# Reducing the time required by KASUMI to generate output by modifying the FL and FI functions

## Abstract

KASUMI is an eight-round Fiestel network that produces 64-bit output data from 64-bit input data using a 128-bit key. Three functions, *FL*, *FO*, *FI *, are involved in each round and each function has its respective keys *KL*, *KO*, *KI*. This work proposed the modifications in existing KASUMI block cipher, which can reduce time delay for generating 64-bit encrypted data. Also, we proposed a modification in *FL* functions: *FL(a)* and *FL(b)* of the existing KASUMI block cipher. Rijndael’s 32-bit *S*-box is introduced in *FL (a)* function of standard *FL* function so that it can only work with 16-bit data. The second modification is introduced in the *FL(b)* function by adding a third stage where *XOR* and *shift* operations are involved before the final concatenation of two 16-bit data inside the standard *FL* function. In addition, the *FI* function uses *S7* and *S9* tables only one time instead of two times in the existing KASUMI block cipher, which leads to reduce the overall time delay. The performance improvement of the proposed algorithm over the conventional algorithm is verified by simulation results.

## Keywords

KASUMI*FL*function

*FI*function

*S*\(_{R}\)- box NIST statistical suite

## 1 Introduction

The rapid growth of mobile communications has increased the requirement of having secure network/communication between the users. Multiple ways of attacking or hacking a network are used by an attacker. As the wireless mode of communications provides feasibility and ease to the users, the security of information being exchanged within two users or group of users is always a threat. Many algorithms which are used for different encryption purposes have been proposed, of which some have proved resistant toward attacks while some are attacked and, hence, proved weaker by attackers [1, 2]. For having a secure network, encryption services and algorithms involved need to be robust to provide end-to-end secure transmission of data among various users. It poses a challenge for designers to design highly secure and attack-resistant algorithm for encryption of data. We have one such algorithm used for mobile communication, KASUMI, for providing encryption services in mobile networks like 3G network. Confidentiality algorithms *f8*, encryption algorithm, and *f9*, integrity algorithm, are based on the KASUMI algorithm. KASUMI is evolved from MISTY1 algorithm to provide users a safe and secure way for exchange of data. KASUMI was slightly modified from MISTY1 to make its hardware implementation easier to meets security requirements for 3G mobile communications.

In [3, 4, 5, 6], various attacks such as boomerang attack, single-key attack, related key attack and various others related to KASUMI were discussed, which indicates that KASUMI is a weak algorithm. Though these attacks were powerful and posed a threat, they were not considered a serious threat due to impractical assumptions made as given by 3GPP in [2] and, thus, inapplicable to real-life attack on full KASUMI. But since there are chances of these or other similar attacks being carried out practically, new algorithms are designed and worked upon to provide high confidentiality and security of data.

In this paper, we have discussed a way to reduce the time taken by KASUMI using two different FL functions that are *FL1(a)* and *FL(b)*. *FL1(a)* uses *S*- box, which carries operation on one of the 16-bit data in a standard FL function. *FL(b)* function has a third round where cyclic rotation of the bits is performed on one of the 16-bit data of the *FL* function, which is then *XOR* with another 16-bit data in the *FL* function. The second important change that we have made is a reduction in the number of rounds of the *FI* function from four to two. We have eliminated the last two rounds in the *FI* function, i.e., we have taken the use of *S9* and *S7* lookup tables only once. We have kept only the first two rounds. The time consumed by the two removed rounds of *FI* function is now utilized by the *S*\(_{R}\)- box in *FL1(a)* and one added third round in the *FL(b)* function. After making out these changes, the overall time taken by KASUMI to produce the output is few seconds less than that of the conventional one.

This paper is organized in the following way. Section 2 gives briefly an overview of KASUMI. Different functions and keys used in each round for their respective functions are described. Section 3 discusses our proposed work in KASUMI. It discusses about changes and modifications proposed in the *FL* and *FI* function. After implementing these changes, the overall time taken to generate the final output is less than a conventional KASUMI algorithm. Section 4 provides the results of our proposed work where we have provided tables and graphs for making a comparison among modified and conventional KASUMI. At the end, we have Sect. 6 which provides a conclusion of the proposed work.

