Cryptology ePrint Archive: Report 2004/019

New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms

Tetsu Iwata and Tadayoshi Kohno

Abstract: This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as $f8$ and $f9$, are based on the block cipher KASUMI. Although previous works claim security proofs for $f8$ and $f9'$, where $f9'$ is a generalized versions of $f9$, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is \emph{impossible} to prove $f8$ and $f9'$ secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove $f8'$ and $f9'$ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here $f8'$ is a generalized version of $f8$. Our results clarify the assumptions necessary in order for $f8$ and $f9$ to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure.

Category / Keywords: secret-key cryptography / Modes of operation, PRP-RKA, $f8$, $f9$, KASUMI, security proofs.

Publication Info: An extended abstract of this paper appears in Fast Software Encryption, FSE 2004. This is the full version.

Date: received 27 Jan 2004

Contact author: iwata at cis ibaraki ac jp

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20040201:185356 (All versions of this report)

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]