|
|
| Line 1: |
Line 1: |
| '''A5/1''' is a [[stream cipher]] used to provide over-the-air communication [[privacy]] in the [[Global System for Mobile Communications|GSM]] [[Cell phone|cellular telephone]] standard. It is one of seven algorithms which were specified for GSM use.<ref name=ChangeReq>{{cite web|url=http://www.3gpp.org/ftp/tsg_sa/TSG_SA/TSGS_37/Docs/SP-070671.zip|title=Prohibiting A5/2 in mobile stations and other clarifications regarding A5 algorithm support}}</ref> It was initially kept secret, but became public knowledge through leaks and [[reverse engineering]]. A number of serious weaknesses in the cipher have been identified.
| | {{About|observables in physics|the use of the term "observable" in [[control theory]]|Observability}} |
|
| |
|
| ==History and usage==
| | {{Cleanup|date=July 2010}} |
| A5/1 is used in [[Europe]] and the United States. [[A5/2]] was a deliberate weakening of the algorithm for certain export regions.<ref>{{cite web
| | {{No footnotes|date=May 2009}} |
| | archiveurl = http://web.archive.org/web/20040712061808/www.ausmobile.com/downloads/technical/Security+in+the+GSM+system+01052004.pdf
| |
| | first = Jeremy | last = Quirke | archivedate = 2004-07-12
| |
| | title = Security in the GSM system | publisher = AusMobile
| |
| | date = 2004-05-01 | url = http://www.ausmobile.com/downloads/technical/Security+in+the+GSM+system+01052004.pdf
| |
| }}</ref> A5/1 was developed in 1987, when GSM was not yet considered for use outside Europe, and [[A5/2]] was developed in 1989. Though both were initially kept secret, the general design was leaked in 1994 and the algorithms were entirely reverse engineered in 1999 by [[Marc Briceno]] from a GSM telephone. In 2000, around 130 million GSM customers relied on A5/1 to protect the confidentiality of their voice communications; by 2011, it was 4 billion.{{Citation needed|date=March 2011}}. | |
|
| |
|
| Security researcher [[Ross J. Anderson|Ross Anderson]] reported in 1994 that "there was a terrific row between the [[NATO]] [[SIGINT|signal intelligence agencies]] in the mid-1980s over whether GSM encryption should be strong or not. The Germans said it should be, as they shared a long border with the [[Warsaw Pact]]; but the other countries didn't feel this way, and the algorithm as now fielded is a French design."<ref name="Ross94">{{cite newsgroup
| | In [[physics]], particularly in [[quantum physics]], a system '''observable''' is a measurable operator, or gauge, where the property of the [[Quantum state|system state]] can be determined by some sequence of physical [[operational definition|operations]]. For example, these operations might involve submitting the system to various [[electromagnetic field]]s and eventually reading a value off some gauge. In systems governed by [[classical mechanics]], any [[experiment]]ally observable value can be shown to be given by a [[real number|real]]-valued [[function (mathematics)|function]] on the set of all possible system states. |
| | title = A5 (Was: HACKING DIGITAL PHONES) | |
| | author = [[Ross J. Anderson|Ross Anderson]]
| |
| | date = 1994-06-17
| |
| | newsgroup = uk.telecom
| |
| |message-id= 2ts9a0$95r@lyra.csx.cam.ac.uk
| |
| | url = http://groups.google.com/groups?selm=2ts9a0%2495r%40lyra.csx.cam.ac.uk
| |
| }}</ref>
| |
|
| |
|
| ==Description==
| | Physically meaningful observables must also satisfy [[transformation law]]s which relate observations performed by different [[observation|observer]]s in different [[frames of reference]]. These transformation laws are [[automorphism]]s of the state space, that is [[bijective]] [[Transformation (mathematics)|transformation]]s which preserve some mathematical property. |
| [[Image:A5-1 GSM cipher.svg|thumbnail|350px|right|The A5/1 stream cipher uses three LFSRs. A register is clocked if its clocking bit (orange) agrees with one or both of the clocking bits of the other two registers.]] | |
| A GSM transmission is organised as sequences of ''bursts''. In a typical channel and in one direction, one burst is sent every 4.615 milliseconds and contains 114 bits available for information. A5/1 is used to produce for each burst a 114 bit sequence of [[keystream]] which is [[XOR]]ed with the 114 bits prior to modulation. A5/1 is initialised using a 64-bit [[key (cryptography)|key]] together with a publicly known 22-bit frame number. Older fielded GSM implementations using Comp128v1 for key generation, had 10 of the key bits fixed at zero, resulting in an effective [[key length]] of 54 bits. This weakness was rectified with the introduction of Comp128v2 which yields proper 64 bits keys. When operating in GPRS / EDGE mode, higher bandwidth radio modulation allows for larger 348 bits frames, and [[A5/3]] is then used in a stream cipher mode to maintain confidentiality.
