KASUMI

from Wikipedia, the free encyclopedia

KASUMI is a block cipher that serves as a building block for cryptographic algorithms used in GSM and UMTS mobile networks. KASUMI is used in the stream ciphers A5/3 and A5/4 (GSM) as well as GEA3 and GEA4 (GPRS) to encrypt communication over a radio link and thus guarantee confidentiality. In the UMTS network, KASUMI is used to generate all keys for authentication and encryption. For example, the algorithm serves as a component of a message authentication code to ensure the integrity of data.

KASUMI is a modification of MISTY1, as the name suggests: kasumi is the Japanese word for "fog; haze", and misty is English for "foggy; hazy". The developers of KASUMI made MISTY1 faster and more hardware-friendly. In addition, the key management was simplified and some internal parameters were changed. As a result, KASUMI is prone to related-key attacks.

Cryptanalysis

In 2001 an “impossible differential” attack against six rounds of the KASUMI cipher was presented by Ulrich Kühn.

In 2003 Elad Barkan, Eli Biham and Nathan Keller presented a man-in-the-middle attack against GSM that made it possible to bypass the A5/3 encryption algorithm. This is an attack against the GSM protocol, not against KASUMI itself. A longer version of the paper was published in 2006. Further details are provided in the section on security deficits in the article GSM.

In 2005 a "related-key boomerang" and a "related-key rectangle" attack against KASUMI were presented. Both are faster than brute force. The related-key rectangle attack requires 2^54.6 chosen plaintexts, each of which must be encrypted under one of four related keys. This attack has a time complexity of 2^76.1 KASUMI encryptions, which is too high for the attack to be practical. The related-key boomerang attack targets the first six rounds of KASUMI and recovered 16 bits of the key with only 768 chosen plaintexts and ciphertexts. The paper questions the statements of the 3GPP experts regarding the security of KASUMI and recommends a review of the security of the 3GPP protocols.

In 2010 a much more practical attack was presented by Orr Dunkelman, Nathan Keller, and Adi Shamir. The "sandwich" attack enables an attacker to extract the entire 128-bit key. First, a distinguisher is applied to the first seven of the eight rounds; the last round is then analyzed. This requires four related keys and complexities of 2^56 data, 2^30 (approx. 1 GB) of memory and 2^32 of time. In simulations on an Intel Core Duo T7200 with 2 GB of RAM, the attack completed in less than 112 minutes in 50% of the tests. In contrast to KASUMI, no attack faster than brute force, with a complexity of 2^128, is known against the reference algorithm MISTY. The paper shows that KASUMI is a much weaker algorithm than MISTY. However, no statement can be made about the effectiveness of the attacks against the implementation of KASUMI in the A5/3 algorithm for GSM networks.

References

  1. Orr Dunkelman, Nathan Keller, Adi Shamir: A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony. (PDF; 243 kB) January 10, 2010, accessed on February 5, 2014.
  2. Ulrich Kühn: Cryptanalysis of Reduced Round MISTY. In: Advances in Cryptology - EUROCRYPT 2001.
  3. Elad Barkan, Eli Biham, Nathan Keller: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. (PDF; 240 kB) Journal of Cryptology, Volume 21, Issue 3, March 2008, pages 392-429. January 10, 2003, accessed on February 5, 2014.
  4. Elad Barkan, Eli Biham, Nathan Keller: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. (PDF; 351 kB) July 2006, accessed on February 5, 2014.
  5. Eli Biham, Orr Dunkelman, Nathan Keller: A Related-Key Rectangle Attack on the Full KASUMI. (PS; 265 kB) Advances in Cryptology - ASIACRYPT 2005. (No longer available online.) December 2005, archived from the original on October 11, 2013; accessed on February 5, 2014.