COMP128

The COMP128 algorithms are implementations of the A3 and A8 functions defined in the GSM standard. A3 is used to authenticate the mobile station to the network. A8 is used to generate the session key used by A5 to encrypt the data transmitted between the mobile station and the BTS.

There are three versions of COMP128. They were originally confidential. A partial description of the first version was leaked in 1997 and completed via reverse engineering. This led to a full publication in 1998. The second and third versions were obtained via reverse engineering of software which verifies SIM cards compliance.

Introduction
For details on the way A3 and A8 are used see Authentication Center.

A3 and A8 both take a 128-bit key (Ki) and a 128-bit challenge (RAND) as inputs. A3 produces a 32-bit response (SRES) and A8 produces a 64-bit session key (Kc). A3/A8 is the combined function with Ki and RAND as inputs and SRES and Kc as outputs.

As A3 and A8 are not further specified, operators can freely choose the concrete algorithms used for A3 and A8.

COMP128 algorithms
The COMP128 algorithms implement the A3/A8 function. There are three of them:


 * COMP128-1 – original algorithm with known weaknesses
 * COMP128-2 – stronger algorithm which still clears the 10 rightmost bits of Kc
 * COMP128-3 – same algorithm as COMP128-2 with all 64 bits of Kc generated

All of them are built around a compression function with two 128 bits inputs and one 128 bits output, hence their names. Ki and RAND are used as the inputs of the compression function. Bits from its output are then used to fill SRES and Kc.

COMP128-1 description
COMP128-1 uses a compression function with eight rounds which is based on a butterfly structure with five stages. SRES is filled with the first 32 bits of the output. Kc is filled with the last 54 bits of the output followed by ten zeroes.

For a full description of the algorithm, the reader can view the OsmocomBB implementation.

COMP128-2/3 description
The implementation of COMP128-2 and COMP128-3 is noticeably more complex than COMP128-1. For a full description of the algorithm, the reader can view the OsmocomBB implementation or FreeRADIUS implementation, both based on the Python code from the Secrets of Sim article. COMP128-2 is identical to COMP128-3 except for the fact that at the end, it clears the 10 rightmost bits of Kc.

Security
The COMP128-1 hash function is considered weak because there is insufficient diffusion of small changes in the input. Practical attacks have been demonstrated that can recover the subscriber key from the SIM.

The session keys produced by COMP128-1 and COMP128-2 intentionally have only 54 bits of entropy. This significantly weakens the A5 or A6 encryption.