| |
|
| |
|
| A5/1 is based around a combination of three [[linear feedback shift register]]s (LFSRs) with irregular clocking. The three shift registers are specified as follows:
| | == Quantum mechanics == |
| {| class="wikitable"
| |
| !LFSR<br>number
| |
| !Length in <br>bits
| |
| !Feedback<br> polynomial
| |
| !Clocking <br>bit
| |
| !Tapped <br>bits
| |
| |-
| |
| |1 || 19 || <math>x^{19} + x^{18} + x^{17} + x^{14} + 1</math> || 8 || 13, 16, 17, 18
| |
| |-
| |
| |2 || 22 || <math>x^{22} + x^{21} + 1</math> || 10 || 20, 21
| |
| |-
| |
| |3 || 23 || <math>x^{23} + x^{22} + x^{21} + x^{8} + 1</math> || 10 || 7, 20, 21, 22
| |
| |}
| |
| The bits are indexed with the [[least significant bit]] (LSB) as 0.
| |
|
| |
|
| The registers are clocked in a stop/go fashion using a majority rule. Each register has an associated clocking bit. At each cycle, the clocking bit of all three registers is examined and the majority bit is determined. A register is clocked if the clocking bit agrees with the majority bit. Hence at each step at least two or three registers are clocked, and each register steps with probability 3/4.
| | In [[quantum physics]], the relation between system state and the value of an observable requires some basic [[linear algebra]] for its description. In the [[mathematical formulation of quantum mechanics]], states are given by non-zero [[vector (geometry)|vector]]s in a [[Hilbert space]] ''V'' (where two vectors are considered to specify the same state if, and only if, they are scalar multiples of each other) and observables are given by [[self-adjoint operator]]s on ''V''. However, as indicated below, not every self-adjoint operator corresponds to a physically meaningful observable. For the case of a system of [[Elementary particle|particle]]s, the space ''V'' consists of functions called [[wave function]]s or [[state vector]]s. |
|
| |
|
| Initially, the registers are set to zero. Then for 64 cycles, the 64-bit secret key is mixed in according to the following scheme: in cycle <math>0\leq{i}<64</math>, the ''i''th key bit is added to the least significant bit of each register using XOR —
| | In the case of transformation laws in quantum mechanics, the requisite automorphisms are [[unitary operator|unitary]] (or [[antiunitary]]) linear transformations of the [[Hilbert space]] ''V''. Under [[Galilean relativity]] or [[special relativity]], the mathematics of frames of reference is particularly simple, and in fact restricts considerably the set of physically meaningful observables. |
| :<math>R[0] = R[0] \oplus K[i].</math>
| |
| Each register is then clocked.
| |
|
| |
|
| Similarly, the 22-bits of the frame number are added in 22 cycles. Then the entire system is clocked using the normal majority clocking mechanism for 100 cycles, with the output discarded. After this is completed, the cipher is ready to produce two 114 bit sequences of output keystream, first 114 for downlink, last 114 for uplink.
