|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
To: iang@cs.berkeley.edu (Ian Goldberg) Cc: cryptography@c2.net From: Andreas Bogk <andreas@artcom.de> Date: 15 Apr 1998 15:03:56 +0200 In-Reply-To: iang@cs.berkeley.edu's message of "14 Apr 1998 15:44:26 GMT" iang@cs.berkeley.edu (Ian Goldberg) writes: > Actually, the quadratic factor is in the precomputation required to build > a certain table. But we've finished that, so it's irrelevant now. > > Here's what the break requires, to a first approximation: > > o Posession of a SIM, hooked up to a smartcard reader > o Expected 175000 chosen queries to the SIM, performing trivial work on > the results. (We can query the SIM we've got at 6.25 per second, which > works out to a little under 8 hours.) > o Expected 2^15 brute force queries to the COMP128 algorithm. (We can > do about 7000 per second on a single PC, which works out to about > 5 seconds.) I've implemented an attack along your description, which works on the distributed COMP128 source. I haven't yet tested it on a real smartcard. I don't have a table (is it the one I'd assume to be 8 GB in size?), but test key bytes against the collisions I found, which amounts to an additional 2^18 COMP128 queries (actually, the first two rounds suffice). Andreas -- The obvious mathematical breakthrough [to break modern encryption] would be development of an easy way to factor large prime numbers. -- Bill Gates from "The Road Ahead," p. 265.
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |