Pseudorandomness of Basic Structures in the Block Cipher KASUMI

Ju-Sung Kang, Bart Preneel, Heuisu Ryu, Kyo Il Chung, and Chee Hang Park

The notion of pseudorandomness is the theoretical I. INTRODUCTION foundation on which to consider the soundness of a basic structure used in some block ciphers. We examine the A block cipher is a family of permutations on a message pseudorandomness of the block cipher KASUMI, which space indexed by a secret key. Luby and Rackoff [1] will be used in the next-generation cellular phones. First, we introduced a theoretical model for the security of block ciphers prove that the four-round unbalanced MISTY-type by using the notion of pseudorandom and super-pseudorandom transformation is pseudorandom in order to illustrate the permutations. A pseudorandom permutation can be interpreted pseudorandomness of the inside round function FI of as a block cipher that cannot be distinguished from a truly KASUMI under an adaptive distinguisher model. Second, random permutation regardless of how many polynomial we show that the three-round KASUMI-like structure is not encryption queries an attacker makes. A super-pseudorandom pseudorandom but the four-round KASUMI-like structure permutation can be interpreted as a block cipher that cannot be is pseudorandom under a non-adaptive distinguisher model. distinguished from a truly random permutation regardless of how many polynomial encryption and decryption queries an attacker makes. Luby and Rackoff used a Feistel-type transformation defined by the typical two-block structure of the block cipher DES in order to construct pseudorandom and super-pseudorandom permutations from pseudorandom functions [1]. They showed that the Feistel-type transformation with three rounds yields a 2n-bit pseudorandom permutation and with four rounds it yields a 2n-bit super-pseudorandom permutation under the assumption that each round function is an n-bit pseudorandom function. Patarin [2] proved that one could obtain similar results by using only a single pseudorandom function. Naor and Reingold [3] revisited the revised constructions of Luby and Rackoff and simplified their proofs of security. There were also some noticeable results for the pseudorandomness of a MISTY-type transformation defined by another typical two-block structure of the block cipher Manuscript received Mar. 22, 2002; revised Feb. 3, 2003. Ju-Sung Kang (phone: +82 42 860 5326, e-mail: [email protected]), Heuisu Ryu (e-mail: MISTY [4], [5] different from the Feistel-type. Sakurai and [email protected]), Kyo Il Chung (e-mail: [email protected]), and Chee Hang Park (e-mail: Zheng [6] showed that the three-round MISTY-type [email protected]) are with Information Security Technology Division, ETRI, Daejeon, Korea. transformation does not give a pseudorandom permutation and Bart Preneel (e-mail: [email protected]) is with the Electrical Engineering Department, Kathorieke Universitat Leuven, Belgium. the four-round does not give a super-pseudorandom

ETRI Journal, Volume 25, Number 2, April 2003 Ju-Sung Kang et al. 89 permutation. Gilbert and Minier [7] and Kang et al. [8] showed size. The pseudorandomness criteria can be used in the independently that the four-round MISTY-type transformation theoretical study of the soundness of a basic structure used in yields a pseudorandom permutation. Iwata et al. [9] and Gilbert some block ciphers. and Minier [7] also independently proved that the five-round On the other hand, Knudsen [15] proved that any Feistel MISTY-type yields a super-pseudorandom permutation. cipher with a bijective round function has the impossible Recently, Iwata et al. [10] provided an improved result on the characteristics of five rounds, which allows us to distinguish super-pseudorandomness of the MISTY-type transformation the five-round cipher from a randomly chosen permutation. by proving that the second round permutation in the five-round Recently, Patarin [16] also discussed a generic distinguishing MISTY-type transformation did not need to be cryptographic at attack on five-round Feistel-type permutations. This all. distinguishing attack can be applied to KASUMI since the The overall structure of KASUMI [11] is of a Feistel-type, round functions FO and FL are permutations. Patarin’s attack but its round function FO is composed of a three-round requires O(23n/2) chosen plaintext/ciphertext pairs and O(23n/2) MISTY-type transformation; this is not a pseudorandom computations to distinguish a five-round 2n-bit Feistel-type function according to the result in [6]. Thus, we cannot permutation from a 2n-bit random permutation. The mixed 4n- straightforwardly apply the Luby-Rackoff result to KASUMI. bit block KASUMI-like structure, which is studied in this paper, The FO function within KASUMI has the FI function as its is different from the 2n-bit block Feistel-type structure, so the component function; it consists of a four-round unbalanced structures of Patarin’s attack and our analysis are different from MISTY-type transformation. We show that the structure of the each other. Note that the number of queries in the practical FI function is a pseudorandom permutation. Based on the distinguishing attack is exponential in its block size. This point pseudorandomness of the FI function, we prove that the three- is different from an analysis of pseudorandomness. round KASUMI-like structure is not a pseudorandom permutation, but a four-round KASUMI-like structure is a II. THE BLOCK CIPHER KASUMI pseudorandom permutation. A KASUMI-like structure is a mixed structure, while Feistel- The block cipher KASUMI [11] produces a 64-bit output type and MISTY-type transformations are compounded. In this from a 64-bit input under the control of a 128-bit key. paper, we define a KASUMI-like structure as a simplified 4n- KASUMI is a modified version of the block cipher MISTY1 bit block structure with its round functions being n-bit [5], and we can classify the structure of KASUMI into the permutations. In order to investigate the properties of the round following three stages: function, we consider a security model for adaptive • The overall structure of KASUMI is a 64-bit permutation distinguishers similar to that in the approach of Naor and composed of eight rounds of a Feistel-type permutation. The Reingold [3]. This provides more detail than previous results round function consists of a non-linear mixing function FO and such as [7] and [8]. However we consider the non-adaptive a linear mixing function FL. distinguisher model to examine the pseudorandomness of the • The FO function is a 32-bit permutation composed of overall KASUMI-like structure, since under the adaptive three rounds of a MISTY-type transformation with round distinguisher model there are so many factors involved in permutation FI. controlling a 4n-bit block structure. We found some flaws in • The FI function is a 16-bit permutation which is composed the proof of Theorem 1 of [12] and revise them in this paper. of a four-round unbalanced MISTY-type transformation Within the security architecture of the 3rd Generation obtained from the 7-bit S-box S7 and the 9-bit S-box S9. Partnership Project (3GPP) system [11], there are two standardized functions, the confidentiality function f8 and the The structure of KASUMI is depicted in Fig. 1. integrity function f9. These two functions are based on the A security evaluation of KASUMI was primarily performed block cipher KASUMI [11]. Thus, the pseudorandomness of by the 3GPP Security Algorithms Group of Experts (SAGE) KASUMI is the main assumption on which to examine the [17]. The general conclusion of [17] was that KASUMI is provable security of f8 and f9 [13], [14]. The results of this based on sound design principles and no practical attacks were paper provide support for this assumption. found. We believe that the notion of pseudorandomness is An analysis of pseudorandomness does not directly lead to theoretical evidence of the soundness of the basic structure of a an attack or a proof of security for the block cipher itself, since block cipher. However there was no mention in [17] about the the security is asymptotically evaluated in terms of its block pseudorandomness criteria. This provided the motivation of size, and the attacker's information is limited to a number of our study, in which we examine the pseudorandomness of the queries and computational time that is polynomial in its block block structures used in KASUMI.

