Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3
Identifieur interne : 000E71 ( Hal/Corpus ); précédent : 000E70; suivant : 000E72Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3
Auteurs : Thomas Fuhr ; Henri Gilbert ; Jean-René Reinhard ; Marion VideauSource :
Abstract
In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery at- tack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2. We then briefly analyse the tweaked version of the al- gorithm that was introduced in January 2011 to circumvent this attack. We give some evidence that while this new version offers a provable re- sistance against similar forgery attacks under the assumption that (key, IV) pairs are never reused by any legitimate sender or receiver, some of its design features limit its resilience against IV reuse.
Url:
DOI: 10.1007/978-3-642-28496-0
Links to Exploration step
Hal:inria-00619235Le document en format XML
<record><TEI><teiHeader><fileDesc><titleStmt><title xml:lang="en">Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3</title><author><name sortKey="Fuhr, Thomas" sort="Fuhr, Thomas" uniqKey="Fuhr T" first="Thomas" last="Fuhr">Thomas Fuhr</name><affiliation><hal:affiliation type="laboratory" xml:id="struct-167155" status="VALID"><orgName>Laboratoire de cryptographie de l'ANSSI</orgName><orgName type="acronym">LCR</orgName><desc><address><addrLine>51 boulevard de La Tour-Maubourg 75007 Paris</addrLine><country key="FR"></country></address><ref type="url">http://www.ssi.gouv.fr/</ref></desc><listRelation><relation active="#struct-325006" type="direct"></relation></listRelation><tutelles><tutelle active="#struct-325006" type="direct"><org type="institution" xml:id="struct-325006" status="INCOMING"><orgName>Agence nationale de la sécurité des systèmes d'information</orgName><desc><address><country key="FR"></country></address></desc></org></tutelle></tutelles></hal:affiliation></affiliation></author><author><name sortKey="Gilbert, Henri" sort="Gilbert, Henri" uniqKey="Gilbert H" first="Henri" last="Gilbert">Henri Gilbert</name><affiliation><hal:affiliation type="laboratory" xml:id="struct-167155" status="VALID"><orgName>Laboratoire de cryptographie de l'ANSSI</orgName><orgName type="acronym">LCR</orgName><desc><address><addrLine>51 boulevard de La Tour-Maubourg 75007 Paris</addrLine><country key="FR"></country></address><ref type="url">http://www.ssi.gouv.fr/</ref></desc><listRelation><relation active="#struct-325006" type="direct"></relation></listRelation><tutelles><tutelle active="#struct-325006" type="direct"><org type="institution" xml:id="struct-325006" status="INCOMING"><orgName>Agence nationale de la sécurité des systèmes d'information</orgName><desc><address><country key="FR"></country></address></desc></org></tutelle></tutelles></hal:affiliation></affiliation></author><author><name sortKey="Reinhard, Jean Rene" sort="Reinhard, Jean Rene" uniqKey="Reinhard J" first="Jean-René" last="Reinhard">Jean-René Reinhard</name><affiliation><hal:affiliation type="laboratory" xml:id="struct-167155" status="VALID"><orgName>Laboratoire de cryptographie de l'ANSSI</orgName><orgName type="acronym">LCR</orgName><desc><address><addrLine>51 boulevard de La Tour-Maubourg 75007 Paris</addrLine><country key="FR"></country></address><ref type="url">http://www.ssi.gouv.fr/</ref></desc><listRelation><relation active="#struct-325006" type="direct"></relation></listRelation><tutelles><tutelle active="#struct-325006" type="direct"><org type="institution" xml:id="struct-325006" status="INCOMING"><orgName>Agence nationale de la sécurité des systèmes d'information</orgName><desc><address><country key="FR"></country></address></desc></org></tutelle></tutelles></hal:affiliation></affiliation></author><author><name sortKey="Videau, Marion" sort="Videau, Marion" uniqKey="Videau M" first="Marion" last="Videau">Marion Videau</name><affiliation><hal:affiliation type="laboratory" xml:id="struct-167155" status="VALID"><orgName>Laboratoire de cryptographie de l'ANSSI</orgName><orgName type="acronym">LCR</orgName><desc><address><addrLine>51 boulevard de La