## New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms (2003)

Venue: Fast Software Encryption, FSE 2004

Citations: 14 - 3 self

### BibTeX

@INPROCEEDINGS{Iwata03newsecurity,
  author = {Tetsu Iwata and Tadayoshi Kohno},
  title = {New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms},
  booktitle = {Fast Software Encryption, FSE 2004},
  year = {2003},
  pages = {306--318},
  publisher = {Springer-Verlag}
}

### Abstract

This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f9′, where f9′ is a generalized version of f9, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is impossible to prove f8 and f9′ secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove f8′ and f9′ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f8′ is a generalized version of f8. Our results clarify the assumptions necessary in order for f8 and f9 to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure.

### Citations

352 | A concrete security treatment of symmetric encryption: Analysis of DES modes of operation - Bellare, Desai, et al. |

Citation Context: ...cipher modes of operations are provably secure assuming that the underlying block cipher is a secure pseudorandom permutation, or a super-pseudorandom permutation [21]. For example, we have: CTR mode [3] and CBC encryption mode [3] for symmetric encryption schemes, PMAC [8] and OMAC [14] for message authentication codes, and IAPM [17], OCB mode [22], CCM mode [23, 16], EAX mode [6] and CWC mode [20] ...

281 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988 |

196 | The Design of Rijndael - Daemen, Rijmen - 2002 |

Citation Context: ...$\mathrm{XOR}_\Delta : \{0,1\}^k \to \{0,1\}^k$ denote the function which on input $K \in \{0,1\}^k$ returns $K \oplus \Delta$. We define $\Phi^{\oplus}_k$ as $\Phi^{\oplus}_k \stackrel{\mathrm{def}}{=} \{ \mathrm{XOR}_\Delta : \Delta \in \{0,1\}^k \}$. We briefly remark that modern block ciphers, e.g., AES [10], are designed to be secure PRP-RKAs under $\Phi^{\oplus}_k$-restricted related-key attacks. Additionally, the best-known $\Phi^{\oplus}_k$-restricted related-key attack against the block cipher KASUMI, which was designed f...

193 | The security of the cipher block chaining message authentication code - Bellare, Kilian, et al. - 2000 |

Citation Context: ... an implicit big-O surrounding all such time references. PRP-RKAs. The PRP-RKA notion was introduced in [5], and is based on the pseudorandomness notions introduced in [21] and later made concrete in [4]. The notion was designed to model block ciphers secure against related-key attacks [7]. Let Perm(k, n) denote the set of all block ciphers with domain $\{0,1\}^n$ and keys $\{0,1\}^k$. The notation $G \stackrel{R}{\leftarrow}$ ...

158 | New types of cryptanalytic attacks using related keys - Biham - 1994 |

Citation Context: ...e constructions are actually secure, then the minimum assumption on the block cipher must be that the block cipher is secure against some class of xor-restricted related-key attacks, as introduced in [7] and formalized in [5]. We prove that the above hypotheses are in fact correct and, in doing so, we clarify what assumptions are actually necessary in order for the f8 and f9 modes to be secure. In mo...

106 | Encryption modes with almost free message integrity - Jutla - 2001 |

58 | A block-cipher mode of operation for parallelizable message authentication - Black, Rogaway |

Citation Context: ...ying block cipher is a secure pseudorandom permutation, or a super-pseudorandom permutation [21]. For example, we have: CTR mode [3] and CBC encryption mode [3] for symmetric encryption schemes, PMAC [8] and OMAC [14] for message authentication codes, and IAPM [17], OCB mode [22], CCM mode [23, 16], EAX mode [6] and CWC mode [20] for authenticated encryption schemes. Therefore, it is natural to ask w...

53 | The EAX mode of operation - Bellare, Rogaway, et al. - 2004 |

Citation Context: ... we have: CTR mode [3] and CBC encryption mode [3] for symmetric encryption schemes, PMAC [8] and OMAC [14] for message authentication codes, and IAPM [17], OCB mode [22], CCM mode [23, 16], EAX mode [6] and CWC mode [20] for authenticated encryption schemes. Therefore, it is natural to ask whether f8 and f9 are provably secure if the underlying block cipher is a secure pseudorandom permutation. Maki...

48 | A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs, and applications - Bellare, Kohno - 2003 |

Citation Context: ...tually secure, then the minimum assumption on the block cipher must be that the block cipher is secure against some class of xor-restricted related-key attacks, as introduced in [7] and formalized in [5]. We prove that the above hypotheses are in fact correct and, in doing so, we clarify what assumptions are actually necessary in order for the f8 and f9 modes to be secure. In more detail, we first co...

31 | CWC: A high-performance conventional authenticated encryption mode - Kohno, Viega, et al. - 2004 |

22 | OMAC: One-key CBC - Iwata, Kurosawa |

Citation Context: ...pher is a secure pseudorandom permutation, or a super-pseudorandom permutation [21]. For example, we have: CTR mode [3] and CBC encryption mode [3] for symmetric encryption schemes, PMAC [8] and OMAC [14] for message authentication codes, and IAPM [17], OCB mode [22], CCM mode [23, 16], EAX mode [6] and CWC mode [20] for authenticated encryption schemes. Therefore, it is natural to ask whether f8 and ...

14 | Provable Security of KASUMI and 3GPP Encryption Mode f8 - Kang, Shin, et al. - 2001 |

11 | Related key attacks on reduced round KASUMI - Blunden, Escott - 2001 |

Citation Context: ...related by a fixed known xor difference. Since both f8′ and f9′ are generalized versions of f8 and f9, and, since the best known related-key attack against KASUMI breaks only six out of eight rounds [9], our results show that unless a novel new attack is discovered against KASUMI, the 3GPP confidentiality and integrity mechanisms are actually secure. We view this as an important practical corollary ...

10 | On the Security of CTR + CBC-MAC - Jonsson - 2002 |

3 | Analysis of 3gpp-MAC and two-key 3gpp-MAC - Knudsen, Mitchell - 2002 |

1 | A concrete security analysis for 3GPP-MAC - Hong, Kang, et al. - 2003 |

Citation Context (from the paper's table of contents): ... f8′; 3.3 3GPP Integrity Algorithm f9 [1]; 3.4 A Generalized Version of f9: f9′ [12, 19, 15]; 4 Security of f8′; 5 Security of f9′; References; A Proof of Lemma 4.1; A.1 Discussion of the Previous Work [18] ...