A group of cryptographers has developed a new attack that has broken Kasumi, the encryption algorithm used to secure traffic on 3G GSM wireless networks. The technique enables them to recover a full key by using a tactic known as a related-hey attack, but experts say it is not the end of the world for Kasumi.
Kasumi, also known as A5/3, is the standard cipher used to encrypt communications on 3G GSM networks, and it's a modified version of an older algorithm called Misty. The paper describing the new attack is not yet public, but the Emergent Chaos blog has a good description of the attack, including an excerpt from the abstract:
In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2−14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 226 data, 230 bytes of memory, and 232 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity. Interestingly, neither our technique nor any other published attack can break MISTY in less than the 2128 complexity of exhaustive search, which indicates that the changes made by the GSM Association in moving from MISTY to KASUMI resulted in a much weaker cryptosystem.As Emergent Chaos points out, this is not necessarily a sky-is-falling moment, but it's not good news either. The group of researchers who developed the new attack includes Orr Dunkelman, Nathan Keller and Adi Shamir, one of the creators of the RSA algorithm.
The news of the Kasumi crack comes just a couple of weeks after researchers published a method for attacking the older A5/1 GSM algorithm.