Tour-Maubourg 75007 Paris</addrLine><country key="FR"></country></address><ref type="url">http://www.ssi.gouv.fr/</ref></desc><listRelation><relation active="#struct-325006" type="direct"></relation></listRelation><tutelles><tutelle active="#struct-325006" type="direct"><org type="institution" xml:id="struct-325006" status="INCOMING"><orgName>Agence nationale de la sécurité des systèmes d'information</orgName><desc><address><country key="FR"></country></address></desc></org></tutelle></tutelles></hal:affiliation></affiliation></author></titleStmt><publicationStmt><idno type="wicri:source">HAL</idno><idno type="RBID">Hal:inria-00619235</idno><idno type="halId">inria-00619235</idno><idno type="halUri">https://hal.inria.fr/inria-00619235</idno><idno type="url">https://hal.inria.fr/inria-00619235</idno><idno type="doi">10.1007/978-3-642-28496-0</idno><date when="2011-08-11">2011-08-11</date><idno type="wicri:Area/Hal/Corpus">000E71</idno></publicationStmt><sourceDesc><biblStruct><analytic><title xml:lang="en">Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3</title><author><name sortKey="Fuhr, Thomas" sort="Fuhr, Thomas" uniqKey="Fuhr T" first="Thomas" last="Fuhr">Thomas Fuhr</name><affiliation><hal:affiliation type="laboratory" xml:id="struct-167155" status="VALID"><orgName>Laboratoire de cryptographie de l'ANSSI</orgName><orgName type="acronym">LCR</orgName><desc><address><addrLine>51 boulevard de La Tour-Maubourg 75007 Paris</addrLine><country key="FR"></country></address><ref type="url">http://www.ssi.gouv.fr/</ref></desc><listRelation><relation active="#struct-325006" type="direct"></relation></listRelation><tutelles><tutelle active="#struct-325006" type="direct"><org type="institution" xml:id="struct-325006" status="INCOMING"><orgName>Agence nationale de la sécurité des systèmes d'information</orgName><desc><address><country key="FR"></country></address></desc></org></tutelle></tutelles></hal:affiliation></affiliation></author><author><name sortKey="Gilbert, Henri" sort="Gilbert, Henri" uniqKey="Gilbert H" first="Henri" last="Gilbert">Henri Gilbert</name><affiliation><hal:affiliation type="laboratory" xml:id="struct-167155" status="VALID"><orgName>Laboratoire de cryptographie de l'ANSSI</orgName><orgName type="acronym">LCR</orgName><desc><address><addrLine>51 boulevard de La Tour-Maubourg 75007 Paris</addrLine><country key="FR"></country></address><ref type="url">http://www.ssi.gouv.fr/</ref></desc><listRelation><relation active="#struct-325006" type="direct"></relation></listRelation><tutelles><tutelle active="#struct-325006" type="direct"><org type="institution" xml:id="struct-325006" status="INCOMING"><orgName>Agence nationale de la sécurité des systèmes d'information</orgName><desc><address><country key="FR"></country></address></desc></org></tutelle></tutelles></hal:affiliation></affiliation></author><author><name sortKey="Reinhard, Jean Rene" sort="Reinhard, Jean Rene" uniqKey="Reinhard J" first="Jean-René" last="Reinhard">Jean-René Reinhard</name><affiliation><hal:affiliation type="laboratory" xml:id="struct-167155" status="VALID"><orgName>Laboratoire de cryptographie de l'ANSSI</orgName><orgName type="acronym">LCR</orgName><desc><address><addrLine>51 boulevard de La Tour-Maubourg 75007 Paris</addrLine><country key="FR"></country></address><ref type="url">http://www.ssi.gouv.fr/</ref></desc><listRelation><relation active="#struct-325006" type="direct"></relation></listRelation><tutelles><tutelle active="#struct-325006" type="direct"><org type="institution" xml:id="struct-325006" status="INCOMING"><orgName>Agence nationale de la sécurité des systèmes d'information</orgName><desc><address><country key="FR"></country></address></desc></org></tutelle></tutelles></hal:affiliation></affiliation></author><author><name sortKey="Videau, Marion" sort="Videau, Marion" uniqKey="Videau M" first="Marion" last="Videau">Marion Videau</name><affiliation><hal:affiliation type="laboratory" xml:id="struct-167155" status="VALID"><orgName>Laboratoire de cryptographie de l'ANSSI</orgName><orgName type="acronym">LCR</orgName><desc><address><addrLine>51 