How do A3 and A8 work via COMP128, and how is the 64-bit Kc actually built?
COMP128 takes RAND and Ki as input and outputs a 128-bit result split into SRES (32 bits) and Kc (54 bits, plus 42 unused bits); the 54-bit Kc is then padded with ten zero bits to form the nominal 64-bit session key.
* COMP128 output split, and the padding that makes Kc only 54-bit entropy. *
The formal relationship:
(SRES, Kc) = COMP128(RAND, Ki)
The output bit-split:
| Field | Bits | Use |
|---|---|---|
| SRES | 32 | Signed response (sent to the network for authentication) |
| Kc | 54 | The actual session key material |
| unused | 42 | discarded |
The critical detail — the "64-bit" key isn't really 64 bits: COMP128 only produces 54 bits of key, which is then extended to 64 bits by appending ten zero bits. So the nominal 64-bit Kc has only 54 bits of entropy — a deliberately (or carelessly) weakened key. This is one of the most important GSM security findings: the effective key is far smaller than advertised.
A5 key stream: the symmetric A5 key is regenerated for every frame — A5 works with Kc and a 22-bit frame number, producing a 114-bit key stream per frame.
Memory anchor: "64 but really 54" captures the key issue: the ten zero bits are padding, not entropy.
Go deeper:
COMP128 (Wikipedia) — confirms COMP128-1/-2 produce a session key with only 54 bits of entropy, the exact source of the "64 but really 54" weakness.