COMP128

COMP128 is an implementation of the A3 and A8 algorithms specified for the GSM network. A3 is required to authenticate the mobile station to the network, that is, to the AuC (Authentication Center), while A8 generates a session key for encrypted communication between the mobile station and the BTS (for voice calls) or the SGSN (for GPRS).

The technical details of the implementation were originally confidential; they became public in 1998 through reverse engineering.

COMP128 uses 9 rounds; the central core of the algorithm is a hash function. This hash function produces a 128-bit hash value from a 256-bit input and is based on a butterfly structure. The output of the algorithm comprises the response used for authentication and the session key for the stream cipher A5, which is used to encrypt the voice transmission.

Let X[0..31] be the 32-byte input of the hash function, with K := X[0..15] the key of the target SIM card and X[16..31] the challenge sent by the station. Further, let the tables T0[0..511], T1[0..255], T2[0..127], T3[0..63] and T4[0..31] be the secret permutation tables. The input then first passes 8 times through the following compression (see [HP00] under Related links):

For i = 0 to 4 do:
   For j = 0 to 2^i - 1 do:
      For k = 0 to 2^(4-i) - 1 do:
         s = k + j * 2^(5-i)
         t = s + 2^(4-i)
         x = (X[s] + 2X[t]) mod 2^(9-i)
         y = (2X[s] + X[t]) mod 2^(9-i)
         X[s] = Ti[x]
         X[t] = Ti[y]

After each permutation, the 16 output bytes are stored in X[16..31] and K[0..15] is stored in X again.

COMP128 is insecure because the hash function does not sufficiently diffuse small changes in the input. Because of the birthday problem, this can be exploited in a chosen-challenge attack such that within queries to the SIM card the entire key can be extracted.
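
The butterfly compression and its weak diffusion, as an added Python example that is not part of the original page: it runs the loop with constructed placeholder tables (the real T0..T4 are not reproduced here) and records which positions of X can change when a single challenge byte varies. The function names, the table contents and the (8-i)-bit width of the entries of Ti are assumptions of this example.

```python
import random

def make_placeholder_tables(seed=0):
    """Constructed stand-ins for T0..T4, NOT the real COMP128 tables.
    Assumption: Ti has 2^(9-i) entries, each an (8-i)-bit value."""
    rng = random.Random(seed)
    return [[rng.randrange(2 ** (8 - i)) for _ in range(2 ** (9 - i))]
            for i in range(5)]

def butterfly(X, T, levels=5):
    """Run the first `levels` values of i of the compression loop on a copy of X."""
    X = list(X)
    for i in range(levels):
        for j in range(2 ** i):
            for k in range(2 ** (4 - i)):
                s = k + j * 2 ** (5 - i)
                t = s + 2 ** (4 - i)
                x = (X[s] + 2 * X[t]) % 2 ** (9 - i)
                y = (2 * X[s] + X[t]) % 2 ** (9 - i)
                X[s], X[t] = T[i][x], T[i][y]
    return X

def influenced_positions(pos, levels, T, trials=8, seed=1):
    """Positions of X seen to change after `levels` levels when only
    input byte `pos` is varied over all 256 values (random other bytes)."""
    rng = random.Random(seed)
    touched = set()
    for _ in range(trials):
        base = [rng.randrange(256) for _ in range(32)]
        ref = butterfly(base, T, levels)
        for v in range(256):
            mod = list(base)
            mod[pos] = v
            out = butterfly(mod, T, levels)
            touched.update(p for p in range(32) if out[p] != ref[p])
    return sorted(touched)

if __name__ == "__main__":
    T = make_placeholder_tables()
    # X[16] is the first challenge byte; watch how far a change in it spreads.
    for n in range(1, 6):
        print(n, "level(s):", influenced_positions(16, n, T))
```

The spread doubles per level: a change in one challenge byte has reached only four positions of X after two levels, and the remaining levels work on progressively narrower values.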
