ETSI/SAGE Version: 1.1 Technical report Date: 6 th September 2006 Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. Document 5: Design and Evaluation Report 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. page 1 of 40 Document 5: Design and Evaluation report. Version 1.1 Document History V1.0 6th February 2006 Publication V1.1 6th September 2006 No change to the technical content at all, just removal of an unwanted page header 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. page 2 of 40 Document 5: Design and Evaluation report. Version 1.1 Reference Keywords 3GPP, security, SAGE, algorithm ETSI Secretariat Postal address F-06921 Sophia Antipolis Cedex - FRANCE Office address 650 Route des Lucioles - Sophia Antipolis Valbonne - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 X.400 c= fr; a=atlas; p=etsi; s=secretariat Internet [email protected] http://www.etsi.fr Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 2006. All rights reserved. 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. page 3 of 40 Document 5: Design and Evaluation report. Version 1.1 Contents 1 Scope ..................................................................................................................................8 2 References ..........................................................................................................................8 3 Abbreviations......................................................................................................................8 4 Structure of this report......................................................................................................10 5 Background to the design and evaluation work................................................................10 6 Summary of algorithm requirements................................................................................11 6.1 f8 – Confidentiality algorithm ..................................................................................11 6.2 f9 – Integrity algorithm.............................................................................................11 6.3 Generic requirements for 3GPP cryptographic functions and algorithms ................12 7 3GPP confidentiality and integrity algorithms .................................................................13 7.1 SNOW 3G.................................................................................................................13 7.2 Confidentiality function UEA2.................................................................................13 7.3 Integrity function UIA2 ............................................................................................14 8 Rationale for the chosen design........................................................................................16 8.1 General comments ....................................................................................................16 8.1.1 Use of AES in UMTS .................................................................................................16 8.1.2 Selection of SNOW 2.0...............................................................................................17 8.2 Design Policy of SNOW 2.0.....................................................................................17 8.3 Changes from SNOW 2.0 to SNOW 3G ..................................................................18 8.4 Choice of integrity mechanism.................................................................................18 9 Algorithm evaluation........................................................................................................18 9.1 Evaluation criteria.....................................................................................................18 9.1.1 General principles .......................................................................................................18 9.1.2 Implementation aspects...............................................................................................19 9.1.3 Mathematical evaluation.............................................................................................19 9.1.4 Statistical evaluation ...................................................................................................19 9.1.5 IPR investigations .......................................................................................................19 9.2 Principles of algorithm evaluation............................................................................19 9.2.1 Analysis of various components of SNOW 3G ..........................................................20 9.2.2 Analysis of SNOW 3G as a stream cipher ..................................................................20 9.2.3 Analysis of the encryption and integrity modes..........................................................20 9.3 Security principles of UEA2 and UIA2....................................................................21 9.3.1 Supporting arguments for the UEA2 construction......................................................21 9.3.2 Rationale behind the Construction of UIA2................................................................22 9.4 Mathematical analysis of SNOW 3G........................................................................24 9.4.1 Properties of components............................................................................................24 9.4.2 Resistance against attacks ...........................................................................................25 9.5 Implementation attacks.............................................................................................30 9.5.1 Evaluation of SNOW 3G ............................................................................................30 9.5.2 Conclusion on implementation attacks .......................................................................31 9.6 Results from complexity evaluation .........................................................................31 9.6.1 KASUMI HW performance........................................................................................32 9.6.2 SNOW HW performance............................................................................................32 9.6.3 UIA2 complexity ........................................................................................................33 9.6.4 SW performance .........................................................................................................33 9.7 Results from independent evaluation........................................................................33 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. page 4 of 40 Document 5: Design and Evaluation report. Version 1.1 9.7.1 Evaluator 1..................................................................................................................33 9.7.2 Evaluator 2..................................................................................................................35 9.8 Results from IPR investigations ...............................................................................37 9.9 Conclusion of evaluation ..........................................................................................37 10 Annex A - External references .........................................................................................39 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. page 5 of 40 Document 5: Design and Evaluation report. Version 1.1 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards" , which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://www.etsi.org/ipr). At the time of writing of this report, no information of any Intellectual Property Rights (IPRs) has been drawn to the attention neither to the Task Force nor to ETSI. See Section 9.8 of this report for further information about IPR investigations conducted by the Task Force. No guarantee can be given as to the existence of other IPRs not referenced in SR 000 314 (or the updates on the ETSI Web server (http://www.etsi.org/ipr) which are, or may be, or may become, essential to the present document. 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. page 6 of 40 Document 5: Design and Evaluation report. Version 1.1 Foreword This Report has been produced by ETSI SAGE Task Force 278 on Design of the second UMTS encryption and integrity protection algorithms UEA2 and UIA2 (SAGE TF 3GPP). The work described in this report was undertaken in response to a request made by 3GPP. Version 1 of this report was submitted to the 3GPP SA3 group in January 2006. 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. page 7 of 40 Document 5: Design and Evaluation report. Version 1.1 1 Scope This public report contains a detailed summary of the design and evaluation