| | In quantum mechanics, measurement of observables exhibits some seemingly unintuitive properties. Specifically, if a system is in a state described by a vector in a [[Hilbert space]], the measurement process affects the state in a non-deterministic, but statistically predictable way. In particular, after a measurement is applied, the state description by a single vector may be destroyed, being replaced by a [[statistical ensemble]]. The [[reversible process|irreversible]] nature of measurement operations in quantum physics is sometimes referred to as the [[measurement problem]] and is described mathematically by [[quantum operation]]s. By the structure of quantum operations, this description is mathematically equivalent to that offered by [[relative state interpretation]] where the original system is regarded as a subsystem of a larger system and the state of the original system is given by the [[partial trace]] of the state of the larger system. |
|
| |
|
| ==Security==
| | In quantum mechanics each dynamical variable (e.g. position, translational momentum, orbital angular momentum, spin, total angular momentum, energy, etc.) is associated with a [[Hermitian operator]] that acts on the [[Quantum state|state]] of the quantum system and whose [[eigenvalues]] correspond to the possible values of the dynamical variable. For example, suppose <math>|a\rangle</math> is an eigenket ([[eigenvector]]) of the observable <math>\mathbf{A}</math>, with eigenvalue <math>a</math>, and exists in a d-dimensional [[Hilbert space]]. Then |
| [[File:CipheringNotProvided.jpg|right|thumb|200 px|The message on the screen of a mobile phone with the warning about lack of ciphering]]A number of attacks on A5/1 have been published, and the American [[National Security Agency]] is able to routinely decrypt A5/1 messages according to released internal documents.<ref>[http://yro.slashdot.org/story/13/12/14/0148251/nsa-able-to-crack-a51-cellphone-crypto NSA Able To Crack A5/1 Cellphone Crypto - Slashdot]</ref> | |
|
| |
|
| Some attacks require an expensive preprocessing stage after which the cipher can be broken in minutes or seconds. Until recently, the weaknesses have been passive attacks using the [[known plaintext]] assumption. In 2003, more serious weaknesses were identified which can be exploited in the [[ciphertext only attack|ciphertext-only scenario]], or by an active attacker. In 2006 Elad Barkan, [[Eli Biham]] and Nathan Keller demonstrated attacks against A5/1, [[A5/3]], or even GPRS that allow attackers to tap GSM mobile phone conversations and decrypt them either in real-time, or at any later time.
| | :<math>\mathbf{A}</math><math>|a\rangle</math> = <math>a</math> <math>|a\rangle.</math> |
|
| |
|
| According to professor Jan Arild Audestad, at the standardization process which started in 1982, A5/1 was originally proposed to have a key length of 128 bits. At that time, 128 bits was projected to be secure for at least 15 years. It is now estimated that 128 bits would in fact also still be secure as of 2014. Audestad, Peter van der Arend, and [[Thomas Haug]] says that the British insisted on weaker encryption, with Haug saying he was told by the British delegate that this was to allow the British secret service to eavesdrop more easily. The British proposed a key length of 48 bits, while the West Germans wanted stronger encryption to protect against East German spying, so the compromise became a key length of 56 bits.<ref>http://www.aftenposten.no/nyheter/uriks/Sources-We-were-pressured-to-weaken-the-mobile-security-in-the-80s-7413285.html#.UtBeNpD_sQs</ref>
| | This eigenket equation says that if a [[measurement]] of the observable <math>\scriptstyle \mathbf{A}</math> is made while the system of interest is in the state <math>\scriptstyle |a\rangle</math>, then the observed value of that particular measurement must return the eigenvalue <math>a</math> with certainty. However, if the system of interest is in the general state <math>\scriptstyle |\phi\rangle\in\mathcal{H}</math>, then the eigenvalue <math>a</math> is returned with probability <math>\scriptstyle |\langle a|\phi\rangle|^2</math> ([[Born rule]]). One must note that the above definition is somewhat dependent upon our convention of choosing real numbers to represent real physical quantities. Indeed, just because dynamical variables are "real" and not "unreal" in the metaphysical sense does not mean that they must correspond to real numbers in the mathematical sense. |
|
| |
|
| ===Known-plaintext attacks===
| | To be more precise, the dynamical variable/observable is a (not necessarily bounded) Hermitian operator in a Hilbert Space and thus is represented by a Hermitian matrix if the space is finite-dimensional. In an infinite-dimensional Hilbert space, the observable is represented by a [[Symmetric operator#Symmetric operators|symmetric operator]], which may not be ''defined everywhere'' (i.e. its [[Domain (mathematics)|domain]] is not the whole space - there exist some states that are not in the domain of the operator). The reason for such a change is that in an infinite-dimensional Hilbert space, the operator becomes [[unbounded]], which means that it no longer has a largest eigenvalue. This is not the case in a finite-dimensional Hilbert space, where every operator is bounded - it has a largest eigenvalue. For example, if we consider the position of a point particle moving along a line, this particle's position variable can take on any number on the real-line, which is [[uncountably]] infinite. Since the eigenvalue of an observable represents a real physical quantity for that particular dynamical variable, then we must conclude that there is no largest eigenvalue for the position observable in this uncountably infinite-dimensional Hilbert space, since the [[Field (mathematics)|field]] we're working over consists of the real-line. Nonetheless, whether we are working in an infinite-dimensional or finite-dimensional Hilbert space, the role of an observable in quantum mechanics is to assign real numbers to outcomes of ''particular measurements''; this means that only certain measurements can determine the value of an observable for some state of a quantum system. In classical mechanics, ''any'' measurement can be made to determine the value of an observable. |
| The first attack on the A5/1 was proposed by [[Ross J. Anderson|Ross Anderson]] in 1994. Anderson’s basic idea was to guess the complete content of the registers R1 and R2 and about half of the register R3. In this way the clocking of all three registers is determined and the second half of R3 can be computed.<ref name="Ross94"/>
| |
|
| |
|
| In 1997, Golic presented an attack based on solving sets of linear equations which has a time complexity of 2<sup>40.16</sup> (the units are in terms of number of solutions of a system of linear equations which are required).