## 2 Literature survey

Many works related to KASUMI are presented and mostly deal with performance analysis of KASUMI. Various attacks are published related to the security of KASUMI and prove that attack on all eight rounds of algorithm can be done. Few papers have discussed about increasing the number of rounds in KASUMI from the present eight to more rounds to improve its security, while some have proved that KASUMI is rather weaker than the MISTY algorithm [3, 4]. People came with KASUMI’s alternative like XXTEA, SMS4 and others to make data more secure than using KASUMI. As discussed in [7], the first serious attack on KASUMI was the “related key” attack done on the fifth and sixth round and succeeded in obtaining the key (Blunden & Escott, 2002). After that, a new attack based on KASUMI was differential cryptanalysis which used efficiently chosen plain texts for five rounds of KASUMI. Another study done by a group of researchers came up with “related-key rectangle” attack on full round KASUMI, but this type of attack was successful theoretically only.

In 2010, the entire 128-bit key used in all rounds of KASUMI was taken out by using only 4 related key with a new attack called ‘sandwich attack’ by Dunkelman, Keller and Shamir. Some of the modifications were also proposed to optimize the functioning of KASUMI [8]. In 2014, Wang et al. DFA attacked KASUMI-64, which is the base of the A5/3 cryptosystem. Through this attack it was shown that only one 16-bit word fault was enough to perform a successful key recovery attack. Emphasis was made on the last two rounds of KASUMI and was proposed that these two rounds should be specially designed to protect against fault injection [9]. Many algorithms have been proposed and are used for different encryption purposes [10, 11, 12, 13]. Some have proved resistant toward attacks, while some have high security issue with them and, hence, prove to be weaker by attackers.

## 3 Overview of KASUMI

*FI*,

*FO*and

*FL*, performed by them are completely different from each other and they use key values for doing their operations. The key values are

*KI*for

*FI*function,

*KO*for

*FO*function and,

*KL*for

*FL*function for all eight rounds. Figure 1. provides the Fiestel structure of the eight- round KASUMI algorithm. For odd numbered rounds, the function

*FL*comes before

*FO*,

*FI*functions, while in even numbered rounds,

*FO*,

*FI*comes before the

*FL*function. A brief description of the three functions of the algorithm is given below along with the key-value operations done with them. The FO, FI and FL functions are shown in Figs. 2, 3 and 4, respectively.

### 3.1 FL function

*KL*to produce a 32-bit output. In each round, the key and

*KL*is divided into two 16-bit values as shown below:

*R’*and

*L’*are each 16-bit value obtained after performing operations on

*L*and

*R*. Values obtained are then concatenated to make a 32-bit output which is passed further for operations on it.

### 3.2 FO function

*KO*, and another 48-bit sub-key

*KI*is used in

*FI*function. The

*FO*function is shown in Fig. 2. The 48-bit sub-keys are subdivided into three 16-bit sub-keys, where:

*j*(number of rounds within

*FO*) with

*1*\(\le \) j \(\le \) 3,

*R*\(_{j}\) and

*L*\(_{j }\)are given as:

*L*\(_{3}{\vert }{\vert }\)

*R*\(_{3}\)) after completion of the

*FO*function. The

*FL*function is used three times in the

*FO*function. In the

*FLi1*function, ‘

*i*’ indicates the \(\;n\mathrm{th}\) round value and ‘1’ indicates one of the three rounds of FL inside the FO function.

### 3.3 FI function

This function involves four rounds of operation. The *FI* function takes 16 bits of input data and gives an output of 16 bits. The data is split into 9 bits, say *L*\(_{0}\), which goes to the left side of the *FI* function, and a 7-bit value, say *R*\(_{0}\), which goes to the right side of the *FI* function. *S9* box is used when the 9-bit data is operated and *S7* box is used when the 7-bit data is operated. The *FI* box is shown in Fig. 3.

## 4 32 X 32-bit S-Box

The *S*-box maps the 32-bit input to produce the 32-bit output. Let \({\textit{w = w}}_{0}{\vert }{\vert }{\textit{w}}_{1}{\vert }{\vert }{\textit{w}}_{2} {\vert }{\vert }{\textit{w}}_{3},\) where *w* is the 32-bit input data and \(\hbox {w}_{0}\) is the most significant byte and \({\textit{w}}_{3}\) is the least significant byte. Then we have \({\textit{S}}_{1}{\textit{(w) =r}}_{0}{\vert }{\vert }{\textit{r}}_{1}{\vert } {\vert }{\textit{r}}_{2}{\vert }{\vert }{\textit{r}}_{3},\) where *r*\(_{0}\) is the most and *r*\(_{3}\) is the least significant byte. The values corresponding to *r*\(_{0}\), *r*\(_{1}\), *r*\(_{2}\), *r*\(_{3}\) are obtained using equations as described in [20]. These 8-bit *r* values involve the use of *S*\(_{R}\)-box which is briefly described in the next part. In this paper, we have considered using Rijndael’s *S*-box for computing values of the input bits in *FL* function. We have taken the use of the 16-bit S-box by converting the 32-bit *S*-box. Instead of using all 8-bit r values (*r*\(_{0}\) *, r*\(_{1}\) *, r*\(_{2}\) *, r*\(_{3}\)), we used only two *r* values to get the 16-bit data with small modification in them. This is given in Sect. 6 of this paper.

