TS 55.251
Specification of the
GPRS Confidentiality and Integrity Algorithms GEA5 and GIA5 –
GEA5 and GIA5 Algorithm Specification
V18.0.0 (PDF)
2024/03 17 p.
V17.0.0
2022/03 17 p.
V16.0.0
2020/06 17 p.
V15.0.0
2018/06 17 p.
V14.0.1
2018/06 17 p.
V13.0.1
2018/06 17 p.
- Rapporteur:
- Mr. Evans, Tim P.
VODAFONE Group Plc
Content for TS 55.251 Word version: 18.0.0
0 Introduction
1 Scope
2 References
3 Definitions, symbols and abbreviations
4 Introductory information
5 Confidentiality algorithm GEA5
6 Integrity algorithm GIA5
A Mathematical background of some operations of the GIA5 Algorithm
B Implementation options for some operations of the GIA5 algorithm
C Figures of the GEA5 and GIA5 algorithms
D Simulation program listing
$ Change History
0 Introduction p. 5
This specification has been prepared by the 3GPP Task Force, and gives a detailed specification of the 3GPP confidentiality algorithm GEA5 and the 3GPP integrity algorithm GIA5.
This document is the first of three, which between them form the entire specification of the 3GPP confidentiality algorithm GEA5 and the 3GPP integrity algorithm GIA5:
- 3GPP TS 55.251: "Specification of the GEA5 and GIA5 encryption algorithms for GPRS; GEA5 and GIA4 algorithm specification".
- 3GPP TS 55.252: "Specification of the GEA5 and GIA5 encryption algorithms for GPRS; Implementers' test data".
- 3GPP TS 55.253: "Specification of the GEA5 and GIA5 encryption algorithms for GPRS; Design conformance test data".
1 Scope p. 6
The present document defines the technical details of the 3GPP confidential algorithm GEA5 and the 3GPP integrity algorithm GIA5.
2 References p. 6
The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
- References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
- For a specific reference, subsequent revisions do not apply.
- For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
3 Definitions, symbols and abbreviations p. 6
3.1 Definitions p. 6
For the purposes of the present document, the terms and definitions given in TR 21.905 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in TR 21.905.
(none)
3.2 Symbols p. 6
For the purposes of the present document, the following symbols apply:
=
The assignment operator.
⊕
The bitwise exclusive-OR operation.
||
The concatenation of the two operands.
KASUMI[x]k
The output of the KASUMI algorithm applied to input value x using the key k.
X[i]
The ith bit of the variable X. (X = X[0] || X[1] || X[2] || …).
Yi
The ith block of the variable Y. (Y = Y0 || Y1 || Y2 || …).
ceiling(x)
The smallest integer greater than or equal to the real number x.
&n
The bitwise AND operation in an n-bit register.
<<n t
t-bit left shift in an n-bit register.
>>n t
t-bit right shift in an n-bit register.
3.3 Abbreviations p. 7
For the purposes of the present document, the abbreviations given in TR 21.905 and the following apply. An abbreviation defined in the present document takes precedence over the definition of the same abbreviation, if any, in TR 21.905.
CBC-MAC
Cipher Block Chaining Message Authentication Code
MAC
Message Authentication Code
4 Introductory information p. 7
4.1 Introduction p. 7
The confidentiality algorithm GEA5 is a stream cipher that is used to encrypt/decrypt blocks of data under a confidentiality key KC128. The block of data may be between 1 and 65536 octets long. The algorithm uses SNOW 3G [2] as a keystream generator.
The integrity algorithm GIA5 computes a 32-bit MAC (Message Authentication Code) of a given input message using an integrity key KI128. The approach adopted uses SNOW 3G.
4.2 Notation p. 7
4.2.1 Radix p. 7
The prefix "0x" indicates hexadecimal numbers.
4.2.2 Conventions p. 7
The assignment operator "=", as used in several programming languages.
<variable> = <expression>
means that <variable> assumes the value that <expression> had before the assignment took place. For instance,
x = x + y + 3
means
(new value of x) becomes (old value of x) + (old value of y) + 3.
4.2.3 Bit/byte ordering p. 7
All data variables in this specification are presented with the most significant bit (or byte) on the left hand side and the least significant bit (or byte) on the right hand side. Where a variable is broken down into a number of sub-strings, the left most (most significant) sub-string is numbered 0, the next most significant is numbered 1 and so on through to the least significant.
For example an n-bit MESSAGE is subdivided into 64-bit substrings MB0, MB1 … MBi so if the message is:
0x0123456789ABCDEFFEDCBA987654321086545381AB594FC28786404C50A37…
then:
MB0 = 0x0123456789ABCDEF
MB1 = 0xFEDCBA9876543210
MB2 = 0x86545381AB594FC2
MB3 = 0x8786404C50A37…
In binary this is:
000000010010001101000101011001111000100110101011110011011110111111111110…
with
MB0 = 0000000100100011010001010110011110001001101010111100110111101111
MB1 = 1111111011011100101110101001100001110110010101000011001000010000
MB2 = 1000011001010100010100111000000110101011010110010100111111000010
MB3 = 1000011110000110010000000100110001010000101000110111…
4.3 List of variables p. 8
CONSTANT-F
a 32-bit parameter which is constant for any given FRAMETYPE input.