boulevard de La Tour-Maubourg 75007 Paris</addrLine><country key="FR"></country></address><ref type="url">http://www.ssi.gouv.fr/</ref></desc><listRelation><relation active="#struct-325006" type="direct"></relation></listRelation><tutelles><tutelle active="#struct-325006" type="direct"><org type="institution" xml:id="struct-325006" status="INCOMING"><orgName>Agence nationale de la sécurité des systèmes d'information</orgName><desc><address><country key="FR"></country></address></desc></org></tutelle></tutelles></hal:affiliation></affiliation></author></analytic><idno type="DOI">10.1007/978-3-642-28496-0</idno></biblStruct></sourceDesc></fileDesc><profileDesc><textClass></textClass></profileDesc></teiHeader><front><div type="abstract" xml:lang="en">In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery at- tack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2. We then briefly analyse the tweaked version of the al- gorithm that was introduced in January 2011 to circumvent this attack. We give some evidence that while this new version offers a provable re- sistance against similar forgery attacks under the assumption that (key, IV) pairs are never reused by any legitimate sender or receiver, some of its design features limit its resilience against IV reuse.</div></front></TEI><hal api="V3"><titleStmt><title xml:lang="en">Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3</title><author role="aut"><persName><forename type="first">Thomas</forename><surname>Fuhr</surname></persName><email></email><idno type="halauthor">638790</idno><affiliation ref="#struct-167155"></affiliation></author><author role="aut"><persName><forename type="first">Henri</forename><surname>Gilbert</surname></persName><email></email><idno type="halauthor">174014</idno><affiliation ref="#struct-167155"></affiliation></author><author role="aut"><persName><forename type="first">Jean-René</forename><surname>Reinhard</surname></persName><email></email><idno type="halauthor">638791</idno><affiliation ref="#struct-167155"></affiliation></author><author role="aut"><persName><forename type="first">Marion</forename><surname>Videau</surname></persName><email>marion.videau@loria.fr</email><idno type="halauthor">638792</idno><affiliation ref="#struct-167155"></affiliation><affiliation ref="#struct-119560"></affiliation></author><editor role="depositor"><persName><forename>Marion</forename><surname>Videau</surname></persName><email>marion.videau@loria.fr</email></editor></titleStmt><editionStmt><edition n="v1" type="current"><date type="whenSubmitted">2012-02-29 20:32:27</date><date type="whenModified">2015-12-16 01:09:21</date><date type="whenReleased">2012-03-01 10:28:21</date><date type="whenProduced">2011-08-11</date><date type="whenEndEmbargoed">2012-02-29</date><ref type="file" target="https://hal.inria.fr/inria-00619235/document"><date notBefore="2012-02-29"></date></ref><ref type="file" subtype="author" n="1" target="https://hal.inria.fr/inria-00619235/file/forgery.pdf"><date notBefore="2012-02-29"></date></ref></edition><respStmt><resp>contributor</resp><name key="107760"><persName><forename>Marion</forename><surname>Videau</surname></persName><email>marion.videau@loria.fr</email></name></respStmt></editionStmt><publicationStmt><distributor>CCSD</distributor><idno type="halId">inria-00619235</idno><idno type="halUri">https://hal.inria.fr/inria-00619235</idno><idno type="halBibtex">fuhr:inria-00619235</idno><idno type="halRefHtml">Miri, Ali and Vaudenay, Serge. 18th International Workshop on Selected Areas in Cryptography SAC 2011, Aug 2011, Toronto, Canada. Springer, 7118, pp.230-242, 2011, Lecture Notes in Computer Science,; Selected Areas in Cryptography. <10.1007/978-3-642-28496-0></idno><idno type="halRef">Miri, Ali and Vaudenay, Serge. 