90 Ju-Sung Kang et al. ETRI Journal, Volume 25, Number 2, April 2003 32 32 RK1 16 16 9 7 FL FO KO S9 RK2 FI KI zero-extend FO FL

S7 RK3 truncate KO FL FO FI KI KI RK4

FO FL S9 zero-extend KO RK5 FI KI FL FO S7 truncate RK6

FO FL

RK7

FL FO 16 16

RK8 KL1 KL2 FO FL

Fig. 1. Structure of KASUMI.

Kühn [18] showed that KASUMI with six rounds can be computationally unbounded distinguisher with an oracle O . breakable by impossible differential attack with complexity of The oracle O chooses randomly a permutation π from the 255 data and 2100 times, which is less than an exhaustive search. UPE Ωn or from a permutation ensemble Λ n ⊂ Ωn . For an Kühn’s attack shows that KASUMI with six rounds is not n-bit block cipher, Λ n is the multiset of permutations practically secure, whereas we theoretically show that the determined by all the secret keys. Since two or more different simplified KASUMI with four rounds is pseudorandom where keys may define the same permutation, here we use the term the number of queries is polynomially bounded. multiset in which some elements can be found two or more times. The purpose of the distinguisher D is to distinguish III. PRELIMINARIES FOR whether the oracle O implements the UPE Ωn or Λ n . PSEUDORANDOMNESS Definition 2. Let D be a distinguisher, Ωn be the UPE, Let I denote the set of all n-bit strings and Ω be the set n n and Λ n be a permutation ensemble obtained from a block of all permutations from I to itself where n is a positive n cipher. Then the advantage ADVD of D is defined by integer, that is, Ωn = {π : I n → I n | π is a bijection }. We define an n-bit perfect random permutation as a uniformly ADV = Pr(D outputs 1 O ← Ω ) D n drawn element of Ωn . − Pr(D outputs 1 O ← Λ n ) ,

Definition 1. Ωn is called the uniform permutation ensemble (UPE) if all permutations in Ωn are uniformly where O ← Ωn and O ← Λ n denote that O implements distributed, that is, for any permutation π ∈ Ωn , Ωn and Λ n , respectively. n Pr(π ) = 1 (2 !). Assume that the distinguisher D is restricted to make at We consider the following security model. Let D be a most poly(n) queries to the oracle O , where poly(n) is

ETRI Journal, Volume 25, Number 2, April 2003 Ju-Sung Kang et al. 91 some polynomial in n. We call D a pseudorandom the pseudorandomness of Feistel-type and MISTY-type distinguisher if it queries x and the oracle answers y = π (x) , transformations. Note that a pseudorandom function ensemble where π is a randomly chosen permutation by O . We say (PFE) can be similarly defined as in Definition 4 by that D is a super-pseudorandom distinguisher if it is a considering a function space instead of a permutation space. pseudorandom distinguisher and it also can make a query −1 • F F is not a 2n-bit PPE and F F F is not a y and receives x = π (y) from the oracle O. f 2 o f1 f3 o f 2 o f1 2n-bit SPPE, even if all f 's ( i = 1,2,3 ) are independently Definition 3. A function h : N → ℜ is called negligible if i chosen from an n-bit PFE [1]. for any constant c > 0 and all sufficiently large n ∈ N , c • F F F is a 2n-bit PPE and F F F F h(n) < 1 n . f3 o f 2 o f1 f 4 o f3 o f 2 o f1 is a 2n-bit SPPE if all f 's ( i = 1,2,3,4 ) are independently Definition 4. Let Λ be an efficiently computable i n chosen from an n-bit PFE [1]. permutation ensemble. Then Λ n is called a pseudorandom • M M M is not a 2n-bit PPE and f3 o f 2 o f1 permutation ensemble (PPE) if ADVD is negligible for any M M M M is not a 2n-bit SPPE, even if each pseudorandom distinguisher D. f 4 o f3 o f 2 o f1

fi (i = 1,2,3,4 ) is chosen independently from an n-bit PPE [6], [7]. Definition 5. Let Λ n be an efficiently computable • M M M M is a 2n-bit PPE and permutation ensemble. Then we call Λ a super- f 4 o f3 o f 2 o f1 n M M M M M is a 2n-bit SPPE, where all f5 o f 4 o f3 o f 2 o f1 pseudorandom permutation ensemble (SPPE) if ADVD is negligible for any super-pseudorandom distinguisher D . fi 's ( i = 1,2,3,4,5 ) are independently chosen from an n-bit PPE [7]-[9]. In Definition 4 and 5, a permutation ensemble is efficiently computable if all permutations in the ensemble can be We first show that the structure of the FI function of computed efficiently. See [3] for a rigorous definition of this. It KASUMI is a PPE by examining the pseudorandomness of an is reasonable to assume that Λ n is an efficiently computable unbalanced MISTY-type transformation. Second, on the basis permutation ensemble if it is obtained from an n-bit block of the first result, we prove that a three-round KASUMI-like cipher. Hence we assume that any permutation ensemble structure is not a PPE but a four-round KASUMI-like structure obtained from a block cipher is efficiently computable. Now is a PPE. Note that the structure of the FO function of we define a family of permutations to be (q,a) -secure in KASUMI is not a PPE, so it seems that unlike the Luby- order to make a clear description of our results. Rackoff cipher, the three-round Feistel-type permutation of a KASUMI-like structure is not a PPE. Since the FL function is Definition 6. Let Λ be an efficiently computable n used to mix in the round key, we consider in this paper a permutation ensemble. Then Λ is a (q,a) -secure PPE, if n simplified version of KASUMI without the FL function. the distinguisher D asks at most q queries, which are restricted to ADVD ≤ a . We define two transformations, Feistel-type and MISTY- IV. PSEUDORANDOMNESS OF THE type, which are obtained from two representative structures of UNBALANCED MISTY-TYPE TRANSFORMATION current block ciphers. Let Ψn denote the set of all functions from I n to itself. We say f is an n-bit function (resp. We describe two simple but useful lemmas, the proofs of permutation) where f ∈ Ψn (resp. f ∈ Ωn ). which are given in [8]. Definition 7. For any n-bit function f ∈ Ψ , the 2n-bit n Lemma 1. Let π be a permutation chosen from the UPE Feistel-type permutation Ff ∈ Ω2n is defined by Ωn . Then for any x1 ≠ x2 , y ∈ I n ,

