Applications of Cryptography in Wireless Communication


1 Applications of Cryptography in Wireless Communication Bergen 18th June 2003 Kaisa Nyberg Nokia Research Center 1 NOKIA

2 Outline
- Mobile Networks
  - GSM
  - 3GPP UMTS
- Other RATs
  - Bluetooth
  - WLAN
- Key management
"If you go underground you have got to learn to live with the rats." Alex Krycek (X-files)

3 RAT security functions
[Diagram labels: authentication and key agreement; nonces; link key; session key derivation; other input; session keys; confidentiality and integrity algorithms; user data; control data; protected control data; protected user data]

4 Lesson 1: Bluetooth
Outline:
- Bluetooth keys
- Cryptographic algorithms
- Bluetooth pairing, and its weaknesses
- Proposed improved pairing

5 Bluetooth keys
[Diagram labels: first time connections: PIN, E22, LINK KEY; authentication: LINK KEY; EN_RAND, E3, ENCRYPTION KEY; encryption: ENCRYPTION KEY]

6 E0 Encryption algorithm
[Diagram labels: K_C; ADDR; CLK; EN_RND; form input data; LFSR 1 to LFSR 4; summation combiner; blend; encryption stream]

7 Bluetooth Pairing
- Establishing link key between two BT devices
- Secret seed to the pairing procedure provided by Bluetooth PIN
- If the seed (Bluetooth PIN) is given or guessed, the link key can be derived from the public information exchanged between the devices and wire-tapped during the procedure
- Short or otherwise low-redundancy Bluetooth PINs open possibilities for off-line dictionary attacks (passive attacks)
- Use full length random PIN values in Bluetooth pairing! This can be facilitated by implementing PIN generating applications in the devices; but still cumbersome!

8 Bluetooth Pairing: Combination key
[Diagram labels: Unit A; Unit B; PIN; ADDR_A; RND; E22; K_init; ADDR_A, RND_A; ADDR_B, RND_B; E; +; K_AB]

9 Using short PIN values, an attack (I)
Observing device addresses and the following communication:
- Initialisation: A1 = RND
- Comb. key calculation: A2 = K_init + RND_A, A3 = K_init + RND_B
- Authentication: A4 = AU_RND, A5 = SRES

10 Using short PIN values, an attack (II)
For each possible PIN test:
- RND_A = A2 + K_init
- RND_B = A3 + K_init
- A5 =? SRES
[Diagram labels: ADDR_A, A1, PIN; E22; K_init; ADDR_A, RND_A; ADDR_B, RND_B; E21; E21; +; K_AB; claimant ADDR; A4; E1; SRES]

11 Enhanced Bluetooth Pairing
Gehrmann-Nyberg (2000)
- Use a key agreement protocol based on public key cryptography that is secure against passive attacks, such as Diffie-Hellman, RSA key transport etc.
- Protection still needed against active attacks
  - man-in-the-middle
  - impersonation
- Protection can be achieved using short passkeys!
- Existing methods: password authenticated key exchange protocols (for proposals, see IEEE P1363a study group)
  - intended for remote client server authentication
  - based on human memorable password
- In most Bluetooth scenarios:
  - passkeys are used once then discarded
  - devices are in close proximity

12 Diffie-Hellman key exchange (non-authenticated)
Fixed public parameters: P prime and G generator
- ALICE: a secret; A = G^a mod P; sends A; K_A = B^a mod P
- BOB: b secret; B = G^b mod P; sends B; K_B = A^b mod P
K_A = K_B?

13 Anonymous Diffie-Hellman protocol
Alice has K_A, Bob has K_B. Is K_A = K_B?
Alice's side:
- Device generates challenge P
- Device computes response C_A = h(K_A, P)
- Device displays check value CV = P C_A to Alice
- Alice tells CV to Bob
Bob's side:
- Bob enters CV = P C_A into his device
- Device computes response C_B = h(K_B, P)
- Device compares C_B = C_A? and displays the result (yes or no) to Bob
- Bob tells the result to Alice

14 Further MANA Developments
- A further variant recently presented by J-O Larsson, RSA (OpenGroup Conference, Amsterdam 24 Oct 2001)
  - only the challenge is transmitted to the devices using human channel
  - verification step is automated, and consists of an interactive proof protocol with commitments and proofs
  - the method is also applicable when only keypads are used, but it is not applicable if only displays are used
- International Standard ISO/IEC JTC1 SC27 FCD (see RSA Cryptobytes, Spring 2004)

15 MANA I Protocol
- Output: Data D ready
- User enters: Start
- Generate K, compute MAC, and output K and MAC
- User reads K and MAC
- Receive Data D
- User enters K and MAC
- Recompute MAC and compare
- Output Accept or Reject

16 MANA II Protocol
- Output: Data D ready
- Output: Data D ready
- User enters: Start
- User verifies: Both components ready
- Generate K, and transmit K to second component
- Compute MAC
- Output K and MAC
- Receive K
- Compute MAC
- Output K and MAC
- User compares the two MAC values and enters OK or REJECT in both components.

17 Security of MANA Protocols
- The security of MANA protocols depends on the probability for an attacker to replace the observed data $d$ with some other data $d'$. The attacker succeeds if $d'$ is accepted by the component as valid data.
- Since we assume that both components are physically close to each other and we do not accept any data unless both devices actually signal that they are ready, the impersonation attack does not apply to the MANA scenario.
- Only the data is sent over public channel and the attacker does not know the output of the MAC. Hence, the probability of successful substitution attack for MANA I and II can be expressed as
  $P_S = \max_{d \neq d'} P\{ f(d', k) = f(d, k) \mid d \text{ is observed} \}$
- Thus, given that the key is chosen uniformly at random from the key space $K$, the probability above can be expressed as
  $P_S = \max_{d \neq d'} \frac{1}{|K|} \, |\{ k \in K : f(d, k) = f(d', k) \}|$
  where $|K|$ denotes the cardinality of the set $K$.

18 MANA using Reed-Solomon codes
- The data (message) is encoded as a t-tuple of elements in $F_q$, $d = (d_0, d_1, \ldots, d_{t-1})$, where $d_i \in F_q$.
- Then, the RS-encoding polynomial is given by
  $p_d(x) = d_0 + d_1 x + d_2 x^2 + \ldots + d_{t-1} x^{t-1}$
- The MAC function is given by evaluating the polynomial at point $k \in F_q$:
  $f(d, k) = v_k(d) = p_d(k) = d_0 + d_1 k + d_2 k^2 + \ldots + d_{t-1} k^{t-1}$

19 Substitution probabilities for the MANA construction using Reed-Solomon codes
[Table: columns log_2 |D|, log_2(n), P_S, with n = q = |K|]
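An added worked example (not from the original slides) of the Reed-Solomon check value and its substitution probability P_S, computed exhaustively over small fields. Restricting q to a prime, the sample data and the function names are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


def rs_mac(d, k, q):
    """f(d, k) = p_d(k) = d_0 + d_1*k + ... + d_{t-1}*k^(t-1) over F_q.

    Assumption of this example: q is prime, so F_q is the integers mod q.
    """
    acc = 0
    for coeff in reversed(d):  # Horner's rule, highest coefficient first
        acc = (acc * k + coeff) % q
    return acc


def colliding_keys(d, d_sub, q):
    """Keys k under which substituted data d_sub yields the same MAC as d."""
    return [k for k in range(q) if rs_mac(d, k, q) == rs_mac(d_sub, k, q)]


def substitution_probability(q, t):
    """Exhaustive P_S = max over d != d' of |{k : f(d,k) = f(d',k)}| / |K|.

    f is linear in d, so a collision depends only on the difference d - d';
    it is enough to count the roots of every non-zero polynomial of degree < t.
    """
    worst = 0
    for diff in product(range(q), repeat=t):
        if any(diff):
            roots = sum(1 for k in range(q) if rs_mac(diff, k, q) == 0)
            worst = max(worst, roots)
    return Fraction(worst, q)


def mana1_accepts(received_d, k, mac, q):
    """MANA I receiving component: recompute the MAC over the received data
    with the user-entered key and compare it with the user-entered MAC."""
    return rs_mac(received_d, k, q) == mac


if __name__ == "__main__":
    q, d = 7, (3, 1, 4)   # constructed sample data, t = 3 symbols
    d_sub = (5, 5, 5)     # d plus the coefficients of (x - 1)(x - 2)
    print("keys that hide the substitution:", colliding_keys(d, d_sub, q))
    print("P_S for q=7,  t=3:", substitution_probability(7, 3))
    print("P_S for q=11, t=4:", substitution_probability(11, 4))
```

The exhaustive maximum equals (t-1)/q in both cases, because a non-zero polynomial of degree below t has at most t-1 roots; a longer message or a smaller field therefore weakens the check value.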

20 Lesson 2: WLAN
Outline:
- Security Extensions in IEEE 802.11i
- RSNA Establishment
- Data Encryption and Authentication

21 Security Extensions in IEEE 802.11i
- IEEE 802.11i allows establishment of Robust Security Network Associations (RSNAs) between Wireless Local Area Network (WLAN) stations
- RSNA enables stations to
  - use the Extensible Authentication Protocol (EAP) to authenticate the peer station instead of using a pre-shared key (PSK)
  - establish fresh cryptographic keys
  - use better cryptographic methods for data authentication and encryption

22 4-Way Handshake
- both supplicant and authenticator generate nonces (ANonce and SNonce) and exchange them
- both parties derive the same Pairwise Transient Key (PTK) from the PMK, their MAC addresses and the nonces by using a SHA-1-based algorithm
- PTK is divided into Key Confirmation Key (KCK), Key Encryption Key (KEK) and Temporal Key (TK)
- the MICs shown in the figure are based on the KCK
- TK is used to protect unicast traffic between the parties
- authenticator provides the supplicant with an additional key, Group Temporal Key (GTK), that is used to protect multicast and broadcast traffic
- GTK is encrypted using the KEK
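An added example (not from the original slides) of the PTK derivation described above, using the HMAC-SHA-1 PRF and the "Pairwise key expansion" label of IEEE 802.11i with a 384-bit PTK for CCMP. The MAC addresses, nonces, PMK and the stand-in frame body are constructed values, and the function names are this example's own.

```python
import hashlib
import hmac


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: HMAC-SHA-1 over label || 0x00 || data || counter,
    concatenated until nbytes of output are available."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (384 bits) from the PMK, both MAC addresses and both nonces.

    The min/max ordering makes the result independent of which side computes it.
    """
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def handshake_mic(kck, eapol_frame):
    """MIC over an EAPOL-Key frame: HMAC-SHA-1 under the KCK, truncated to
    128 bits (the variant used together with CCMP)."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def run_handshake(pmk_supplicant, pmk_authenticator):
    """Messages 1 and 2 of the 4-way handshake with constructed values.

    Returns (mic_ok, supplicant_keys, authenticator_keys); mic_ok is how the
    authenticator learns that the supplicant holds the same PMK.
    """
    aa = bytes.fromhex("020000000001")   # constructed authenticator MAC address
    spa = bytes.fromhex("020000000002")  # constructed supplicant MAC address
    # Constructed nonces; real stations generate fresh random values.
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()

    # Message 1: authenticator -> supplicant: ANonce (no MIC yet).
    sup = derive_ptk(pmk_supplicant, aa, spa, anonce, snonce)
    # Message 2: supplicant -> authenticator: SNonce and a MIC under its KCK.
    frame2 = b"EAPOL-Key message 2 (stand-in body)" + snonce
    mic2 = handshake_mic(sup["KCK"], frame2)

    # The authenticator derives its own PTK and checks the MIC.
    auth = derive_ptk(pmk_authenticator, aa, spa, anonce, snonce)
    mic_ok = hmac.compare_digest(mic2, handshake_mic(auth["KCK"], frame2))
    return mic_ok, sup, auth


if __name__ == "__main__":
    pmk = bytes(range(32))               # constructed 256-bit PMK
    ok, sup, auth = run_handshake(pmk, pmk)
    print("same PMK  -> MIC verifies:", ok, "| same TK:", sup["TK"] == auth["TK"])
    ok, _, _ = run_handshake(pmk, bytes(32))
    print("wrong PMK -> MIC verifies:", ok)
```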

23 Data Encryption and Authentication
- IEEE 802.11i defines one mandatory data encryption and authentication mode for RSNAs: the Counter-Mode/CBC-MAC Protocol (CCMP)
- CCMP uses AES in CCM mode, providing both encryption and strong authentication
- TK and GTK obtained during the 4-way handshake are used as keys

24 [Figure: CBC-MAC Calculation]

25 [Figure: Counter Mode Encryption and MIC Calculation]

26 Link Key Management with EAP
Outline:
- EAP
- Tunnelled EAP
- Man-in-the-Middle problems and solutions

27 Remote MN Authentication Methods - EAP
- Extensible Authentication Protocol (EAP) is a general protocol framework that supports multiple authentication mechanisms
  - allows a back-end server to implement the actual mechanism
  - authenticator simply passes authentication signaling through
- EAP was initially designed for use with PPP network access
- But has been adapted by for other types of access authentication
  - WLAN (IEEE 802.1X)
- EAP consists of several Request/Response pairs; Requests are sent by network

28 Station Authentication with EAP
- EAP supports various authentication mechanisms, e.g. passwords, public keys and token cards
- if authentication is performed with an AP, the other station always acts as the supplicant
- after EAP authentication, the supplicant and the authenticator share a common secret value, the Pairwise Master Key (PMK)
- using EAP is not obligatory, a PSK may also be used as the PMK (since the possession of the correct PMK is verified during the 4-way handshake)

29 Protecting EAP: the PEAP approach
[Diagram labels: Client; NAS; Backend Server; cipher suite (client and NAS); EAP conversation (over PPP, ,etc.); trust; keys; EAP API; EAP method]

30 PEAP/AKA - How it works
Parties: Terminal, AP, WLAN Server, HSS
- Establishing a PEAP tunnel (server authenticated): TLS-protocol based on network certificate
- 1. (, EAP-Request/Identity message, )
- Secured by TLS tunnel:
  - 2. TLS(EAP-Response/Identity (IMSI))
  - 2a. MAP(Send_Auth Params: IMSI) [or DIAMETER]
  - 3. TLS(EAP-Request/AKA-challenge (RAND, AUTN))
  - 2b. MAP (AKA authentication quintuplets)
  - 2. TLS(EAP-Response/AKA-challenge (RES))
- WLAN_Master_session_keys (based on TLS tunnel keys)

31 PEAP/AKA - How it can fail
Parties: Terminal, MitM, AP, WLAN Server, HSS
- Establishing a PEAP tunnel (server authenticated): TLS-protocol based on network certificate
- IMSI_Request
- 1. (, EAP-Request/Identity message, )
- IMSI
- Secured by TLS tunnel (only server authenticated):
  - 2. TLS(EAP-Response/Identity (IMSI))
  - 2a. MAP(Send_Auth Params: IMSI) [or DIAMETER]
  - 3. TLS(EAP-Request/AKA-challenge (RAND, AUTN))
  - 2b. MAP (AKA authentication quintuplets)
  - 3. RAND, AUTN
  - 2. RES
  - 2. TLS(EAP-Response/AKA-challenge (RES))
- Stolen WLAN link
- WLAN_Master_session_keys (based on TLS tunnel keys)

32 Analysis of the problem
- Inner protocol is a legacy remote client authentication protocol (EAP/SIM, EAP/AKA) typically used also without TLS tunnelling, also without ANY tunnelling
  - MitM can set up a false cellular base station to ask for IMSI and subsequently, for RES.
- Even if EAP protocol is used exclusively in tunnelled mode, authentication of tunnel relies solely upon the terminal.
  - Terminal user may accept an unknown certificate! This is not acceptable to network operators.
- Session keys are derived from TLS Master Key generated using tunnel protocol (same key as used to create tunnel).
  - Keys derived in the EAP protocol (EAP SIM or UMTS AKA Master Keys) are not used.

33 Lessons learnt
- Composing two secure protocols may result in an insecure protocol
- Using tunnelling to improve a remote authentication protocol is very common
- Known vulnerable combinations:
  - HTTP Digest authentication and TLS
  - PEAP and any EAP subtype
  - PIC and any EAP subtype
- There are solutions that can be used to fix the problem
  - the exact fix needs to be tailored to the specific protocols
N. Asokan, V. Niemi, K. Nyberg, Man-in-the-Middle in Tunnelled Authentication Protocols, International Workshop on Security Protocols, 2-4 April 2003, Cambridge, England

34 Some solutions
Create cryptographic binding between tunneling protocol and MN authentication protocol:
- METHOD 1: Use a one-way function to compute session keys from tunnel secrets (e.g. TLS master key) and EAP secrets (e.g. IK, CK).
- METHOD 2: Compute a MAC over the protected EAP-response and credential request, using a MAC key derived as session key in Method 1. MAC is verified by AAAL or AAAH. Now tunnel is secure for handling of session keys or credentials.
- In both methods, EAP secrets must be sent from AAAH to AAAL (or tunnel secrets must be sent from AAAL to AAAH)
- Both methods rely on the MN authentication protocol producing a session key as well.
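An added example (not from the original slides) of the two binding methods, showing what the verifying server accepts and rejects once session keys depend on both the tunnel secret and the EAP secrets. HMAC-SHA-256 as the one-way function, the labels, the message encoding and all secret values are assumptions constructed for this example.

```python
import hashlib
import hmac


def kdf(key, label, context=b""):
    """One-way function used in this example (assumption: HMAC-SHA-256)."""
    return hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()


def unbound_session_key(tls_master):
    """Session key derived from the tunnel secret only (the problem case)."""
    return kdf(tls_master, b"session key")


def bound_session_key(tls_master, ck, ik):
    """Method 1: session key from the tunnel secret AND the EAP secrets."""
    return kdf(ck + ik, b"bound session key", tls_master)


def binding_mac(session_key, eap_response, credential_request):
    """Method 2: MAC over the protected EAP-response and credential request."""
    msg = (len(eap_response).to_bytes(2, "big") + eap_response +
           credential_request)
    return hmac.new(session_key, msg, hashlib.sha256).digest()


def server_accepts(tls_master, ck, ik, eap_response, credential_request, mac):
    """Check by AAAL/AAAH, which holds both the tunnel and the EAP secrets."""
    expected = binding_mac(bound_session_key(tls_master, ck, ik),
                           eap_response, credential_request)
    return hmac.compare_digest(expected, mac)


def scenario():
    """Compare an honest terminal with a tunnel endpoint that lacks CK/IK."""
    # Constructed secrets. CK and IK exist only in the USIM and the home network.
    ck = hashlib.sha256(b"constructed CK").digest()[:16]
    ik = hashlib.sha256(b"constructed IK").digest()[:16]
    tls_honest = hashlib.sha256(b"tunnel: terminal <-> server").digest()
    tls_other = hashlib.sha256(b"tunnel: other endpoint <-> server").digest()
    res = b"constructed RES"
    request = b"credential request"

    # Honest terminal: it ran AKA itself inside its own tunnel.
    mac = binding_mac(bound_session_key(tls_honest, ck, ik), res, request)
    honest_accepted = server_accepts(tls_honest, ck, ik, res, request, mac)

    # Tunnel endpoint that relays a valid RES but never learns CK/IK.
    # Without binding, the tunnel secret alone gives it the session key.
    server_unbound = unbound_session_key(tls_other)
    unbound_key_exposed = unbound_session_key(tls_other) == server_unbound
    # With binding it must guess CK/IK (all-zero guess here), so the MAC fails.
    guess = bound_session_key(tls_other, bytes(16), bytes(16))
    forged = binding_mac(guess, res, request)
    relay_accepted = server_accepts(tls_other, ck, ik, res, request, forged)

    # A MAC made by the real terminal for its own tunnel does not transfer.
    replay_accepted = server_accepts(tls_other, ck, ik, res, request, mac)
    return {
        "honest_accepted": honest_accepted,
        "unbound_key_exposed": unbound_key_exposed,
        "relay_accepted": relay_accepted,
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```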

35 Lesson 3: Cryptography in GSM
Outline:
- Security goals in GSM Networks
- Authentication and Key Agreement
- Cryptographic algorithms
- Attacks and countermeasures

36 Trust model
- Each operator shares long term security association (SA) with its subscriber
  - Security association credentials stored in tamper-resistant identity module issued to subscriber, called the UICC (= SIM or USIM)
- Operators may enter roaming agreements with other operators, in which case a certain level of trust exists between the respective domains

37 Security goals in GSM
- Secure business for operators
  - subscribers pay their bills
  - subscribers do not avoid using GSM because of privacy threats
  - accommodate to regulators and LEAs requirements
- System requirements:
  - call authentication and integrity
  - privacy protection over the air interface
  - support for LI

38 Mobile Network
[Diagram labels: mobile terminal; base station; home location register]

39 GSM: Securing access and radio path
[Diagram labels: mobile (SIM) with IMSI, K; visitor location register and base station; home location register with {IMSI, K}; IMSI; RAND; RAND, XRES, Kc; SRES; SRES = XRES?; radio path encrypted using Kc]

40 One-way function on the SIM card for authentication and key agreement
[Diagram labels: K; RAND; SRES / XRES; Kc]

41 Authentication and Key Agreement
[Diagram labels: RAND; Ki; A3; A8; SRES/XRES; Kc]

42 A3/A8 Algorithms
Operator specific, need not be standardized
- COMP128-1: originally secret, completely reverse-engineered, subsequently broken, instant cloning devices known to exist
- COMP128-2 and COMP128-3: secret, strength not known, cloning devices not known
- GSM-MILENAGE: published by GSM Association, based on 3G MILENAGE and AES
- Operator and manufacturer algorithms

43 A5 and GEA Algorithms
Air interface encryption must be standardized
- A5/1: originally secret, moderate strength (online breaking devices not known to exist)
- A5/2: originally secret, weak and broken (online breaking devices known to exist)
- A5/3: published by GSM Association, based on 3GPP f8 encryption algorithm
- GEA1 and GEA2: secret
- GEA3: published by GSM Association, based on 3GPP f8 encryption algorithm

44 Lack of confidence in GSM Security
- lack of openness in design and publication of A5/1
- misplaced belief by regulators in the effectiveness of control on the export or (in some countries) the use of cryptography
- key length too short, but implementation faults make increase of encryption key length difficult
- need to replace A5/1, but poor design of support for simultaneous use of more than one encryption algorithm is making replacement difficult
- ill advised use of COMP 128
Source: Mike Walker (Vodafone and RH, chair of SA3 of 3GPP), Invited talk at Eurocrypt

45 Magic Sim A smart design of the MAGIC SIM can now solve problems for people who own several mobile numbers. With the MAGIC SIM, you can integrate all your mobile numbers in only one card. The operating process is very easy, with the software and the manual provided, you will be able to operate it and switch it to the number or network that you wish. This way, the problem of changing SIM cards and paying large amount of phone bill will both be avoided. With an exclusive look up table, Magic Sim can make 100% successful in cracking COMP128-1 SIM cards. Currently Magic Sim is planning to develop COMP128 V2 cracking algorithm for future applications.

46 GSM System $420, GSM Interceptor Pro An advanced monitoring system designed to intercept GSM cellular traffic. It is the most sophisticated - advanced state of the art equipment of its kind. It is custom made to certain specifications according to the cellular system in your country. Features The system can target specific numbers or randomly screen GSM mobile Communication. Conversations are monitored and logged simultaneously to voice and data logger for storage and retrieval. Works with identificators IMSI, TMSI, IMEI, and MSISDN.

47 GSM Interceptor Pro Encryption Modes: A5/2 cooperation with network operator is not needed, the system works in real time. A5/1 If cooperation with network operator is possible, the system works in real time. If cooperation with network operator is not possible but there is an access to mobile phone, information can be extracted directly from SIM card, Extraction time 15 Min., SIM card scanner should be added to the system. With special hardware and software module A5/1 Decoder the interceptor works without cooperation with network operator. Item: 4001-D.

48 Spyphone The Cellular Spy Phone may look like a regular Nokia Cellular phone, however this Super technology goes beyond its standard capabilities. It operates as a normal cellular phone - but when the phone is called in on a special "Spy" mode (from anywhere in the world). It will automatically answer without any ringing or lights coming on and the display stays the same as if it is on a "Standby Mode". While on the "Standby mode" it will pickup the sounds nearby and transmit them back to you (the caller). Great for surveillance and covert operations.

49 Weaknesses in GSM authentication
- Active attacks by network node not taken seriously
- Unilateral authentication: network not authenticated
- Session key freshness provided only by network
  - session key replay by network possible
- IMSI Catching
- Encryption algorithm in use selected by BSS
- When to authenticate, or if authenticate at all, decided by the serving network

50 Barkan-Biham-Keller Attack (2003)
Exploits weaknesses in cryptographic algorithms:
- A5/2 can be instantly broken
AND other fundamental flaws in the GSM security system:
- A5/2 mandatory feature in handsets
- Call integrity based on an (weak) encryption algorithm
- The same Kc is used in different algorithms
- Attacker can force the victim MS to use the same Kc by RAND replay
Two types of attacks:
1. Decryption of encrypted call using ciphertext only
  - Catch a RAND and record the call encrypted with Kc and A5/3
  - Replay the RAND and tell the MS to use A5/2
  - Analyse Kc from the received encrypted uplink signal
2. Call hi-jacking
  - Relay RAND to victim MS and tell it to use A5/2
  - Analyse Kc from the received signal encrypted by the victim MS
  - Take Kc into use and insert your own call on the line

51 Proposed Countermeasure
Amendment to the GSM security architecture: Special RANDs
- RAND is the only variable information sent from Home to MS in the authentication
- Divide the space of all 128-bit RANDs into different classes with respect to which encryption algorithm is allowed to be used with the Kc derived from this RAND.
  - 32-bit flag to indicate to the MS that a special RAND is in use
  - 16 bits to indicate which algorithms out of 8 GSM (and ECSD) and 8 GPRS encryption algorithms are allowed to be used with the key derived from this special RAND
- Effective RAND reduced from 128 bits to 80 bits. Remains to be judged if acceptable.
- Special RANDs triggered by the visited network identity. Requires careful configuration in the HLR/AuC.
- Solution assumes that HLR gets the correct VLR identifier.

52 Lesson 4: Cryptography in UMTS
Outline:
- Authentication and Key Agreement
- Encryption Algorithm in UMTS
  - KASUMI
  - Pseudorandomness by construction
  - Distinguishing attacks
  - Nonlinearity in KASUMI
- KASUMI in UMTS integrity algorithm
Reference: Valtteri Niemi, Kaisa Nyberg. UMTS Security. Wiley & Sons, Chichester

53 [Diagram labels: VLR/SGSN; AuC; IMSI; RAND; K; SQN; XRES; AUTN; CK; IK; the vector RAND, AUTN, XRES, CK, IK]

54 [Diagram labels: UE; VLR/SGSN; RAND, AUTN; K; SQN; RES; CK; IK]
- UE checks whether the SQN is big enough
- VLR/SGSN checks whether RES = XRES

55 AuC
[Diagram labels: Generate; AMF; SQN; RAND; K; f1, f2, f3, f4, f5; MAC; XRES; CK; IK; AK]

56 Authentication function in UMTS: MILENAGE
[Diagram labels: RAND; OP_C; E_K; SQN, AMF; rotate by r1 to r5; c1 to c5; outputs f1, f1*, f5, f2, f3, f4, f5*]

57 [Diagram labels: COUNT, BEARER, DIRECTION; CK; KASUMI; BLKCTR = 0, 1, 2, ..., n; KS[0]...KS[63], KS[64]...KS[127], KS[128]...KS[191]]
CT[i] = PT[i] XOR KS[i]

58 [Figure: KASUMI - the first draft]

59 [Figure: Fig. 1: KASUMI; Fig. 2: FO Function; Fig. 3: FI Function; Fig. 4: FL Function. Legend: bitwise AND operation; bitwise OR operation; one bit left rotation]

60 KASUMI
[Figure: Fig. 1: KASUMI; Fig. 2: FO Function; Fig. 3: FI Function; Fig. 4: FL Function. Legend: bitwise AND operation; bitwise OR operation; one bit left rotation]

61 Adversary model for distinguishability
- Deterministic adaptive adversary with q queries
[Diagram: adversary with memory Y_0, Y_1, ..., Y_{i-1}; X_0 fixed, Y_0 = (X_0), i = 1, ..., q-1; query X_i goes to the oracle (black box), response Y_i comes back]

62 Distinguisher
- Perfect random family of functions *= {F*: V_n → V_m} is a set of all functions drawn uniformly at random
- Remark: To code an element in * takes m·2^n bits = entropy of F*
- Let be any set of functions = {F: V_n → V_m} with a certain probability distribution
- A distinguisher is an algorithm which takes the queries and oracle responses as input and gives 0 or 1 as output
[Diagram: inputs X_0, X_1, ..., X_{q-1} and Y_0, Y_1, ..., Y_{q-1}; output 0 or 1]

63 Distinguishing advantage
- Advantage of an adversary using distinguisher is defined as
  ADV = Pr ( outputs 1 implements *) Pr ( outputs 1 implements )
- Oracle first selects the set of functions, and then the function from the set according to the probability distribution.
- If ADV is small we say that is indistinguishable from *.

64 Luby-Rackoff (1988)
- How to construct pseudorandom permutations V_{2n} → V_{2n} given three random functions F_1*, F_2*, F_3*: V_n → V_n
- also known as Feistel network
- used in the DES encryption algorithm
- pseudorandom = indistinguishable from random
[Diagram: three Feistel rounds with F_1*, F_2*, F_3*]

65 Pseudorandomness of Kasumi

66 Distinguisher of three-round structure
- the xor of the right outputs is independent of b!
- distinguisher makes use of four chosen plaintext pairs: (a,b) and (a,b) (a,b ) and (a,b )
[Diagram labels: a; b; F_1; F_2; F 1 (a) F 2 (b) b; F 1 (a ) F 2 (b) b]

67 [Figure: Fig. 1: KASUMI, an eight-round Feistel network; Fig. 2: FO Function; Fig. 3: FI Function; Fig. 4: FL Function. Legend: bitwise AND operation; bitwise OR operation; one bit left rotation]

68 Pseudorandomness of Kasumi
- Luby-Rackoff approach allows constructions of large pseudorandom functions starting from smaller random functions.
- Distinguishing attacks are just one type (although a very general type) of cryptanalytic attacks.
- Other strong analysis methods:
  - Differential cryptanalysis (Biham - Shamir 1989)
  - Linear cryptanalysis (Matsui 1993)
- Theorem (Nyberg-Knudsen 1993): If a function F: V_n → V_n has small differential probabilities, then the four round Feistel network V_{2n} → V_{2n} has small differential probabilities, and is therefore resistant against differential cryptanalysis. If F is bijective then three rounds is sufficient.
- If F is bijective, then distinguishing attacks are still possible up to five rounds!

69 5 round Feistel network with bijective F
[Diagram labels: F bijection; five rounds of F; differences α, 0, β, γ]

70 Kasumi substitution boxes
- The approach proposed by Nyberg-Knudsen (1993) is to select the small initial functions to have optimal linearity and differential properties.
- Kasumi functions are
  - x → x^5 in GF(2^9)
  - x → x^81 in GF(2^7)
- Note: The same approach was adopted in the design of the new AES encryption standard (Rijndael), which has eight small substitution transformations defined as x → x^-1 in GF(2^8)

71 Non-linearity and Correlation
- Definition: Correlation of two Boolean functions f and g is defined as
  $\mathrm{corr}(f, g) = 2^{-n} \left( \#\{x \mid f(x) = g(x)\} - \#\{x \mid f(x) \neq g(x)\} \right) = 2^{-n} \sum_x (-1)^{f(x) \oplus g(x)} = 2^{-n} \, \widehat{f \oplus g}(0)$
  where the Walsh transform is defined as
  $\hat{h}(w) = \sum_x (-1)^{h(x) \oplus w \cdot x}$
- Definition: Linearity of Boolean function f is defined as
  $\Lambda_f = \max_w |\hat{f}(w)|$
- f is said to be perfect nonlinear if $\Lambda_f = 2^{n/2}$. Then n must be even.

72 Nonlinearity results and open problems
- Problem: What is $\min \Lambda_f$ when f is a balanced Boolean function of n variables? It is known that $\min \Lambda_f < 2^{(n+1)/2}$, for n 29 (Patterson-Wiedemann 1983).
- Definition: Linearity of a function $f: V_n \to V_m$ is defined as $\Lambda_f = \max_{u,w} |\widehat{u \cdot f}(w)|$.
- Theorem: If $f: V_n \to V_n$ is a bijection, then $\min \Lambda_f = 2^{(n+1)/2}$ and it can be achieved if and only if n is odd. Such f has a three-valued Walsh transform.
- Examples: Functions f: x → x^3, f: x → x^5 and f: x → x^81 in GF(2^n) (considered as Boolean functions) have minimum linearity $2^{(n+1)/2}$, for n odd.
- H. Dobbertin (1997, 1999), T. Helleseth (1998, 1999) investigated the following related problem: For which exponent d is the function f(x) = x^d in GF(2^n) almost perfect nonlinear?
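An added example (not from the original slides) that computes the linearity of the KASUMI power functions x^5 in GF(2^9) and x^81 in GF(2^7) with a fast Walsh transform, and compares them with x^-1 (= x^254) in GF(2^8). The reduction polynomials x^7+x+1 and x^9+x^4+1 are assumptions of this example (the slides name none; linearity does not depend on the choice), 0x11B is the AES polynomial, and the maximum is taken over non-zero output masks u.

```python
def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n); poly is the reduction polynomial incl. the x^n term."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r


def gf_pow(x, e, n, poly):
    """x^e in GF(2^n) by square-and-multiply (0^e = 0 for e > 0)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n, poly)
        x = gf_mul(x, x, n, poly)
        e >>= 1
    return r


def walsh(signs):
    """Fast Walsh-Hadamard transform of a +1/-1 list: entry w is
    sum over x of signs[x] * (-1)^(w.x)."""
    a = list(signs)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = a[j] + a[j + h], a[j] - a[j + h]
        h *= 2
    return a


def parity(v):
    return bin(v).count("1") & 1


def linearity(n, poly, exponent):
    """Return (max |Walsh value|, sorted absolute Walsh values) of
    f(x) = x^exponent over all component functions u.f with u != 0."""
    table = [gf_pow(x, exponent, n, poly) for x in range(1 << n)]
    spectrum = set()
    for u in range(1, 1 << n):
        transformed = walsh([1 - 2 * parity(u & y) for y in table])
        spectrum.update(abs(v) for v in transformed)
    return max(spectrum), sorted(spectrum)


if __name__ == "__main__":
    cases = [
        ("x^81 in GF(2^7)", 7, 0x83, 81),
        ("x^5  in GF(2^9)", 9, 0x211, 5),
        ("x^-1 in GF(2^8)", 8, 0x11B, 254),
    ]
    for name, n, poly, e in cases:
        lam, values = linearity(n, poly, e)
        print(f"{name}: linearity {lam}, |Walsh| values {values}")
```

For the two odd-degree fields the result is the minimum 2^((n+1)/2) with only the absolute values 0 and 2^((n+1)/2), which is the three-valued Walsh transform named in the theorem; for n = 8 the inverse mapping reaches 32.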

73 Linearity and elliptic curve point counting
- Elliptic curve y^2 + y = bx^3 + ax over the field GF(2^n), where n is odd.
- The number of points of the curve is = #{x | Tr(bx^3 + ax) = 0} = 1 + 2[2^(n-1) + ½ f(a,b)] = 1 + 2^n ± 2^((n+1)/2) or = 1 + 2^n, where f(a,b) = b f(a) and f: x → x^3 in GF(2^n).

74 Integrity function f9
[Diagram labels: COUNT, FRESH, MESSAGE[0]...MESSAGE[63]; MESSAGE[64]...MESSAGE[127]; final message block padded with Method 2; IK; KASUMI; MAC (left 32 bits)]

75 Conclusion
- An example of industrial cryptography presented
- Generic cryptographic principles discussed
  - distinguishability and pseudorandomness
  - constructions of pseudorandom functions
  - nonlinearity properties
  - constructions of nonlinear functions
- Design of KASUMI block cipher discussed
  - based on MISTY design (Matsui, 1997)
  - nonlinearity as basic design principle
  - pseudorandomness for KASUMI structure proved later (2001)
- Use of KASUMI in UMTS encryption function f8 and integrity function f9 presented


More information

EFFICIENT MECHANISM FOR THE SETUP OF UE-INITIATED TUNNELS IN 3GPP-WLAN INTERWORKING. 1. Introduction

EFFICIENT MECHANISM FOR THE SETUP OF UE-INITIATED TUNNELS IN 3GPP-WLAN INTERWORKING. 1. Introduction Trends in Mathematics Information Center for Mathematical Sciences Volume 8, Number 1, June, 2005, Pages 77 85 EFFICIENT MECHANISM FOR THE SETUP OF -INITIATED TUNNELS IN 3GPP-WLAN INTERWORKING SANG UK

More information

CS 161 Computer Security

CS 161 Computer Security Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be

More information

CSC 774 Network Security

CSC 774 Network Security CSC 774 Network Security Topic 2. Review of Cryptographic Techniques CSC 774 Dr. Peng Ning 1 Outline Encryption/Decryption Digital signatures Hash functions Pseudo random functions Key exchange/agreement/distribution

More information

Network Encryption 3 4/20/17

Network Encryption 3 4/20/17 The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Wireless LAN Security Slide from 2 nd book 1 802.11 Wireless LAN Security Stations in LAN are connected physically while in WLAN any station in the radio range is connected, so

More information

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802. WEP Weakness Csci388 Wireless and Mobile Security Access Control:, EAP, and Xiuzhen Cheng cheng@gwu.edu 1. IV is too short and not protected from reuse 2. The per packet key is constructed from the IV,

More information

3GPP security. Valtteri Niemi 3GPP SA3 (Security) chairman Nokia

3GPP security. Valtteri Niemi 3GPP SA3 (Security) chairman Nokia 3GPP security Valtteri Niemi 3GPP SA3 (Security) chairman Nokia 1 Some history and background 2 Some history 1/2 SA3 took over the responsibility of specifications created by ETSI SMG10, e.g. TS 43.020

More information

T Cryptography and Data Security

T Cryptography and Data Security T-79.159 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Kaufman et al: Ch 11.6; 9.7-9; Stallings:

More information

Chapter 6. Stream Cipher Design

Chapter 6. Stream Cipher Design Chapter 6. Stream Cipher Design 1 Model for Secure Communications and Attacks 2 Shannon's Theory on Perfect Secrecy and Product Cryptosystems (self reading, Stinson s book, or Chapters 1 and 2 in Stalling's

More information

New mobile phone algorithms a real world story

New mobile phone algorithms a real world story New mobile phone algorithms a real world story Steve Babbage 17 February 2011 1 LTE algorithms, for SKEW 2011 C1 - Unrestricted Standards groups 2 LTE algorithms, for SKEW 2011 C1 - Unrestricted First

More information

Chapter 17. Wireless Network Security

Chapter 17. Wireless Network Security Chapter 17 Wireless Network Security IEEE 802.11 IEEE 802 committee for LAN standards IEEE 802.11 formed in 1990 s, to develop a protocol & transmission specifications for wireless LANs (WLANs) Demand

More information

Request for Comments: Cisco Systems January 2006

Request for Comments: Cisco Systems January 2006 Network Working Group Request for Comments: 4186 Category: Informational H. Haverinen, Ed. Nokia J. Salowey, Ed. Cisco Systems January 2006 Status of This Memo Extensible Authentication Protocol Method

More information

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect

More information

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs) Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (receiver) Fran

More information

Information Security CS526

Information Security CS526 Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for

More information

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

More information

A Review of 3G-WLAN Interworking

A Review of 3G-WLAN Interworking A Review of 3G-WLAN Interworking B.Bindusha Reddy #, Dr Syed Umar *, M.Satya Anusha & *Assistant. Professor, Department of ECM, KL University, A.P., INDIA. #, & Student, Department of ECM, KL University,

More information

Network Security Chapter 8

Network Security Chapter 8 Network Security Chapter 8 Cryptography Symmetric-Key Algorithms Public-Key Algorithms Digital Signatures Management of Public Keys Communication Security Authentication Protocols Email Security Web Security

More information

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS Ulrike Meyer, Susanne Wetzel Darmstadt University of Technology, Department of Computer

More information

Secure Initial Access Authentication in WLAN

Secure Initial Access Authentication in WLAN International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 13 (2014), pp. 1299-1303 International Research Publications House http://www. irphouse.com Secure Initial

More information

Communication and Distributed Systems Seminar on : LTE Security. By Anukriti Shrimal May 09, 2016

Communication and Distributed Systems Seminar on : LTE Security. By Anukriti Shrimal May 09, 2016 Communication and Distributed Systems Seminar on : LTE Security By Anukriti Shrimal May 09, 2016 LTE network with interfaces LTE Security 2 Contents LTE Security : Why, What, How EPS Architecture Design

More information

05 - WLAN Encryption and Data Integrity Protocols

05 - WLAN Encryption and Data Integrity Protocols 05 - WLAN Encryption and Data Integrity Protocols Introduction 802.11i adds new encryption and data integrity methods. includes encryption algorithms to protect the data, cryptographic integrity checks

More information

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities Wireless Security Comp Sci 3600 Security Outline 1 2 3 Wired versus wireless Endpoint Access point Figure 24.1 Wireless Networking Components Locations and types of attack Outline 1 2 3 Wired Equivalent

More information

Wireless Network Security Spring 2015

Wireless Network Security Spring 2015 Wireless Network Security Spring 2015 Patrick Tague Class #7 More WiFi Security 2015 Patrick Tague 1 Class #7 Continuation of WiFi security 2015 Patrick Tague 2 Device Private WiFi Networks AP Local AAA

More information

Winter 2011 Josh Benaloh Brian LaMacchia

Winter 2011 Josh Benaloh Brian LaMacchia Winter 2011 Josh Benaloh Brian LaMacchia Symmetric Cryptography January 20, 2011 Practical Aspects of Modern Cryptography 2 Agenda Symmetric key ciphers Stream ciphers Block ciphers Cryptographic hash

More information

Summary on Crypto Primitives and Protocols

Summary on Crypto Primitives and Protocols Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance

More information

NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks

NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks NS-AKA: An Improved and Efficient AKA Protocol for 3G (UMTS) Networks Neetesh Saxena, Narendra S. Chaudhari Abstract- In this paper, we propose an improved and efficient AKA protocol named NS-AKA to prevent

More information

IEEE i and wireless security

IEEE i and wireless security Blog IEEE 802.11i and wireless security David Halasz 8/25/2004 10:00 PM EDT 0 comments post a comment Tweet Share 1 2 IEEE's wireless security amendment adds stronger encryption, authentication, and key

More information

Key Management in Ad-Hoc Networks

Key Management in Ad-Hoc Networks Key Management in Ad-Hoc Networks Jukka Valkonen Helsinki University of Technology Laboratory for Theoretical Computes Science jukka.valkonen@tkk.fi Abstract. Key management is crucial part of security

More information

3GPP TS V4.0.0 ( )

3GPP TS V4.0.0 ( ) TS 35.205 V4.0.0 (2001-04) Technical Specification 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3G Security; Specification of the MILENAGE Algorithm Set:

More information

Wireless LAN Security. Gabriel Clothier

Wireless LAN Security. Gabriel Clothier Wireless LAN Security Gabriel Clothier Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group

More information

Private Identification, Authentication and Key Agreement Protocol with Security Mode Setup

Private Identification, Authentication and Key Agreement Protocol with Security Mode Setup Private Identification, Authentication and Key Agreement Protocol with Security Mode Setup Farshid Farhat, Somayeh Salimi, Ahmad Salahi ICT Security Faculty Iran Telecommunication Research Centre Tehran,

More information

Secure 3G user authentication in ad-hoc serving networks

Secure 3G user authentication in ad-hoc serving networks Louisiana State University LSU Digital Commons LSU Master's Theses Graduate School 2005 Secure 3G user authentication in ad-hoc serving networks Lyn L. Evans Louisiana State University and Agricultural

More information

IEEE WiMax Security

IEEE WiMax Security IEEE 80.6 WiMax Security Dr. Kitti Wongthavarawat Thai Computer Emergency Response Team (ThaiCERT) National Electronics and Computer Technology Center Thailand Presented at 7 th Annual FIRST Conference,

More information

CSC/ECE 774 Advanced Network Security

CSC/ECE 774 Advanced Network Security Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;

More information

CSE 127: Computer Security Cryptography. Kirill Levchenko

CSE 127: Computer Security Cryptography. Kirill Levchenko CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified

More information

EXAM IN TTM4137 WIRELESS SECURITY

EXAM IN TTM4137 WIRELESS SECURITY English Norwegian University of Science and Technology Department of Telematics EXAM IN TTM4137 WIRELESS SECURITY Contact person: Professor Danilo Gligoroski. (Tel. 95089319). Date of exam: December 04,

More information

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any

More information

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24 Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable for authentication of sender Lecturers: Mark D. Ryan and David Galindo.

More information

Cryptography 2017 Lecture 3

Cryptography 2017 Lecture 3 Cryptography 2017 Lecture 3 Block Ciphers - AES, DES Modes of Operation - ECB, CBC, CTR November 7, 2017 1 / 1 What have seen? What are we discussing today? What is coming later? Lecture 2 One Time Pad

More information

Securing Your Wireless LAN

Securing Your Wireless LAN Securing Your Wireless LAN Pejman Roshan Product Manager Cisco Aironet Wireless Networking Session Number 1 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP

More information

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009 Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2 Meru Networks Revision Date: June 24, 2009 Copyright Meru Networks 2008. May be reproduced only in its original entirety

More information

Wireless Security Security problems in Wireless Networks

Wireless Security Security problems in Wireless Networks Wireless Security Security problems in Wireless Networks Security of Wireless Networks Wireless networks are everywhere more and more electronic devices are becoming wireless However, ensuring security

More information

Wireless Network Security Spring 2016

Wireless Network Security Spring 2016 Wireless Network Security Spring 2016 Patrick Tague Class #7 WiFi Security 1 Announcements Please do HW#2 in using the stable OMNET++ 4.6, not the beta version. Porting has proven difficult... Form project

More information

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas

page 1 Introduction to Cryptography Benny Pinkas Lecture 3 November 18, 2008 Introduction to Cryptography, Benny Pinkas Introduction to Cryptography Lecture 3 Benny Pinkas page 1 1 Pseudo-random generator Pseudo-random generator seed output s G G(s) (random, s =n) Deterministic function of s, publicly known G(s) = 2n Distinguisher

More information

Technological foundation

Technological foundation Technological foundation Carte à puce et Java Card 2010-2011 Jean-Louis Lanet Jean-louis.lanet@unilim.fr Cryptology Authentication Secure upload Agenda Cryptology Cryptography / Cryptanalysis, Smart Cards

More information

Goals of Modern Cryptography

Goals of Modern Cryptography Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

2 Overview of existing cipher mode setting procedure

2 Overview of existing cipher mode setting procedure 3GPP TSG SA WG3 Security SA3#33 S3-040262 10-14 May 2004 Beijing, China Source: Title: Document for: Agenda Item: Vodafone Analysis of the authenticated GSM cipher command mechanism Discussion and decision

More information

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE

More information

Data Integrity & Authentication. Message Authentication Codes (MACs)

Data Integrity & Authentication. Message Authentication Codes (MACs) Data Integrity & Authentication Message Authentication Codes (MACs) Goal Ensure integrity of messages, even in presence of an active adversary who sends own messages. Alice (sender) Bob (reciever) Fran

More information

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder. Outline 18-759: Wireless Networks Lecture 10: 802.11 Management Peter Steenkiste Departments of Computer Science and Electrical and Computer Engineering Spring Semester 2016 http://www.cs.cmu.edu/~prs/wirelesss16/

More information

WAP Security. Helsinki University of Technology S Security of Communication Protocols

WAP Security. Helsinki University of Technology S Security of Communication Protocols WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis 3. 2 13.57 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research,

More information

Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection

Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection Author: Jing-Lin Wu, Wen-Shenq Juang and Sian-Teng Chen Department of Information Management, Shih Hsin University,

More information

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology Question Bank Subject: Information Security (160702) Class: BE Sem. VI (CE/IT) Unit-1: Conventional

More information

Wireless Security i. Lars Strand lars (at) unik no June 2004

Wireless Security i. Lars Strand lars (at) unik no June 2004 Wireless Security - 802.11i Lars Strand lars (at) unik no June 2004 802.11 Working Group 11 of IEEE 802 'Task Groups' within the WG enhance portions of the standard: 802.11 1997: The IEEE standard for

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 14: Folklore, Course summary, Exam requirements Ion Petre Department of IT, Åbo Akademi University 1 Folklore on

More information

Security. Communication security. System Security

Security. Communication security. System Security Security Communication security security of data channel typical assumption: adversary has access to the physical link over which data is transmitted cryptographic separation is necessary System Security

More information

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography Principles of Information Security, Fourth Edition Chapter 8 Cryptography Learning Objectives Upon completion of this material, you should be able to: Chronicle the most significant events and discoveries

More information

Secure and Authentication Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography.

Secure and Authentication Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography. Secure and Authentication Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography T K Mohanta 1, R K Samantaray 2, S Panda 3 1. Dept.of Electronics & Communication.Engg, Sudhananda Engg & Research

More information

Solutions to exam in Cryptography December 17, 2013

Solutions to exam in Cryptography December 17, 2013 CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that

More information

Feedback Week 4 - Problem Set

Feedback Week 4 - Problem Set 4/26/13 Homework Feedback Introduction to Cryptography Feedback Week 4 - Problem Set You submitted this homework on Mon 17 Dec 2012 11:40 PM GMT +0000. You got a score of 10.00 out of 10.00. Question 1

More information

An IBE Scheme to Exchange Authenticated Secret Keys

An IBE Scheme to Exchange Authenticated Secret Keys An IBE Scheme to Exchange Authenticated Secret Keys Waldyr Dias Benits Júnior 1, Routo Terada (Advisor) 1 1 Instituto de Matemática e Estatística Universidade de São Paulo R. do Matão, 1010 Cidade Universitária

More information

: Practical Cryptographic Systems March 25, Midterm

: Practical Cryptographic Systems March 25, Midterm 650.445: Practical Cryptographic Systems March 25, 2010 Instructor: Matthew Green Midterm Name: As with any exam, please do not collaborate or otherwise share information with any other person. You are

More information

ETSI TS V3.1.0 ( )

ETSI TS V3.1.0 ( ) ETSI TS 133 103 V3.1.0 (2000-01) Technical Specification Universal Mobile Telecommunications System (UMTS); 3G Security; Integration Guidelines (3G TS 33.103 version 3.1.0 Release 1999) (3G TS 33.103 version

More information

Upgrade of Bluetooth Encryption and Key Replay Attack

Upgrade of Bluetooth Encryption and Key Replay Attack Upgrade of Bluetooth Encryption and Key Replay Attack Kaarle Ritvanen and Kaisa Nyberg Nokia Research Center Helsinki, Finland {kaarle.ritvanen,kaisa.nyberg}@nokia.com Abstract After adoption of the Advanced

More information

Encryption. INST 346, Section 0201 April 3, 2018

Encryption. INST 346, Section 0201 April 3, 2018 Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:

More information

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Data Security and Privacy. Topic 14: Authentication and Key Establishment Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt

More information

From wired internet to ubiquitous wireless internet

From wired internet to ubiquitous wireless internet WlanSmartcard.org Technical Committee Wireless LAN A primer guide. Paris, February 5 th Pascal.Urien@enst.fr From wired internet to ubiquitous wireless internet 1 Classical intranet. Network access is

More information

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015 Defeating IMSI Catchers Fabian van den Broek et al. CCS 2015 Ren-Jay Wang CS598 - COMPUTER SECURITY IN THE PHYSICAL ckground 3GPP 3GPP 3 rd Generation Partnership Project Encompasses: GSM and related 2G

More information

WPA Passive Dictionary Attack Overview

WPA Passive Dictionary Attack Overview WPA Passive Dictionary Attack Overview TakehiroTakahashi This short paper presents an attack against the Pre-Shared Key version of the WPA encryption platform and argues the need for replacement. What

More information

Security in IEEE Networks

Security in IEEE Networks Security in IEEE 802.11 Networks Mário Nunes, Rui Silva, António Grilo March 2013 Sumário 1 Introduction to the Security Services 2 Basic security mechanisms in IEEE 802.11 2.1 Hidden SSID (Service Set

More information

David Wetherall, with some slides from Radia Perlman s security lectures.

David Wetherall, with some slides from Radia Perlman s security lectures. David Wetherall, with some slides from Radia Perlman s security lectures. djw@cs.washington.edu Networks are shared: Want to secure communication between legitimate participants from others with (passive

More information

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018 Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.

More information

Cryptanalysis. Ed Crowley

Cryptanalysis. Ed Crowley Cryptanalysis Ed Crowley 1 Topics Cryptanalysis History Modern Cryptanalysis Characterization of Cryptanalysis Attacks Attack Types 2 Cryptanalysis Science of cracking ciphers and codes, decoding secrets,

More information

Stream Ciphers An Overview

Stream Ciphers An Overview Stream Ciphers An Overview Palash Sarkar Indian Statistical Institute, Kolkata email: palash@isicalacin stream cipher overview, Palash Sarkar p1/51 Classical Encryption Adversary message ciphertext ciphertext

More information

Symmetric Encryption 2: Integrity

Symmetric Encryption 2: Integrity http://wwmsite.wpengine.com/wp-content/uploads/2011/12/integrity-lion-300x222.jpg Symmetric Encryption 2: Integrity With material from Dave Levin, Jon Katz, David Brumley 1 Summing up (so far) Computational

More information