A5/1 is a stream cipher used to provide over-the-air communication privacy in the GSM cellular telephone standard. It is one of several implementations of the A5 security protocol. It was initially kept secret, but became public knowledge through leaks and reverse engineering. A number of serious weaknesses in the cipher have been identified.

History and usage

A5/1 is used in Europe and the United States. A5/2 was a deliberate weakening of the algorithm for certain export regions. A5/1 was developed in 1987, when GSM was not yet considered for use outside Europe, and A5/2 was developed in 1989. Though both were initially kept secret, the general design was leaked in 1994 and the algorithms were entirely reverse engineered in 1999 by Marc Briceno from a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice communications.

Security researcher Ross Anderson reported in 1994 that "there was a terrific row between the NATO signal intelligence agencies in the mid-1980s over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the Warsaw Pact; but the other countries didn't feel this way, and the algorithm as now fielded is a French design."

Description

Figure: The A5/1 stream cipher uses three LFSRs. A register is clocked if its clocking bit (orange) agrees with the clocking bit of one or both of the other two registers.

A GSM transmission is organised as sequences of bursts. In a typical channel and in one direction, one burst is sent every 4.615 milliseconds and contains 114 bits available for information. A5/1 is used to produce for each burst a 114-bit sequence of keystream which is XORed with the 114 bits prior to modulation. A5/1 is initialised using a 64-bit key together with a publicly known 22-bit frame number. Older fielded GSM implementations using Comp128v1 for key generation had 10 of the key bits fixed at zero, resulting in an effective key length of 54 bits. This weakness was rectified with the introduction of Comp128v3, which yields proper 64-bit keys. When operating in GPRS / EDGE mode, higher bandwidth radio modulation allows for larger 348-bit frames, and A5/3 is then used in a stream cipher mode to maintain confidentiality.

A5/1 is based around a combination of three linear-feedback shift registers (LFSRs) with irregular clocking. The three shift registers are specified as follows:

| LFSR number | Length in bits | Feedback polynomial | Clocking bit | Tapped bits |
|---|---|---|---|---|
| 1 | 19 | $x^{19}+x^{18}+x^{17}+x^{14}+1$ | 8 | 13, 16, 17, 18 |
| 2 | 22 | $x^{22}+x^{21}+1$ | 10 | 20, 21 |
| 3 | 23 | $x^{23}+x^{22}+x^{21}+x^{8}+1$ | 10 | 7, 20, 21, 22 |

These degrees were not chosen at random: since the degrees of the three registers are relatively prime, the period of this generator is the product of the periods of the three registers. Thus the period of A5/1 (before repetition) is 2^64 bits (2 to the power of 64).

The bits are indexed with the least significant bit (LSB) as 0.

The registers are clocked in a stop/go fashion using a majority rule. Each register has an associated clocking bit. At each cycle, the clocking bit of all three registers is examined and the majority bit is determined. A register is clocked if the clocking bit agrees with the majority bit. Hence at each step at least two or three registers are clocked, and each register steps with probability 3/4.

Initially, the registers are set to zero. Then for 64 cycles, the 64-bit secret key K is mixed in according to the following scheme: in cycle $0 \leq i < 64$, the $i$th key bit is added to the least significant bit of each register using XOR:

$$R[0] = R[0] \oplus K[i].$$

Each register is then clocked.

Similarly, the 22 bits of the frame number are added in 22 cycles. Then the entire system is clocked using the normal majority clocking mechanism for 100 cycles, with the output discarded. After this is completed, the cipher is ready to produce two 114-bit sequences of output keystream, first 114 for downlink, last 114 for uplink.

Security

Figure: The message on the screen of a mobile phone with the warning about lack of ciphering

A number of attacks on A5/1 have been published, and the American National Security Agency is able to routinely decrypt A5/1 messages according to released internal documents.

Some attacks require an expensive preprocessing stage after which the cipher can be broken in minutes or seconds. Originally, the weaknesses were passive attacks using the known plaintext assumption. In 2003, more serious weaknesses were identified which can be exploited in the ciphertext-only scenario, or by an active attacker. In 2006 Elad Barkan, Eli Biham and Nathan Keller demonstrated attacks against A5/1, A5/3, or even GPRS that allow attackers to tap GSM mobile phone conversations and decrypt them either in real-time, or at any later time.

According to professor Jan Arild Audestad, at the standardization process which started in 1982, A5/1 was originally proposed to have a key length of 128 bits. At that time, 128 bits was projected to be secure for at least 15 years. It is now believed that 128 bits would in fact also still be secure until the advent of quantum computing. Audestad, Peter van der Arend, and Thomas Haug say that the British insisted on weaker encryption, with Haug saying he was told by the British delegate that this was to allow the British secret service to eavesdrop more easily. The British proposed a key length of 48 bits, while the West Germans wanted stronger encryption to protect against East German spying, so the compromise became a key length of 54 bits.