DIRECTION
the 1-bit input to both the GEA5 and GIA5 functions indicating the direction of transmission (uplink or downlink).
FRAMETYPE
an 8-bit input to the GEA5 and GIA5 functions indicating the type of frame to be protected.
INPUT
the 32-bit time variant input to the GEA5 function
INPUT-I
the 32-bit time variant input to the GIA5 function
KC128
the 128-bit confidentiality key.
KI128
the 128-bit integrity key.
KS[i]
the ith bit of keystream produced by the keystream generator.
L
the number of 32-bit words of SNOW 3G keystream that are generated by GEA5 (equal to ceiling(M/4) ).
LENGTH
a 64 bit parameter defined within GIA5 which specifies the number of bits of message to be MAC'd (equal to 8 times M).
M
the input to the GEA5 function which specifies the number of octets of output required (1-65536); also the input to the GIA5 function which specifies the number of octets of message to be MAC'd (1-65536).
MAC
the 32-bit message authentication code (MAC) produced by the integrity function GIA5.
MESSAGE
the input bitstream of LENGTH bits that is to be processed by the GIA5 function.
OUTPUT
the output octets from the GEA5 function.
S1, S2, …
a sequence of 64-bit words derived from MESSAGE and LENGTH which is used within GIA5 to construct the MAC
z1, z2, …
the 32-bit words forming the keystream sequence of SNOW 3G. The word produced first is z1, the next word z2 and so on.
5 Confidentiality algorithm GEA5 p. 9
5.1 Introduction p. 9
The confidentiality algorithm GEA5 is a stream cipher that encrypts/decrypts blocks of data between 1 and 65536 octets in length.
5.2 Inputs and outputs p. 9
The inputs to the algorithm are given in Table 5.2.1, the output in Table 5.2.2:
| Parameter | Size (bits) | Comment |
|---|---|---|
| INPUT | 32 | Frame dependent input INPUT[0]…INPUT[31] |
| DIRECTION | 1 | Direction of transmission DIRECTION[0] |
| FRAMETYPE | 8 | Input value signifying the type of frame to be protected |
| KC128 | 128 | Confidentiality key KC128[0]….KC128[127] |
| M | The number of octets of output required in the range 1 to 65536 inclusive |
| Parameter | Size (bits) | Comment |
|---|---|---|
| OUTPUT | 8M | Keystream octets OUTPUT{0}….OUTPUT{M-1} |
5.3 Components and architecture p. 9
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
5.4 Initialisation p. 9
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
5.5 Keystream generation p. 9
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
5.6 Output octets p. 9
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
6 Integrity algorithm GIA5 p. 10
6.1 Introduction p. 10
The integrity algorithm GIA5 computes a Message Authentication Code (MAC) on an input message under an integrity key KI128. The message may be between 1 and 65536 octets long.
For ease of implementation the algorithm is based on the same stream cipher (SNOW 3G) [2] as is used by the confidentiality algorithm GEA5.
6.2 Inputs and outputs p. 10
The inputs to the algorithm are given in Table 6.2.1, the output in Table 6.2.2:
| Parameter | Size (bits) | Comment |
|---|---|---|
| INPUT-I | 32 | Frame dependent input INPUT-I[0]…INPUT-I[31] |
| M | The length of MESSAGE in octets (1-65536) | |
| MESSAGE | 8M | Input octet stream MESSAGE{0}….MESSAGE{M-1} |
| DIRECTION | 1 | Direction of transmission DIRECTION[0] |
| FRAMETYPE | 8 | Input value signifying the type of frame to be protected |
| KI128 | 128 | Integrity key KI128[0]…KI128[127] |
| Parameter | Size (bits) | Comment |
|---|---|---|
| MAC | 32 | Message authentication code MAC[0]…MAC[31] |
6.3 Components and architecture p. 10
6.3.1 SNOW 3G p. 10
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
6.3.2 MULx p. 10
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
6.3.3 MULxPOW p. 10
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
6.3.4 MUL p. 10
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
6.4 Initialization p. 11
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
6.5 Calculation p. 11
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
A Mathematical background of some operations of the GIA5 Algorithm p. 12
A.1 The function EVAL_S p. 12
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
A.2 The function MUL(V, P, c) p. 12
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
B Implementation options for some operations of the GIA5 algorithm p. 13
B.1 Overview p. 13
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
B.2. Procedure Pre_Mul_P
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
B.2 Procedure Pre_Mul_P p. 13
B.3 Function Mul_P p. 13
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
C Figures of the GEA5 and GIA5 algorithms p. 14
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
D Simulation program listing p. 15
D.1 GEA5 p. 15
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
D.2 GIA5 p. 15
This clause only available under licence.
See http://www.etsi.org/about/what-we-do/security-algorithms-and-codes/cellular-algorithm-licences.
$ Change History p. 16