| | ==Incompatibility of observables in quantum mechanics== |
| | A crucial difference between classical quantities and quantum mechanical observables is that the latter may not be simultaneously measurable. This is mathematically expressed by non-[[commutativity]] of the corresponding operators, to the effect that |
|
| |
|
| In 2000, [[Alex Biryukov]], [[Adi Shamir]] and [[David A. Wagner|David Wagner]] showed that A5/1 can be [[cryptanalysis|cryptanalysed]] in real time using a time-memory tradeoff attack,<ref>{{cite journal
| | :<math>\mathbf{A}\mathbf{B} - \mathbf{B}\mathbf{A} \neq \mathbf{0}.</math> |
| | authorlink = Alex Biryukov | first = Alex | last = Biryukov |author2= [[Adi Shamir]]|author3= [[David A. Wagner|David Wagner]]
| |
| | title = Real Time Cryptanalysis of A5/1 on a PC
| |
| | journal = [[Fast Software Encryption]]—FSE 2000 | pages = 1–18 | url = http://cryptome.info/0001/a51-bsw/a51-bsw.htm
| |
| }}</ref> based on earlier work by Jovan Golic.<ref>{{cite journal | |
| | first = Jovan Dj. | last = Golic | title = Cryptanalysis of Alleged A5 Stream Cipher
| |
| | work = [[EUROCRYPT]] 1997 | year = 1997 | pages = 239–55 | url = http://jya.com/a5-hack.htm
| |
| }}</ref> One tradeoff allows an attacker to reconstruct the key in one second from two minutes of known plaintext or in several minutes from two seconds of known plain text, but he must first complete an expensive preprocessing stage which requires 2<sup>48</sup> steps to compute around 300 GB of data. Several tradeoffs between preprocessing, data requirements, attack time and memory complexity are possible. | |
|
| |
|
| The same year, [[Eli Biham]] and [[Orr Dunkelman]] also published an attack on A5/1 with a total work complexity of 2<sup>39.91</sup> A5/1 clockings given 2<sup>20.8</sup> bits of [[known plaintext]]. The attack requires 32 GB of data storage after a [[precomputation]] stage of 2<sup>38</sup>.<ref>{{cite journal
| | This inequality expresses a dependence of measurement results on the order in which measurements of observables <math>\scriptstyle \mathbf{A}</math> and <math>\scriptstyle \mathbf{B}</math> are performed. Observables corresponding to non-commutative operators are called ''incompatible''. |
| | first = Eli | last = Biham |author2= Orr Dunkelman
| |
| | title = Cryptanalysis of the A5/1 GSM Stream Cipher | year = 2000
| |
| | journal = [[Indocrypt]] 2000 | pages =43–51
| |
| }}</ref>
| |
| | |
| Ekdahl and Johannson published an attack on the initialisation procedure which breaks A5/1 in a few minutes using two to five minutes of conversation plaintext.<ref>{{cite journal
| |
| | first = Patrik | last = Ekdahl |author2= Thomas Johansson
| |
| | title = Another attack on A5/1
| |
| | journal = IEEE Transactions on Information Theory | volume = 49 | issue = 1
| |
| | pages = 284–89 | year = 2003 | url = http://www.it.lth.se/patrik/papers/a5full.pdf (
| |
| | doi = 10.1109/TIT.2002.806129
| |
| }}</ref> This attack does not require a preprocessing stage. In 2004, Maximov et al. improved this result to an attack requiring "less than one minute of computations, and a few seconds of known conversation". The attack was further improved by [[Elad Barkan]] and [[Eli Biham]] in 2005.<ref>{{cite journal
| |
| | first = Elad | last = Barkan |author2= Eli Biham
| |
| | title = Conditional Estimators: An Effective Attack on A5/1
| |
| | journal = Selected Areas in Cryptography 2005 | year = 2005 | pages = 1–19
| |
| }}</ref>
| |
| | |
| ===Attacks on A5/1 as used in GSM===
| |
| | |
| In 2003, Barkan ''et al.'' published several attacks on GSM encryption.<ref>{{cite journal
| |
| | first = Elad | last = Barkan |author2= [[Eli Biham]]|author3= Nathan Keller
| |
| | title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication | year = 2003
| |
| | journal = [[Crypto]] 2003 | pages = 600–16 | url = http://cryptome.org/gsm-crack-bbk.pdf
| |
