The A5/1 release at this month's Cypherpunks meeting brought up a few
questions from the attendees. Since I suspect others might have the same
questions, I'll answer them below.
o A5 is an LFSR-based stream cipher. It takes a 64 bit key and a 22 bit
frame number. Ross Anderson's variant was mostly correct.
o All GSM keygen implementations we looked at set the last 10 bits of the
key to zero. That doesn't mean there may not be GSM providers that use the
full 64 bit keyspace. It simply means we have yet to find one that does.
As a first approximation, the attacker knows 10 bits of the key.
o During about the first 1/10th of a call the vocoder will encode silence.
A very rough estimate is 13000 bps * 0.1 s = 1300 bits of known plaintext.
Clearly, the cryptanalyst has a lot to work with here.
o I would love to read some well-founded estimates on how fast this
algorithm could be made to run on a Pentium class CPU and a low-cost FPGA.
Just so we all know what the upper bounds for a brute force attack are.
Not that I believe brute force to be the most efficient means of attack.
o I am pretty sure we know how to find A5/2. It mostly requires some
simple hardware work that we have not had time to implement. Stay tuned.
(I don't make a dime of exposing the incompetence of the GSM designers or
how intelligence agencies have subverted GSM's security to the detriment
of over 100 million users worldwide. This project only gets cycles when I
have some spare time. Claims by members of the GSM MOU that our work is
funded by suitcases full of cash from GSM's competition notwithstanding.
My apologies if things have been a bit slow in progressing for a while.
o offers from websites with export controls in place to host the code are
appreciated. I will email the algorithm to anybody I personally know to be
an US citizen. The rest has to wait until nature takes it course. Which,
if history is any guide, won't be very long.
Have fun,
-- Lucky Green [EMAIL PROTECTED] PGP v5 encrypted email preferred.
