International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms

Tetsu Iwata
Tadayoshi Kohno
Search ePrint
Search Google
Abstract: This paper analyses the 3GPP confidentiality and integrity schemes adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as $f8$ and $f9$, are based on the block cipher KASUMI. Although previous works claim security proofs for $f8$ and $f9'$, where $f9'$ is a generalized versions of $f9$, it was recently shown that these proofs are incorrect. Moreover, Iwata and Kurosawa (2003) showed that it is \emph{impossible} to prove $f8$ and $f9'$ secure under the standard PRP assumption on the underlying block cipher. We address this issue here, showing that it is possible to prove $f8'$ and $f9'$ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here $f8'$ is a generalized version of $f8$. Our results clarify the assumptions necessary in order for $f8$ and $f9$ to be secure and, since no related-key attacks are known against the full eight rounds of KASUMI, lead us to believe that the confidentiality and integrity mechanisms used in real 3GPP applications are secure.
  title={New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms},
  booktitle={IACR Eprint archive},
  keywords={secret-key cryptography / Modes of operation, PRP-RKA, $f8$, $f9$, KASUMI, security proofs.},
  note={An extended abstract of this paper appears in Fast Software Encryption, FSE 2004. This is the full version. 12444 received 27 Jan 2004},
  author={Tetsu Iwata and Tadayoshi Kohno},