INTERNATIONAL WORKSHOP ON INFORMATION SECURITY

IN WIRELESS NETWORKS

CONFIDENTIALITY AND INTEGRITY ALGORITHMS

IN 3G MOBILE COMMUNICATIONS

CIOBANU Bogdan-Mihai

SUCEAVA
SEPTEMBER 4-8 2006 1
• there are two standardized algorithms:
- a confidentiality algorithm, f8,
- an integrity algorithm, f 9;
• each of these algorithms is based on KASUMI
algorithm;
• KASUMI – a block cipher that produces a 64-bit
output from a 64-bit input under the control of a
128-bit key.

2
Confidentiality algorithm, f 8

• stream cipher that encrypts/decrypts blocks

of data under a confidentiality key CK;
• the block of data may be between 1 and
20.000 bits long;
• f8 uses KASUMI algorithm in a form of
output feedback mode as a keystream
generator.

3
 Frame dependent input
COUNT
COUNT[0]…COUNT[31]
Bearer identity
BEARER
BEARER[0]…BEARER[4]
Direction of transmission
DIRECTION
DIRECTION[0]
Confidentiality key
CK
CK[0]….CK[127]
The number of bits to be
LENGTH encrypted/decrypted
(1-20000)
Input bit stream
IBS
IBS[0]….IBS[LENGTH-1]

f8 algorithm f8 inputs

OBS Output bit stream OBS[0]…OBS[LENGTH-1]

f8 output 4
 Architecture and components

• the keystream generator is

based on the KASUMI block
cipher;

• for the 64-bit A register, we set:

A=COUNT[0]...COUNT[31] BEARER[0]...BEARER[4] DIRECTION[0] 0…0

5
• we set the counter BLKCNT
to 0;
• the key modifier KM will be
set to
0x55555555555555555555555
555555555;
• the KSB0 (the initial block of
keystream produced by the
keystream generator) will be set
to 0;
• for the A register we apply
one operation KASUMI:

A = KASUMI [A] CK ⊕ KM

6
Keystream Generation
• the plaintext/ciphertext to
be encrypted/decrypted
consists of LENGTH bits
(1-20.000);
• the Keystream Generator
produces keystream bits
in multiples of 64 bits;
• let BLOCKS to be equal
to LENGTH/64 rounded
up to the nearest integer.
7
• for any integer n
(1≤n≤BLOCKS), we obtain:
KSBn =
KASUMI[A⊕BLKCNT⊕KSBn-1 ]CK,
where BLKCNT = n-1;
• the individual bits of the
keystream are extracted from
KSB1 to KSBBLOCKS;

• we define KSBn [i]= KS [((n – 1)*64) + i] , for

any i integer with 0≤i≤63 and n=1 to BLOCKS.
8
Encryption/Decryption

• these operations are identical and are performed

by the exclusive OR of the input data (IBS) with
the generated keystream (KS);
• for any integer i with 0≤i≤ LENGTH–1 we have:
OBS [i] = IBS [i] ⊕ KS [i]

9
Integrity algorithm f9

• compute a Message Authentication Code

(MAC) for an input message under an
integrity key IK;
• there is no limitation on the input message
length of the f9 algorithm;
• is based on the block cipher KASUMI.

10
 f9 algorithm

COUNT-I Frame dependent input COUNT-I[0]…COUNT-I[31]

FRESH Random number FRESH[0]… FRESH[31]
DIRECTION Direction of transmission DIRECTION[0]
f9 inputs
IK Integrity key IK[0]…IK[127]
LENGTH The number of bits to be ’MAC’d
MESSAGE Input bit stream

MAC-I Message authentication code MAC-I[0]…MAC-I[31] f9 output

11
 Initialisation
• the integrity function is
initialized with the key
variables before the
calculation commences
• the working variable are:
- A=0
- B=0
• the modifier KM is set to:
KM = 0x AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

12
 •we concatenate COUNT, FRESH, MESSAGE and DIRECTION;
•the total length of the resulting string PS (padded string) is an
integral multiple of 64 bits;
•PS=COUNT[0]…COUNT[31]FRESH[0]…FRESH[31]MESSAGE
[0]… MESSAGE[LENGTH-1] DIRECTION[0]10*

0* - indicates between 0 and 63 ”0” bits 13

 Calculation
• we split the padded string PS into 64-bit blocks, PSi:
PS=PS0||PS1||PS2||.||PSBLOCKS-1
• for each integer n, we have:
- A = KASUMI [A⊕PSn]IK
- B = B ⊕A,where 0≤n≤BLOCKS-1
• we perform one more application of
KASUMI using a modified form of
the integrity key IK:
B=KASUMI[B]IK ⊕KM
• the 32-bit MAC-I comprises the left
most 32 bits of the result:
MAC-I=lefthalf [B]
• for each integer i, we have:
MAC-I[i]=B[i]
bits B[32]...B[63] are discarded 14
KASUMI algorithm
• block cipher that forms the heart of the
confidentiality algorithm f8, and integrity
algorithm f9;
• decomposes into a number of subfunctions
(FL, FO, FI) which are used in conjunction
with associated subkeys (KL, KO, KI);
• block cipher with 8 rounds;
• produces a 64-bit output from a 64-bit input,
I, under the control of 128-bit key, K;

