More on A5 strength

Ross Anderson Ross.Anderson at cl.cam.ac.uk
Fri, 24 Apr 1998 12:31:55 +0100


> Does anyone see a shortcut there?

Last time I looked at it carefully I concluded that you only
need to guess the clock input bit half the time, so you need
about 5 bit guesses giving an overall complexity of 2^45. I
could be wrong though - it's notorious that you only get the
real complexity of an attack when you implement and test it.

Jovan Golic showed that you can get a 2^40 attack with a 
little more work, and you can work back from a reconstructed
state to get Kc. This paper is worth studying; it's in the
proceedings of Eurocrypt 97 (LNCS v 1233) pp 239-255 and
entitled `Cryptanalysis of Alleged A5 Stream Cipher'.

Ross