[4681] in cryptography@c2.net mail archive
Re: A5/1 cracking hardware estimate
daemon@ATHENA.MIT.EDU (David Wagner)
Tue May 11 17:28:11 1999
To: cryptography@c2.net
From: daw@cs.berkeley.edu (David Wagner)
Date: 11 May 1999 13:37:57 -0700
Brute force keysearch is not the best algorithm for cracking A5/1.
Much better is Jovan Golic's technique for breaking A5 with something
like 2^40 steps. (See ``Cryptanalysis of Alleged A5 Stream Cipher'',
EUROCRYPT'97, and <http://jya.com/a5-hack.htm>.)
The question, as I see it, is how fast you can do each of those 2^40
steps in a real hardware implementation. How much faster would a A5/1
key cracker be than a DES cracker? The exact answer is, I believe,
still unknown.
Also, at the time Jovan Golic's paper was written, it was not publicly
known that 10 bits of the 64-bit A5/1 key are always zero, nor was it
known that the frame counter is mixed into the registers linearly (no
funky clocking!). This suggests another question for research: can either
of these new discoveries be used to improve the attack?