| }}</ref> The first is an active attack. GSM phones can be convinced to use the much weaker [[A5/2]] cipher briefly. A5/2 can be broken easily, and the phone uses the same key as for the stronger A5/1 algorithm. A second attack on A5/1 is outlined, a [[ciphertext-only]] time-memory tradeoff attack which requires a large amount of precomputation.
| |
| | |
| In 2006, [[Elad Barkan]], [[Eli Biham]], [[Nathan Keller]] published the full version of their 2003 paper, with attacks against A5/X Ciphers. The authors claim:<ref>{{cite web
| |
| | url = http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf
| |
| | title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication by Barkan and Biham of Technion (Full Version)
| |
| | first = Elad | last = Barkan |author2= Eli Biham|author3= Nathan Keller
| |
| }}</ref> {{quotation|We present a very practical ciphertext-only cryptanalysis of GSM encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use "unbreakable" ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS. These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher, for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real-time, or at any later time.}}
| |
| | |
| In 2007 [[University of Bochum|Universities of Bochum]] and Kiel started a research project to create a massively parallel [[FPGA]]-based cryptographic accelerator [http://www.sciengines.com/copacobana/ COPACOBANA]. COPACOBANA was the first commercially available solution<ref>{{cite journal
| |
| | first = Tim | last = Gueneysu |author2= Timo Kasper|author3= Martin Novotný|author4= Christof Paar|author5= Andy Rupp
| |
| | title = Cryptanalysis with COPACOBANA
| |
| | url = http://www.sciengines.com/copacobana/paper/TC_COPACOBANA.pdf
| |
| | journal = [[Transactions on Computers]] Nov. 2008 | year = 2008 | pages = 1498–1513
| |
| | volume = 57
| |
| }}</ref> using fast time-memory trade-off techniques that could be used to attack the popular A5/1 and A5/2 algorithms, used in GSM voice encryption, as well as the [[Data Encryption Standard]] (DES). It also enables [[brute force attack]]s against GSM eliminating the need of large precomputated lookup tables.
| |
| | |
| In 2008, the group [[The Hackers Choice]] launched a project to develop a practical attack on A5/1. The attack requires the construction of a large look-up table of approximately 3 terabytes. Together with the scanning capabilities developed as part of the sister project, the group expected to be able to record any GSM call or SMS encrypted with A5/1, and within about 3–5 minutes derive the encryption key and hence listen to the call and read the SMS in clear. But the tables weren't released.<ref name="nohl26c3"/>
| |
| | |
| A similar effort, the [http://reflextor.com/trac/a51/wiki A5/1 Cracking Project], was announced at the [[Black Hat Briefings|2009 Black Hat security conference]] by cryptographers [[:de:Karsten Nohl|Karsten Nohl]] and Sascha Krißler. It created the look-up tables using [[Nvidia]] [[GPGPU]]s via a [[peer-to-peer]] [[distributed computing]] architecture. Starting in the middle of September 2009, the project ran the equivalent of 12 Nvidia GeForce GTX 260. According to the authors, the approach can be used on any cipher with key size up to 64-bits.<ref name=nohl/>
| |
| | |
| In December 2009, the A5/1 Cracking Project attack tables for A5/1 were announced by Chris Paget and Karsten Nohl. The tables use a combination of compression techniques, including [[rainbow table]]s and distinguished point chains. These tables constituted only parts of the 2TB completed table, and had been computed during three months using 40 distributed [[CUDA]] nodes, and then published over [[BitTorrent (protocol)|BitTorrent]].<ref name="nohl26c3">{{Cite conference
| |
| | conference = 26th Chaos Communication Congress (26C3):
| |
| | last = Nohl
| |
| | first = Karsten
| |
| |author2= Chris Paget
| |
| | title = GSM: SRSLY?
