KASUMI explained

KASUMI
Designers:	Mitsubishi Electric
Derived From:	MISTY1
Key Size:	128 bits
Block Size:	64 bits
Structure:	Feistel network
Rounds:	8

KASUMI is a block cipher used in UMTS, GSM, and GPRS mobile communications systems.In UMTS, KASUMI is used in the confidentiality (f8) and integrity algorithms (f9) with names UEA1 and UIA1, respectively.^[1] In GSM, KASUMI is used in the A5/3 key stream generator and in GPRS in the GEA3 key stream generator.

KASUMI was designed for 3GPP to be used in UMTS security system by the Security Algorithms Group of Experts(SAGE), a part of the European standards body ETSI.^[2] Because of schedule pressures in 3GPP standardization, instead of developing a new cipher, SAGE agreed with 3GPP technical specification group (TSG) for system aspects of 3G security (SA3) to base the developmenton an existing algorithm that had already undergone some evaluation.^[2] They chose the cipher algorithm MISTY1 developed^[3] and patented^[4] by Mitsubishi Electric Corporation.The original algorithm was slightly modified for easier hardware implementation and tomeet other requirements set for 3G mobile communications security.

KASUMI is named after the original algorithm MISTY1 - 霞み (hiragana かすみ, romaji kasumi) is the Japanese word for "mist".

In January 2010, Orr Dunkelman, Nathan Keller and Adi Shamir released a paper showing that they could break Kasumi with a related-key attack and very modest computational resources; this attack is ineffective against MISTY1.^[5]

Description

KASUMI algorithm is specified in a 3GPP technical specification.^[6] KASUMI is a block cipher with 128-bit key and 64-bit input and output. The core of KASUMI is an eight-round Feistel network. The round functionsin the main Feistel network are irreversible Feistel-like networktransformations. In each round the round function uses a round keywhich consists of eight 16-bit sub keysderived from the original 128-bit key using a fixed key schedule.

Key schedule

The 128-bit key K is divided into eight 16-bit sub keys K_i:

K=K₁\|K₂\|K₃\|K₄\|K₅\|K₆\|K₇\|K₈

Additionally a modified key K, similarly divided into 16-bitsub keys K'_i, is used. The modified key is derived fromthe original key by XORing with 0x123456789ABCDEFFEDCBA9876543210 (chosen as a "nothing up my sleeve" number).

Round keys are either derived from the sub keys by bitwise rotation to leftby a given amount and from the modified sub keys (unchanged).

The round keys are as follows:

\begin{array}{lcl} KL_i,1&=&{\rmROL}(K_i,1)\\ KL_i,2&=&K'_i+2\\ KO_i,1&=&{\rmROL}(K_i+1,5)\\ KO_i,2&=&{\rmROL}(K_i+5,8)\\ KO_i,3&=&{\rmROL}(K_i+6,13)\\ KI_i,1&=&K'_i+4\\ KI_i,2&=&K'_i+3\\ KI_i,3&=&K'_i+7\end{array}

Sub key index additions are cyclic so that if i+j is greater than 8one has to subtract 8 from the result to get the actual sub key index.

The algorithm

KASUMI algorithm processes the 64-bit word in two 32-bit halves, left (

L_i

)and right (

R_i

).The input word is concatenation of the left and right halves of the first round:

{\rminput}=R_0\|L₀

In each round the right half is XOR'ed with the output of the round functionafter which the halves are swapped:

\begin{array}{rcl}L_i&=&F_i(KL_i,KO_i,KI_i,L_i-1) ⊕ R_i-1\ R_i&=&L_i-1\end{array}

where KL_i, KO_i, KI_i are round keysfor the i^th round.

The round functions for even and odd rounds are slightly different. In each casethe round function is a composition of two functions FL_i and FO_i.For an odd round

F_i(K_i,L_i-1)=FO(KO_i,KI_i,FL(KL_i,L_i-1))

and for an even round

F_i(K_i,L_i-1)=FL(KL_i,FO(KO_i,KI_i,L_i-1))

The output is the concatenation of the outputs of the last round.

{\rmoutput}=R_8\|L₈

Both FL and FO functions divide the 32-bit input data to two 16-bit halves.The FL function is an irreversible bit manipulation while the FO function isan irreversible three round Feistel-like network.

Function FL

The 32-bit input x of

FL(KL_i,x)

is divided to two 16-bit halves

x=l\|r

.First the left half of the input

is ANDed bitwise with round key

KL_i,1

and rotatedleft by one bit. The result of that is XOR'ed to the right half of the input

to get the righthalf of the output

r'={\rmROL}(l\wedgeKL_i,1,1) ⊕ r

Then the right half of the output

is ORed bitwise with the round key

KL_i,2

and rotatedleft by one bit. The result of that is XOR'ed to the left half of the input

to get the lefthalf of the output

l'={\rmROL}(r'\veeKL_i,2,1) ⊕ l

Output of the function is concatenation of the left and right halves

x'=l'\|r'

Function FO

The 32-bit input x of

FO(KO_i,KI_i,x)

is divided into two 16-bit halves

x=l_0\|r₀

, and passed through three rounds of a Feistel network.

In each of the three rounds (indexed by j that takes values 1, 2, and 3) the left half is modifiedto get the new right half and the right half is made the left half of the next round.

\begin{array}{lcl} r_j&=&FI(KI_i,j,l_j-1 ⊕ KO_i,j) ⊕ r_j-1\\ l_j&=&r_j-1\end{array}

The output of the function is

x'=l_3\|r₃

Function FI

The function FI is an irregular Feistel-like network.

