
TS 55.251
Specification of the
GPRS Confidentiality and Integrity Algorithms GEA5 and GIA5 –
GEA5 and GIA5 Algorithm Specification

V17.0.0 (PDF)  2022/03  17 p.
V16.0.0  2020/06  17 p.
V15.0.0  2018/06  17 p.
V14.0.1  2018/06  17 p.
V13.0.1  2018/06  17 p.
Rapporteur:
Mr. Evans, Tim P.
VODAFONE Group Plc

Content for  TS 55.251  Word version:  17.0.0


0  Introduction

This specification has been prepared by the 3GPP Task Force, and gives a detailed specification of the 3GPP confidentiality algorithm GEA5 and the 3GPP integrity algorithm GIA5.
This document is the first of three, which between them form the entire specification of the 3GPP confidentiality algorithm GEA5 and the 3GPP integrity algorithm GIA5:
  • 3GPP TS 55.251: "Specification of the GEA5 and GIA5 encryption algorithms for GPRS; GEA5 and GIA5 algorithm specification".
  • 3GPP TS 55.252: "Specification of the GEA5 and GIA5 encryption algorithms for GPRS; Implementers' test data".
  • 3GPP TS 55.253: "Specification of the GEA5 and GIA5 encryption algorithms for GPRS; Design conformance test data".

1  Scope

The present document defines the technical details of the 3GPP confidentiality algorithm GEA5 and the 3GPP integrity algorithm GIA5.

2  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
[1] TR 21.905: "Vocabulary for 3GPP Specifications".
[2] TS 33.216: "Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2; Document 2: SNOW 3G specification".

3  Definitions, symbols and abbreviations

3.1  Definitions

For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
(none)

3.2  Symbols

For the purposes of the present document, the following symbols apply:
=
The assignment operator.
The bitwise exclusive-OR operation.
||
The concatenation of the two operands.
KASUMI[x]k
The output of the KASUMI algorithm applied to input value x using the key k.
X[i]
The ith bit of the variable X. (X = X[0] || X[1] || X[2] || …).
Yi
The ith block of the variable Y. (Y = Y0 || Y1 || Y2 || …).
ceiling(x)
The smallest integer greater than or equal to the real number x.
&n
The bitwise AND operation in an n-bit register.
<<n t
t-bit left shift in an n-bit register.
>>n t
t-bit right shift in an n-bit register.

3.3  Abbreviations

For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
CBC-MAC
Cipher Block Chaining Message Authentication Code
MAC
Message Authentication Code

4  Introductory information

4.1  Introduction

The confidentiality algorithm GEA5 is a stream cipher that is used to encrypt/decrypt blocks of data under a confidentiality key KC128. The block of data may be between 1 and 65536 octets long. The algorithm uses SNOW 3G [2] as a keystream generator.
The integrity algorithm GIA5 computes a 32-bit MAC (Message Authentication Code) of a given input message using an integrity key KI128. The approach adopted uses SNOW 3G.

4.2  Notation

4.2.1  Radix

The prefix "0x" indicates hexadecimal numbers.

4.2.2  Conventions

The assignment operator "=" is used as in several programming languages. The statement
<variable> = <expression>
means that <variable> assumes the value that <expression> had before the assignment took place. For instance,
x = x + y + 3
means
(new value of x) becomes (old value of x) + (old value of y) + 3.

4.2.3  Bit/byte ordering

All data variables in this specification are presented with the most significant bit (or byte) on the left hand side and the least significant bit (or byte) on the right hand side. Where a variable is broken down into a number of sub-strings, the left most (most significant) sub-string is numbered 0, the next most significant is numbered 1 and so on through to the least significant.
For example an n-bit MESSAGE is subdivided into 64-bit substrings MB0, MB1 … MBi so if the message is:
0x0123456789ABCDEFFEDCBA987654321086545381AB594FC28786404C50A37…
then:
MB0 = 0x0123456789ABCDEF
MB1 = 0xFEDCBA9876543210
MB2 = 0x86545381AB594FC2
MB3 = 0x8786404C50A37…
In binary this is:
000000010010001101000101011001111000100110101011110011011110111111111110…
with
MB0 = 0000000100100011010001010110011110001001101010111100110111101111
MB1 = 1111111011011100101110101001100001110110010101000011001000010000
MB2 = 1000011001010100010100111000000110101011010110010100111111000010
MB3 = 1000011110000110010000000100110001010000101000110111…

4.3  List of variables

CONSTANT-F
a 32-bit parameter which is constant for any given FRAMETYPE input.
DIRECTION
the 1-bit input to both the GEA5 and GIA5 functions indicating the direction of transmission (uplink or downlink).
FRAMETYPE
an 8-bit input to the GEA5 and GIA5 functions indicating the type of frame to be protected.
INPUT
the 32-bit time variant input to the GEA5 function
INPUT-I
the 32-bit time variant input to the GIA5 function
KC128
the 128-bit confidentiality key.
KI128
the 128-bit integrity key.
KS[i]
the ith bit of keystream produced by the keystream generator.
L
the number of 32-bit words of SNOW 3G keystream that are generated by GEA5 (equal to ceiling(M/4) ).
LENGTH
a 64 bit parameter defined within GIA5 which specifies the number of bits of message to be MAC'd (equal to 8 times M).
M
the input to the GEA5 function which specifies the number of octets of output required (1-65536); also the input to the GIA5 function which specifies the number of octets of message to be MAC'd (1-65536).
MAC
the 32-bit message authentication code (MAC) produced by the integrity function GIA5.
MESSAGE
the input bitstream of LENGTH bits that is to be processed by the GIA5 function.
OUTPUT
the output octets from the GEA5 function.
S1, S2, …
a sequence of 64-bit words derived from MESSAGE and LENGTH which is used within GIA5 to construct the MAC
z1, z2, …
the 32-bit words forming the keystream sequence of SNOW 3G. The word produced first is z1, the next word z2 and so on.
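
An added example (not part of the specification or its Annex D listing) showing the clause 4.2.3 ordering convention and the clause 4.3 length relations in C. The names derive_lengths, bit_at, block64 and MAX_OCTETS are hypothetical; the sample octets are the three complete blocks of the example message in clause 4.2.3.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_OCTETS 65536u  /* upper bound on M given in clause 4.3 */

/* Validate M and derive L = ceiling(M/4) and LENGTH = 8*M.
 * M is taken as 32 bits on purpose: the maximum, 65536, is 2^16 and would
 * wrap to 0 in a uint16_t. Returns 0 on success, -1 if M is out of range. */
int derive_lengths(uint32_t m, uint32_t *l_words, uint64_t *length_bits)
{
    if (m < 1 || m > MAX_OCTETS)
        return -1;
    *l_words = (m + 3) / 4;          /* 32-bit keystream words for GEA5 */
    *length_bits = (uint64_t)m * 8;  /* 64-bit LENGTH parameter of GIA5 */
    return 0;
}

/* X[i]: bit i of an octet string, where X[0] is the most significant bit
 * of the first octet. The caller ensures i is within the buffer. */
int bit_at(const uint8_t *x, size_t i)
{
    return (x[i / 8] >> (7 - (i % 8))) & 1;
}

/* MB_i: the i-th 64-bit sub-string, most significant octet first.
 * Returns -1 when block i is not completely inside the buffer. */
int block64(const uint8_t *msg, size_t msg_len, size_t i, uint64_t *out)
{
    if (msg_len / 8 <= i)
        return -1;
    uint64_t v = 0;
    for (size_t k = 0; k < 8; k++)
        v = (v << 8) | msg[8 * i + k];
    *out = v;
    return 0;
}

/* Complete blocks MB0..MB2 of the clause 4.2.3 example message. */
static const uint8_t EXAMPLE_MSG[24] = {
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
    0x86, 0x54, 0x53, 0x81, 0xAB, 0x59, 0x4F, 0xC2,
};

int main(void)
{
    uint64_t mb = 0;
    return block64(EXAMPLE_MSG, sizeof EXAMPLE_MSG, 1, &mb) == 0
        && mb == 0xFEDCBA9876543210ULL ? 0 : 1;
}
```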

5  Confidentiality algorithm GEA5

5.1  Introduction

The confidentiality algorithm GEA5 is a stream cipher that encrypts/decrypts blocks of data between 1 and 65536 octets in length.

5.2  Inputs and outputs

The inputs to the algorithm are given in Table 5.2.1, the output in Table 5.2.2:

Table 5.2.1 (inputs):
Parameter   Size (bits)   Comment
INPUT       32            Frame dependent input INPUT[0]…INPUT[31]
DIRECTION   1             Direction of transmission DIRECTION[0]
FRAMETYPE   8             Input value signifying the type of frame to be protected
KC128       128           Confidentiality key KC128[0]….KC128[127]
M                         The number of octets of output required in the range 1 to 65536 inclusive

Table 5.2.2 (output):
Parameter   Size (bits)   Comment
OUTPUT      8M            Keystream octets OUTPUT{0}….OUTPUT{M-1}

5.3  Components and architecture

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

5.4  Initialisation

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

5.5  Keystream generation

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

5.6  Output octets

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

6  Integrity algorithm GIA5

6.1  Introduction

The integrity algorithm GIA5 computes a Message Authentication Code (MAC) on an input message under an integrity key KI128. The message may be between 1 and 65536 octets long.
For ease of implementation the algorithm is based on the same stream cipher (SNOW 3G) [2] as is used by the confidentiality algorithm GEA5.

6.2  Inputs and outputs

The inputs to the algorithm are given in Table 6.2.1, the output in Table 6.2.2:

Table 6.2.1 (inputs):
Parameter   Size (bits)   Comment
INPUT-I     32            Frame dependent input INPUT-I[0]…INPUT-I[31]
M                         The length of MESSAGE in octets (1-65536)
MESSAGE     8M            Input octet stream MESSAGE{0}….MESSAGE{M-1}
DIRECTION   1             Direction of transmission DIRECTION[0]
FRAMETYPE   8             Input value signifying the type of frame to be protected
KI128       128           Integrity key KI128[0]…KI128[127]

Table 6.2.2 (output):
Parameter   Size (bits)   Comment
MAC         32            Message authentication code MAC[0]…MAC[31]

6.3  Components and architecture

6.3.1  SNOW 3G

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

6.3.2  MULx

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

6.3.3  MULxPOW

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

6.3.4  MUL

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

6.4  Initialization

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

6.5  Calculation

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

A  Mathematical background of some operations of the GIA5 Algorithm

A.1  The function EVAL_S

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

A.2  The function MUL(V, P, c)

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

B  Implementation options for some operations of the GIA5 algorithm

B.1  Overview

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

B.2  Procedure Pre_Mul_P

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

B.3  Function Mul_P

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

C  Figures of the GEA5 and GIA5 algorithms

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

D  Simulation program listing

D.1  GEA5

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

D.2  GIA5

This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.

Change History