| |
| | accessdate = 2009-12-30
| |
| | date = 2009-12-27
| |
| | url = http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html
| |
| | archiveurl= http://web.archive.org/web/20100106084817/http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html| archivedate= 6 January 2010 <!--DASHBot-->| deadurl= no}}</ref><ref name=nohl>https://har2009.org/program/attachments/119_GSM.A51.Cracking.Nohl.pdf Subverting the security base of GSM. Karsten Nohl and Sascha Krißler</ref><ref>{{cite news|url=http://www.nytimes.com/2009/12/29/technology/29hack.html|title=Cellphone Encryption Code Is Divulged|first=Kevin|last=O'Brien|date=2009-12-28|accessdate=2009-12-29|work=New York Times| archiveurl= http://web.archive.org/web/20100101130022/http://www.nytimes.com/2009/12/29/technology/29hack.html| archivedate= 1 January 2010 <!--DASHBot-->| deadurl= no}}</ref><ref>{{cite news |url=http://www.pcworld.com/article/185542/hackers_show_its_easy_to_snoop_on_a_gsm_call.html |title=Hackers Show It's Easy to Snoop on a GSM Call |first=Robert |last=McMillan |work=IDG News Service }}</ref> More recently the project has announced a switch to faster ATI [[Evergreen (GPU family)|Evergreen]] code, together with a change in the format of the tables and [[Frank A. Stevenson]] announced [http://web.archive.org/web/20120306125406/http://lists.lists.reflextor.com/pipermail/a51/2010-May/000605.html breaks of A5/1] using the ATI generated tables.
| |
| | |
| Documents leaked by Edward Snowden in 2013 states that NSA "can process encrypted A5/1".<ref>http://www.washingtonpost.com/business/technology/by-cracking-cellphone-code-nsa-has-capacity-for-decoding-private-conversations/2013/12/13/e119b598-612f-11e3-bf45-61f69f54fc5f_story.html</ref>
| |
|
| |
|
| ==See also== | | ==See also== |
| * [[A5/2]] | | * [[Observable universe]] |
| * [[KASUMI (block cipher)|KASUMI]], also known as A5/3 | | * [[Observer (quantum physics)]] |
| * [[Cellular Message Encryption Algorithm]]
| |
| | |
| ==Notes==
| |
| {{Reflist|2}}
| |
|
| |
|
| ==References== | | == Further reading == |
| * {{cite web
| | {{refbegin}} |
| | first = Greg | last = Rose
| | * S. Auyang, ''How is Quantum Field Theory Possible'', Oxford University Press, 1995. |
| | title = A precis of the new attacks on GSM encryption | publisher = [[QUALCOMM]] Australia | date = 2003-09-10
| | * G. Mackey, ''Mathematical Foundations of Quantum Mechanics'', W. A. Benjamin, 1963. |
| | url = http://www.qualcomm.com.au/PublicationsDocs/GSM_Attacks.pdf | | * V. Varadarajan, ''The Geometry of Quantum Mechanics'' vols 1 and 2, Springer-Verlag 1985. |
| }}
| | * Leslie E. Ballentine, "Quantum Mechanics: A Modern Development", World Scientific, 1998 |
| * {{cite journal
| | * R. Blume-Kohout, "Lecture 14: <math>L^2(\reals)</math> and Hilbert space. Wavefunctions, unbounded operators, and rigged Hilbert space.", www.am473.ca, 10/26/08 |
| | first = Alexander | last = Maximov |author2= Thomas Johansson|author3= Steve Babbage
| | {{refend}} |
| | title = An Improved Correlation Attack on A5/1
| |
| | journal = [[Selected Areas in Cryptography]] 2004 | year = 2004 | pages = 1–18
| |
| }} | |
|
| |
|
| ==External links==
| | [[Category:Quantum mechanics]] |
| * {{cite web
| |
| | first = Marc | last = Briceno |author2= Ian Goldberg|author3= David Wagner | date = 1999-10-23
| |
| | url = http://edipermadi.files.wordpress.com/2008/03/pedagogical_implementation_of_a5_cipher.pdf
| |
| | title = A pedagogical implementation of the GSM A5/1 and A5/2 "voice privacy" encryption algorithms
| |
| }}
| |
| * {{cite web
| |
| | date = 2009-08-25
| |
| | url = http://www.neowin.net/news/main/09/08/25/huge-gsm-flaw-allows-hackers-to-listen-in-on-voice-calls
| |
| | title = Huge GSM flaw allows hackers to listen in on voice calls
| |
| }}
| |
| * {{cite news
| |
