On Fri, Jul 10, 2026 at 4:59 PM John Mattsson <[email protected]> wrote:
> It was never a secret that A5/2 was an export cipher offering only 40-bit > security. This was well known to the countries and operators that, due to > export restrictions, were barred from purchasing A5/1. A5/1 was designed to > meet West German security requirements for protecting its citizens against > eavesdropping by East Germany. > Actually, A5/2 offers significantly fewer bits of security than 40 bits. As early as the reverse engineering of A5/2, an attack taking 2^16 work was suggested [1]. Later on, the attack was shown to be even more devastating, as precomputed inverses of matrices could be stored and used to find the key even more efficiently [2]. I do not believe the governments designing A5/1, A5/2, GEA1, GEA2, and > COMP-128-1 intentionally made them weaker than what export limits required. > They were designed to have good performance on the extremely limited > hardware (mobile phones and SIM cards) of the late 1980s. By comparison, > the later industry-designed E0 cipher for Bluetooth, which faced similar > hardware limits, turned out significantly weaker than these secret, > government-designed ciphers. > Again, A5/2 is much weaker than A5/1. Actually, A5/2 has a larger hardware footprint than A5/1 in exchange for a much weaker algorithm. As a side note I would point out E0 is stronger than A5/2. BTW, COMP128-1 sets 10 bits of the shared 64-bit key to be 0. While this reduces the entropy of the key used in the actual encryption to 54 (which is more than 40-bit security needed for export), it opens up the possibility of a specialized brute forcing machine (being two bits shorter than DES, with a cipher which is more hardware-efficient than DES, would suggest an exhaustive search machine a-la EFF's one for 250,000 US$ to be realizable at the late 1980's) or even Hellman's time-memory tradeoff attack. Of course, one can argue that this is still more than 2^40 (true), but having a time-memory-data tradeoff attack which offers an attack of 2^36 time and 2^36 memory, or if we assume that time-memory-data tradeoff attacks were known to the designers 10 years before academics (as one could extrapolate given the time difference between DES' design and the re-discovery of differential cryptanalysis in academic circles), then one could come up with attacks which require memory which fits the late 80's and early 90's systems (by increasing the number of sessions, i.e., data). > GSM gets an unfairly bad reputation. In a historical context, it was the > first mass-market encryption system, paving the way for the widespread > encryption we rely on today. It was only designed to last 10 years; the > real issue is that it is still in use. Legacy technologies like GSM, GPRS, > and TETRA should have been phased out long ago, and it is frustrating that > modern phones still do not allow users to disable 2G entirely. > I tend to agree that GSM is an historic milestone. But I do take away from it several different lessons: - Legacy code is here to stay. Even today, 30 years after its expected EoL, it is here. Hence, putting in a weak standard is a bad idea. We will get stuck with such standards for many years to come. - GSM did offer several "good for its time" mechanisms such as A5/1, but also some really bad ones for its time (A5/2, COMP-128-1). - The GSM protocol was not designed to be resistant to downgrade attacks. For example, [2] used it to attack A5/1 in less than a second (as the key generation mechanism did not employ domain separation, and the same keys were used both in A5/1 and A5/2). > > Note: These legacy 2G ciphers have no connection to modern systems. While > 2G crypto was government-designed, 3G through 6G cryptography was designed > by the industry group ETSI SAGE, resulting in public and highly secure > algorithms. > > > https://www.ericsson.com/en/blog/2021/6/evolution-of-cryptographic-algorithms > I would like to respectfully disagree with the claims that 3G ciphers (namely, KASUMI) offer highly secure algorithms. I would agree that related-key attacks are not really "in the model" for 3G communication, as an academic studying the security of the cipher, I believe they are part of the security evaluation. There are practical-time related-key attacks on KASUMI [3]. Another thing - earlier you claimed that the government-led efforts in GSM offered better encryption than the industry-led one for E0. At the same time, you claim that the industry led ones for 3G-6G are secure ciphers. I think that this suggests that industry-led processes can produce secure encryption (e.g., when they are done in a public manner). Especially, one needs to remember that governments had an advantage over the industry for many years, so comparing an early 90's industry cipher to early 90's government cipher, is far from being a fair comparison. [1] https://people.eecs.berkeley.edu/~daw/tmp/a52-slides.ps [2] https://link.springer.com/chapter/10.1007/978-3-540-45146-4_35 [3] https://link.springer.com/article/10.1007/s00145-013-9154-9 Cheers, Orr
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
