Abstract
f8 and f9 are standardized by 3GPP to provide confidentiality and integrity, respectively. It was claimed that f8 and f9′ are secure if the underlying block cipher is a PseudoRandom Permutation (PRP), where f9′ is a slightly modified version of f9. In this paper, however, we disprove both claims by showing a counterexample. We first construct a PRP F with the following property: there is a constant Cst such that for any key K, \(F_K(\cdot) = F^{-1}_{K \oplus \mathtt{Cst}}(\cdot)\). We then show that f8 and f9′ are completely insecure if F is used as the underlying block cipher. Therefore, the PRP assumption does not necessarily imply the security of f8 and f9′, and it is impossible to prove their security under the PRP assumption. It should be stressed that these results do not imply that the original f8 and f9 (with KASUMI as the underlying block cipher) are insecure or broken. They simply undermine their provable security.
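The following added example (not code from the paper) shows why a cipher with the property \(F_K(\cdot) = F^{-1}_{K \oplus \mathtt{Cst}}(\cdot)\) defeats the f8 structure: the first keystream block collapses to the public IV. It assumes the f8 layout from 3GPP TS 35.201 (A is computed under K ⊕ KM, keystream blocks under K) with Cst chosen equal to KM = 0x55…55. The cipher `E` and the wrapper `F` are toy constructions made up here to exhibit the algebraic property only; the paper's actual F is not given on this page.

```python
import hashlib

BLOCK = 8                      # 64-bit block, matching KASUMI's block size
CST = bytes([0x55] * 16)       # assumption: Cst set to f8's key modifier KM

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _rf(key, i, half):
    # Toy Feistel round function (constructed for this example)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def E(key, block, inverse=False):
    # Toy 4-round Feistel permutation standing in for a generic block cipher
    l, r = block[:4], block[4:]
    if not inverse:
        for i in range(4):
            l, r = r, xor(l, _rf(key, i, r))
    else:
        for i in reversed(range(4)):
            l, r = xor(r, _rf(key, i, l)), l
    return l + r

def F(key, block, inverse=False):
    # One key bit (set in CST) selects E or E^-1; K and K xor CST share a base
    # key, so F_K(.) = F^-1_{K xor CST}(.) holds for every K.
    flip = key[0] & 1
    base = xor(key, CST) if flip else key
    return E(base, block, inverse=bool(flip) != inverse)

def f8_keystream(key, iv, nblocks):
    # f8 structure: A = F_{K xor KM}(IV); KS_n = F_K(A xor BLKCNT xor KS_{n-1})
    a = F(xor(key, CST), iv)
    ks, prev = [], bytes(BLOCK)
    for n in range(nblocks):
        prev = F(key, xor(xor(a, n.to_bytes(BLOCK, "big")), prev))
        ks.append(prev)
    return ks

def first_block_leaks_iv(key, iv):
    # With the related-key property, A = F_K^-1(IV), so KS_1 = F_K(A) = IV
    return f8_keystream(key, iv, 2)[0] == iv

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed sample key").digest()[:16]
    iv = bytes.fromhex("0000002a0c000000")   # constructed COUNT||BEARER||DIR||0..0
    print(first_block_leaks_iv(key, iv))
```

Swapping `F` for `E` in `f8_keystream` removes the collapse, which is the point of the counterexample: the weakness comes from the related-key structure, not from any failure of `F` to look random under a single key.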
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Iwata, T., Kurosawa, K. (2003). On the Correctness of Security Proofs for the 3GPP Confidentiality and Integrity Algorithms. In: Paterson, K.G. (eds) Cryptography and Coding. Cryptography and Coding 2003. Lecture Notes in Computer Science, vol 2898. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-40974-8_25
DOI: https://doi.org/10.1007/978-3-540-40974-8_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-20663-7
Online ISBN: 978-3-540-40974-8
eBook Packages: Springer Book Archive