### 4.1 Rijndael S \(_{R}\) -box

*S*-box table can be computed.

## 5 Proposed work on KASUMI

In this paper, we have made modifications in the *FL* function by making two separate *FL* functions. The second change which we made is in the *FI* function, where we removed the last two rounds of operations and, so, used *S9* and *S7 *tables only once.

In this paper, we have suggested modifications in the *FL* function. Two *FL* functions are used after modifying the original *FL* function, which are *FL1(a)* and *FL(b)* functions.

*FL1(a)*function uses a 16-bit

*S*\(_{R}\)- box. Its diagram is shown in Fig. 5. Functioning of

*FL1(a)*is the same as that of the original

*FL*function except for the inclusion of the

*S*\(_{R}\)- box. This

*S*- box performs operation on the 16-bit data entering

*FL*function from the right side. This

*FL1(a)*function is used four times in eight rounds of KASUMI (i.e., 1st, 3rd, 5th and 7th round).

*FL*function by adding a third round to it, naming it

*FL(b)*. Its diagram is shown in Fig. 6. We have done a cyclic shift of the bits present on the right side of the

*FL*function and then

*XOR*it with the 16-bit data from the left side, which is shown in Fig. 6. This

*FL(b)*function is used four times in the 2nd, 4th, 6th, and 8th round of KASUMI.

*FL1(a)*and

*FL(b)*functions in the eight-round structure of KASUMI. The

*FL1(a)*function and

*FL(b)*function have

*KL*keys in them, which are used in a different pattern. For the

*FL1(a)*function, both the

*KL*keys (

*KL*\(_{i,1 }\)and

*KL*\(_{i,2})\) used over here are of \(n\mathrm{th}\) round value, i.e.,

*FL(b)*function

*KL*the keys use \((n+1)\mathrm{{th}}\) round key value, i.e.,

*FL*functions do not use the same key value.

*S*\(_{R}\)- box used in the

*FL1(a)*function use the following operations:

*srw2*’ and ‘

*srw3*’ are 8-bit values and are computed as shown in [20] and ‘

*r0*’, and ‘

*r1*’ are each 8-bit values, which take input data, perform certain operations on input data and produce output data. The output values produced from these two equations are then concatenated. After concatenating the above two 8-bit values ‘

*r0*’ and ‘

*r1*’, we will get a 16-bit value as an output from the

*S*\(_{R}\)- box. In traditional KASUMI, we have

*KLi,1 [(index)]*as a key present in the first stage of the

*FL*function, which is present in each of the eight rounds of KASUMI. In our case, we have just done masking operation, in case the index value becomes greater than 7. The

*KLi,1 [(index) & 0x7]*is the same as the

*KLi,1 [(index)].*

As given in [1, 2], the FL function is not seen from the point of security and *FO* & *FI* provide security features to KASUMI. The *FL* is a linear function, and the security of the algorithm does not depend on this function. The main purpose is to be a low cost additional scrambling, making individual bits harder to track through the rounds. So, we proposed a change in the *FL* function using 16-bit *S*\(_{R}\)- box to make *FL* one of the security components in the algorithm. Using this *S*\(_{R}\)- box, we can introduce some non-linearity in the *FL* function, which can, hence, make it difficult to track the output bits from the FL function. The *S*\(_{R}\)- box is used in many algorithms like in AES, SNOW-3G is one of the main components of security.

