On the Correctness of Security Proofs for the 3GPP Confidentiality and Integrity Algorithms

f8 and f9 are standardized by 3GPP to provide confidentiality and integrity, respectively. It was claimed that f8 and f9′ are secure if the underlying block cipher is a PseudoRandom Permutation (PRP), where f9′ is a slightly modified version of f9. In this paper, however, we disprove both claims by showing a counterexample. We first construct a PRP F with the following property: there is a constant Cst such that for any key K, \(F_K(\cdot) = F^{-1}_{K \oplus \mathtt{Cst}}(\cdot)\). We then show that f8 and f9′ are completely insecure if F is used as the underlying block cipher. Therefore, the PRP assumption does not necessarily imply the security of f8 and f9′, and it is impossible to prove their security under the PRP assumption. It should be stressed that these results do not imply that the original f8 and f9 (with KASUMI as the underlying block cipher) are insecure or broken. They simply undermine their provable security.
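The property above can be seen at work in a small experiment. This is an added example, not code from the paper. It assumes a toy 4-round Feistel cipher E as the base permutation, one possible way of deriving F from E (not necessarily the authors' construction), Cst set to the f8 key modifier KM = 0x55...55, and the f8 keystream structure from the 3GPP specification, A = F_{CK⊕KM}(IV) and KS_n = F_CK(A ⊕ BLKCNT ⊕ KS_{n-1}).

```python
import hashlib

BLOCK = 8                    # 64-bit blocks, as in KASUMI
KM = bytes([0x55]) * 16      # f8 key modifier; this example assumes Cst = KM

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function of the toy cipher (SHA-256 based, constructed stand-in).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def E(key, block, inverse=False):
    # Toy 4-round Feistel network standing in for an ordinary block cipher.
    l, r = block[:4], block[4:]
    if not inverse:
        for i in range(4):
            l, r = r, xor(l, _round(key, i, r))
    else:
        for i in reversed(range(4)):
            l, r = xor(r, _round(key, i, l)), l
    return l + r

def F(key, block):
    # Hypothetical construction with F_K = F^{-1}_{K xor KM}:
    # the low bit of key[0] (set in KM) selects E or E^{-1}, and both
    # K and K xor KM map to the same underlying key for E.
    flipped = key[0] & 1
    base = xor(key, KM) if flipped else key
    return E(base, block, inverse=bool(flipped))

def f8_keystream(cipher, ck, iv, nblocks):
    # f8 keystream generator with a pluggable 64-bit block cipher.
    a = cipher(xor(ck, KM), iv)          # A is computed under the modified key
    prev, out = bytes(BLOCK), []
    for blkcnt in range(nblocks):
        ctr = blkcnt.to_bytes(BLOCK, "big")
        prev = cipher(ck, xor(xor(a, ctr), prev))
        out.append(prev)
    return out

if __name__ == "__main__":
    ck = bytes(range(16))                    # constructed sample key
    iv = bytes.fromhex("0011223344556677")   # constructed public IV block
    print("F :", f8_keystream(F, ck, iv, 2)[0].hex(), "(equals the IV)")
    print("E :", f8_keystream(E, ck, iv, 2)[0].hex())
```

With F plugged in, the first keystream block is F_CK(F_{CK⊕KM}(IV)) = IV, a public value, so the first ciphertext block reveals its plaintext without the key; with the plain cipher E the two encryptions do not cancel.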
