[2579] in cryptography@c2.net mail archive
Re: More on A5 strength
daemon@ATHENA.MIT.EDU (Ross Anderson)
Sun Apr 26 21:46:29 1998
To: ukcrypto@maillist.ox.ac.uk
cc: cryptography@c2.net, Ross.Anderson@cl.cam.ac.uk
In-reply-to: Your message of "Thu, 23 Apr 1998 15:47:00 +0200."
<m0ySMLJ-0003b8C@ulf.mali.sub.org>
Date: Fri, 24 Apr 1998 12:31:55 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
> Does anyone see a shortcut there?
Last time I looked at it carefully I concluded that you only
need to guess the clock input bit half the time, so you need
about 5 bit guesses giving an overall complexity of 2^45. I
could be wrong though - it's notorious that you only get the
real complexity of an attack when you implement and test it.
Jovan Golic showed that you can get a 2^40 attack with a
little more work, and you can work back from a reconstructed
state to get Kc. This paper is worth studying; it's in the
proceedings of Eurocrypt 97 (LNCS v 1233) pp 239-255 and
entitled `Cryptanalysis of Alleged A5 Stream Cipher'.
Ross