F (L, R) = (R, L ⊕ f (R)), n f 1 (2 −1) if y ≠ 0, Pr(π (x1 ) ⊕π (x2 ) = y) =  0 otherwise. where L, R ∈ I n . 

Definition 8. For any n-bit function f ∈ Ωn , the 2n-bit Lemma 2. Let π 1 and π 2 be two permutations MISTY-type permutation M f ∈ Ω2n is defined by independently chosen from the UPE Ωn . Then for any

a,b,c,d, y ∈ I n , M f (L, R) = (R, f (L) ⊕ R), 1 where L, R ∈ I . Pr(π 1 (a) ⊕π 1 (b) ⊕π 2 (c) ⊕π 2 (d) = y) < n−1 , n 2 Now we can formally describe several important results on for n ≥ 2 .

92 Ju-Sung Kang et al. ETRI Journal, Volume 25, Number 2, April 2003 Now we define two unbalanced MISTY-type transformations Definition 11. D is called an adaptive pseudorandom (1) (1) (q) (q) in order to examine accurately the pseudorandomness of the FI distinguisher if it has a transcript {(x , y ),K,(x , y )} function. and a function CD of the D -transcript such that for every Definition 9. Let n and m be two positive integers such 2 ≤ i ≤ q , that m ≤ n . Then for any n-bit permutation f and m-bit x(i) = C ({(x (1) , y (1) ), ,(x(i−1) , y (i−1) )}) permutation g , two (n + m) -bit unbalanced MISTY-type D K ˆ transformations M f ∈ Ωn+m and M g ∈ Ωn+m are defined (1) (1) (q) (q) and the output of D = CD ({(x , y ),K,(x , y )}) . for any (L, R) ∈ I n × I m , Under the adaptive distinguisher model, the i-th query of D by M (L, R) = (R, f (L) ⊕ R) ∈ I × I , f m n is determined by the first i–1 query-answer pairs and D’s output is a function of its transcript. Throughout this paper we and for any (L, R) ∈ I × I , m n assume that all queries are distinct. ˆ ˆ For the proof of Theorem 1, we consider an (n + m)-bit by M g (L, R) = (R, g(L) ⊕ R) ∈ I n × I m (i) ensemble Bn+m on the i-th query x ∈ I n+m of D , when where for any n-bit vector x , xˆ denotes the m-bit value the oracle O implements Bn+m , its corresponding answer (i) (i) (i) obtained by discarding the n-m leftmost bits and for any m-bit y = (yL , yR ) ∈ I n × I m is as follows: vector y , y denotes the n-bit value obtained by adding n-m 1. y (i) is the uniformly chosen (n+m)-bit vector under the zero bits to the left. (i) ( j) condition that y ≠ y for all 1 ≤ j < i . (i) ( j) (i) ( j) (i) (i) ( j) ( j) Note that the FI function of KASUMI can be represented as 2. yL ≠ yL , yL ≠ yL , and yˆ L ⊕ yR ≠ yˆ L ⊕ yR a 16-bit permutation Mˆ M Mˆ M , where f , f f 4 o f3 o f 2 o f1 1 3 for all 1 ≤ j < i . are 9-bit permutations and f 2 , f 4 are 7-bit permutations. We (1) (1) (q) (q) define the permutation ensemble based on the FI function as Definition 12. Let σ = {(x , y ),K,(x , y )} be a follows. D -transcript. (i) σ is called separately distinct if y (i) ≠ y ( j) and Definition 10. Λ n+m is the (n + m)-bit permutation L L (i) ( j) ensemble obtained from the four-round unbalanced MISTY- yL ≠ yL for all 1 ≤ i ≠ j ≤ q . (i) (i) ( j) ( j) type transformation Mˆ M Mˆ M , where (ii) σ is called XOR-distinct if yˆ L ⊕ yR ≠ yˆ L ⊕ yR f 4 o f3 o f 2 o f1 for all 1 ≤ i ≠ j ≤ q . f1, f3 ∈ Ωn and f 2 , f 4 ∈ Ωm are independently chosen from the n-bit and m-bit UPEs, respectively. Note that the UPE Ωn+m can provide answers that are not The pseudorandomness of the FI function is guaranteed by separately distinct or not XOR-distinct, but Bn+m always the following theorem. provides answers that are separately distinct and XOR-distinct. Theorem 1. Let for any positive integers n and m with We first prove that the advantage of D in distinguishing

2 ≤ m ≤ n , f1, f3 ∈ Ωn , and f 2 , f 4 ∈ Ωm be independently between the process UPE Ωn+m and the process Bn+m is chosen from two n-bit and m-bit PPEs, respectively. Then the negligible. The next step of the proof will be an estimation for four-round unbalanced MISTY-type transformation the advantage of D in distinguishing between the process Mˆ M Mˆ M is a (q,a) -secure PPE, where B and the process Λ . Now we consider the different f 4 o f3 o f 2 o f1 n+m n+m distributions on the transcript of D induced by different q 2 − q  3 12  a =  + . ensembles which are implemented by the oracle O . 2  2n−1 2m −1 Definition 13. T , T , and T are defined by the Ωn+m Bn+m Λ n+m following random variables: T is the D-transcript when Recall that a pseudorandom distinguisher D can make a Ωn+m the oracle O implements the UPE Ω , T is the D- query x and the oracle O answers y = π (x) , where π n+m Bn+m transcript when the oracle O implements B , and T is a randomly chosen permutation by O . Now we assume that n+m Bn+m D makes exactly q queries and refer to the sequence is the D-transcript when the oracle O implements Λ n+m , (1) (1) (q) (q) respectively. {(x , y ),K,(x , y )} of all query-answer pairs as the D -transcript, where q = poly(n) . We consider the following The following lemma confirms that the advantage of D in adaptive pseudorandom distinguisher. distinguishing between the process UPE Ωn+m and the

