Security Assessment of TUAK Algorithm Set

The 3rd Generation Partnership Project (3GPP) develops the specifications for the next-generation cellular system. The TUAK algorithm set, which contains authentication and key generation algorithms, is proposed as an alternative to MILENAGE for 3GPP. The design of the algorithms in TUAK is based on Keccak-f[1600], the permutation of Keccak, the winner of the SHA-3 competition. It contains eight different algorithms, namely TOP_C, f1, f1*, f2, f3, f4, f5 and f5*. The f1 algorithm (and f1*, which is used for re-synchronisation message authentication) ensures the authenticity of messages, f2 is used for generating responses, and f3 to f5 (and f5*) are used as key derivation functions. In this report, we provide a comprehensive security assessment of the TUAK algorithm set. In summary, our security assessment of TUAK consists of three phases. First, we analyze the security of the TUAK algorithms by performing the relevant cryptanalytic attacks on the authentication and key derivation functions, and we show the attack-resistance properties of the TUAK algorithm set by giving the complexity of each attack. Second, we present security proofs of the soundness of the TUAK algorithms when they are used as message authentication codes and key derivation algorithms. Finally, to further explore the security properties of TUAK, we develop a new cryptanalytic method, called the multi-output filtering model, and apply it to TUAK. We study the algorithm f1 in more detail since it is the MAC generating function and the most suitable for our attack scenario. To better measure the performance of the TUAK algorithms under this new attack, we also apply the technique to AES, KASUMI and PRESENT. Our study shows that f1 has very good randomness properties and performs similarly to AES under the same model.
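All eight TUAK algorithms are built on the Keccak-f[1600] permutation named above. The following is an added example, written from the public Keccak specification and not taken from the report or from the TUAK specification: it implements the full 24-round permutation and an avalanche check showing why a single-bit change in the loaded key or challenge spreads over roughly half of the 1600-bit state, which is the property the report's randomness tests on f1 depend on. TUAK's own way of loading TOP_C, the key and the inputs into the state is not shown here; `avalanche` is a helper name chosen for this example.

```python
# Keccak-f[1600], the 24-round permutation underlying TUAK's f1..f5* (added
# example written from the public Keccak spec, not TUAK's own code; how TUAK
# loads TOP_C, the key and the inputs into the state is not shown).
MASK = (1 << 64) - 1
RC = [  # iota round constants, one per round
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [0] * 25  # rho offsets, generated by the (x, y) -> (y, 2x+3y) walk
x, y = 1, 0
for t in range(24):
    ROT[x + 5 * y] = ((t + 1) * (t + 2) // 2) % 64
    x, y = y, (2 * x + 3 * y) % 5

def rol(v, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK

def keccak_f1600(lanes):
    """Apply all 24 rounds to a state of 25 lanes, indexed lane[x + 5*y]."""
    A = list(lanes)
    for rnd in range(24):
        # theta: XOR the parity of two neighbouring columns into every lane
        C = [A[i] ^ A[i + 5] ^ A[i + 10] ^ A[i + 15] ^ A[i + 20] for i in range(5)]
        D = [C[(i - 1) % 5] ^ rol(C[(i + 1) % 5], 1) for i in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        # rho + pi: rotate each lane, then move it from (x, y) to (y, 2x+3y)
        B = [0] * 25
        for i in range(25):
            px, py = i % 5, i // 5
            B[py + 5 * ((2 * px + 3 * py) % 5)] = rol(A[i], ROT[i])
        # chi: the only non-linear step, applied row-wise as a ^ (~b & c)
        A = [B[i] ^ (~B[(i % 5 + 1) % 5 + 5 * (i // 5)] & B[(i % 5 + 2) % 5 + 5 * (i // 5)]) & MASK
             for i in range(25)]
        A[0] ^= RC[rnd]  # iota: break the symmetry between rounds
    return A

def avalanche(lanes, bit):
    """Number of the 1600 output bits that change when one input bit is flipped."""
    flipped = list(lanes)
    flipped[bit // 64] ^= 1 << (bit % 64)
    a, b = keccak_f1600(lanes), keccak_f1600(flipped)
    return sum(bin(p ^ q).count("1") for p, q in zip(a, b))
```

On the all-zero state the first output lane is the published Keccak test value 0xF1258F7940E1DDE7, and flipping any single input bit changes close to 800 of the 1600 output bits.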
