GSM & A5
David Wagner
daw at mozart.cs.berkeley.edu
23 Apr 2001 18:05:27 GMT
>> (still) vulnerable as in 'Real Time Cryptanalysis of the Alleged A5/1 on a
>> PC' by Biryukov/Shamir, December 9, 1999?
>
>As published this is a theoretical rather than practical attack.
>Certain minor details of the alleged A5/1 algorithm do not ring true,
Can you elaborate? What does not "ring true", and what do you mean by that?
Please note that the Briceno/Goldberg/Wagner reverse-engineering of A5/1
is slightly different from Anderson/Roe's earlier attempt. I think that
A/R's algorithm was slightly incorrect, but I believe that the B/G/W algorithm
is correct (as far as I know). Do you have any information to the contrary?
>and the attack requires an amount of 'known plaintext' i.e.
>compressed & encoded speech in each call that is attacked.
Can you point me to any work estimating how much known plaintext is/isn't
available in each call?
(By the way, we were aware of this issue: the paper explicitly says "we
would like to stress that this paper considers the narrow issue of the
cryptographic strength of A5/1, and not the broader issue of the practical
security of fielded GSM systems, about which we make no claims.")
>There is claimed to be a fast, near real-time, attack on A5/2.
>Which presumably again needs known plaintext, but I have not
>seen any details of the attack. (Web search for Goldberg, Wagner
>and Briceno.)
Well, known-plaintext is not needed, but I can't say I know for sure whether
the attack is practical. In one version of the attack, it suffices to know
that two frames N positions apart have the same plaintext (the plaintext
itself need not be known). For example, if silence frames are often encoded
to the same plaintext, one might conjecture that this might allow a
ciphertext-only attack, but I can't tell you myself whether or not this
condition holds.
We described the attack in a rump session talk at CRYPTO'99 (?).
I apologize, but we never got around to writing up the attack.