ETRI Journal, Volume 25, Number 2, April 2003 Ju-Sung Kang et al. 93 process Bn+m is small enough. distinguishing between Bn+m and Λ n+m is also small enough. Lemma 3. To prove this fact, we first formally define a bad event and estimate its probability. | Pr(C (T ) = 1) − Pr(C (T ) = 1) | D Ωn+m D Bn+m Definition 14. For any n-bit permutation f1 and m-bit q 2 − q 1 2   permutation f , BAD( f , f ) is defined as the set of all <  n + m . 2 1 2 2  2 −1 2 −1 (1) (1) (q) (q) D-transcripts σ = {(x , y ),K,(x , y )} satisfying, Proof. Let G(T ) be the event of T being separately for some 1 ≤ i ≠ j ≤ q , Ωn+m Ωn+m distinct and XOR-distinct. Then for any separately distinct and (i) (i) ( j) ( j) XOR-distinct D-transcript σ , f1 (xL ) ⊕ xR = f1 (xL ) ⊕ xR

n+m or (2 − q)! Pr(TΩ = σ | G(TΩ )) = n+m n+m n+m 2 ! (i) ˆ (i) (i) ( j) ˆ ( j) ( j) f 2 (xR ) ⊕ f1 (xL ) ⊕ xR = f 2 (xR ) ⊕ f1 (xL ) ⊕ xR and or 1 Pr(T = σ ) = . y (i) ⊕ f (x(i) ) ⊕ f (x (i) ) ⊕ x (i) Bn+m 2n+m (2n+m −1) (2n+m − q +1) L 2 R 1 L R L ( j) ( j) ( j) ( j) = yL ⊕ f 2 (xR ) ⊕ f1 (xL ) ⊕ xR , Hence the distribution of T conditioned on T Ωn+m Ωn+m being separately distinct and XOR-distinct is exactly the (i) (i) (i) where x = (xL , xR ) ∈ I n × I m for all 1 ≤ i ≤ q. distribution of T . Furthermore, we can estimate the Bn+m c probability of the event G(T ) , the complement of Lemma 4. Let f1 and f 2 be chosen independently from Ωn+m UPE Ωn and UPE Ωm , respectively. Then for any D- G(TΩ ) , as follows: n+m (1) (1) (q) (q) transcript σ = {(x , y ),K,(x , y )} and n ≥ m ≥ 2, c Pr(G(TΩ n + m ) ) (i) ( j) (i) ( j) 1 1 = Pr y = y or y = y or 2   ( L L R R Pr(σ ∈ BAD( f1, f 2 )) < (q − q) n + m−1 . (i) (i) ( j) ( j)  2 2  yˆ L ⊕ yR = yˆ L ⊕ yR for some 1 ≤ i ≠ j ≤ q) ≤ {Pr(y (i) = y ( j) ) + Pr(y (i) = y ( j) ) ∑ L L R R Proof. By definition, σ ∈ BAD( f1, f 2 ) if there exists i≠ j (i) (i) ( j) ( j) 1 ≤ i ≠ j ≤ q such that + Pr(yˆ L ⊕ yR = yˆ L ⊕ yR )} q 2m −1 2n −1 2n −1  f (x(i) ) ⊕ x (i) = f (x ( j) ) ⊕ x ( j) = + + 1 L R 1 L R   n+m n+m n+m  2 2 −1 2 −1 2 −1 or q 2 − q 1 2 <  + .  n m  (i) ˆ (i) (i) ( j) ˆ ( j) ( j) 2  2 −1 2 −1 f 2 (xR ) ⊕ f1 (xL ) ⊕ xR = f 2 (xR ) ⊕ f1 (xL ) ⊕ xR

Therefore the assertion follows by or

y (i) ⊕ f (x(i) ) ⊕ f (x (i) ) ⊕ x (i) | Pr(C (T ) = 1) − Pr(C (T ) = 1) | L 2 R 1 L R D Ωn+m D Bn+m = y ( j) ⊕ f (x ( j) ) ⊕ f (x ( j) ) ⊕ x ( j) . ≤ Pr(G(T )) L 2 R 1 L R Ωn+m ⋅ Pr(C (T ) = 1G(T )) − Pr(C (T ) = 1) D Ωn+m Ωn+m D Bn+m For any fixed i ≠ j , we estimate probabilities of these three + Pr(G(T )c ) events. We have the following three cases. Ωn+m (i) ( j) (i) ( j) c Case 1: xL ≠ xL and xR = xR . Since f1 is a ⋅ Pr(CD (TΩ ) = 1G(TΩ ) ) − Pr(CD (TB ) = 1) n+m n+m n+m permutation, ≤ Pr(G(T )c ) Ωn+m 2 (i) (i) ( j) ( j) q − q 1 2 Pr( f1 (xL ) ⊕ xR = f1 (xL ) ⊕ xR ) <  + .  n m  (i) ( j) 2  2 −1 2 −1 = Pr()f1 (xL ) = f1 (xL ) = 0.