| | url = http://www.cs.technion.ac.il/%7Ebarkan/GSM-Media/HaaretzInternetEnglish.pdf
| |
| | title = Technion team cracks GSM cellular phone encryption | work = [[Haaretz]]
| |
| | first = Hadar | last = Horesh | date = 2003-09-03
| |
| }}
| |
| * {{cite web
| |
| | url = http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-info.cgi?2006/CS/CS-2006-07
| |
| | title = Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication (Technical Report CS-2006-07)
| |
| | first = Elad | last = Barkan |author2= Eli Biham|author3= Nathan Keller |date=July 2006
| |
| }}
| |
| * {{cite web
| |
| | url = http://www.ma.huji.ac.il/~nkeller
| |
| | title = Nathan Keller's Homepage
| |
| }}
| |
| * {{cite web
| |
| | url = http://l-system.net.pl/crypto/A5_1_stream_cipher.svg
| |
| | title = Animated SVG showing A5/1 stream cypher
| |
| }}
| |
| * {{cite web
| |
| | url = http://ipsec.pl/files/ipsec/security_in_the_gsm_network.pdf
| |
| | title = Security in the GSM network
| |
| | first = Marcin | last = Olawski | date = May 2011 | publisher = IPSec.pl
| |
| }}
| |
| {{Cryptography navbox | stream}}
| |
|
| |
|
| {{DEFAULTSORT:A5 1}}
| | [[ca:Observable]] |
| [[Category:Stream ciphers]] | | [[cs:Pozorovatelná veličina]] |
| [[Category:Broken stream ciphers]] | | [[de:Observable]] |
| [[Category:Mobile telecommunications standards]] | | [[es:Observable]] |
| [[Category:3GPP standards]] | | [[eo:Videbla (fiziko)]] |
| [[Category:GSM standard]] | | [[fr:Observable]] |
| | [[it:Osservabile]] |
| | [[hu:Megfigyelhető mennyiség]] |
| | [[nl:Observabele]] |
| | [[ja:オブザーバブル]] |
| | [[pl:Obserwabla]] |
| | [[pt:Observável]] |
| | [[ru:Квантовая наблюдаемая]] |
| | [[fi:Observaabeli]] |
| | [[zh:可觀察量]] |
29 yr old Orthopaedic Surgeon Grippo from Saint-Paul, spends time with interests including model railways, top property developers in singapore developers in singapore and dolls. Finished a cruise ship experience that included passing by Runic Stones and Church.
Template:Cleanup
Template:No footnotes
In physics, particularly in quantum physics, a system observable is a measurable operator, or gauge, where the property of the system state can be determined by some sequence of physical operations. For example, these operations might involve submitting the system to various electromagnetic fields and eventually reading a value off some gauge. In systems governed by classical mechanics, any experimentally observable value can be shown to be given by a real-valued function on the set of all possible system states.
Physically meaningful observables must also satisfy transformation laws which relate observations performed by different observers in different frames of reference. These transformation laws are automorphisms of the state space, that is bijective transformations which preserve some mathematical property.
Quantum mechanics
In quantum physics, the relation between system state and the value of an observable requires some basic linear algebra for its description. In the mathematical formulation of quantum mechanics, states are given by non-zero vectors in a Hilbert space V (where two vectors are considered to specify the same state if, and only if, they are scalar multiples of each other) and observables are given by self-adjoint operators on V. However, as indicated below, not every self-adjoint operator corresponds to a physically meaningful observable. For the case of a system of particles, the space V consists of functions called wave functions or state vectors.
In the case of transformation laws in quantum mechanics, the requisite automorphisms are unitary (or antiunitary) linear transformations of the Hilbert space V. Under Galilean relativity or special relativity, the mathematics of frames of reference is particularly simple, and in fact restricts considerably the set of physically meaningful observables.
