On the correctness of security proofs for the 3GPP confidentiality and integrity algorithms

Abstract

f8 and f9 are standardized by 3GPP to provide confidentiality and integrity, respectively. It was claimed that f8 and f9′ are secure if the underlying block cipher is a PseudoRandom Permutation (PRP), where f9′ is a slightly modified version of f9. In this paper, however, we disprove both claims by showing a counterexample. We first construct a PRP F with the following property: There is a constant Cst such that for any key K, FK(·) = FK⊕Cst-1(·). We then show that f8 and f9′ are completely insecure if F is used as the underlying block cipher. Therefore, PRP assumption does not necessarily imply the security of f8 and f9′, and it is impossible to prove their security under PRP assumption. It should be stressed that these results do not imply the original f8 and f9 (with KASUMI as the underlying block cipher) are insecure, or broken. They simply undermine their provable security. © Springer-Verlag Berlin Heidelberg 2003.