We now have to show that the advantage of D in Observe that, by a similar result to Lemma 1,

94 Ju-Sung Kang et al. ETRI Journal, Volume 25, Number 2, April 2003 (i) ˆ (i) (i) since n ≥ m ≥ 2 . If y (i) = y ( j) , by Lemma 2, the probability Pr( f 2 (xR ) ⊕ f1 (xL ) ⊕ xR L L ( j) ˆ ( j) ( j) of the third event is estimated as = f 2 (xR ) ⊕ f1 (xL ) ⊕ xR ) ˆ (i) ˆ (i) Pr f (x(i) ) ⊕ f (x ( j) ) ⊕ f (x (i) ) ⊕ f (x( j) ) = x (i) ⊕ x ( j) = Pr( f1 (xL ) = f1 (xL )) ( 1 L 1 L 2 R 2 R R R ) n−m n n−m 1 n 2 ⋅(2 − 2)! 2 < . = 2 ⋅ = . m−1 2n! 2n −1 2 (i) ( j) (i) ( j) If yL ≠ yL , the probability of the third event is also bounded If yL = yL , then above by 1/ 2m−1. (i) (i) (i) (i) Therefore, for any case, we obtain that Pr(yL ⊕ f 2 (xR ) ⊕ f1 (xL ) ⊕ xR ( j) ( j) ( j) ( j) = yL ⊕ f 2 (xR ) ⊕ f1 (xL ) ⊕ xR ) (i) (i) ( j) ( j) 1 Pr( f1 (xL ) ⊕ xR = f1 (xL ) ⊕ xR ) < , (i) ( j) 2n−1 = Pr( f1 (xL ) = f1 (xL )) = 0. (i) ˆ (i) (i) (i) ( j) Pr(f 2 (xR ) ⊕ f1 (xL ) ⊕ xR Otherwise, that is, if yL ≠ yL , by Lemma 1, = f (x ( j) ) ⊕ fˆ (x ( j) ) ⊕ x( j) ) Pr(y (i) ⊕ f (x(i) ) ⊕ f (x (i) ) ⊕ x (i) 2 R 1 L R L 2 R 1 L R 1 ( j) ( j) ( j) ( j) = y ⊕ f (x ) ⊕ f (x )⊕ x < m−1 , L 2 R 1 L R ) 2 (i) ( j) (i) ( j) = Pr( f1 (xL ) ⊕ f1 (xL ) = yL ⊕ yL ) and 1 Pr(y (i) ⊕ f (x(i) ) ⊕ f (x(i) ) ⊕ x (i) = . L 2 R 1 L R 2n −1 ( j) ( j) ( j) ( j) = yL ⊕ f 2 (xR ) ⊕ f1 (xL ) ⊕ xR ) Case 2: x(i) = x ( j) and x(i) ≠ x( j) . In this case the 1 L L R R < . (i) ( j) m−1 probability of the first event is equal to Pr()xR = xR = 0 . By 2 Lemma 1, the probability of the second event is estimated as Hence q 1 2  Pr(σ ∈ BAD( f1, f 2 )) <   n−1 + m−1  (i) ( j) (i) ( j) 1  2 2 2  Pr( f 2 (xR ) ⊕ f 2 (xR ) = xR ⊕ xR ) = m . 2 −1 1 1 = (q 2 − q) + .  n m−1  (i) ( j)  2 2  If yL = yL , the probability of the third event is also equal to Throughout this section we assume that n ≥ m ≥ 2 for the sake of freely using Lemma 4. (i) ( j) (i) ( j) 1 Lemma 5. For any XOR-distinct D-transcript Pr( f 2 (xR ) ⊕ f 2 (xR ) = xR ⊕ xR ) = . 2m −1 (1) (1) (q) (q) σ = {(x , y ),K,(x , y )} , Otherwise, the probability of the third event is equal to Pr(T = σ | σ ∉ BAD( f , f )) = Pr(T = σ ). Λ n+m 1 2 Bn+m Pr f (x(i) ) ⊕ f (x( j) ) = x (i) ⊕ x ( j) ⊕ y (i) ⊕ y ( j) ()2 R 2 R R R L L Proof. For any XOR-distinct D-transcript σ , we obtain that 1 1 = ⋅ . 2m −1 2n−m 1 Pr()TBn+m = σ = n n n 2 (2 −1)L(2 − q +1) Case 3: x(i) ≠ x( j) and x(i) ≠ x( j) . By Lemma 1, the L L R R 1 probability of the first event is estimated as ⋅ m m m . 2 (2 −1)L(2 − q +1)

(i) ( j) (i) ( j) 1 Pr( f (x ) ⊕ f (x ) = x ⊕ x ) = . Consider any specific n-bit permutation f1 and m-bit 1 L 1 L L L 2n −1 permutation f 2 such that σ ∉ BAD( f1, f 2 ). Note that T = σ if and only if for all 1 ≤ i ≤ q , y (i) = Λ (x(i) ). Similarly, by Lemma 2, the probability of the second event is Λ n+m n+m also estimated as Since Λ = Mˆ M Mˆ M , ˆ (i) ˆ ( j) (i) ( j) (i) ( j) n+m f 4 o f3 o f 2 o f1 Pr(f1 (xL ) ⊕ f1 (xL ) ⊕ f 2 (xR ) ⊕ f 2 (xR ) = xR ⊕ xR ) y (i) = Λ (x(i) ) ⇔ f (L(i) ) = y (i) ⊕ R (i) ∈ I 1 n+m 3 2 L 2 n < m−1 , (i) (i) (i) 2 and f 4 (R2 ) = yL ⊕ yR ∈ I m ,

ETRI Journal, Volume 25, Number 2, April 2003 Ju-Sung Kang et al. 95 where (L(i) , R (i) ) = Mˆ M (x (i) , x(i) ). By definition of 2 2 f 2 o f1 L R {}Pr()()T = σ − Pr T = σ (i) ( j) ∑ Bn+m Λ n+m BAD( f1, f 2 ), if σ ∉ BAD( f1, f 2 ), then L2 ≠ L2 , σ∈Θ (i) ( j) (i) (i) ( j) ( j) R2 ≠ R2 , and yL ⊕ R2 ≠ yL ⊕ R2 , for all ≤ ∑ Pr()σ ∉ BAD( f1, f 2 ) (i) (i) ( j) ( j) σ∈Θ 1 ≤ i ≠ j ≤ q. Moreover, yˆ L ⊕ yR ≠ yˆ L ⊕ yR for all ⋅ Pr(T = σ |σ ∉ BAD( f , f ))(− Pr T = σ ) (3) XOR-distinct σ. Therefore, for any XOR-distinct σ , we Λ n+m 1 2 Bn+m obtain that + Pr T = σ ,σ ∈ BAD( f , f ) (4) ∑ ( Λ n+m 1 2 ) σ∈Θ Pr(T = σ |σ ∉ BAD( f , f )) Λ n+m 1 2 + Pr(σ ∈ BAD( f , f ))⋅Pr T = σ . (5) ∑ 1 2 ()Bn+m (2n − q)! (2m − q)! σ∈Θ = n ⋅ m , 2 ! 2 ! By Lemma 5, the term (3) is zero and by Lemma 4, the which completes the assertion. value of (5) is bounded by The next lemma guarantees that the advantage of D in max Pr(σ ∈ BAD( f1, f 2 ))⋅Pr( ∪ {TB = σ}) distinguishing between B and Λ is negligible. σ∈Θ σ∈Θ n+m n+m n+m 2  1 1  Lemma 6. < (q − q) + .  2n 2m−1  Pr()()C (T ) = 1 − Pr C (T ) = 1 D Bn+m D Λ n+m By Lemma 4, the value of (4) is also estimated as 2  1 5  < (q − q) + . 2n−1 2m Pr T = σ ,σ ∈ BAD( f , f )   ∑ ( Λ n+m 1 2 ) σ∈Θ Proof. Let Θ be the set of all XOR-distinct D-transcripts = Pr()T = σ ⋅ Pr(σ ∈ BAD( f , f ) T = σ ) ∑ Λ n+m 1 2 Λ n+m σ∈Θ σ such that the output of D is CD (σ ) = 1. Then we 2  1 1  obtain that < (q − q) + ,  2n 2m−1  Pr()C (T ) = 1 − Pr(C (T ) = 1) D Bn+m D Λ n+m (1) since we can easily check that under the condition that ≤ {Pr()TB = σ − Pr ()T Λ = σ } T = σ , the probability of event σ ∈ BAD( f , f ) has ∑ n+m n+m Λ n+m 1 2 σ∈Θ the same upper bound as Lemma 4. + Pr(T is not XOR-distinct) . (2) Λ n+m Proof of Theorem 1: By using Lemma 3 and 6, we complete the proof as follows:

We first estimate the term (2). Note that TΛ is not XOR- n+m ADV = Pr(C (T ) = 1)(− Pr C (T ) = 1 ) distinct if and only if for some 1 ≤ i ≠ j ≤ q, D D Λ n+m D Ωn+m yˆ (i) ⊕ y (i) = yˆ ( j) ⊕ y ( j) , where ≤ Pr()()C (T ) = 1 − Pr C (T ) = 1 L R L R D Λ n+m D Bn+m

(i) (i) (i) (i) + Pr()()C (T ) = 1 − Pr C (T ) = 1 D Bn+m D Ωn+m Λ n+m (x ) = y = (yL , yR ) ∈ I n × I m . q 2 − q  3 12  <  + . Now we can see that 2  2n−1 2m −1

yˆ (i) ⊕ y (i) = yˆ ( j) ⊕ y ( j) ⇔ f (R (i) ) = f (R ( j) ) L R L R 4 2 4 2 ⇔ R (i) = R ( j) . V. PSEUDORANDOMNESS OF THE 2 2 SIMPLIFIED KASUMI From the proof of Lemma 4, we know that From Theorem 1, it is reasonable to assume that the FI 1 function of KASUMI is a PPE. In order to investigate the Pr(R (i) = R ( j) ) = . 2 2 2m−1 pseudorandomness of KASUMI, we use a simplified figure of KASUMI. The four-round simplified KASUMI is illustrated in Thus r Fig. 2, where x = (x1, x2 , x3 , x4 ) denotes a 4n-bit input value, 1 Pr(T is not XOR-distinct) < (q 2 − q)⋅ . r r Λ n+m m y = (y , y , y , y ), w = (w , w , w , w ), 2 1 2 3 4 1 2 3 4 r On the other hand, the term (1) is bounded above as follows: and z = (z1, z2 , z3 , z4 ) denotes the corresponding output of

96 Ju-Sung Kang et al. ETRI Journal, Volume 25, Number 2, April 2003 (1) (2) (3) (4) x1 x2 x3 x4 y3 ⊕ y3 ⊕ y3 ⊕ y3 = 0.

If the oracle implements the UPE Ω4n , then we obtain that

f1 f2 f3 Pr(D outputs 1O ← Ω4n ) 24n (24n −1)(24n − 2)23n (24n − 4)! = 24n! 23n 1 = < . f f f 4n n 4 5 6 2 − 3 2 −1

On the other hand, if O implements Λ 4n , then for the four w r (1) r (2) r (3) r (4) w1 w2 w3 4 queries x , x , x , and x , we can see from Fig. 2 that

(1) y3 = x1 ⊕ f 4 (α1 ) ⊕ f5 (α 2 ) ⊕α 2 , (2) f f f y3 = x1 ⊕ f 4 (α1 ⊕ x3 ) ⊕ f5 (α 2 ) ⊕α 2 , 7 8 9 (3) y3 = x1 ⊕ f 4 (α1 ) ⊕ f5 (α 2 ⊕ x4 ) ⊕α 2 ⊕ x4 , (4) y3 = x1 ⊕ f 4 (α1 ⊕ x3 ) ⊕ f5 (α 2 ⊕ x4 ) ⊕α 2 ⊕ x4 , y4 y1 y2 y3

where (α1,α 2 ) is the 2n-bit output of the first-round function

corresponding to the input (x1, x2 ) . Hence we obtain by an f f f 10 11 12 argument similar to that of Sakurai and Zheng [6] that

(1) (2) (3) (4) y3 ⊕ y3 ⊕ y3 ⊕ y3 = 0 z2 z z z1 3 4 with probability 1. Consequently we obtain that Fig. 2. Simplified four-round KASUMI.

ADVD = Pr(D outputs 1| O ← Ω 4n ) the second, third, and fourth round of KASUMI, respectively. − Pr(D outputs 1| O ← Λ 4n ) Each xi , wi , yi , and zi is an n-bit value. By the following theorem, we obtain the fact that three 1 > 1− n , rounds of KASUMI is insufficient to be a PPE. 2 −1 Theorem 2. The three-round simplified KASUMI is not a which is non-negligible.

4n-bit PPE even if the fi ’s (i = 1,K,9) of Fig. 2 are At this point, we consider the non-adaptive distinguisher independently chosen from an n-bit PPE. security model, which is diff erent from the one in section IV. Proof. Let Λ be the set of all permutations over I The non-adaptive distinguisher sends all queries to the oracle at 4n 4n the same time, whereas the adaptive distinguisher determines obtained from the three-round simplified KASUMI. Consider the i-th query from the first i–1 query-answer pairs. We have a distinguisher D such as follows: experienced that under the adaptive distinguisher model, there 1. D chooses four 4n-bit queries xr (1) , xr (2) , xr (3) , and xr (4) are many factors involved in controlling a 4n-bit block such that structure. The following theorem guarantees that KASUMI with four or more rounds is a pseudorandom permutation xr (1) = (x , x ,0,0), xr (2) = (x , x , x ,0), 1 2 1 2 3 ensemble under the security model with a non-adaptive r (3) r (4) x = (x1, x2 ,0, x4 ), x = (x1, x2 , x3 , x4 ), distinguisher.