The 16-bit input

of the function

FI(Ki,x)

is divided to two halves

x=l_0\|r₀

of which

l₀

is 9 bits wide and

r₀

is 7 bits wide.

Bits in the left half

l₀

are first shuffled by 9-bit substitution box (S-box) S9 and the result is XOR'ed withthe zero-extended right half

r₀

to get the new 9-bit right half

r₁

r_1=S9(l_{0) ⊕}(00\|r₀₎

Bits of the right half

r₀

are shuffled by 7-bit S-box S7 and the result is XOR'ed withthe seven least significant bits (LS7) of the new right half

r₁

to get the new 7-bit left half

l₁

l_1=S7(r_{0) ⊕}LS7(r₁₎

The intermediate word

x_1=l_1\|r₁

is XORed with the round key KI to get

x_2=l_2\|r₂

of which

l₂

is 7 bits wide and

r₂

is 9 bits wide.

x_{2=KI ⊕}x₁

Bits in the right half

r₂

are then shuffled by 9-bit S-box S9 and the result is XOR'ed withthe zero-extended left half

l₂

to get the new 9-bit right half of the output

r₃

r_3=S9(r_{2) ⊕}(00\|l₂₎

Finally the bits of the left half

l₂

are shuffled by 7-bit S-box S7 and the result is XOR'ed withthe seven least significant bits (LS7) of the right half of the output

r₃

to get the 7-bit lefthalf

l₃

of the output.

l_3=S7(l_{2) ⊕}LS7(r₃₎

The output is the concatenation of the final left and right halves

x'=l_3\|r₃

Substitution boxes

The substitution boxes (S-boxes) S7 and S9 are defined by both bit-wise AND-XOR expressions and look-up tables in the specification.The bit-wise expressions are intended to hardware implementation but nowadays it is customary to usethe look-up tables even in the HW design.

S7 is defined by the following array:

int S7[128] = ;

S9 is defined by the following array:

int S9[512] = ;

Cryptanalysis

In 2001, an impossible differential attack on six rounds of KASUMI was presented by Kühn (2001).^[7]

In 2003 Elad Barkan, Eli Biham and Nathan Keller demonstrated man-in-the-middle attacks against the GSM protocol which avoided the A5/3 cipher and thus breaking the protocol. This approach does not attack the A5/3 cipher, however.^[8] The full version of their paper was published later in 2006.^[9]

In 2005, Israeli researchers Eli Biham, Orr Dunkelman and Nathan Keller published a related-key rectangle (boomerang) attack on KASUMI that can break all 8 rounds faster than exhaustive search.^[10] The attack requires 2^54.6 chosen plaintexts, each of which has been encrypted under one of four related keys, and has a time complexity equivalent to 2^76.1 KASUMI encryptions. While this is obviously not a practical attack, it invalidates some proofs about the security of the 3GPP protocols that had relied on the presumed strength of KASUMI.

In 2010, Dunkelman, Keller and Shamir published a new attack that allows an adversary to recover a full A5/3 key by related-key attack. The time and space complexities of the attack are low enough that the authors carried out the attack in two hours on an Intel Core 2 Duo desktop computer even using the unoptimized reference KASUMI implementation. The authors note that this attack may not be applicable to the way A5/3 is used in 3G systems; their main purpose was to discredit 3GPP's assurances that their changes to MISTY wouldn't significantly impact the security of the algorithm.

External links

Nathan Keller's homepage

Notes and References

Web site: 3GPP . Draft Report of SA3 #38 . 2005.
Web site: 3GPP . General Report on the Design, Speification and Evaluation of 3GPP Standard Confidentiality and Integrity Algorithms . 2009.
Matsui . Mitsuru . Tokita . Toshio . MISTY, KASUMI and Camellia Cipher Algorithm Development . Mitsubishi Electric Advance . 100 . 2 - 8 . Mitsubishi Electric corp. . Dec 2000 . 1345-3041 . 2010-01-06 . https://web.archive.org/web/20080724210408/http://global.mitsubishielectric.com/company/rd/advance/pdf/vol100/vol100.pdf . 2008-07-24 . dead .
Matsui . Mitsuru . Tokita . Toshio . Sep. 19, 2002 . Aug. 22, 2006 . Data Transformation Apparatus and Data Transformation Method . US . 7096369.
Orr Dunkelman . Nathan Keller . Adi Shamir . 2010-01-10 . A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony .
Web site: 3GPP . 3GPP TS 35.202: Specification of the 3GPP confidentiality and integrity algorithms; Document 2: Kasumi specification . 2009.
Kühn . Ulrich . Cryptanalysis of Reduced Round MISTY . EUROCRYPT 2001 . 10.1.1.59.7609 .
Elad Barkan, Eli Biham, Nathan Keller . Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication . 600–616 . CRYPTO 2003 . 2019-09-15 . 2020-01-25 . https://web.archive.org/web/20200125081932/http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf . dead .
Web site: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication by Barkan and Biham of Technion (Full Version) . Elad Barkan, Eli Biham, Nathan Keller . 2019-09-15 . 2020-01-25 . https://web.archive.org/web/20200125081932/http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf . dead .
Eli Biham, Orr Dunkelman, Nathan Keller . A Related-Key Rectangle Attack on the Full KASUMI . 443–461 . ASIACRYPT 2005 . ps . dead . https://web.archive.org/web/20131011053531/http://www.ma.huji.ac.il/~nkeller/kasumi.ps . 2013-10-11.