On Fri, Jul 10, 2026 at 4:59 PM John Mattsson <[email protected]>
wrote:

> It was never a secret that A5/2 was an export cipher offering only 40-bit
> security. This was well known to the countries and operators that, due to
> export restrictions, were barred from purchasing A5/1. A5/1 was designed to
> meet West German security requirements for protecting its citizens against
> eavesdropping by East Germany.
>

Actually, A5/2 offers significantly fewer bits of security than 40 bits. As
early as the reverse engineering of A5/2, an attack taking 2^16 work was
suggested [1]. Later on, the attack was shown to be even more devastating,
as precomputed inverses of matrices could be stored and used to find the
key even more efficiently [2].

I do not believe the governments designing A5/1, A5/2, GEA1, GEA2, and
> COMP-128-1 intentionally made them weaker than what export limits required.
> They were designed to have good performance on the extremely limited
> hardware (mobile phones and SIM cards) of the late 1980s. By comparison,
> the later industry-designed E0 cipher for Bluetooth, which faced similar
> hardware limits, turned out significantly weaker than these secret,
> government-designed ciphers.
>

Again, A5/2 is much weaker than A5/1. Actually, A5/2 has a larger hardware
footprint than A5/1 in exchange for a much weaker algorithm. As a side note
I would point out E0 is stronger than A5/2.

BTW, COMP128-1 sets 10 bits of the shared 64-bit key to be 0. While this
reduces the entropy of the key used in the actual encryption to 54 (which
is more than 40-bit security needed for export), it opens up the
possibility of a specialized brute forcing machine (being two bits shorter
than DES, with a cipher which is more hardware-efficient than DES, would
suggest an exhaustive search machine a-la EFF's one for 250,000 US$ to be
realizable at the late 1980's) or even Hellman's time-memory tradeoff
attack. Of course, one can argue that this is still more than 2^40 (true),
but having a time-memory-data tradeoff attack which offers an attack of
2^36 time and 2^36 memory, or if we assume that time-memory-data tradeoff
attacks were known to the designers 10 years before academics (as one could
extrapolate given the time difference between DES' design and the
re-discovery of differential cryptanalysis in academic circles), then one
could come up with attacks which require memory which fits the late 80's
and early 90's systems (by increasing the number of sessions, i.e., data).



> GSM gets an unfairly bad reputation. In a historical context, it was the
> first mass-market encryption system, paving the way for the widespread
> encryption we rely on today. It was only designed to last 10 years; the
> real issue is that it is still in use. Legacy technologies like GSM, GPRS,
> and TETRA should have been phased out long ago, and it is frustrating that
> modern phones still do not allow users to disable 2G entirely.
>

I tend to agree that GSM is an historic milestone. But I do take away from
it several different lessons:
- Legacy code is here to stay. Even today, 30 years after its expected EoL,
it is here. Hence, putting in a weak standard is a bad idea. We will get
stuck with such standards for many years to come.
- GSM did offer several "good for its time" mechanisms such as A5/1, but
also some really bad ones for its time (A5/2, COMP-128-1).
- The GSM protocol was not designed to be resistant to downgrade attacks.
For example, [2] used it to attack A5/1 in less than a second (as the key
generation mechanism did not employ domain separation, and the same keys
were used both in A5/1 and A5/2).


>
> Note: These legacy 2G ciphers have no connection to modern systems. While
> 2G crypto was government-designed, 3G through 6G cryptography was designed
> by the industry group ETSI SAGE, resulting in public and highly secure
> algorithms.
>
>
> https://www.ericsson.com/en/blog/2021/6/evolution-of-cryptographic-algorithms
>

I would like to respectfully disagree with the claims that 3G ciphers
(namely, KASUMI) offer highly secure algorithms. I would agree that
related-key attacks are not really "in the model" for 3G communication, as
an academic studying the security of the cipher, I believe they are part of
the security evaluation. There are practical-time related-key attacks on
KASUMI [3].

Another thing - earlier you claimed that the government-led efforts in GSM
offered better encryption than the industry-led one for E0. At the same
time, you claim that the industry led ones for 3G-6G are secure ciphers. I
think that this suggests that industry-led processes can produce secure
encryption (e.g., when they are done in a public manner). Especially, one
needs to remember that governments had an advantage over the industry for
many years, so comparing an early 90's industry cipher to early 90's
government cipher, is far from being a fair comparison.

[1] https://people.eecs.berkeley.edu/~daw/tmp/a52-slides.ps
[2] https://link.springer.com/chapter/10.1007/978-3-540-45146-4_35
[3] https://link.springer.com/article/10.1007/s00145-013-9154-9

Cheers,
Orr
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to