Quantum computing poses a long-term threat to information security. This may apply to some of the current protection measures in 5G systems. These threats are studied in the present document so as to ensure that 5G systems remain secure also in the future.
The threats will impact symmetric and asymmetric cryptographic algorithms in different ways. The present document focuses on symmetric cryptographic algorithms. In particular, it focuses on the implications of introducing 256 bit cryptographic keys and algorithms.
The study allows informed decisions on why, when, where, and how symmetric cryptographic algorithms used in 3GPP systems could be strengthened to counter the identified threats.
WHY: Commercial applications (e.g., critical infrastructure, financial, medical, and pharmaceutical) and government organizations may need enhanced protection for confidential information.
WHEN: This study establishes a timeline for the introduction of enhanced protection measures. It is currently not clear when, e.g., quantum computers may pose a realistic threat. The timeline may take into account the following factors:
the number of years that data that are sent protected in 5G (over the various interfaces) need to remain secure;
the number of years it will take to introduce 256-bit keys in the 5G system (standardization and deployment);
the number of years it takes to decrypt data protected with 128-bit keys, taking into account technological progress.
The study should also seek to align the security levels and timelines for introducing new asymmetric cryptographic algorithms with those for symmetric cryptographic algorithms in 5G. The reason is that the 5G system also makes use of asymmetric cryptographic algorithms, e.g. in network domain security, in untrusted non-3GPP access, and in 5G identity privacy, and it does not make sense to have different security levels for different types of algorithms in the same release of a 5G system.
WHERE: Not all parts of the 5G system may be affected in the same way. The study should therefore investigate the impacts on UE, gNB, and core network entities separately. As an example, the study may investigate whether encryption between the UE and a gNB in an operator network (where the cleartext is available to the operator in the gNB) and encryption between the UE and a core network entity in a slice are affected by the requirements in the same way.
HOW: The focus of this proposed new work will include, but will not be limited to, supporting 256-bit keys and algorithms, bolstering integrity protection by increasing the size of MAC-I in 5G networks, key derivation, AKA key generation, key distribution, key refresh, negotiation of the key size, and processing of confidential CP/UP/MP information.
The present document details the following:
An assessment of threats and potential countermeasures posed due to quantum computing and a resulting assessment of relevant countermeasures in the 5G system.
An assessment of the timelines for the introduction of any countermeasures, in particular the increase of key lengths to 256 bits. This includes an alignment with the timeline for strengthening asymmetric cryptographic algorithms used in 5G systems.
An assessment of which parts of the 5G system will be affected and in which way.
A Study of full entropy 256 bit keys in the 5G key hierarchy, beginning with the permanent pre-shared key. Including a study into modifying the derivation algorithms in order to derive child keys from the 256-bit master key instead of the 128-bit key.
A study to determine whether a longer MAC is appropriate for 5G.
A study of the coexistence of different size keys. In 3GPP networks, 256-bit keys in 5G will need to coexist with 128-bit keys in legacy networks or earlier 5G phases. This includes storage of keys and separate key derivation algorithms both on the UE and in the core network.
A study into the desired number of 256-bit algorithms, e.g. if two 256-bit AKA key generation algorithm sets are needed.
A study of the desired performance aspects for the new 256-bit algorithms taking into account software and hardware aspects.
A study of key size negotiation.
A study into whether the current methods for distribution and refresh of security keys are equally applicable to larger key sizes and can remain the same.
A study into the Encryption and integrity algorithms that could be needed. This includes 256-bit session/intermediate keys in 5G, may, in some cases, simply entail using larger-key versions of current algorithms, while in other cases new algorithms may need to be chosen altogether.
Recommendations for suitable requirements for the needed algorithms for use with 256-bit keys and ask ETSI SAGE to provide those algorithms.
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
References are either specific (identified by date of publication, edition number, version number, etc.) or non-specific.
For a specific reference, subsequent revisions do not apply.
For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
: "Vocabulary for 3GPP Specifications".
Markus Grassl, Brandon Langenberg, Martin Roettler, Rainer Steinwandt (2015)
: "Applying Grover's algorithm to AES: quantum resource estimates". https://arxiv.org/pdf/1512.04965.pdf
Matthew Amy, Olivia Di Matteo, Vlad Gheorghiu, Michele Mosca, Alex Parent, John Schanck (2016)
: "Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3". https://arxiv.org/pdf/1603.09383.pdf
Thomas Häner, Martin Roetteler, and Krysta M. Svore: "Factoring using 2n+2 qubits with Toffoli based modular multiplication". Quantum Information and Computation, 18(7&8):673-684, 2017
: "Network Domain Security (NDS); Authentication Framework (AF)".
: "3G security; Network Domain Security (NDS); IP network layer security".
: "Security architecture and procedures for 5G system".
: "Catalogue of general security assurance requirements".
NIST Special Publication 800-38B: "Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication".
Dustin Moody (2018): "Let's Get Ready to Rumble - The NIST PQC 'Competition'".