*S9* and *S7* are lookup tables only which have no operations involved, like the one present in Rijndael’s *S*- box that computes output bits. But as given in [2], *S9 *and *S7* also provide some non-linearity to the data, and we have not discarded them completely or made any change in their operation/function. Instead of using both *S9 *and *S7* tables two times in four rounds of the standard *FI* function, we have used both of them once in two rounds of the *FI* function. The *FI* function is now reduced to two rounds rather than four rounds, and the time consumed, when we used *S9 *and *S7* twice in *FI *function, is now used over in two new different *FL* functions. In fact, the time is consumed lesser by few seconds in the new design proposed. The *FI* function is shown in Figs. 7, 8.

## 6 Simulation results

Proposed modified KASUMI algorithm (using FL1(a) and FL(b) function)

No. of iterations | Encryption time taken | Encryption speed (Mbps) |
---|---|---|

9 \(\times \) 10\(^{6}\) | 4 s | 2.25 |

1 \(\times \) 10\(^{7}\) | 4 s | 2.5 |

2 \(\times \) 10\(^{7}\) | 9 s | 2.22 |

3 \(\times \) 10\(^{7}\) | 14 s | 2.1428 |

4 \(\times \) 10\(^{7}\) | 19 s | 2.1052 |

5 \(\times \) 10\(^{7}\) | 23 s | 2.1739 |

6 \(\times \) 10\(^{7}\) | 28 s | 2.1428 |

7 \(\times \) 10\(^{7}\) | 33 s | 2.1212 |

8 \(\times \) 10\(^{7}\) | 38 s | 2.1052 |

9 \(\times \) 10\(^{7}\) | 42 s | 2.1428 |

1 \(\times \) 10\(^{8}\) | 47 s | 2.1276 |

The original KASUMI algorithm

No. of iterations | Encryption time taken | Encryption speed (Mbps) |
---|---|---|

9 \(\times \) 10\(^{6}\) | 4 s | 2.25 |

1 \(\times \) 10\(^{7}\) | 5 s | 2.00 |

2 \(\times \) 10\(^{7}\) | 10 s | 2.00 |

3 \(\times \) 10\(^{7}\) | 15 s | 2.00 |

4 \(\times \) 10\(^{7}\) | 20 s | 2.00 |

5 \(\times \) 10\(^{7}\) | 25 s | 2.00 |

6 \(\times \) 10\(^{7}\) | 30 s | 2.00 |

7 \(\times \) 10\(^{7}\) | 35 s | 2.00 |

8 \(\times \) 10\(^{7}\) | 40 s | 2.00 |

9 \(\times \) 10\(^{7}\) | 45 s | 2.00 |

1 \(\times \) 10\(^{8}\) | 50 s | 2.00 |

Figures. 9 and 10 illustrate the comparison between modified KASUMI and conventional KASUMI in terms of time (in seconds) and encryption speed (in Mbps). We can observe from the results that the modified algorithm consumes less time and has better encryption speed than conventional KASUMI.

## 7 Conclusion and future works

In this paper, we have proposed modifications in the *FL* function by, firstly, adding a third round to it and, secondly, adding Rijndael’s *S*- box. By the use of *S*\(_{R}\)- box, we have made the *FL* function produce non-linear bits in output, which can make it difficult to track down bits in the output. We have reduced the use of *S7* and *S9* box lookup tables in the *FI* function using both of them once each, i.e., in the first round of the *FI* function, only the *S9* box will be used and the second round will have only the *S7* box. After making these changes in the *FI* and *FL* functions, we have reduced the total time consumption of the algorithm to produce the output by a few seconds. In future, it is possible to make the *FL* function more secure by adding security elements, as it has no role in providing security, according to the conventional KASUMI algorithm. It is also possible to modify *S7* and *S9* boxes in the *FI* function to make them more robust toward attacks. This work considers only using *S7* and *S9* boxes in the *FI* function in the first two rounds while eliminating the third and fourth round operations.

