Paper 2004/019

New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms

Tetsu Iwata and Tadayoshi Kohno


This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as $f8$ and $f9$, are based on the block cipher KASUMI. Although previous works claim security proofs for $f8$ and $f9'$, where $f9'$ is a generalized versions of $f9$, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is \emph{impossible} to prove $f8$ and $f9'$ secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove $f8'$ and $f9'$ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here $f8'$ is a generalized version of $f8$. Our results clarify the assumptions necessary in order for $f8$ and $f9$ to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure.

Available format(s)
Secret-key cryptography
Publication info
Published elsewhere. An extended abstract of this paper appears in Fast Software Encryption, FSE 2004. This is the full version.
Modes of operationPRP-RKA$f8$$f9$KASUMIsecurity proofs.
Contact author(s)
iwata @ cis ibaraki ac jp
2004-02-01: received
Short URL
Creative Commons Attribution


      author = {Tetsu Iwata and Tadayoshi Kohno},
      title = {New Security Proofs for the {3GPP} Confidentiality and Integrity Algorithms},
      howpublished = {Cryptology ePrint Archive, Paper 2004/019},
      year = {2004},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.