A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony

Orr Dunkelman, Nathan Keller, Adi Shamir
2013 Journal of Cryptology  
The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced by the new A5/3 (and the soon to be announced A5/4) algorithm based on the block cipher KASUMI, which is a modified version of MISTY. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128-bit key of the full KASUMI by using only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2^128 complexity of exhaustive search, which indicates that the changes made by ETSI's SAGE group in moving from MISTY to KASUMI resulted in a much weaker cipher.

⋆ The second author was partially supported by the Koshland center for basic research.

In response to these developments, the GSM Association had stated in [26] that they might speed up their transition to a new cryptosystem called A5/3, and they plan to discuss this matter in a meeting that was held in February 2010. This algorithm was developed for GSM telephony in 2002, and its specifications were published in 2003 [24]. It is already implemented in about 40% of the three billion available handsets, but very few of the 800 mobile carriers in more than 200 countries which currently use GSM cellular telephony have switched so far to the new standard. Once adopted, A5/3 will become one of the most widely used cryptosystems in the world, and its security will become one of the most important practical issues in cryptography. The core of the A5/3 cryptosystem, as well as of the UEA1 cryptosystem (which replaces A5/3 in the third generation telephony networks), is the KASUMI block cipher, which is based on the MISTY block cipher published at FSE 1997 by Matsui [22]. MISTY has 64-bit blocks, 128-bit keys, and a complex recursive Feistel structure with 8 rounds, each one of which consists of 3 rounds, each one of which has 3 rounds of nonlinear SBox operations.
MISTY has provable security properties against various types of attacks, and no attack is known on its full version. The best published attack can be applied to a 6-round reduced variant of the 8-round MISTY, and has a completely impractical time complexity of more than 2^123 [15]. However, the designers of A5/3 decided to make MISTY faster and more hardware-friendly by simplifying its key schedule and modifying some of its components. In [25], the designers provide a rationale for each one of these changes, and in particular they analyze the resistance of KASUMI against related-key attacks by stating that "removing all the FI functions in the key scheduling part makes the hardware smaller and/or reduces the key set-up time. We expect that related key attacks do not work for this structure". The best attack found by the designers and external evaluators of KASUMI is described as follows: "There are chosen plaintext and/or related-key attacks against KASUMI reduced to 5 rounds. We believe that with further analysis it might be possible to extend some attacks to 6 rounds, but not to the full 8 round KASUMI." The existence of better related-key attacks on the full KASUMI was already shown in [8, 21]. Their attack had a data complexity of 2^54.6 and time complexity of 2^76.1, which are impractical but better than exhaustive search. In this paper we develop a new attack, which requires only 4 related keys, 2^26 data, 2^30 bytes of memory, and 2^32 time. Since these complexities are so low, we could verify our attack experimentally, and our unoptimized implementation on a single PC recovered about 96 key bits in a few minutes, and the complete 128-bit key in less than two hours. Careful analysis of our attack technique indicates that it cannot be applied against the original MISTY, since it exploits a sequence of coincidences and lucky strikes which were created when MISTY was changed to KASUMI by ETSI's SAGE group.
This calls into question both the design of KASUMI and its security evaluation against related-key attacks. However, we
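The introduction above attributes much of the gap between MISTY and KASUMI to KASUMI's simplified key schedule, which drops the FI functions that MISTY applies to the key. The following Python is an added example, not code from the paper or from 3GPP, that implements the KASUMI key schedule as specified in 3GPP TS 35.202 and checks the structural property a related-key evaluation has to account for: because every subkey is either a rotation of a 16-bit key word or a key word XORed with a public constant, the subkey differences induced by a chosen key difference are fixed and known in every round, whatever the actual key value. The sample key and the single-bit key difference are constructed for illustration.

```python
# Added example: the KASUMI key schedule from 3GPP TS 35.202 and a check of
# its linearity. Not code from the paper; the sample key is constructed.

# Public constants C1..C8 (TS 35.202); K'_j = K_j XOR C_j.
C = [0x0123, 0x4567, 0x89AB, 0xCDEF, 0xFEDC, 0xBA98, 0x7654, 0x3210]


def rol16(x, n):
    """Rotate a 16-bit word left by n bits."""
    n %= 16
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def split_key(key):
    """Split a 128-bit integer key into the eight 16-bit words K1..K8
    (returned 0-indexed, so K[0] is K1, the most significant word)."""
    return [(key >> (16 * (7 - j))) & 0xFFFF for j in range(8)]


def key_schedule(key):
    """Return one dict per round (8 rounds) holding the tuples KL, KO, KI.
    Every subkey is either a rotation of some K_j or K_j XOR C_j, so the
    whole schedule is GF(2)-linear in the key: there is no FI step."""
    K = split_key(key)
    Kp = [K[j] ^ C[j] for j in range(8)]
    rounds = []
    for i in range(8):                       # i = round - 1
        at = lambda off: (i + off) % 8       # K_{i+off}, indices wrap mod 8
        rounds.append({
            "KL": (rol16(K[at(0)], 1), Kp[at(2)]),
            "KO": (rol16(K[at(1)], 5), rol16(K[at(5)], 8), rol16(K[at(6)], 13)),
            "KI": (Kp[at(4)], Kp[at(3)], Kp[at(7)]),
        })
    return rounds


def subkey_differences(key_a, key_b):
    """XOR difference of every subkey between two keys, same layout as key_schedule()."""
    out = []
    for ra, rb in zip(key_schedule(key_a), key_schedule(key_b)):
        out.append({name: tuple(x ^ y for x, y in zip(ra[name], rb[name]))
                    for name in ("KL", "KO", "KI")})
    return out


def active_subkeys(key, delta):
    """List (round, name, slot, diff) for every subkey that changes when the
    key is XORed with `delta`; round and slot are 1-based as in the spec."""
    active = []
    for i, rd in enumerate(subkey_differences(key, key ^ delta)):
        for name in ("KL", "KO", "KI"):
            for s, d in enumerate(rd[name]):
                if d:
                    active.append((i + 1, name, s + 1, d))
    return active


def difference_is_key_independent(delta, key1, key2):
    """True when `delta` induces the same subkey differences under key1 and key2.
    For KASUMI this holds for every delta, because the schedule is linear and
    the constants C_j cancel in the XOR difference."""
    return (subkey_differences(key1, key1 ^ delta)
            == subkey_differences(key2, key2 ^ delta))


if __name__ == "__main__":
    # Constructed sample key and a single-bit difference in K1 (bit 0 of the
    # most significant word, i.e. bit 112 of the 128-bit key).
    key = 0x0123456789ABCDEFFEDCBA9876543210
    delta = 1 << 112
    for rnd, name, slot, diff in active_subkeys(key, delta):
        print(f"round {rnd}: {name}{slot} differs by 0x{diff:04X}")
    print("key-independent:", difference_is_key_independent(delta, key, 0))
```

Running the block shows that a one-bit difference in K1 touches exactly one subkey in each of the eight rounds, with a difference that is just the same bit rotated by the schedule's fixed amount, and that the pattern is identical for any base key. In MISTY the FI functions in the key schedule make the subkey differences depend non-linearly on the key, which is why the same kind of reasoning does not carry over.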
doi:10.1007/s00145-013-9154-9