
How to Enhance the Security of the 3GPP Confidentiality and Integrity Algorithms

  • Tetsu Iwata
  • Kaoru Kurosawa
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3557)

Abstract

We consider the 3GPP confidentiality and integrity schemes that were adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f9′, where f9′ is a generalized version of f9, it was shown that these proofs are incorrect; it is impossible to prove f8 and f9′ secure under the standard PRP assumption on the underlying block cipher. Following the results, it was shown that it is possible to prove f8′ and f9′ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f8′ is a generalized version of f8. Needless to say, the assumptions here are stronger than the standard PRP assumptions, and it is natural to seek a practical way to modify f8′ and f9′ to establish security proofs under the standard PRP assumption. In this paper, we propose f8+ and f9+, slightly modified versions of f8′ and f9′, but they allow proofs of security under the standard PRP assumption. Our results are practical in the sense that we insist on the minimal modifications; f8+ is obtained from f8′ by setting the key modifier to all-zero, and f9+ is obtained from f9′ by setting the key modifier to all-zero, and using the encryptions of two constants in the CBC MAC computation.

Keywords

Encryption Algorithm; Message Authentication Code; Universal Mobile Telecommunication System; Random String; Security Proof

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Tetsu Iwata (1)
  • Kaoru Kurosawa (1)
  1. Dept. of Computer and Information Sciences, Ibaraki University, Hitachi, Ibaraki, Japan