Theorem 3. If fi ’s (i = 1,2,K,12) in Fig. 2 are where x1 and x2 are two fixed n-bit values and independently chosen from an n-bit PPE, then the four-round x3 ≠ 0 ≠ x4 . simplified KASUMI is a (q,a)-secure PPE, where 2. D sends these four queries to the oracle O and a = (q 2 − q) 2n . receives the corresponding answers Proof. Assume that fi ’s are independently chosen from the r (i) (i) (i) (i) (i) y = (y1 , y2 , y3 , y4 ) (i = 1,2,3,4 ) from the oracle. UPE Ωn . It suffices to prove the assertion under this

3. D outputs 1 if and only if assumption [1]. Let Λ 4n be the set of all permutations over

ETRI Journal, Volume 25, Number 2, April 2003 Ju-Sung Kang et al. 97 I 4n obtained from the simplified four-round KASUMI. x2 → f 2 → f 4 → f 6 → w2 . Suppose that the distinguisher D makes q calls to the Then we can see that w(i) and w( j) are completely oracle O . In the i-th oracle call, D sends a 4n-bit query 2 2 random. By considering the path x → f → f → w , we xr (i) = (x(i) , x(i) , x (i) , x (i) ) to O and receives the 2 2 5 1 1 2 3 4 also know that w(i) and w( j) are completely random. corresponding output 1 1 Hence we obtain that zr (i) = (z (i) , z (i) , z (i) , z (i) ) = π (x(i) , x(i) , x (i) , x (i) ), 1 2 3 4 1 2 3 4 (i) (i) 1 (i) (i) 1 Pr(w1 = w1 ) ≤ n and Pr(w2 = w2 ) ≤ n . where π is the randomly chosen permutation by O from 2 2

Ω4n or Λ 4n . (i) ( j) Case 3: x3 ≠ x3 . By considering the path Let A denote the event that the j-th block of the output of w j (1) (q) x → f → f → w , two-round KASUMI w j ,K, w j is all distinct for 3 4 6 2 j = 1,2,3,4 (Fig. 2). If A occurs, then we can see that w1 we can see that w(i) and w( j) are completely random. z (1) , , z (q) are completely random since the output of f 2 2 4 K 4 7 And by considering the path x → f → w , we also and f is completely random. Furthermore we also see that 3 4 1 9 obtain that w(i) and w( j) are completely random. Hence z (1) , , z (q) are completely random because the output of 1 1 1 K 1 we obtain that f11 is also completely random. Similarly, if Aw occurs, then 2 (i) (i) 1 (i) (i) 1 (1) (q) (1) (q) Pr()w1 = w1 ≤ n and Pr()w2 = w2 ≤ n . z3 ,K, z3 and z2 ,K, z2 are completely random due to 2 2 f and f , respectively. Therefore, if A and A occur, 8 10 w1 w2 (i) ( j) Case 4: x4 ≠ x4 . Consider the path x4 → f5 → w1. then ADVD is bounded above as follows: (i) ( j) Then w1 and w1 are completely random. Thus

ADVD ≤ 1− Pr(Aw ∩ Aw ) 1 2 (i) (i) 1 (i) ( j) (i) ( j) Pr()w1 = w1 ≤ n ≤ ∑Pr()w1 = w1 ) + ∑ Pr(w2 = w2 . 2 1≤i< j≤q 1≤i< j≤q holds. Similarly we obtain that (i) (i) We estimate the summands Pr()w1 = w1 and (i) (i) 1 (i) (i) Pr()w2 = w2 ≤ n , Pr()w2 = w2 for any 1 ≤ i ≠ j ≤ q . Fix 2

r (i) (i) (i) (i) (i) by considering the path x → f → w . x = (x1 , x2 , x3 , x4 ) 4 5 1 and Therefore, for any case, we obtain that

r ( j) ( j) ( j) ( j) ( j) x = (x , x , x , x ) (i) (i) 1 (i) (i) 1 1 2 3 4 Pr()w = w ≤ and Pr()w = w ≤ . 1 1 2n 2 2 2n arbitrarily. We separate the following four cases. n This implies that ADVD ≤ q(q −1) 2 . (i) ( j) Case 1: x1 ≠ x1 . In this case by considering the two paths VI. CONCLUSION

x1 → f1 → f3 → f5 → w1 In this work we examined the pseudorandomness of the and 3GPP block cipher KASUMI. We have proved that the structure of the FI function within a KASUMI composed of a x1 → f1 → f 4 → f6 → w2 , four-round unbalanced MISTY-type structure is a we obtain that pseudorandom permutation under a security model with an adaptive distinguisher. We have shown that the simplified 1 1 Pr(w(i) = w(i) ) ≤ and Pr(w(i) = w(i) ) ≤ , KASUMI with three rounds is not a pseudorandom 1 1 2n 2 2 2n permutation ensemble, but a four-round simplified KASUMI is since for any n-bit vector b , Pr(a ⊕ a = b) = 1 2n , where a pseudorandom permutation ensemble under a non-adaptive 1 2 distinguisher model. Under an adaptive distinguisher model it a and a are randomly chosen n-bit vectors. 1 2 is necessary to consider many factors to control a 4n-bit block (i) ( j) Case 2: x2 ≠ x2 . Consider the path structure. Thus, we set aside the pseudorandomness of the