## References

- 1.Iwata, T., Kohno, T.: New security proofs for the 3GPP confidentiality and integrity algorithms. In: Roy, B., Meier, W. (eds.) Fast Software Encryption. FSE 2004. Lecture Notes in Computer Science, vol. 3017. Springer, Berlin (2004)Google Scholar
- 2.3GPP TS 35.201 v 3.1.1.: Specification of the 3GPP confidentiality and integrity algorithms, Document 1: f8 and f9 specification. Available at https://portal.etsi.org/new3g/tb/other/algorithms/35201-311.pdf
- 3.Biham, E., Dunkelman, O., Keller, N.: A related–key rectangle attack on the full KASUMI. In: Roy, B. (eds.) Advances inCryptology–ASIACRYPT 2005. ASIACRYPT 2005. Lecture Notes in Computer Science, vol. 3788. Springer, Berlin (2005)Google Scholar
- 4.Dunkelman, O., Keller, N., Shamir, A.: A practical-time attack on the A5/3 cryptosystem used in third generation GSM telephony. In: Cryptology ePrint Archive, Report 2010/013 (2010)Google Scholar
- 5.Saito, T.: A single-key attack on 6-round KASUMI. pp. 1–13Google Scholar
- 6.Zongyue, W., Xiaoyang, D., Keting, J., Jingyuan, Z.: Differential fault attack on KASUMI cipher used in GSM telephony. Math. Probl. Eng.
**2014**, 7 (2014) (Article ID 251853)Google Scholar - 7.Akgün, F., Buluş, E.: Comparison of encryption algorithms strength used in 3G mobile communication. Trakya Univ. J. Eng. Sci.
**17**(1), 1–11 (2016)Google Scholar - 8.Fang, R., Ying-jian, Y., Xiao-bing, F.: A small and efficient hardware implementation of the KASUMI. In: Proceedings of WASE International Conference on Information Engineering, Taiyuan, Chanxi, 2009, pp. 377–380. IEEE (2009). https://doi.org/10.1109/ICIE.2009.187
- 9.Wang, Z., Dong, X., Jia, K., Zhao, J.: Differential fault attack on KASUMI cipher used in GSM telephony. Math Probl Eng.
**2014**, 7 (2014). Art ID 251853. https://doi.org/10.1155/2014/251853 - 10.Chetioui, K., Orhanou, G., El Hajji, S.: New protocol E-DNSSEC to enhance DNSSEC security. Int. J. Netw. Secur.
**20**(1), 19–24 (2018)Google Scholar - 11.Zhu, H., Zhang, Y., Sun, Y.: Provably secure multi-server privacy-protection system based on Chebyshev Chaotic maps without using symmetric cryptography. Int. J. Netw. Secur.
**18**(5), 803–815 (2016)Google Scholar - 12.Chen, C.-S., Xi, Y., Xiang, Y.-X., Li, X., Li, T.: An improved DPA attack on DES with forth and back random round algorithm. Int. J. Netw. Secur.
**19**(2), 285–294 (2017)Google Scholar - 13.Raja, M., Jain, S.: Modifying LFSR of ZUC to reduce time for key-stream generation. J. Cyber Secur. Mobil.
**5–4**, 257–268 (2017)Google Scholar - 14.3GPP TS 35.202 v 3.1.1.: Specification of the 3GPP confidentiality and integrity algorithms, Document 2: KASUMI specification. Available at https://portal.etsi.org/new3g/tb/other/algorithms/35202-311.pdf
- 15.Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J., Vo, S.: A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications. NIST special publication 800-22, Revision 1a. National Institute of Standards and Technology (NIST), Gaithersburg, MD, USA (2001). https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf
- 16.Yi, W., Chen, S.: Multidimensional zero-correlation linear cryptanalysis of the block cipher KASUMI. IET Inf. Secur.
**10**(4), 215–221 (2016). https://doi.org/10.1049/iet-ifs.2014.0543 - 17.Yingsong, W., Wei, C.: f8 keystream generator with SMS4 as core algorithm. In: Proceedings of Fifth International Conference on Information Assurance and Security Xi’an, 2009, pp. 23–26. IEEE (2009). https://doi.org/10.1109/IAS.2009.290
- 18.Shi, H., Deng, Y., Guan, Y., Jia, P., Ma, F.: Analysis of the avalanche property of the KASUMI algorithm. In: Proceedings of International Conference on Automatic Control and Artificial Intelligence (ACAI 2012), Xiamen, pp. 500–503. IEEE (2012). https://doi.org/10.1049/cp.2012.1025
- 19.Sima, I., Tarmurean, D., Greu, V., Diaconu, A.: XXTEA, an alternative replacement of KASUMI cipher algorithm in A5/3 GSM and f8, f9 UMTS data security functions In: Proceedings of 9th International Conference on Communications (COMM), Bucharest, pp. 323–326. IEEE (2012). https://doi.org/10.1109/ICComm.2012.6262617
- 20.ETSI/SAGE: The SNOW 3G algorithm is the core of the standardised 3GPP Confidentiality and Integrity algorithms UEA2 & UIA2. In: Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. Document 2: SNOW 3G Specification, Version 1.1 (2006)Google Scholar