18th International Workshop on Selected Areas in Cryptography SAC 2011, Aug 2011, Toronto, Canada. Springer, 7118, pp.230-242, 2011, Lecture Notes in Computer Science,; Selected Areas in Cryptography. <10.1007/978-3-642-28496-0></idno></publicationStmt><seriesStmt><idno type="stamp" n="CNRS">CNRS - Centre national de la recherche scientifique</idno><idno type="stamp" n="INRIA">INRIA - Institut National de Recherche en Informatique et en Automatique</idno><idno type="stamp" n="LORIA2">Publications du LORIA</idno><idno type="stamp" n="INRIA-NANCY-GRAND-EST">INRIA Nancy - Grand Est</idno><idno type="stamp" n="LORIA-ACGI" p="LORIA">Algorithmique, calcul, image et géométrie</idno><idno type="stamp" n="LORIA">LORIA - Laboratoire Lorrain de Recherche en Informatique et ses Applications</idno><idno type="stamp" n="UNIV-LORRAINE">Université de Lorraine</idno><idno type="stamp" n="INRIA-LORRAINE">INRIA Nancy - Grand Est</idno><idno type="stamp" n="INRIA_TEST">INRIA - Institut National de Recherche en Informatique et en Automatique</idno><idno type="stamp" n="LORIA-ALGO-TEST5">LORIA-ALGO-TEST5 </idno><idno type="stamp" n="INRIA2">INRIA 2</idno></seriesStmt><notesStmt><note type="audience" n="2">International</note><note type="invited" n="0">No</note><note type="popular" n="0">No</note><note type="peer" n="1">Yes</note><note type="proceedings" n="1">Yes</note></notesStmt><sourceDesc><biblStruct><analytic><title xml:lang="en">Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3</title><author role="aut"><persName><forename type="first">Thomas</forename><surname>Fuhr</surname></persName><idno type="halAuthorId">638790</idno><affiliation ref="#struct-167155"></affiliation></author><author role="aut"><persName><forename type="first">Henri</forename><surname>Gilbert</surname></persName><idno type="halAuthorId">174014</idno><affiliation ref="#struct-167155"></affiliation></author><author role="aut"><persName><forename type="first">Jean-René</forename><surname>Reinhard</surname></persName><idno type="halAuthorId">638791</idno><affiliation ref="#struct-167155"></affiliation></author><author role="aut"><persName><forename type="first">Marion</forename><surname>Videau</surname></persName><email>marion.videau@loria.fr</email><idno type="halAuthorId">638792</idno><affiliation ref="#struct-167155"></affiliation><affiliation ref="#struct-119560"></affiliation></author></analytic><monogr><meeting><title>18th International Workshop on Selected Areas in Cryptography SAC 2011</title><date type="start">2011-08-11</date><date type="end">2011-08-12</date><settlement>Toronto</settlement><country key="CA">Canada</country></meeting><editor>Miri, Ali and Vaudenay, Serge</editor><imprint><publisher>Springer</publisher><biblScope unit="serie"></biblScope><biblScope unit="volume">7118</biblScope><biblScope unit="pp">230-242</biblScope><date type="datePub">2011</date></imprint></monogr><idno type="doi">10.1007/978-3-642-28496-0</idno></biblStruct></sourceDesc><profileDesc><langUsage><language ident="en">English</language></langUsage><textClass><classCode scheme="halDomain" n="info.info-cr">Computer Science [cs]/Cryptography and Security [cs.CR]</classCode><classCode scheme="halTypology" n="COMM">Conference papers</classCode></textClass><abstract xml:lang="en">In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery at- tack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2. We then briefly analyse the tweaked version of the al- gorithm that was introduced in January 2011 to circumvent this attack. We give some evidence that while this new version offers a provable re- sistance against similar forgery attacks under the assumption that (key, IV) pairs are never reused by any legitimate sender or receiver, some of its design features limit its resilience against IV reuse.</abstract></profileDesc></hal></record>Pour manipuler ce document sous Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/Hal/Corpus
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 000E71 | SxmlIndent | more
Ou
HfdSelect -h $EXPLOR_AREA/Data/Hal/Corpus/biblio.hfd -nk 000E71 | SxmlIndent | more
Pour mettre un lien sur cette page dans le réseau Wicri
{{Explor lien
|wiki= Wicri/Lorraine
|area= InforLorV4
|flux= Hal
|étape= Corpus
|type= RBID
|clé= Hal:inria-00619235
|texte= Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3
}}
| This area was generated with Dilib version V0.6.33. |  |