15
• the input I is divided into
two 32-bit strings L0 and
R0, where
I = L0||R0
• for each integer i, we
define:
Ri = Li-1,
Li = Ri-1 ⊕ fi (Li-1, RKi)
• this constitutes the ith round
function of KASUMI
- fi denotes the round
function with Li-1 and round
key RKi as inputs;
• the result OUTPUT is
equal to the 64-bit string
(L8||R8) offered at the end
of the 8th round.
16
Components of KASUMI
fi function
• this function takes a 32-bit input, I, and returns a 32-bit
output, O, under the control of a round key RKi, where
the round key comprises the subkey triplet of (KLi, KOi,
KIi).
• the function itself is constructed from two subfunctions:
FL and FO with associated subkeys KLi (used with FL)
and subkeys KOi şi KIi (used with FO);
• it has two different forms depending on whether it is an
even round or an odd round;

17
• for rounds 1,3,5 and 7, we define:
f i (I, RKi) = FO (FL (I, KLi), KOi, KIi)
• for rounds 2, 4, 6, and 8, we define
f i (I, RKi) = FL (FO (I, KOi, KIi), KLi)

• for odd rounds the round data is passed

through FL function and then FO function;
• for even rounds it is passed through FO
function and then FL function.

18
Function FL • comprises a 32-bit data
input I and a 32-bit
subkey KLi;
• the subkey is split into
two 16 bit subkeys, KLi,1
and KLi,2, where:
KLi = Kli,1 || KLi,2
• the input data is split in
two 16-bit halves, L and
R, where I = L||R.
• now we have:
R' = R ⊕ ROL(L ∩ KLi,1)
∩ - bitwise AND operation L' = L ⊕ ROL(R' U KLi,2)
U - bitwise OR operation • the output value is (L'||R')
<<< - one bit left rotation - 32 bits 19
Function FO • comprises a 32-bit data input, I, and
two sets of subkeys, KOi and KIi (both
of 48 bits)
• the 32-bit data input is split in two
halves, L0 and R0, where I = L0||R0;
• the 48-bit subkeys are subdivided into
three 16-bit subkeys:
KOi = KOi,1||KOi,2||KOi,3 and
KIi = KIi 1||KIi 2||KIi 3
• now we define:
RJ = FI (LJ-1 ⊕ KOi, J, KIi, J) ⊕ RJ-1
and LJ = RJ-1,
for each integer j, where 1 ≤ j ≤ 3
• finally we obtain the output value,
(L3||R3)-32 bits
20
Function FI • takes a 16-bit data input I and 16-bit
subkey KIi,j;
• the input I is split in two unequal
components: L0 (9bits) and R0 (7bits),
where I=L0||R0;
• the key KIi,j is split into a 7-bit
component KIi,j,1 and a 9-bit
component KIi,j,2, where
KIi,j = KIi,j,1||KIi,j,2;
• uses two S boxes S7 and S9;
• S7 transforms a 7-bit input to a 7-bit
output;
• S9 transforms a 9-bit input to a 9-bit
output;

* the thick and thin lines are used to make the difference
between the 9-bit and 7-bit data paths 21
• we have two additional functions:
- ZE (x) converts a 7-bit value
x into a 9-bit value (by adding two
0 bits to the most significant end);
- TR (x) converts a 9-bit value
x into a 7-bit value (by discarding
the two most significant bits);
• to obtain the output, we apply
these operations:
L1= R0;
R1= S9 [L0] ⊕ ZE (R0)
L2 = R1 ⊕ KIi,j,2;
R2 = S7[ L1] ⊕TR(R1) ⊕KIi,j,1
L3 = R2;
R3 = S9[L2] ⊕ZE(R2)
L4 = S7[L3] ⊕TR(R3)
R4= R3
• the output has this form: (L4||R4)-
16bits. 22
 S boxes
• they may be easily implemented in combinational logic;
• the input x comprises either 7 or 9 bits with a
coresponding number of bits in the output y
• x = x8||x7||x6||x5||x4||x3||x2||x1||x0
and
y = y8||y7||y6||y5||y4||y3||y2||y1||y0,

- the x8, y8 and x7, y7 only apply to S9, and x0

and y0 bits are the least significant bits.

23
 Key Schedule

• KASUMI has a 128-bit key K;

• each round of KASUMI uses 128 bits of key, that are derived
from K;
• before the round keys, are calculated two 16-bit arrays Kj and
Kj' (j = 1 to 8) in the following manner:
- the 128-bit key K is subdivided into eight 16-bit values,
K1,…, K8, where
K = K1||K2||K3|| ........... ||K8

- a second array of subkeys Kj' is derived from Kj by

applying:
Kj' = Kj ⊕ Cj, for 1 ≤ j ≤ 8
Cj are predefined constants. 24