We consider the 3GPP confidentiality and integrity schemes that were adopted by Universal Mobile Telecommunication System, an emerging standard for third generation wireless communications. The schemes, known as f8 and f9, are based on the block cipher KASUMI. Although previous works claim security proofs for f8 and f9′, where f9′ is a generalized version of f9, it was shown that these proofs are incorrect; it is impossible to prove f8 and f9′ secure under the standard PRP assumption on the underlying block cipher. Following the results, it was shown that it is possible to prove f8′ and f9′ secure if we make the assumption that the underlying block cipher is a secure PRP-RKA against a certain class of related-key attacks; here f8′ is a generalized version of f8. Needless to say, the assumptions here are stronger than the standard PRP assumptions, and it is natural to seek a practical way to modify f8′ and f9′ to establish security proofs under the standard PRP assumption. In this paper, we propose f8~+ and f9~+, slightly modified versions of f8′ and f9′, but they allow proofs of security under the standard PRP assumption. Our results are practical in the sense that we insist on the minimal modifications; f8~+ is obtained from f8′ by setting the key modifier to all-zero, and f9~+ is obtained from f9′ by setting the key modifier to all-zero, and using the encryptions of two constants in the CBC MAC computation.
展开▼
