Editing Cellular Message Encryption Algorithm

{{Short description|Block cipher}}
{{Infobox block cipher
| name          = CMEA
| image         =
| caption       =
| designers     = [[James A. Reeds III]]
| publish date  = 1991
| derived from  =
| derived to    =
| key size      = 64 bits
| block size    = 16–64 bits
| structure     =
| rounds        = 3
| cryptanalysis = 338 chosen plaintexts break all block sizes, 40-80 known plaintexts break 24-bit blocks, and 4 known plaintexts break 16-bit blocks
}}
In [[cryptography]], the '''Cellular Message Encryption Algorithm''' ('''CMEA''') is a [[block cipher]] which was used for securing [[mobile phone]]s in the [[United States]]. CMEA is one of four [[Cryptography|cryptographic]] primitives specified in a [[Telecommunications Industry Association]] (TIA) standard, and is designed to [[encrypt]] the control channel, rather than the voice data. In 1997, a group of cryptographers published attacks on the [[cipher]] showing it had several weaknesses which give it a trivial effective strength of a 24-bit to 32-bit cipher.<ref name="crypto97_cmea">{{cite conference
    | author = [[David A. Wagner|David Wagner]], [[Bruce Schneier]], [[John Kelsey (cryptanalyst)|John Kelsey]]
    | title = Cryptanalysis of the Cellular Message Encryption Algorithm
    | conference = Advances in Cryptology – [[CRYPTO]] '97, 17th Annual International Cryptology Conference
    | pages = 526&ndash;537
    | date = August 1997
    | location = [[Santa Barbara, California]]
    | url = http://www.schneier.com/paper-cmea.html
    | format = [[PDF]]/[[PostScript]]
    | access-date = 2007-02-07 }}
</ref>
Some accusations were made that the [[NSA]] had pressured the original designers into crippling CMEA, but the NSA has denied any role in the design or selection of the algorithm. The [[ECMEA]] and [[SCEMA]] ciphers are derived from CMEA.

CMEA is described in {{US patent|5159634}}. It is [[byte-oriented]], with variable [[block size (cryptography)|block size]], typically 2 to 6 bytes. The [[key size]] is only 64 bits. Both of these are unusually small for a modern cipher. The algorithm consists of only 3 passes over the data: a non-linear left-to-right diffusion operation, an unkeyed linear mixing, and another non-linear diffusion that is in fact the inverse of the first. The non-linear operations use a keyed [[lookup table]] called the ''T-box'', which uses an unkeyed lookup table called the ''CaveTable''. The algorithm is [[Involution (mathematics)|self-inverse]]; re-encrypting the ciphertext with the same key is equivalent to decrypting it.

CMEA is severely insecure. There is a [[chosen-plaintext attack]], effective for all block sizes, using 338 chosen plaintexts. For 3-byte blocks (typically used to encrypt each dialled digit), there is a [[known-plaintext attack]] using 40 to 80 known plaintexts. For 2-byte blocks, 4 known plaintexts suffice.

The "improved" CMEA, CMEA-I, is not much better: chosen-plaintext attack of it requires less than 850 plaintexts in its adaptive version.<ref name="url_eprint_2008_445">{{cite web |url=http://eprint.iacr.org/2008/445.pdf |format=PDF|title=Cryptanalysis of the Improved Cellular Message Encryption Algorithm |author1=Thomas Chardin |author2=Raphaël Marinier }}</ref>

==See also==
* [[A5/1]], the broken encryption algorithm used in the [[GSM]] cellular telephone standard
* [[ORYX]]
* [[Cellular Authentication and Voice Encryption|CAVE]]

==References==
{{reflist}}

==External links==
* [http://www.schneier.com/cmea.html The attack on CMEA]
* [https://web.archive.org/web/20040617095418/http://www.snapshield.com/www_problems/United_States/New_Digital.htm Press release and the NSA response]
* [http://www.cs.berkeley.edu/~daw/papers/cmea-crypto97-www/paper10.html Cryptanalysis of the Cellular Message Encryption Algorithm David Wagner Bruce Schneier 1997]

{{Cryptography navbox | block}}

[[Category:Broken block ciphers]]