98 Ju-Sung Kang et al. ETRI Journal, Volume 25, Number 2, April 2003 KASUMI-like structure as an open problem. [11] 3G TS 35.201, Specification of the 3GPP Confidentiality and The results of this paper disclose the soundness of the basic Integrity Algorithm; Document 1: f8 and f9 specifications, block structure of KASUMI from the viewpoint of available at http://www.3gpp.org. pseudorandomness. Within the security architecture of the [12] J.S. Kang, S.U. Shin, D.W. Hong, and O.Y. Yi, “Provable Security 3GPP system there are two standardized functions, the of KASUMI and 3GPP Encryption mode f8,” ASIACRYPT 2001, LNCS 2248, Springer-Verlag, 2001, pp. 255-271. confidentiality function f8 and the integrity function f9. These [13] M. Bellare, J. Kilian, and P. Rogaway, “The Security of Cipher two functions are based on the block cipher KASUMI. Thus Block Chaining Message Authentication Codes,” Advances in the pseudorandomness of KASUMI is the main assumption on Cryptology-Crypto'94, LNCS 839, Springer-Verlag, 1994, pp. which to examine the provable security of f8 and f9. The 341-358. results of this paper provide support for this assumption. [14] M. Bellare, A. Desai, E. Jokipii, and P. Rogaway, “A Concrete Security Treatment of Symmetric Encryption: Analysis of the ACKNOWLEDGEMENTS DES Modes of Operation,” 38th Symp. on Foundations of Computer Science (FOCS), IEEE Computer Society, 1997, pp. Thanks to Tetsu Iwata for pointing out some flaws in the 394-403. proof of Theorem 1 of [12]. We also appreciate the anonymous [15] L.R. Knudsen, DEAL-A 128-Bit Block Cipher, Technical report referees’ valuable comments. 151, Univ. of Bergen, February 1998, available at http://www.ii.uib.no/\~larsr/newblock.html. [16] J. Patarin, “Generic Attacks on Feistel Schemes,” ASIACRYPT REFERENCES 2001, LNCS 2248, Springer-Verlag, 2001, pp. 222-238. [17] 3GPP SAGE, Report on the Evaluation of 3GPP Standard [1] M. Luby and C. Rackoff, “How to Construct Pseudorandom Confidentiality and Integrity Algorithms, SAGE version 2.0, 2001, Permutations and Pseudorandom Functions,” SIAM J. Comput., available at http://www.3gpp.org. vol. 17, 1988, pp. 189-203. [18] U. Kühn, “Cryptanalysis of Reduced-Round MISTY,” Advances [2] J. Patarin, “How to Construct Pseudorandom and Super in Cryptology-Eurocrypt 2001, LNCS 2045, Springer-Verlag, Pseudorandom Permutations from one Single Pseudorandom 2001, pp. 325-339. Function,” Advances in Cryptology-Eurocrypt’92, LNCS 658,

Springer-Verlag, 1992, pp. 256-266.

[3] M. Naor and O. Reingold, “On the Construction of Pseurandom Permutations: Luby-Rackoff Revisited,” J. Cryptology, vol. 12, 1999, pp. 29-66. [4] M. Matsui, “New Permutation of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis,” Fast Software Encryption, LNCS 1039, Springer-Verlag, 1996, pp. Ju-Sung Kang received the BS, MS, and PhD 205-218. degrees in mathematics from Korea University, [5] M. Matsui, “New Block Encryption Algorithm MISTY,” Fast Seoul, Korea in 1989, 1991, and 1996. He Software Encryption'97, LNCS 1267, Springer-Verlag, 1997, pp. joined ETRI in 1997, and he is currently with 54-68. the Information Security Division of ETRI. In [6] K. Sakurai and Y. Zheng, “On Non-Pseudorandomness from 2001-2002, he was a Visiting Researcher of the Block Ciphers with Provable Immunity against Linear COSIC, Research Group of Katholieke Cryptanalysis,” IEICE Trans. Fundamentals, vol. E80-A, no. 1, 1997, pp. 19-24. Universiteit Leuven in Belgium. His current research interests include [7] H. Gilbert and M. Minier, “New Results on the cryptographic algorithms and protocols. Pseudorandomness of Some Block Cipher Constructions,” FSE 2001, LNCS 2355, Springer-Verlag, 2002, pp. 248-266. Bart Preneel is a Professor in the Electrical [8] J.S. Kang, O.Y. Yi, D.W. Hong, and H.S. Cho, Engineering Department of the Katholieke “Pseudorandomness of MISTY-Type Transformations and the Universiteit Leuven in Belgium. He is also a Block Cipher KASUMI,” ACISP2001, LNCS 2119, Springer- Visiting Professor at the Ruhr-Universitaet Verlag, 2001, pp. 60-73. Bochum in Germany and at the University of [9] T. Iwata, T. Yoshino, T. Yuasa, and K. Kurosawa, “Round Security Ghent in Belgium. In 1993-1994 he was and Super-Pseudorandomness of MISTY Type Structure,” Research Fellow at the University of California FSE2001, LNCS 2355, Springer-Verlag, 2002, pp. 233-247. [10] T. Iwata, T. Yoshino, and K. Kurosawa, “Non-Cryptographic at Berkeley. He heads the COSIC Research Group. He is the Vice Primitive for Pseudorandom Permutation,” FSE 2002, LNCS President of the International Association of Cryptologic Research 2365, Springer-Verlag, 2002, pp. 149-163. (IACR) and Chairman of L-SEC.

ETRI Journal, Volume 25, Number 2, April 2003 Ju-Sung Kang et al. 99 Heuisu Ryu received his MS and BS degrees in mathematics from Korea University in 1990 and 1992. He received his PhD in mathematics from Johns Hopkins University in the USA in 1999. He joined ETRI in 2000 and has been working on cryptography. Currently, he is the Team Leader of the Information Security Basic Research Team and Senior Engineering Staff. His research interests are elliptic curve cryptography, information security algorithms, information security protocols, and information security in mobile environments.

Kyo Il Chung received the PhD, MS, and BS degrees in electronic engineering from Hanyang University in 1997, 1983, and 1981. He joined ETRI in 1982 and has been involved with COMSEC systems. Currently, he is a Principal Member of Engineering Staff and the Director of the Information Security Basic Department. His research interests are IC cards, biometrics and information warfare.

Chee Hang Park received the BS degree in applied physics from Seoul National University, Korea, in 1974, the MS degree from Korea Advanced Institute of Science and Technology, Korea, in 1980, and the PhD degree in computer science from University of Paris 6, France, in 1987. During the last 10 years, he has been involved as Project Leader in several large projects such as Multimedia Computer System Development and High Speed Parallel Computer System Development. His research interests include multimedia systems, distributed systems, middleware, group-ware, network virtual computing, and mobile agent architecture. He is currently the Executive Director of the Information Security Technology Division at ETRI.

100 Ju-Sung Kang et al. ETRI Journal, Volume 25, Number 2, April 2003