TR 33.909
3G Security; Report on the design and evaluation of the MILENAGE algorithm set;
Deliverable 5: an example algorithm for the 3GPP authentication and key generation functions

3GPP‑Page ETSI‑search

V4.0.1 (Wzip) 2001/07 30 p.

Rapporteur:: Prof. Walker, Michael

full Table of Contents for TR 33.909 Word version: 4.0.1

Scope p. 6

References p. 6

Abbreviations p. 7

Structure of this report p. 8

Background to the design and evaluation work p. 8

Summary of algorithm requirements p. 9

6.1

General requirements for 3GPP cryptographic functions and algorithms p. 9

6.2

Authentication and key agreement functions p. 9

6.2.1

Implementation and operational considerations p. 9

6.2.2

Type of algorithm p. 9

6.2.2.1	f1 p. 9
6.2.2.2	f1* p. 10
6.2.2.3	f2 p. 10
6.2.2.4	f3 p. 10
6.2.2.5	f4 p. 10
6.2.2.6	f5 p. 10
6.2.2.7	f5* p. 10

Design criteria p. 11

7.1

Cryptographic Criteria p. 11

7.2

Implementation Criteria p. 11

7.3

The need for an Operator Variant Algorithm Configuration Field p. 11

7.4

Criteria for the cryptographic kernel p. 11

7.4.1	Implementation and operational considerations p. 12
7.4.2	Functional requirements p. 12
7.4.3	Types and parameters for the kernel p. 12

The 3GPP MILENAGE algorithms p. 13

Rationale for the chosen design p. 13

9.1

Block ciphers vs. hash functions p. 13

9.2

The choice of Rijndael p. 14

9.3

The MILENAGE architecture p. 15

9.3.1	Use of OP p. 15
9.3.2	Rotations and constants p. 15
9.3.3	Protection against side-channel attacks p. 15
9.3.4	The number of kernel operations p. 15
9.3.5	Mode of operation p. 15

Evaluation p. 16

10.1

Evaluation criteria p. 16

10.2

Operational Context p. 17

10.3

Analysis p. 17

10.3.1

A formal proof of the soundness of the f2-f5* construction p. 17

10.3.2

On the f1-f1* construction and its separation from f2-f5* p. 19

10.3.2.1	Soundness of the f1-f1* construction p. 19
10.3.2.2	Separation between f1-f1* and f2-f5* p. 19

10.3.3

Investigation of forgery or distinguishing attacks with 264 queries p. 20

10.3.3.1

An internal collision attack against f1 (or f1*) p. 20

10.3.3.2

Forgery or distinguishing attacks against combinations of several modes p. 21

10.3.3.2.1	Attacks against combinations of f2-f5 p. 21
10.3.3.2.2	Attacks against combinations of f1-f1* and f2-f5* p. 21

10.3.3.3

Conclusion about the identified forgery or distinguishing attacks p. 22

10.4

Statistical evaluation p. 22

10.5

Published attacks on Rijndael p. 22

10.6

Complexity evaluation p. 23

10.6.1	Complexity of draft Rijndael implementation p. 23
10.6.2	Estimate complexity of modes: p. 23
10.6.3	Estimate of total MILENAGE p. 23
10.6.4	SPA/DPA, Timing attack countermeasures p. 24
10.6.5	Conclusion on algorithm complexity p. 24

10.7

External complexity evaluations p. 24

10.8

Evaluation of side channel attacks p. 25

10.8.1

Evaluation of the kernel algorithm p. 25

10.8.1.1	Timing Attacks p. 25
10.8.1.2	Simple Power Analysis p. 25
10.8.1.3	Differential Power Analysis p. 26
10.8.1.4	Other side channels p. 26

10.8.2

Evaluation of the f1-f5 modes p. 26

10.8.2.1	Operator Constants (OP or OPc) p. 26
10.8.2.2	Rotations and constants p. 27

10.8.3

Conclusion on side channel attacks p. 27

Conclusions p. 27

Change history p. 28

TR 33.909 3G Security; Report on the design and evaluation of the MILENAGE algorithm set; Deliverable 5: an example algorithm for the 3GPP authentication and key generation functions

full Table of Contents for TR 33.909 Word version: 4.0.1

TR 33.909
3G Security; Report on the design and evaluation of the MILENAGE algorithm set;
Deliverable 5: an example algorithm for the 3GPP authentication and key generation functions