In quantum mechanics, measurement of observables exhibits some seemingly unintuitive properties. Specifically, if a system is in a state described by a vector in a Hilbert space, the measurement process affects the state in a non-deterministic, but statistically predictable way. In particular, after a measurement is applied, the state description by a single vector may be destroyed, being replaced by a statistical ensemble. The irreversible nature of measurement operations in quantum physics is sometimes referred to as the measurement problem and is described mathematically by quantum operations. By the structure of quantum operations, this description is mathematically equivalent to that offered by relative state interpretation where the original system is regarded as a subsystem of a larger system and the state of the original system is given by the partial trace of the state of the larger system.
In quantum mechanics each dynamical variable (e.g. position, translational momentum, orbital angular momentum, spin, total angular momentum, energy, etc.) is associated with a Hermitian operator that acts on the state of the quantum system and whose eigenvalues correspond to the possible values of the dynamical variable. For example, suppose 
is an eigenket (eigenvector) of the observable 
, with eigenvalue 
, and exists in a d-dimensional Hilbert space. Then
- =
This eigenket equation says that if a measurement of the observable 
is made while the system of interest is in the state 
, then the observed value of that particular measurement must return the eigenvalue with certainty. However, if the system of interest is in the general state 
, then the eigenvalue is returned with probability 
(Born rule). One must note that the above definition is somewhat dependent upon our convention of choosing real numbers to represent real physical quantities. Indeed, just because dynamical variables are "real" and not "unreal" in the metaphysical sense does not mean that they must correspond to real numbers in the mathematical sense.
To be more precise, the dynamical variable/observable is a (not necessarily bounded) Hermitian operator in a Hilbert Space and thus is represented by a Hermitian matrix if the space is finite-dimensional. In an infinite-dimensional Hilbert space, the observable is represented by a symmetric operator, which may not be defined everywhere (i.e. its domain is not the whole space - there exist some states that are not in the domain of the operator). The reason for such a change is that in an infinite-dimensional Hilbert space, the operator becomes unbounded, which means that it no longer has a largest eigenvalue. This is not the case in a finite-dimensional Hilbert space, where every operator is bounded - it has a largest eigenvalue. For example, if we consider the position of a point particle moving along a line, this particle's position variable can take on any number on the real-line, which is uncountably infinite. Since the eigenvalue of an observable represents a real physical quantity for that particular dynamical variable, then we must conclude that there is no largest eigenvalue for the position observable in this uncountably infinite-dimensional Hilbert space, since the field we're working over consists of the real-line. Nonetheless, whether we are working in an infinite-dimensional or finite-dimensional Hilbert space, the role of an observable in quantum mechanics is to assign real numbers to outcomes of particular measurements; this means that only certain measurements can determine the value of an observable for some state of a quantum system. In classical mechanics, any measurement can be made to determine the value of an observable.
Incompatibility of observables in quantum mechanics
A crucial difference between classical quantities and quantum mechanical observables is that the latter may not be simultaneously measurable. This is mathematically expressed by non-commutativity of the corresponding operators, to the effect that
This inequality expresses a dependence of measurement results on the order in which measurements of observables and 
are performed. Observables corresponding to non-commutative operators are called incompatible.
See also
Further reading
Template:Refbegin
- S. Auyang, How is Quantum Field Theory Possible, Oxford University Press, 1995.
- G. Mackey, Mathematical Foundations of Quantum Mechanics, W. A. Benjamin, 1963.
- V. Varadarajan, The Geometry of Quantum Mechanics vols 1 and 2, Springer-Verlag 1985.
- Leslie E. Ballentine, "Quantum Mechanics: A Modern Development", World Scientific, 1998
- R. Blume-Kohout, "Lecture 14:
and Hilbert space. Wavefunctions, unbounded operators, and rigged Hilbert space.", www.am473.ca, 10/26/08
Template:Refend
ca:Observable
cs:Pozorovatelná veličina
de:Observable
es:Observable
eo:Videbla (fiziko)
fr:Observable
it:Osservabile
hu:Megfigyelhető mennyiség
nl:Observabele
ja:オブザーバブル
pl:Obserwabla
pt:Observável
ru:Квантовая наблюдаемая
fi:Observaabeli
zh:可觀察量