A Concrete Security Analysis for 3GPP-MAC

  • Dowon Hong
  • Ju-Sung Kang
  • Bart Preneel
  • Heuisu Ryu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2887)


The standardized integrity algorithm f9 of the 3GPP algorithm computes a MAC (Message Authentication Code) to establish the integrity and the data origin of the signalling data over a radio access link of W-CDMA IMT-2000. The function f9 is based on the block cipher KASUMI and it can be considered as a variant of CBC-MAC. In this paper we examine the provable security of f9. We prove that f9 is a secure pseudorandom function by giving a concrete bound on an adversary’s inability to forge a MAC value in terms of her inability to distinguish the underlying block cipher from a random permutation.


Message authentication code 3GPP-MAC Provable security Pseudo-randomness 


  1. 1.
    Bellare, M., Kilian, J., Rogaway, P.: The security of cipher block chaining. In: CRYPTO 1994. LNCS, vol. 839, pp. 341–358. Springer, Heidelberg (1994), Google Scholar
  2. 2.
    Berendschot, A., et al.: Integrity Primitives for Secure Information Systems. Final Report of RACE Integrity Primitives Evaluation (RIPE-RACE 1040). LNCS, vol. 1007. Springer, Heidelberg (1995)Google Scholar
  3. 3.
    Black, J., Rogaway, P.: CBC-MACs for arbitrary-length messages: the three-key constructions. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 197–215. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Black, J., Rogaway, P.: A Block-Cipher Mode of Operation for Parallelizable it Message Authentication. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 384–397. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  5. 5.
    Carter, L., Wegman, M.: Universal hash functions. J. of Computer and System Sciences 18, 143–154 (1979)zbMATHCrossRefMathSciNetGoogle Scholar
  6. 6.
    Gligor, V., Donescu, P.: Fast encryption and authentication: XCBC encryption and XECB authentication modes, Contribution to NIST, April 20 (2001), Available at
  7. 7.
    Jaulmes, É., Joux, A., Valette, F.: On the security of Randomized CBC-MAC Beyond the Birthday Paradox Limit: A New Construction. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 237–251. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  8. 8.
    Kurosawa, K., Iwata, T.: TMAC: Two-Key CBC-MAC, Contribution to NIST, June 21 (2002), Available at
  9. 9.
    Kang, J., Shin, S., Hong, D., Yi, O.: Provable security of KASUMI and 3GPP encryption mode f8. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 255–271. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Kang, J., Yi, O., Hong, D., Cho, H.: Pseudorandomness of MISTY-type transformations and the block cipher KASUMI. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 60–73. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Knudsen, L.R., Mitchell, C.J.: Analysis of 3gpp-MAC and two-key 3gpp-MAC. Discrete Applied Mathematics (to appear)Google Scholar
  12. 12.
    Knudsen, L.: Analysis of RMAC, Contribution to NIST, November 10 (2002), Available at
  13. 13.
    Kohno, T.: Related-Key and Key-Collision Attacks Against RMAC, Contribution to NIST (2002), Available at
  14. 14.
    Lloyd, J.: An Analysis of RMAC, Contribution to NIST, November 18 (2002), Available at
  15. 15.
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations and pseudorandom functions, SIAM J. SIAM J. Comput. 17, 189–203 (1988)CrossRefMathSciNetGoogle Scholar
  16. 16.
    Petrank, E., Rackoff, C.: CBC-MAC for Real-Time Data Source. J. of Cryptology 13, 315–338 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Preneel, B., van Oorschot, P.C.: MDx-MAC and building fast MACs from hash functions. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 1–14. Springer, Heidelberg (1995)Google Scholar
  18. 18.
    Rogaway, P.: PMAC: A parallelizable message authentication code, Contribution to NIST, April 17 (2001), Available at
  19. 19.
    Rogaway, P.: Comments on NIST’s RMAC Proposal, Contribution to NIST, December 2 (2002), Available at
  20. 20.
    Wegman, M., Carter, L.: New hash functions and their use in authentication and set equality. J. of Computer and System Sciences 22, 265–279 (1981)zbMATHCrossRefMathSciNetGoogle Scholar
  21. 21.
    3GPP TR 33.909, Report on the evaluation of 3GPP standard confidentiality and integrity algorithms, V1.0.0, 2002-12Google Scholar
  22. 22.
    3GPP TS 35.201 Specification of the 3GPP confidentiality and integrity algorithm; Document 1: f8 and f9 specificationsGoogle Scholar
  23. 23.
    ISO/IEC 9797-1:1999(E) Information technology - Security techniques - Message Authentication Codes(MACs) - Part 1Google Scholar
  24. 24.

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Dowon Hong
    • 1
  • Ju-Sung Kang
    • 1
  • Bart Preneel
    • 2
  • Heuisu Ryu
    • 1
  1. 1.ETRIInformation Security Technology DivisionTaejonKorea
  2. 2.ESAT/COSICKatholieke Universiteit LeuvenLeuven-HeverleeBelgium

Personalised recommendations