
Journal of Cryptology, Volume 27, Issue 4, pp. 824–849

A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony

  • Orr Dunkelman
  • Nathan Keller
  • Adi Shamir

Abstract

Over the last 20 years, the privacy of most GSM phone conversations was protected by the A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They are being replaced now by the new A5/3 and A5/4 algorithms, which are based on the block cipher KASUMI. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple related-key distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^{-14}. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128-bit key of the full KASUMI with a related-key attack which uses only 4 related keys, 2^{26} data, 2^{30} bytes of memory, and 2^{32} time. These completely practical complexities were experimentally verified by performing the attack in less than two hours on a single core of a PC. Interestingly, neither our technique nor any other published attack can break the original MISTY block cipher (on which KASUMI is based) significantly faster than exhaustive search. Our results thus indicate that the modifications made by ETSI’s SAGE group in moving from MISTY to KASUMI made it extremely weak when related-key attacks are allowed, but do not imply anything about its resistance to single-key attacks. Consequently, there is no indication that the way KASUMI is implemented in GSM and 3G networks is practically vulnerable in any realistic attack model.

Keywords

KASUMI; Sandwich attack; GSM/3G security; Related-key; Boomerang attack

Acknowledgements

We would like to thank Steve Babbage and Kaisa Nyberg for their help concerning the status of KASUMI in the GSM/UMTS arena. We would also like to thank Daniel Loebenberger, as well as the referees of both the CRYPTO 2010 version of this paper and of this full version, for their useful comments.

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. Computer Science Department, University of Haifa, Haifa, Israel
  2. Faculty of Mathematics and Computer Science, Weizmann Institute of Science, Rehovot, Israel
  3. Department of Mathematics, Bar Ilan University, Ramat Gan, Israel
