 publications

References 3 publications

Cryptanalysis of the DECT Standard Cipher

Cryptanalysis of the DECT Standard Cipher

Software-Hardware Trade-Offs: Application to A5/1 Cryptanalysis

Security in Mobile Telecommunication Networks

Contact Info

Product

Resources

About