An Efficient Reuse-Based Approach to Implement the 3GPP KASUMI ...

International Conference on Electrical and Electronics Engineering (ICEEE) and X Conference on Electrical Engineering (CIE 2004)

Acapulco, Guerrero; Mexico. September 8-10, 2004

An Efficient Reuse-Based Approach to Implement the 3GPP KASUMI Block Cipher Ren´e A. Cumplido-Parra Computer Science Department ´ Instituto Nacional de Astrof´ısica, Optica y Electr´onica Tonantzintla, Puebla. Postal Code: 72840, MEXICO

Tom´as Balderas-Contreras

Abstract— The KASUMI block cipher is found at the core of both the f8 data confidentiality algorithm and the f9 data integrity algorithm, which play an important role in the security architecture of modern third generation (3G) cellular communications networks. This paper describes a technique to design and implement the KASUMI block cipher using a principle based on the iteration over a minimum number of hardware components. The features of the technique include strategies to reduce and simplify KASUMI’s regular Feistel structure, the use of frequency division and the exploitation of the facilities provided by the implementation technology: Field Programmable Logic Array (FPGA). The result is a digital system that reaches a higher throughput with fewer resources.

I. INTRODUCTION The recent advances in the field of cellular communications have led to the appearance of the third generation of cellular communications technology (3G). 3G is concerned with the transmission of both data and voice at data rates never seen before in any other cellular system and the provision of sophisticated and advanced services. In addition, 3G also allows cellular networks to access IP-based networks like Virtual Private Networks and the Internet. The most successful and promising kind of 3G network is called Universal Mobile Telecommunications System (UMTS) and has been in use for some years. UMTS’ security architecture specifies that both its data confidentiality algorithm and its data integrity algorithm be based on a block cipher called KASUMI [2]. This paper presents an efficient FPGA implementation of this cipher that follows the principle of reusing components. A. The KASUMI block cipher KASUMI’s specifications were developed by the Third Generation Partnership Program (3GPP) consortium [1] based on previous work carried out for MISTY [6], an algorithm that has proven its security against the most advanced cryptanalysis techniques and is suitable for hardware implementation. KASUMI has a Feistel structure comprising eight rounds, operates on 64-bit data blocks, and the processing is controlled by a 128-bit encryption key K. Additionally, KASUMI has the following features derived from its Feistel nature: input plaintext is the input to the first round, ciphertext is the last round’s output, the encryption key is used to generate a set of round keys {KLi , KOi , KIi } for each round i, each round computes a different function as

IEEE Catalog Number: 04EX865 ISBN: 0-7803-8532-2 ©2004 IEEE

long as the round keys are different, and the same algorithm is used both for encryption and decryption. Figure 1 shows the structure and components of the KASUMI block cipher. For odd rounds the round-function is computed by applying the FL function followed by the FO function. For even rounds the FO function is applied before FL. FL, shown in figure 1d, is a 32-bit function made up of simple AND, OR, XOR and left rotation operations. FO, depicted in figure 1b, is also a 32-bit function having a threeround Feistel organization which contains one FI block per round. FI, see figure 1c, is a non-linear 16-bit function having itself a four-round Feistel structure; it is made up of two ninebit substitution boxes (S-boxes) and two seven-bit S-boxes. Figure 1c shows that data in the FI function flow along two different paths: a nine-bit long path (thick lines) and a sevenbit path (thin lines). Notice that in Feistel structures, such as the ones used in this algorithm, each round’s output is twisted before being applied as input to the following round. After completing eight rounds KASUMI produces a 64-bit long ciphertext block corresponding to the plaintext input block. B. Related work Several principles to implement a Feistel block cipher in hardware are described in [3]. The first choice is to implement only a small number N of rounds and then iterate over them, feeding back the output of the N th round to the input of the first round until the required number of rounds have been executed. Improvements to this technique include the addition of inner- and outer-round pipeline registers. The second scheme consists in unrolling the whole number of rounds and adding inner- and outer-round pipeline stages to the design. While the first strategy is aimed to be used when area restrictions are strong, the second strategy is used to reach the maximum throughput possible without space restrictions. The following proposals implement KASUMI using FPGAs and the reuse approach. The highest performance proposal in [4] implements a FO module having a four-stage inner-round pipeline and the rest of the logic needed to perform only one round. Eight iterations over these components, as well as 32 cycles, are needed in order to complete the block ciphering process. The system may process four blocks each iteration due to its pipelined design. The proposal in [5] that uses the reuse approach implements the logic to perform an odd round followed by an even round and

113

64 L0 32

R0 32 KL1

KO1 KI1

FL

FO

KO2 KI2

KL2

FO

FL

KL3

KO3 KI3

FL

FO

KO4 KI4

KL4

FO

FL

32 16

16 KOi,1

FIi1

16

KIi,1

9

7

S9 KL5

S7

KO5 KI5

KOi,2 FL

KIij1

FO

FIi2 KO6 KI6

KL6

FO

FL

KL7

KO7 KI7

FL

FO

KIij2 32

KL8

FO

FL

L8

S7

S9 KOi,3

16

16 KLi1

FIi3 KO8 KI8

KIi,2

KIi,3

AND