1 © NOKIA Applications of Cryptography in Wireless Communication Bergen 18th June 2003 Kaisa Nyberg Nokia Research Center



Outline

Mobile Networks
• GSM
• 3GPP UMTS

Other RATs
• Bluetooth
• WLAN
• Key management

“If you go underground you have got to learn to live with the rats.” — Alex Krycek (X-files)


RAT security functions

[Figure: block diagram with the labels LINK KEY, NONCES, AUTHENTICATION AND KEY AGREEMENT, SESSION KEY DERIVATION, OTHER INPUT, SESSION KEYS, CONFIDENTIALITY AND INTEGRITY ALGORITHMS, CONTROL DATA, USER DATA, PROTECTED CONTROL DATA, PROTECTED USER DATA]


Lesson 1: Bluetooth

• Outline:
  • Bluetooth keys
  • Cryptographic algorithms
  • Bluetooth pairing, and its weaknesses
  • Proposed improved pairing


Bluetooth keys

[Figure: key hierarchy drawn once for each of the two devices, with the labels PIN, E22, LINK KEY, E3, ENCRYPTION KEY; labels between the devices: Authentication, Encryption, EN_RAND, First time connections]


E0—Encryption algorithm

[Figure: E0 keystream generator; labels: KC, K’C, ADDR, CLK, EN_RND, Form input data, LFSR 1, LFSR 2, LFSR 3, LFSR 4, Summation Combiner, Blend, Enc. stream]


Bluetooth Pairing

• Establishing link key between two BT devices
• Secret seed to the pairing procedure provided by Bluetooth PIN
• If the seed (Bluetooth PIN) is given or guessed, the link key can be derived from the public information exchanged between the devices and wire-tapped during the procedure

⇒ Short or otherwise low-redundancy Bluetooth PINs open possibilities for off-line dictionary attacks (passive attacks)

⇒ Use full length random PIN values in Bluetooth pairing! This can be facilitated by implementing PIN generating applications in the devices; but still cumbersome!


Bluetooth Pairing
Combination key

[Figure: Unit A and Unit B; on each side E22 with inputs ADDR_A, PIN, RND gives Kinit; E21 with inputs ADDR_A, RND_A and E21 with inputs ADDR_B, RND_B; + operations; result KAB on both sides]


Using short PIN values, an attack (I)

Observing device addresses and the following communication:

Initialisation:
• RND is sent: A1 = RND

Comb. Key calculation:
• Kinit + RND_A is sent: A2 = Kinit + RND_A
• Kinit + RND_B is sent: A3 = Kinit + RND_B

Authentication:
• AU_RND is sent: A4 = AU_RND
• SRES is sent: A5 = SRES


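Using short PIN values, an attack (II)

For each possible PIN test:

• E22 with inputs ADDR_A, PIN, A1 gives K’init
• RND_A’ = A2 + K’init
• RND_B’ = A3 + K’init
• E21 with inputs ADDR_A, RND_A’ and E21 with inputs ADDR_B, RND_B’, combined with +, give K’AB
• E1 with inputs K’AB, Claimant ADDR, A4 gives SRES
• A5 =? SRES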


Enhanced Bluetooth Pairing
Gehrmann-Nyberg (2000)

• Use a key agreement protocol based on public key cryptography that is secure against passive attacks such as Diffie-Hellman, RSA key transport etc…
• Protection still needed against active attacks
  • man-in-the-middle
  • impersonation
• Protection can be achieved using short passkeys!
• Existing methods: password authenticated key exchange protocols (for proposals, see IEEE P1363a study group) intended for remote client server authentication based on human memorable password
• In most Bluetooth scenarios:
  • passkeys are used once then discarded
  • devices are in close proximity


Diffie-Hellman key exchange (non-authenticated)

Fixed public parameters: P prime and G generator

ALICE                               BOB

a secret                            b secret
A = G^a mod P                       B = G^b mod P

                   A  →
                   ←  B

KA = B^a mod P                      KB = A^b mod P

KA = KB ?


Alice has KA – Bob has KB. Is KA = KB?

[Figure: anonymous Diffie-Hellman protocol gives KA to Alice's device and KB to Bob's device]

• Device generates challenge P
• Device computes response CA = h(KA,P)
• Device displays check value CV = P || CA to Alice

Alice tells CV to Bob

• Bob enters CV = P || CA into his device
• Device computes response CB = h(KB,P)
• Device compares CB = CA ? and displays the result (yes or no) to Bob

Bob tells the result to Alice
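The check-value comparison above, as an added example that is not part of the original slides. Assumptions: h is instantiated as truncated HMAC-SHA256, the field sizes are chosen here, and the prime 2**127 - 1 with G = 3 is a toy group used only so the code runs instantly.

```python
import hashlib
import hmac
import secrets

# Toy public parameters (assumption): far too small for real use.
PRIME = 2**127 - 1
G = 3
CHALLENGE_LEN = 2   # bytes of challenge P read out by the user (assumed size)
RESPONSE_LEN = 4    # bytes of truncated response C (assumed size)


def dh_keypair():
    """Return (secret exponent, public value G^secret mod PRIME)."""
    secret = secrets.randbelow(PRIME - 3) + 2
    return secret, pow(G, secret, PRIME)


def dh_shared(secret, peer_public):
    """K = peer_public^secret mod PRIME, serialised to 16 bytes."""
    return pow(peer_public, secret, PRIME).to_bytes(16, "big")


def response(key, challenge):
    """h(K, P) from the slide; here truncated HMAC-SHA256 (assumption)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


def make_check_value(key_a):
    """Alice's device: fresh challenge P, response CA, output CV = P || CA."""
    challenge = secrets.token_bytes(CHALLENGE_LEN)
    return challenge + response(key_a, challenge)


def verify_check_value(key_b, check_value):
    """Bob's device: split CV, compute CB = h(KB, P), compare CB with CA."""
    if len(check_value) != CHALLENGE_LEN + RESPONSE_LEN:
        return False
    challenge = check_value[:CHALLENGE_LEN]
    ca = check_value[CHALLENGE_LEN:]
    return hmac.compare_digest(response(key_b, challenge), ca)


def honest_run():
    """Both devices run anonymous Diffie-Hellman directly with each other."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    key_a = dh_shared(a, pub_b)
    key_b = dh_shared(b, pub_a)
    return verify_check_value(key_b, make_check_value(key_a))


def intercepted_run():
    """Both public values were replaced in transit by a third value, so KA != KB.

    Returns (keys_differ, bob_device_says_yes).
    """
    a, _pub_a = dh_keypair()
    b, _pub_b = dh_keypair()
    _m, pub_m = dh_keypair()
    key_a = dh_shared(a, pub_m)   # what Alice's device ends up with
    key_b = dh_shared(b, pub_m)   # what Bob's device ends up with
    return key_a != key_b, verify_check_value(key_b, make_check_value(key_a))


if __name__ == "__main__":
    print("honest run accepted:", honest_run())
    print("intercepted run (keys differ, accepted):", intercepted_run())
```

With the sizes chosen here the user reads out 6 bytes, and a mismatch between KA and KB goes unnoticed only if the truncated responses happen to coincide.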


Further MANA Developments

• A further variant recently presented by J-O Larsson, RSA (OpenGroup Conference, Amsterdam 24 Oct 2001)
  • only the challenge is transmitted to the devices using human channel
  • verification step is automated, and consists of an interactive proof protocol with commitments and proofs.
  • the method is also applicable when only keypads are used. But it is not applicable if only displays are used.

• International Standard ISO/IEC JTC1 SC27 FCD 9798-6 (see RSA Cryptobytes, Spring 2004)


MANA I Protocol

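[Figure: MANA I protocol flow between the user and the two components, with the steps:]
• Receive Data D
• Output: Data D ready
• User enters: Start
• Generate K, compute MAC, and output K and MAC
• User reads K and MAC
• User enters K and MAC
• Recompute MAC and compare
• Output Accept or Reject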


MANA II Protocol

[Figure: MANA II protocol flow between the user and the two components, with the steps:]
• Output: Data D ready (both components)
• User verifies: Both components ready
• User enters: Start
• Generate K, and transmit K to second component
• Receive K
• Compute MAC, Output K and MAC (both components)
• User compares the two MAC values and enters OK or REJECT in both components.


Security of MANA Protocols

The security of MANA protocols depends on the probability for an attacker to replace the observed data d with some other data d’. The attacker succeeds if d’ is accepted by the component as valid data. Since we assume that both components are physically close to each other and we do not accept any data unless both devices actually signal that they are ready, the impersonation attack does not apply to the MANA scenario.

Only the data is sent over public channel and the attacker does not know the output of the MAC. Hence, the probability of successful substitution attack for MANA I and II can be expressed as

$$P_S = \max_{d \neq d'} P\{\, f(d,k) = f(d',k) \mid d \text{ is observed} \,\}$$

Thus, given that the key is chosen uniformly at random from the key space, K, the probability above can be expressed as

$$P_S = \max_{d \neq d'} \frac{1}{|K|} \cdot \left|\{\, k \in K \mid f(d,k) = f(d',k) \,\}\right|$$

where |K| denotes the cardinality of the set K.


MANA using Reed-Solomon codes

The data (message) to be encoded as t-tuple of elements in $F_q$, $d = d_0, d_1, \dots, d_{t-1}$, where $d_i \in F_q$.

Then, the RS-encoding polynomial is given by

$$p^{(d)}(x) = d_0 + d_1 x + d_2 x^2 + \dots + d_{t-1} x^{t-1}$$

MAC function is given by evaluating the polynomial at point $k \in F_q$:

$$f(d,k) = v_k^{(d)} = p^{(d)}(k) = d_0 + d_1 k + d_2 k^2 + \dots + d_{t-1} k^{t-1}.$$
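The polynomial-evaluation MAC and the substitution probability P_S, worked through in code as an added example that is not part of the original slides. It assumes a prime field F_q (arithmetic modulo a prime q) and uses a deliberately tiny q so that P_S can be found by exhaustive search; the function names are chosen here.

```python
from fractions import Fraction
from itertools import product
import secrets


def rs_mac(d, k, q):
    """f(d, k) = d_0 + d_1*k + ... + d_{t-1}*k^(t-1) in F_q, by Horner's rule."""
    acc = 0
    for coeff in reversed(d):
        acc = (acc * k + coeff) % q
    return acc


def mana1_first_component(d, q, k=None):
    """Generate K, compute the MAC over D, output (K, MAC) for the user to read."""
    if k is None:
        k = secrets.randbelow(q)      # key chosen uniformly from K = F_q
    return k, rs_mac(d, k, q)


def mana1_second_component(d_received, q, k, mac):
    """Recompute the MAC over the locally received D and compare (accept/reject)."""
    return rs_mac(d_received, k, q) == mac


def colliding_keys(d, d_other, q):
    """All keys k under which d and d_other carry the same MAC."""
    return [k for k in range(q) if rs_mac(d, k, q) == rs_mac(d_other, k, q)]


def substitution_bound(q, t):
    """A non-zero polynomial of degree <= t-1 has at most t-1 roots in F_q."""
    return Fraction(t - 1, q)


def substitution_probability(q, t):
    """Exact P_S by exhaustive search (feasible for small q and t only).

    f is linear in d, so f(d,k) = f(d',k) exactly when the non-zero
    difference e = d - d' satisfies f(e,k) = 0. Scanning all e covers
    every pair (d, d').
    """
    zero = (0,) * t
    worst = 0
    for e in product(range(q), repeat=t):
        if any(e):
            worst = max(worst, len(colliding_keys(e, zero, q)))
    return Fraction(worst, q)


if __name__ == "__main__":
    q, t = 7, 3                       # constructed toy parameters
    d = [1, 2, 3]                     # data D as a t-tuple over F_7
    d_sub = [3, 6, 4]                 # d + (x-1)(x-2): collides only for k = 1, 2
    k, mac = mana1_first_component(d, q, k=5)
    print("MAC under k=5:", mac)
    print("substituted data accepted:", mana1_second_component(d_sub, q, k, mac))
    print("keys that would hide the substitution:", colliding_keys(d, d_sub, q))
    print("exact P_S:", substitution_probability(q, t),
          "bound (t-1)/q:", substitution_bound(q, t))
```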


Substitution probabilities for the MANA construction using Reed-Solomon codes

log2|D|    log2(n)    PS
128        16         2^-13 − 2^-16
256        16         2^-12 − 2^-16
128        20         2^-17 − 2^-20
256        20         2^-16 − 2^-20

n = q = |K|


Lesson 2: WLAN

• Outline:

• Security Extensions in IEEE 802.11i

• RSNA Establishment

• Data Encryption and Authentication


Security Extensions in IEEE 802.11i

• allows establishment of Robust Security Network Associations (RSNAs) between Wireless Local Area Network (WLAN) stations

• RSNA enables stations to

• use the Extensible Authentication Protocol (EAP) to authenticate the peer station instead of using a pre-shared key (PSK)

• establish fresh cryptographic keys

• use better cryptographic methods for data authentication and encryption


4-Way Handshake

• both supplicant and authenticator generate nonces (ANonce and SNonce) and exchange them

• both parties derive the same Pairwise Transient Key (PTK) from the PMK, their MAC addresses and the nonces by using a SHA-1-based algorithm

• PTK is divided into Key Confirmation Key (KCK), Key Encryption Key (KEK) and Temporal Key (TK)

• the MICs shown in the figure are based on the KCK

• TK is used to protect unicast traffic between the parties

• authenticator provides the supplicant with an additional key, Group Temporal Key (GTK) that is used to protect multicast and broadcast traffic

• GTK is encrypted using the KEK
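The PTK derivation and the KCK-based MIC check described in the list above, as an added example that is not part of the original slides. It uses the IEEE 802.11i PRF built on HMAC-SHA1 and the 384-bit PTK used with CCMP; the frame bytes, addresses, nonces and function names are constructed for the example and are not a real EAPOL-Key layout.

```python
import hashlib
import hmac


def prf(key, label, data, n_bytes):
    """802.11i PRF: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:n_bytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from the PMK, both MAC addresses and both nonces, split into KCK/KEK/TK.

    Sorting the addresses and the nonces makes both parties feed the PRF
    the same input regardless of their role.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def key_mic(kck, frame):
    """MIC over a handshake frame: HMAC-SHA1 keyed with the KCK, cut to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def supplicant_message2(pmk, aa, spa, anonce, snonce):
    """Supplicant: derive the PTK after receiving ANonce, send SNonce plus MIC."""
    frame = b"constructed-msg2:" + snonce      # stand-in for the EAPOL-Key frame
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)["KCK"]
    return frame, key_mic(kck, frame)


def authenticator_accepts(pmk, aa, spa, anonce, frame, mic):
    """Authenticator: read SNonce, derive the same PTK, verify the MIC."""
    snonce = frame[-32:]
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)["KCK"]
    return hmac.compare_digest(key_mic(kck, frame), mic)


# Constructed sample values
PMK = bytes(range(32))
WRONG_PMK = bytes(32)
AA = bytes.fromhex("020000000001")      # authenticator address
SPA = bytes.fromhex("020000000002")     # supplicant address
ANONCE = bytes([0xA1]) * 32
SNONCE = bytes([0x51]) * 32

if __name__ == "__main__":
    frame, mic = supplicant_message2(PMK, AA, SPA, ANONCE, SNONCE)
    print("correct PMK accepted:", authenticator_accepts(PMK, AA, SPA, ANONCE, frame, mic))
    frame, mic = supplicant_message2(WRONG_PMK, AA, SPA, ANONCE, SNONCE)
    print("wrong PMK accepted:", authenticator_accepts(PMK, AA, SPA, ANONCE, frame, mic))
```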


Data Encryption and Authentication

• IEEE 802.11i defines one mandatory data encryption and authentication mode for RSNAs: the Counter-Mode/CBC-MAC Protocol (CCMP)

• CCMP uses AES in CCM mode, providing both encryption and strong authentication

• TK and GTK obtained during the 4-way handshake are used as keys


CBC-MAC Calculation


Counter Mode Encryption and MIC Calculation


Link Key Management with EAP

• Outline
  • EAP
  • Tunnelled EAP
  • Man-in-the-Middle problems and solutions


Remote MN Authentication Methods - EAP

• Extensible Authentication Protocol (EAP) is a general protocol framework that supports
  • multiple authentication mechanisms
  • allows a back-end server to implement the actual mechanism
  • authenticator simply passes authentication signaling through

• EAP was initially designed for use with PPP network access

• But has been adapted for other types of access authentication

• WLAN (IEEE 802.1X)

• EAP consists of several Request/Response pairs; Requests are sent by network


Station Authentication with EAP

• EAP supports various authentication mechanisms, e.g. passwords, public keys and token cards

• if authentication is performed with an AP, the other station always acts as the supplicant

• after EAP authentication, the supplicant and the authenticator share a common secret value, the Pairwise Master Key (PMK)

• using EAP is not obligatory, a PSK may also be used as the PMK (since the possession of the correct PMK is verified during the 4-way handshake)


Protecting EAP – the PEAP approach

[Figure: PEAP architecture diagram with the boxes Client, NAS and Backend Server; labels: Cipher-Suite (two boxes), Trust, EAP Conversation (over PPP, 802.11, etc.), Keys, EAP API (twice), EAP Method (two boxes)]


PEAP/AKA- How it works

[Figure: message sequence between Terminal, AP, WLAN Server and HSS]

Establishing a PEAP tunnel (server authenticated); TLS-protocol based on network certificate

Secured by TLS tunnel

1. (… , EAP-Request/Identity message, )
2. TLS(EAP-Response/Identity (IMSI))
2a. MAP(Send_Auth Params: IMSI) [or DIAMETER]
2b. MAP (AKA authentication quintuplets)
3. TLS(EAP-Request/AKA-challenge (RAND, AUTN))
2. TLS(EAP-Response/AKA-challenge (RES))

WLAN_Master_session_keys (based on TLS tunnel keys)


PEAP/AKA- How it can fail

[Figure: message sequence between Terminal, MitM, AP, WLAN Server and HSS]

Establishing a PEAP tunnel (server authenticated); TLS-protocol based on network certificate

Secured by TLS tunnel (only server authenticated)

1. (… , EAP-Request/Identity message, )
2. TLS(EAP-Response/Identity (IMSI))
2a. MAP(Send_Auth Params: IMSI) [or DIAMETER]
2b. MAP (AKA authentication quintuplets)
3. TLS(EAP-Request/AKA-challenge (RAND, AUTN))
2. TLS(EAP-Response/AKA-challenge (RES))

MitM exchange with the Terminal: IMSI_Request, IMSI; 3. RAND, AUTN; 2. RES

WLAN_Master_session_keys (based on TLS tunnel keys)

Stolen WLAN link


Analysis of the problem

• Inner protocol is a legacy remote client authentication protocol (EAP/SIM, EAP/AKA) – typically used also without TLS tunnelling, also without ANY tunnelling

• MitM can set up a false cellular base station to ask for IMSI and subsequently, for RES.

• Even if EAP protocol is used exclusively in tunnelled mode, authentication of tunnel relies solely upon the terminal. Terminal user may accept an unknown certificate! This is not acceptable to network operators.

• Session keys are derived from TLS Master Key generated using tunnel protocol (same key as used to create tunnel).

• Keys derived in the EAP protocol (EAP SIM or UMTS AKA Master Keys) are not used.


Lessons learnt

• Composing two secure protocols may result in an insecure protocol
• Using tunnelling to “improve” a remote authentication protocol is very common
• Known vulnerable combinations:
  • HTTP Digest authentication and TLS
  • PEAP and any EAP subtype
  • PIC and any EAP subtype
  • …
• There are solutions that can be used to fix the problem
  • the exact fix needs to be tailored to the specific protocols

N. Asokan, V. Niemi, K. Nyberg, Man-in-the-Middle in Tunnelled Authentication Protocols, International Workshop on Security Protocols 2-4 April 2003, Cambridge, England


Some solutions

• Create cryptographic binding between tunneling protocol and MN authentication protocol:

  METHOD 1: Use a one-way function to compute session keys from tunnel secrets (e.g. TLS master key) and EAP secrets (e.g. IK, CK).

  METHOD 2: Compute a MAC over the protected EAP-response and credential request, using a MAC key derived as session key in Method 1. MAC is verified by AAAL or AAAH. Now tunnel is secure for handling of session keys or credentials.

• In both methods, EAP secrets must be sent from AAAH to AAAL (or tunnel secrets must be sent from AAAL to AAAH)

• Both methods rely on the MN authentication protocol producing a session key as well.
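Method 1 and Method 2 side by side with the tunnel-only key derivation they replace, as an added example that is not part of the original slides. HMAC-SHA256 stands in for the one-way function and the MAC, and every label, key value and function name is constructed for the example.

```python
import hashlib
import hmac


def tunnel_only_keys(tls_master_key):
    """Session keys derived from the tunnel secret alone (the case the slides criticise)."""
    return hmac.new(tls_master_key, b"session keys", hashlib.sha256).digest()


def bound_keys(tls_master_key, ik, ck):
    """METHOD 1: one-way function over the tunnel secret AND the EAP secrets."""
    return hmac.new(tls_master_key, b"bound session keys" + ik + ck,
                    hashlib.sha256).digest()


def binding_mac(session_key, eap_response, credential_request):
    """METHOD 2: MAC over the protected EAP-response and the credential request."""
    msg = len(eap_response).to_bytes(2, "big") + eap_response + credential_request
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def server_verifies(tls_master_key, ik, ck, eap_response, credential_request, mac):
    """AAA side: needs both the tunnel secret and the EAP secrets to check the MAC."""
    key = bound_keys(tls_master_key, ik, ck)
    expected = binding_mac(key, eap_response, credential_request)
    return hmac.compare_digest(expected, mac)


# Constructed sample values
IK = bytes.fromhex("11" * 16)           # EAP secrets known to USIM and home network
CK = bytes.fromhex("22" * 16)
RES = b"constructed-RES"
CRED_REQ = b"constructed credential request"
TLS_KEY_TERMINAL = bytes.fromhex("aa" * 48)   # tunnel run by the genuine terminal
TLS_KEY_OTHER = bytes.fromhex("bb" * 48)      # tunnel run by some other endpoint


def honest_terminal():
    """The tunnel endpoint is also the party that ran AKA: the MAC verifies."""
    mac = binding_mac(bound_keys(TLS_KEY_TERMINAL, IK, CK), RES, CRED_REQ)
    return server_verifies(TLS_KEY_TERMINAL, IK, CK, RES, CRED_REQ, mac)


def endpoint_without_eap_secrets():
    """The tunnel endpoint can forward RES but never learns IK/CK.

    Returns (gets_keys_without_binding, gets_keys_with_binding, mac_accepted).
    """
    guess = bytes(16)                    # it has no better value for IK and CK
    own_unbound = tunnel_only_keys(TLS_KEY_OTHER)
    own_bound = bound_keys(TLS_KEY_OTHER, guess, guess)
    server_unbound = tunnel_only_keys(TLS_KEY_OTHER)
    server_bound = bound_keys(TLS_KEY_OTHER, IK, CK)
    mac = binding_mac(own_bound, RES, CRED_REQ)
    return (own_unbound == server_unbound,
            own_bound == server_bound,
            server_verifies(TLS_KEY_OTHER, IK, CK, RES, CRED_REQ, mac))


if __name__ == "__main__":
    print("honest terminal accepted:", honest_terminal())
    print("endpoint without IK/CK:", endpoint_without_eap_secrets())
```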


Lesson 3: Cryptography in GSM

Outline
Security goals in GSM Networks
Authentication and Key Agreement
Cryptographic algorithms
Attacks and countermeasures


Trust model

• Each operator shares long term security association (SA) with its subscriber

• Security association credentials stored in tamper-resistant identity module issued to subscriber called the UICC ( = SIM or USIM)

• Operators may enter roaming agreements with other operators in which case a certain level of trust exists between the respective domains


Security goals in GSM

• Secure business for operators
  • subscribers pay their bills
  • subscribers do not avoid using GSM because of privacy threats
• accommodate to regulators’ and LEAs’ requirements

⇒ System requirements:

• call authentication and integrity
• privacy protection over the air interface
• support for LI


Mobile Network

MOBILE TERMINAL BASE STATION HOME LOCATION REGISTER


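GSM – Securing access and radio path

[Figure: message flow between MOBILE (SIM), which holds IMSI and K, the VISITOR LOCATION REGISTER AND BASE STATION, and the HOME LOCATION REGISTER, which holds {IMSI, K}]

• MOBILE sends IMSI; the VISITOR LOCATION REGISTER forwards IMSI to the HOME LOCATION REGISTER
• HOME LOCATION REGISTER computes Kc and XRES from K and RAND and returns RAND, XRES, Kc
• VISITOR LOCATION REGISTER sends RAND to the MOBILE
• MOBILE (SIM) computes Kc and SRES from K and RAND and returns SRES
• VISITOR LOCATION REGISTER checks SRES = XRES ?
• radio path encrypted using Kc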


One-way function on the SIM card for authentication and key agreement

[Figure: one-way function with inputs K and RAND and outputs SRES / XRES and Kc]


Authentication and Key Agreement

[Figure: inputs RAND and Ki; A3 gives SRES/XRES, A8 gives Kc]


A3/A8 Algorithms

Operator specific – need not be standardized

• COMP128-1
  • Originally secret, completely reverse-engineered, subsequently broken, instant cloning devices known to exist

• COMP128-2 and COMP128-3
  • secret, strength not known, cloning devices not known

• GSM-MILENAGE
  • Published by GSM Association
  • based on 3G MILENAGE and AES

• Operator and manufacturer algorithms


A5 and GEA Algorithms
Air interface encryption – must be standardized

• A5/1
  • originally secret
  • moderate strength (online breaking devices not known to exist)
• A5/2
  • originally secret
  • weak and broken (online breaking devices known to exist)
• A5/3
  • Published by GSM Association
  • Based on 3GPP f8 encryption algorithm
• GEA1 and GEA2
  • Secret
• GEA3
  • Published by GSM Association
  • Based on 3GPP f8 encryption algorithm


Lack of confidence in GSM Security

• lack of openness in design and publication of A5/1
• misplaced belief by regulators in the effectiveness of control on the export or (in some countries) the use of cryptography
• key length too short, but implementation faults make increase of encryption key length difficult
• need to replace A5/1, but poor design of support for simultaneous use of more than one encryption algorithm is making replacement difficult
• ill advised use of COMP 128

Source: Mike Walker (Vodafone and RH, chair of SA3 of 3GPP) Invited talk at Eurocrypt 2000


Magic Sim

• A smart design of the MAGIC SIM can now solve problems for people who own several mobile numbers. With the MAGIC SIM, you can integrate all your mobile numbers in only one card.

• The operating process is very easy, with the software and the manual provided, you will be able to operate it and switch it to the number or network that you wish. This way, the problem of changing SIM cards and paying large amount of phone bill will both be avoided.

• With an exclusive “look up table”, Magic Sim can make 100% successful in cracking COMP128-1 SIM cards. Currently Magic Sim is planning to develop COMP128 V2 cracking algorithm for future applications.

GSM System $420,000.00 GSM Interceptor Pro

Features
The system can target specific numbers or randomly screen GSM mobile Communication. Conversations are monitored and logged simultaneously to voice and data logger for storage and retrieval. Works with identificators IMSI, TMSI, IMEI, and MSISDN.

An advanced monitoring system designed to intercept GSM cellular traffic. It is the most sophisticated - advanced state of the art equipment of its kind. It is custom made to certain specifications according to the cellular system in your country.


GSM Interceptor Pro

Encryption Modes:

• A5/2 cooperation with network operator is not needed, the system works in real time.
• A5/1 If cooperation with network operator is possible, the system works in real time.
• If cooperation with network operator is not possible but there is an access to mobile phone, information can be extracted directly from SIM card, Extraction time – 15 Min., SIM card scanner should be added to the system.
• With special hardware and software module A5/1 Decoder the interceptor works without cooperation with network operator. Item: 4001-D.


Spyphone

• The Cellular Spy Phone may look like a regular Nokia Cellular phone, however this Super technology goes beyond its standard capabilities. It operates as a normal cellular phone - but when the phone is called in on a special "Spy" mode (from anywhere in the world). It will automatically answer without any ringing or lights coming on and the display stays the same as if it is on a "Standby Mode". While on the "Standby mode" it will pickup the sounds nearby and transmit them back to you (the caller).

• Great for surveillance and covert operations.

Weaknesses in GSM authentication
Active attacks by network node not taken seriously

• Unilateral authentication: network not authenticated
• Session key freshness provided only by network
• “IMSI Catching”
• Encryption algorithm in use selected by BSS
• When to authenticate, or if authenticate at all, decided by the serving network

⇒ session key replay by network possible


Barkan–Biham-Keller Attack (2003)

Exploits weaknesses in cryptographic algorithms:
• A5/2 can be instantly broken

… AND other fundamental flaws in the GSM security system:
• A5/2 mandatory feature in handsets
• Call integrity based on an (weak) encryption algorithm
• The same Kc is used in different algorithms
• Attacker can force the victim MS to use the same Kc by RAND replay

Two types of attacks:
1. Decryption of encrypted call using ciphertext only
   • Catch a RAND and record the call encrypted with Kc and A5/3
   • Replay the RAND and tell the MS to use A5/2
   • Analyse Kc from the received encrypted uplink signal
2. Call hi-jacking
   • Relay RAND to victim MS and tell it to use A5/2
   • Analyse Kc from the received signal encrypted by the victim MS
   • Take Kc into use and insert your own call on the line


Proposed Countermeasure
Amendment to the GSM security architecture: Special RANDs

• RAND is the only variable information sent from Home to MS in the authentication
• Divide the space of all 128-bit RANDs into different classes with respect to which encryption algorithm is allowed to be used with the Kc derived from this RAND.
• 32-bit flag to indicate to the MS that a special RAND is in use
• 16 bits to indicate which algorithms out of 8 GSM (and ECSD) and 8 GPRS encryption algorithms are allowed to be used with the key derived from this special RAND
• Effective RAND reduced from 128 bits to 80 bits. Remains to be judged if acceptable.
• Special RANDs triggered by the visited network identity. Requires careful configuration in the HLR/AuC.
• Solution assumes that HLR gets the correct VLR identifier.
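How a handset could parse and enforce such a special RAND, as an added example that is not part of the original slides. The slides give only the field sizes (32 + 16 + 80 bits); the field order, the flag value, the bit-to-algorithm mapping and all function names below are assumptions made for the example.

```python
import secrets

# Placeholder flag value (assumption): the slides do not give the real one.
SPECIAL_FLAG = bytes.fromhex("5a5aa5a5")
GSM_ALGS = [f"A5/{i}" for i in range(1, 9)]     # 8 GSM (and ECSD) slots
GPRS_ALGS = [f"GEA{i}" for i in range(1, 9)]    # 8 GPRS slots


def _bitmap(allowed, names):
    """One byte with bit i set when names[i] is allowed."""
    unknown = set(allowed) - set(names)
    if unknown:
        raise ValueError(f"unknown algorithm(s): {sorted(unknown)}")
    return sum(1 << i for i, name in enumerate(names) if name in allowed)


def make_special_rand(allowed_gsm, allowed_gprs, entropy=None):
    """HLR/AuC side: flag (32 bits) || bitmap (16 bits) || random part (80 bits)."""
    if entropy is None:
        entropy = secrets.token_bytes(10)
    if len(entropy) != 10:
        raise ValueError("the random part must be exactly 80 bits")
    bitmap = bytes([_bitmap(allowed_gsm, GSM_ALGS), _bitmap(allowed_gprs, GPRS_ALGS)])
    return SPECIAL_FLAG + bitmap + entropy


def parse_rand(rand):
    """Return the policy carried by a special RAND, or None for an ordinary RAND."""
    if len(rand) != 16:
        raise ValueError("RAND must be 128 bits")
    if rand[:4] != SPECIAL_FLAG:
        # An ordinary random RAND starts with the flag with probability 2**-32.
        return None
    gsm = {name for i, name in enumerate(GSM_ALGS) if (rand[4] >> i) & 1}
    gprs = {name for i, name in enumerate(GPRS_ALGS) if (rand[5] >> i) & 1}
    return {"gsm": gsm, "gprs": gprs, "entropy": rand[6:]}


def ms_allows(rand, algorithm):
    """MS side: may the Kc derived from this RAND be used with `algorithm`?"""
    policy = parse_rand(rand)
    if policy is None:
        return True                  # ordinary RAND: no restriction is signalled
    return algorithm in (policy["gsm"] | policy["gprs"])


if __name__ == "__main__":
    rand = make_special_rand({"A5/3"}, {"GEA3"})
    for alg in ("A5/3", "A5/2", "GEA3", "GEA1"):
        print(alg, "allowed with this RAND:", ms_allows(rand, alg))
    print("ordinary RAND, A5/2 allowed:", ms_allows(bytes(16), "A5/2"))
```

With such a check in the MS, a RAND issued for A5/3 only cannot be reused to obtain traffic encrypted under the same Kc with A5/2.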


Lesson 4: Cryptography in UMTS

Outline:

Authentication and Key Agreement
Encryption Algorithm in UMTS
  » KASUMI
  » PSEUDORANDOMNESS BY CONSTRUCTION
  » DISTINGUISHING ATTACKS
  » NONLINEARITY IN KASUMI
KASUMI in UMTS integrity algorithm

Reference: Valtteri Niemi, Kaisa Nyberg. UMTS Security. Wiley & Sons, Chichester 2003.


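[Figure: message flow between VLR/SGSN and AuC]

• VLR/SGSN sends IMSI to the AuC
• AuC computes XRES, AUTN, CK, IK from RAND, K, SQN
• AuC returns RAND, AUTN, XRES, CK, IK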


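[Figure: message flow between UE and VLR/SGSN]

• VLR/SGSN sends RAND, AUTN to the UE
• UE computes RES, SQN, CK, IK from RAND, K, AUTN
• UE checks whether the SQN is big enough
• UE returns RES
• VLR/SGSN checks whether RES = XRES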


[Figure: AuC. Inputs K, AMF, SQN, RAND go into the functions f1, f2, f3, f4, f5, which generate MAC, XRES, CK, IK, AK.]
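The authentication and key agreement exchange of the three preceding figures, as an added Python example that is not part of the original slides. HMAC-SHA-256 with a per-function label stands in for f1 to f5 (it is not MILENAGE); the AUTN layout (SQN xor AK || AMF || MAC) and the field sizes follow 3GPP TS 33.102 rather than the slides, and the SQN check is simplified to "strictly greater than the last accepted value".

```python
import hashlib
import hmac
import os


def f(k, label, *parts, n):
    """Stand-in for f1..f5: labelled HMAC-SHA-256 truncated to n bytes (not MILENAGE)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def auc_vector(k, sqn, amf=b"\x80\x00"):          # AMF value is constructed
    """AuC: build the vector (RAND, AUTN, XRES, CK, IK) from K and SQN."""
    rand, sqn_b = os.urandom(16), sqn.to_bytes(6, "big")
    mac = f(k, b"f1", sqn_b, rand, amf, n=8)
    xres, ck, ik, ak = (f(k, lab, rand, n=n) for lab, n in
                        ((b"f2", 8), (b"f3", 16), (b"f4", 16), (b"f5", 6)))
    return rand, xor(sqn_b, ak) + amf + mac, xres, ck, ik


class USIM:
    def __init__(self, k):
        self.k, self.sqn_ms = k, 0                # highest SQN accepted so far

    def authenticate(self, rand, autn):
        """UE: check MAC (network knows K) and SQN (vector is fresh), then answer."""
        ak = f(self.k, b"f5", rand, n=6)
        sqn_b, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f(self.k, b"f1", sqn_b, rand, amf, n=8)):
            raise ValueError("MAC failure: AUTN was not produced with K")
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:
            raise ValueError("SQN not big enough: replayed or stale vector")
        self.sqn_ms = sqn
        return tuple(f(self.k, lab, rand, n=n) for lab, n in
                     ((b"f2", 8), (b"f3", 16), (b"f4", 16)))   # RES, CK, IK


def run_aka(k_auc, usim, sqn):
    """VLR/SGSN: forward RAND, AUTN to the UE and compare RES with XRES."""
    rand, autn, xres, ck, ik = auc_vector(k_auc, sqn)
    res, ck_ue, ik_ue = usim.authenticate(rand, autn)
    return hmac.compare_digest(res, xres) and (ck, ik) == (ck_ue, ik_ue)
```

Replaying a captured (RAND, AUTN) pair fails the SQN check, and a vector built without K fails the MAC check before any RES is returned.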

[Figure: MILENAGE block diagram. Labels: inputs RAND and SQN||AMF||SQN||AMF; OPC computed from OP with EK; EK encryptions combined with OPC, rotations by r1 to r5 and constants c1 to c5; outputs f1, f1*, f5, f2, f3, f4, f5*.]

Authentication function in UMTS

[Figure: UMTS encryption function f8. Labels: input block COUNT || BEARER || DIRECTION || 0...0; KASUMI instances keyed with CK and CK’; block counters BLKCTR = 0, 1, 2, ..., n; keystream blocks KS[0] ... KS[63], KS[64] ... KS[127], KS[128] ... KS[191].]

CT[ i ] = PT[ i ] XOR KS[ i ]

KASUMI - the first draft

[Figure: KASUMI block diagrams. Fig. 1: KASUMI, input P, output C, eight rounds built from FL1 to FL8 and FO1 to FO8 with keys KL1 to KL8, KO1 to KO8, KI1 to KI8 (64 bits split into 32-bit halves). Fig. 2: FO function, three rounds FIi1 to FIi3 with keys KOi1 to KOi3 and KIi1 to KIi3 (32 bits split into 16-bit halves). Fig. 3: FI function, S-boxes S9, S7, S9, S7 with zero-extend and truncate steps and keys KIij1, KIij2 (16 bits split into 9 and 7 bits). Fig. 4: FL function, bitwise AND operation, bitwise OR operation, one bit left rotation, keys KLi1, KLi2 (32 bits split into 16-bit halves).]

KASUMI

[Figure: KASUMI block diagrams. Fig. 1: KASUMI, input P, output C, eight rounds built from FL1 to FL8 and FO1 to FO8 with keys KL1 to KL8, KO1 to KO8, KI1 to KI8 (64 bits split into 32-bit halves). Fig. 2: FO function, three rounds FIi1 to FIi3 with keys KOi1 to KOi3 and KIi1 to KIi3 (32 bits split into 16-bit halves). Fig. 3: FI function, S-boxes S9, S7, S9, S7 with zero-extend and truncate steps and keys KIij1, KIij2 (16 bits split into 9 and 7 bits). Fig. 4: FL function, bitwise AND operation, bitwise OR operation, one bit left rotation, keys KLi1, KLi2 (32 bits split into 16-bit halves).]

Adversary model for distinguishability

Deterministic adaptive adversary with q queries

Adversary with memory Y0, Y1, …, Yi-1

[Figure: the adversary sends query Xi to the oracle (black box) and receives response Yi]

X0 fixed, Y0 = (X0), i= 1,…,q-1

Distinguisher

Perfect random family of functions *= {F*: Vn → Vm} is a set of all functions drawn uniformly at random

Remark: To code an element in * takes m⋅2^n bits = entropy of F*

Let be any set of functions = {F: Vn → Vm} with a certain probability distribution

A distinguisher is an algorithm which takes the queries and oracle responses as input and gives 0 or 1 as output

[Figure: distinguisher with inputs X0,X1,…,Xq-1 and Y0,Y1,…,Yq-1 and output 0 or 1]

Distinguishing advantage

Advantage of an adversary using distinguisher is defined as

ADV = | Pr ( outputs 1 | implements *)

– Pr ( outputs 1 | implements ) |

Oracle first selects the set of functions, and then the function from the set according to the probability distribution.

If ADV is “small” we say that is indistinguishable from * .

Luby – Rackoff (1988)

How to construct pseudorandom permutations V2n → V2n given three random functions F1*, F2*, F3* : Vn → Vn

[Figure: three-round network with round functions F1*, F2*, F3*]

pseudorandom = indistinguishable from random

also known as Feistel network, used in the DES encryption algorithm

Pseudorandomness of Kasumi

[Figure: structures with bit widths 16, 16 and 9, 7]

Distinguisher of three-round structure

[Figure: two copies of the three-round structure with round functions F1, F2, inputs (a, b) and (a’, b), and right outputs F1(a)⊕F2(b)⊕b and F1(a’)⊕F2(b)⊕b]

• the xor of the right outputs is independent of b !

• distinguisher makes use of four chosen plaintext pairs: (a,b) and (a’,b), (a,b’) and (a’,b’)
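The four-plaintext distinguisher above, measured against the advantage definition from the earlier slide, as an added Python example that is not part of the original slides. It assumes the three-round structure uses the round map (L, R) → (R, F(L) ⊕ R) with 16-bit halves, which yields the output half F1(a)⊕F2(b)⊕b shown on the slide (drawn on the right there, returned first here); the oracle and function names are hypothetical.

```python
import random

N = 16                       # half-block width in bits (assumed)
MASK = (1 << N) - 1


def lazy_random_function(rng, bits):
    """Uniformly random function with `bits`-bit outputs, sampled on demand."""
    table = {}

    def func(x):
        if x not in table:
            table[x] = rng.getrandbits(bits)
        return table[x]
    return func


def three_round(rng):
    """Oracle for three rounds of (L, R) -> (R, F(L) ^ R) with random F1, F2, F3."""
    rounds = [lazy_random_function(rng, N) for _ in range(3)]

    def oracle(a, b):
        left, right = a, b
        for func in rounds:
            left, right = right, func(left) ^ right
        return left, right   # left == F1(a) ^ F2(b) ^ b
    return oracle


def ideal(rng):
    """Oracle drawn from the perfect random family on 2N-bit blocks."""
    func = lazy_random_function(rng, 2 * N)

    def oracle(a, b):
        y = func((a << N) | b)
        return y >> N, y & MASK
    return oracle


def distinguisher(oracle, rng):
    """Query (a,b), (a',b), (a,b'), (a',b'); output 1 if the XOR does not depend on b."""
    a, a2, b, b2 = rng.sample(range(1 << N), 4)
    d1 = oracle(a, b)[0] ^ oracle(a2, b)[0]
    d2 = oracle(a, b2)[0] ^ oracle(a2, b2)[0]
    return int(d1 == d2)


def advantage(trials=500, seed=2003):
    """Empirical ADV = |Pr(1 | ideal) - Pr(1 | three-round structure)|."""
    rng = random.Random(seed)
    p_struct = sum(distinguisher(three_round(rng), rng) for _ in range(trials)) / trials
    p_ideal = sum(distinguisher(ideal(rng), rng) for _ in range(trials)) / trials
    return abs(p_ideal - p_struct)
```

The structure satisfies the relation on every trial, while a random function does so with probability 2^-16, so the measured advantage is close to 1 after only four queries.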

[Figure: KASUMI block diagrams. Fig. 1: KASUMI, input P, output C, eight rounds built from FL1 to FL8 and FO1 to FO8 with keys KL1 to KL8, KO1 to KO8, KI1 to KI8 (64 bits split into 32-bit halves). Fig. 2: FO function, three rounds FIi1 to FIi3 with keys KOi1 to KOi3 and KIi1 to KIi3 (32 bits split into 16-bit halves). Fig. 3: FI function, S-boxes S9, S7, S9, S7 with zero-extend and truncate steps and keys KIij1, KIij2 (16 bits split into 9 and 7 bits). Fig. 4: FL function, bitwise AND operation, bitwise OR operation, one bit left rotation, keys KLi1, KLi2 (32 bits split into 16-bit halves).]

an eight-round Feistel network

Pseudorandomness of Kasumi

• Luby – Rackoff approach allows constructions of large pseudorandom functions starting from smaller random functions.

• Distinguishing attacks are just one type (although a very general type) of cryptanalytic attacks.

• Other strong analysis methods:
  • Differential cryptanalysis (Biham - Shamir 1989)
  • Linear cryptanalysis (Matsui 1993)

Theorem (Nyberg-Knudsen 1993): If a function F: Vn → Vn has small differential probabilities, then the four round Feistel network V2n → V2n has small differential probabilities, and is therefore resistant against differential cryptanalysis. If F is bijective then three rounds is sufficient.

If F is bijective, then distinguishing attacks are still possible up to five rounds!

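5 round Feistel network with bijective F

[Figure: five Feistel rounds F; the difference labels 0 α appear at the input and at the output, with intermediate differences β and γ]

F bijection: α ≠ 0 ⇓ β ≠ 0 ⇓ γ ≠ 0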

Kasumi substitution boxes

The approach proposed by Nyberg-Knudsen (1993) is to select the small initial functions to have optimal linearity and differential properties. Kasumi functions are

x → x^81 in GF(2^7)
x → x^5 in GF(2^9)

Note: The same approach was adopted in the design of the new AES encryption standard (Rijndael) which has eight small substitution transformations defined as

x → x^-1 in GF(2^8)

Non-linearity and Correlation

Definition: Correlation of two Boolean functions f and g is defined as

corr(f, g) = 2^-n (#{x | f(x) = g(x)} - #{x | f(x) ≠ g(x)})

= 2^-n Σx (-1)^(f(x) ⊕ g(x))

= 2^-n f ⊕ g (0)

where the Walsh transform is defined as

h (w) = Σx (-1)^(h(x) ⊕ w·x)

Definition: Linearity of Boolean function f is defined as Λf = max w | f (w) |

f is said to be perfect nonlinear if Λf = 2^(n/2). Then n must be even.

Nonlinearity – results and open problems

Problem: What is min Λf when f is a balanced Boolean function of n variables? It is known that min Λf < 2^((n+1)/2), for n ≥ 29 (Patterson-Wiedemann 1983).

Definition: Linearity of a Boolean function Vn → Vm is defined as Λf = max u,w | u⋅f (w) |.

Theorem: If f : Vn → Vn is a bijection, then min Λf = 2^((n+1)/2) and it can be achieved if and only if n is odd. Such f has a three-valued Walsh transform.

Examples: Functions f : x → x^3, f : x → x^5 and f : x → x^81 in GF(2^n) (considered as Boolean functions) have minimum linearity 2^((n+1)/2), for n odd.

H. Dobbertin (1997,1999), T. Helleseth (1998,1999) investigated the following related problem: For which exponent d is the function f(x) = x^d in GF(2^n) almost perfect nonlinear?

Linearity and elliptic curve point counting

Elliptic curve

y^2 + y = bx^3 + ax

over the field GF(2^n), where n is odd. The number of points of the curve is

= 1 + 2 #{x | Tr(bx^3 + ax) = 0}

= 1 + 2[2^(n-1) + ½ f (a,b)]

= 1 + 2^n ± 2^((n+1)/2) or = 1 + 2^n,

where f (a,b) = b⋅f (a) and f : x → x^3 in GF(2^n).
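The linearity definitions, the KASUMI S-box power maps and the point-count formula above can be checked numerically; the following is an added Python example, not part of the original slides. The reduction polynomials are choices made here (for instance 0x83 for x^7+x+1, 0x211 for x^9+x^4+1, 0x25 for x^5+x^2+1, 0x11B for the AES field), and the Walsh transform uses the bitwise dot product; neither choice changes the set of values obtained.

```python
from collections import Counter


def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n); poly is the reduction polynomial including x^n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r


def gf_pow(x, e, n, poly):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n, poly)
        x = gf_mul(x, x, n, poly)
        e >>= 1
    return r


def walsh(signs):
    """Fast Walsh-Hadamard transform: out[w] = sum_x signs[x] * (-1)^(w.x)."""
    v, h = list(signs), 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                v[j], v[j + h] = v[j] + v[j + h], v[j] - v[j + h]
        h *= 2
    return v


def spectrum(d, n, poly):
    """All Walsh values of the components u.f (u != 0) of f(x) = x^d in GF(2^n)."""
    f = [gf_pow(x, d, n, poly) for x in range(1 << n)]
    vals = set()
    for u in range(1, 1 << n):
        vals.update(walsh([1 - 2 * (bin(u & y).count("1") & 1) for y in f]))
    return vals


def linearity(d, n, poly):
    return max(abs(v) for v in spectrum(d, n, poly))


def curve_orders(n, poly):
    """Point counts (with infinity) of y^2 + y = b x^3 + a x over all a and b != 0."""
    q = 1 << n
    roots = Counter(gf_mul(y, y, n, poly) ^ y for y in range(q))  # #{y : y^2+y = c}
    cube = [gf_pow(x, 3, n, poly) for x in range(q)]
    return {1 + sum(roots[gf_mul(b, cube[x], n, poly) ^ gf_mul(a, x, n, poly)]
                    for x in range(q)) for a in range(q) for b in range(1, q)}
```

For example, `linearity(81, 7, 0x83)` gives 16 = 2^((7+1)/2), and `curve_orders(5, 0x25)` counts the points by brute force over y rather than through the trace formula.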

[Figure: KASUMI instances keyed with IK process COUNT || FRESH, MESSAGE[0] ... MESSAGE[63], MESSAGE[64] ... MESSAGE[127], up to the final message block padded with Method 2; a last KASUMI keyed with IK’ gives MAC (left 32 bits).]

Integrity function f9

Conclusion

• An example of industrial cryptography presented

• Generic cryptographic principles discussed
  • distinguishability and pseudorandomness
  • constructions of pseudorandom functions
  • nonlinearity properties
  • constructions of nonlinear functions

• Design of KASUMI block cipher discussed
  • based on MISTY design (Matsui, 1997)
  • nonlinearity as basic design principle
  • pseudorandomness for KASUMI structure proved later (2001)

• Use of KASUMI in UMTS encryption function f8 and integrity function f9 presented