Tech-invite3GPPspaceIETFspace
21222324252627282931323334353637384‑5x

Content for  TR 35.909  Word version:  18.0.0

Top   Top   Up   Prev   None
0…   2…
2 References3 Abbreviations4 Structure of this report5 Background to the design and evaluation work6 Summary of algorithm requirements7 Design criteria8 The 3GPP MILENAGE algorithms9 Rationale for the chosen design10 Evaluation11 Conclusions$ Change History

 

2  Referencesp. 6

3  Abbreviationsp. 7

4  Structure of this reportp. 8

5  Background to the design and evaluation workp. 8

6  Summary of algorithm requirementsp. 9

6.1  General requirements for 3GPP cryptographic functions and algorithmsp. 9

6.2  Authentication and key agreement functionsp. 9

6.2.1  Implementation and operational considerationsp. 9

6.2.2  Type of algorithmp. 9

6.2.2.1  f1p. 9

6.2.2.2  f1*p. 10

6.2.2.3  f2p. 10

6.2.2.4  f3p. 10

6.2.2.5  f4p. 10

6.2.2.6  f5p. 10

6.2.2.7  f5*p. 10

7  Design criteriap. 11

7.1  Cryptographic Criteriap. 11

7.2  Implementation Criteriap. 11

7.3  The need for an Operator Variant Algorithm Configuration Fieldp. 11

7.4  Criteria for the cryptographic kernelp. 11

7.4.1  Implementation and operational considerationsp. 12

7.4.2  Functional requirementsp. 12

7.4.3  Types and parameters for the kernelp. 12

8  The 3GPP MILENAGE algorithmsp. 13

9  Rationale for the chosen designp. 13

9.1  Block ciphers vs. hash functionsp. 13

9.2  The choice of Rijndaelp. 14

9.3  The MILENAGE architecturep. 15

9.3.1  Use of OPp. 15

9.3.2  Rotations and constantsp. 15

9.3.3  Protection against side-channel attacksp. 15

9.3.4  The number of kernel operationsp. 15

9.3.5  Mode of operationp. 15

10  Evaluationp. 16

10.1  Evaluation criteriap. 16

10.2  Operational Contextp. 17

10.3  Analysisp. 17

10.3.1  A formal proof of the soundness of the f2-f5* constructionp. 17

10.3.2  On the f1-f1* construction and its separation from f2-f5*p. 19

10.3.2.1  Soundness of the f1-f1* constructionp. 19

10.3.2.2  Separation between f1-f1* and f2-f5*p. 19

10.3.3  Investigation of forgery or distinguishing attacks with 264 queriesp. 20

10.3.3.1  An internal collision attack against f1 (or f1*)p. 20

10.3.3.2  Forgery or distinguishing attacks against combinations of several modesp. 20

10.3.3.2.1  Attacks against combinations of f2-f5p. 21
10.3.3.2.2  Attacks against combinations of f1-f1* and f2-f5*p. 21

10.3.3.3  Conclusion about the identified forgery or distinguishing attacksp. 21

10.4  Statistical evaluationp. 22

10.5  Published attacks on Rijndaelp. 22

10.6  Complexity evaluationp. 23

10.6.1  Complexity of draft Rijndael implementationp. 23

10.6.2  Estimate complexity of modesp. 23

10.6.3  Estimate of total MILENAGEp. 23

10.6.4  SPA/DPA, Timing attack countermeasuresp. 23

10.6.5  Conclusion on algorithm complexityp. 24

10.7  External complexity evaluationsp. 24

10.8  Evaluation of side channel attacksp. 25

10.8.1  Evaluation of the kernel algorithmp. 25

10.8.1.1  Timing Attacksp. 25

10.8.1.2  Simple Power Analysisp. 25

10.8.1.3  Differential Power Analysisp. 25

10.8.1.4  Other side channelsp. 26

10.8.2  Evaluation of the f1-f5 modesp. 26

10.8.2.1  Operator Constants (OP or OPc)p. 26

10.8.2.2  Rotations and constantsp. 26

10.8.3  Conclusion on side channel attacksp. 26

11  Conclusionsp. 27

$  Change Historyp. 28

Up   Top