The new encryption code for 3G GSM phone calls has been cracked by researchers at the Weizmann Institute of Science in Israel.
In a paper published in the Cryptology ePrint archive, Orr Dunkelman, Nathan Keller and Adi Shamir spelled out a PC-based attack on the 128-bit A5/3 cryptosystem used in third-generation GSM telephony that yielded results in just two hours.
The privacy of most GSM phone conversations is currently protected by the 20-year-old A5/1 and A5/2 stream ciphers, which have been shown repeatedly to be cryptographically weak, they said.
They are being replaced in third-generation networks by a new A5/3 block cipher called Kasumi, which is a modified version of the Misty cryptosystem.
The authors described a new attack called a sandwich attack, and used it to construct a simple distinguisher for seven of the eight rounds of Kasumi. This produced "an amazingly high probability of 2−14," they said.
"By using this distinguisher and analysing the single remaining round, we can derive the complete 128-bit key of the full Kasumi by using only four related keys, 226 data, 230 bytes of memory, and 232 time.
"These complexities are so small that we have actually simulated the attack in less than two hours on a single PC and experimentally verified its correctness and complexity," they said.
They said that the changes made by the GSM Association in moving from Misty to Kasumi has resulted in a much weaker cryptosystem. "Neither our technique nor any other published attack can break Misty in less than the 2128 complexity of exhaustive search," they said.