Mihir Bellare, Björn Tackmann (2017): "The Multi-User Security of Authenticated Encryption: AES-GCM in TLS 1.3".
Report ITU-R M.2410-0: "Minimum requirements related to technical performance for IMT-2020 radio interface(s)", 2017.
: "Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA)".
"HMAC-based Extract-and-Expand Key Derivation Function (HKDF)".
: "Secured packet structure for (Universal) Subscriber Identity Module (U)SIM Toolkit applications".
ETSI TS 102 225: "Smart Cards; Secured packet structure for UICC based applications".
ETSI TS 102 226: "Smart Cards; Remote APDU structure for UICC based applications".
GlobalPlatform: "Card Specification, Amendment B".
For the purposes of the present document, the terms and definitions given in TR 21.905
and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905
a computer which makes use of quantum-mechanical effects
For the purposes of the present document, the abbreviations given in TR 21.905
and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905
Authentication and Key Agreement
Extensible Authentication Protocol
Elliptic Curve Diffie-Hellman Ephemeral
Elliptic Curve Integrated Encryption Scheme
Generic Key Derivation Function
HMAC-based Extract-and-Expand Key Derivation Function
Internet Key Exchange version 2
Key Derivation Function
Non Access Stratum
Network Domain Security
Over The Air
Radio Resource Control
Service Based Architecture
Security Anchor Function
Security Edge Protection Proxy
SUbscription Concealed Identifier
SUbscription Permanent Identifier
Transport Layer Security
A quantum computer is a computer which makes use of quantum-mechanical effects. These effects include superposition, which allows quantum bits (qubits) to exist in a combination of several states at once, and entanglement, which allows connections between separate quantum systems such that they cannot be described independently. There exist quantum algorithms that use these effects to solve certain cryptographic problems more efficiently than they could be solved on a classical computer. However, due to the reliance on physical effects quantum computing is inherently error prone, meaning that circuits for quantum algorithms require extra qubits for error correction. This quantum error correction means that the complexity of the quantum computer required to carry out certain quantum algorithms is greater in practice than in theory. With the advances in quantum computing, the security community feels it is important to start preparing our information security systems to be resilient to this potential threat.
Determining how to cost an attack with a quantum computer is difficult. The number of qubits needs be taken into account, along with the number of quantum gates in the circuit, and the number of sequential evaluations of the gates, called the depth of the circuit. Depth governs how long the calculation will take. With a gate-time of a few nano-seconds, a depth of around 250 would take one year to evaluate.
Shor's quantum algorithm for integer factorization runs in polynomial time on a quantum computer. As the security of RSA relies on the hardness of factorizing large integers, the system's security is terminally undermined by quantum computation. A variant of Shor's algorithm enables a quantum computer to calculate discrete logarithms in polynomial time, both over finite fields and elliptic curves. This variant renders several other public-key cryptosystems insecure, including Diffie-Hellman and Elliptic Curve Diffie-Hellman.
To counter the threat of quantum computing to asymmetric cryptography it is necessary to swap existing algorithms for new, quantum-resistant algorithms. However, it should be noted that all quantum-resistant key-exchange algorithms currently being considered are much less studied than traditional public key systems such as RSA and Diffie-Hellman. As such, a balance will need to be struck between countering the quantum threat and ensuring the use of stable and tested systems.
Grover's search algorithm offers a theoretical quadratic speed-up on unstructured search problems. This is applicable to symmetric key cryptography as, with use of Grover's algorithm, the N-bit key for a cipher is recovered with O(2N/2) serial quantum operations.
The real speed up offered by Grover's algorithm is difficult to evaluate and depends on a variety of factors including the scheme being analysed, the precise functionality of a quantum computer and the necessity for error-correction codes. There has been limited analysis of the effect of Grover's algorithm on 128-bit block ciphers, but various papers  and  have calculated that, while the security of AES-128 would be reduced with the development of a quantum computer, it would not fall to 64 bits. However, there has not been any concrete study quantitatively examining the impact of quantum computing on stream ciphers. It should also be noted that Grover's algorithm does not parallelise efficiently, suggesting that the security assumptions to apply in this scenario may be different to those in classical computing. It may be more appropriate to consider attacks that run in bounded time, taking into account the likely capabilities of an attacker and the amount of likely parallelisation .
To counter this threat to symmetric cryptography from a quantum computer it would certainly suffice to double the key-size of an algorithm, thus doubling the number of bits of classical security. As discussed above there is an ongoing discussion as to whether this response is overly conservative, as the changes would have other business, interoperability and security consequences.
Grover's algorithm also poses a threat to the security of hash algorithms. As for symmetric algorithms, the theoretical speed-up is quadratic, but it is difficult to evaluate this in a real world scenario.  estimates that a single pre-image attack on SHA-256 would take ~2166 operations, rather than the theoretical 2128. Looking at another measure of cryptographic hash security, there is no known quantum algorithm which finds collisions in general hash functions more efficiently than the most efficient classical algorithms .