On the Correctness of Security Proofs for the 3GPP Confidentiality and Integrity Algorithms(<Special Section>Discrete Mathematics and Its Applications)

概要

論文の詳細を見る
f8 and f9 are standardized by 3GPP to provide confidentiality and integrity, respectively. It was claimed that f8 and f9' are secure if the underlying block cipher is a PseudoRandom Permutation (PRP), where f9' is a slightly modified version of f9. In this paper, however, we disprove both claims by showing a counterexample. We first construct a PRP F with the following property: There is a non-zero constant Cst such that for any key K, F_K(・) = F^<-1>_<K⊕Cst>(・). We then show that f8 and f9' are completely insecure if F is used as the underlying block cipher. Therefore, PRP assumption does not necessarily imply the security of f8 and f9', and it is impossible to prove their security under PRP assumption. It should be stressed that these results do not imply the original f8 and f9 (with KASUMI as the underlying block cipher) are insecure, or broken. They simply undermine their provable security.
社団法人電子情報通信学会の論文
2004-05-01