Known-plaintext attacks

The first attack on the A5/1 was proposed by Ross Anderson in 1994. Anderson's basic idea was to guess the complete content of the registers R1 and R2 and about half of the register R3. In this way the clocking of all three registers is determined and the second half of R3 can be computed.

In 1997, Golic presented an attack based on solving sets of linear equations which has a time complexity of 2 (the units are in terms of number of solutions of a system of linear equations which are required).

In 2000, Alex Biryukov, Adi Shamir and David Wagner showed that A5/1 can be cryptanalysed in real time using a time-memory tradeoff attack, based on earlier work by Jovan Golic. One tradeoff allows an attacker to reconstruct the key in one second from two minutes of known plaintext or in several minutes from two seconds of known plaintext, but he must first complete an expensive preprocessing stage which requires 2 steps to compute around 300 GB of data. Several tradeoffs between preprocessing, data requirements, attack time and memory complexity are possible.

The same year, Eli Biham and Orr Dunkelman also published an attack on A5/1 with a total work complexity of 2 A5/1 clockings given 2 bits of known plaintext. The attack requires 32 GB of data storage after a precomputation stage of 2.

Ekdahl and Johansson published an attack on the initialisation procedure which breaks A5/1 in a few minutes using two to five minutes of conversation plaintext. This attack does not require a preprocessing stage. In 2004, Maximov et al. improved this result to an attack requiring "less than one minute of computations, and a few seconds of known conversation". The attack was further improved by Elad Barkan and Eli Biham in 2005.

Attacks on A5/1 as used in GSM

In 2003, Barkan et al. published several attacks on GSM encryption. The first is an active attack. GSM phones can be convinced to use the much weaker A5/2 cipher briefly. A5/2 can be broken easily, and the phone uses the same key as for the stronger A5/1 algorithm. A second attack on A5/1 is outlined, a ciphertext-only time-memory tradeoff attack which requires a large amount of precomputation.

In 2006, Elad Barkan, Eli Biham, Nathan Keller published the full version of their 2003 paper, with attacks against A5/X ciphers. The authors claim:

> We present a very practical ciphertext-only cryptanalysis of GSM encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use "unbreakable" ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS. These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher, for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real-time, or at any later time.

In 2007, the Universities of Bochum and Kiel started a research project to create a massively parallel FPGA-based cryptographic accelerator, COPACOBANA. COPACOBANA was the first commercially available solution using fast time-memory trade-off techniques that could be used to attack the popular A5/1 and A5/2 algorithms, used in GSM voice encryption, as well as the Data Encryption Standard (DES). It also enables brute force attacks against GSM, eliminating the need for large precomputed lookup tables.

In 2008, the group The Hackers Choice launched a project to develop a practical attack on A5/1. The attack requires the construction of a large look-up table of approximately 3 terabytes. Together with the scanning capabilities developed as part of the sister project, the group expected to be able to record any GSM call or SMS encrypted with A5/1, and within about 3–5 minutes derive the encryption key and hence listen to the call and read the SMS in clear. But the tables weren't released.

A similar effort, the A5/1 Cracking Project, was announced at the 2009 Black Hat security conference by cryptographers Karsten Nohl and Sascha Krißler. It created the look-up tables using Nvidia GPGPUs via a peer-to-peer distributed computing architecture. Starting in the middle of September 2009, the project ran the equivalent of 12 Nvidia GeForce GTX 260. According to the authors, the approach can be used on any cipher with key size up to 64 bits.

In December 2009, the A5/1 Cracking Project attack tables for A5/1 were announced by Chris Paget and Karsten Nohl. The tables use a combination of compression techniques, including rainbow tables and distinguished point chains. These tables constituted only parts of the 1.7 TB completed table and had been computed during three months using 40 distributed CUDA nodes and then published over BitTorrent. More recently the project has announced a switch to faster ATI Evergreen code, together with a change in the format of the tables, and Frank A. Stevenson announced breaks of A5/1 using the ATI generated tables.

Documents leaked by Edward Snowden in 2013 state that the NSA "can process encrypted A5/1".

Using A5/1 as pseudorandom generator

Since the degrees of the three LFSRs are relatively prime, the period of this generator is the product of the periods of the three LFSRs, which represents 2^64 bits (2 to the power of 64).

One might think of using A5/1 as a pseudo-random generator with a 64-bit initialization seed (key size), but it is not reliable. It loses its randomness after only 8 MB (which represents the period of the largest of the three registers).

See also

- A5/2
- KASUMI, also known as A5/3
- Cellular Message Encryption Algorithm
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.