3GPP Publishes Specifications for New High-Performance 256-Bit Algorithms

[John Preuß Mattsson]

Hi,

3GPP has published specifications for its new high-performance 256-bit algorithms NEA4/5/6, NIA4/5/6, and NCA4/5/6, designed by ETSI SAGE. The algorithms are specified in TS 33.240–33.248. The detailed algorithm definitions are provided in 33.240 [1], 33.243 [2], and 33.246 [3]. With the exception of IV/nonce formation, all other design details were already publicly available in [4].

Publishing and presenting GCM-SST [4] in CFRG and at NIST was very successful. Lindell observed that, without replay protection, the security of GCM-SST reduces to that of standard GCM. Subsequent work by Inoue, Jha, Mennink, Minematsu, Naito, Sasaki, and Sugawara established single- and multi-key security bounds for the construction. I plan to submit an updated version of [4] and request CFRG adoption.

I believe both GCM-SST [4] and SNOW 5G [5] are of interest for IETF protocols. Assuming a sufficiently large key size such that brute-force key-recovery attacks are negligible, the expected number of successful forgeries against a strong integrity mechanism should, for practical values of v, be approximately v/2^t, where v is the number of forgery attempts and t is the tag length. This is achieved by GCM-SST. SNOW 5G in GCM-SST mode offers performance comparable to AES-GCM on modern CPUs, while providing significantly higher efficiency than AES-GCM in hardware implementations. In hardware, SNOW 5G can achieve throughput rates above 1 Tbps with substantial energy savings compared to AES. This makes it particularly suitable for hardware-oriented protocols such as IPsec and MACsec.

Historically, 3GPP/ETSI SAGE algorithms such as MILENAGE and SNOW 3G were published by GSMA in the UK. France has now implemented the Wassenaar Arrangement’s mass-market exemption, and 3GPP and ETSI are planning to publish additional algorithm specifications, including the original ETSI SAGE specifications. I am very pleased that the IETF and NIST have taken a strong stance against paywalled cryptography. Ericsson has now removed all paywalled cryptography from our internal recommendations, and we are strongly against the use of paywalled cryptography in new specifications in all SDOs.

Cheers,

John Preuß Mattsson

[1] Specification of the SNOW 5G based NEA4, NIA4, and NCA4

https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4220

[2] Specification of the AES-256 based NEA5, NIA5, and NCA5

https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4221

[3] Specification of the ZUC-256 based NEA6, NIA6, and NCA6

https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=4224

[4] Galois Counter Mode with Strong Secure Tags (GCM-SST)

https://www.ietf.org/archive/id/draft-mattsson-cfrg-aes-gcm-sst-18.html

[5] SNOW-Vi: An Extreme Performance Variant of SNOW-V for Lower Grade CPUs

https://eprint.iacr.org/2021/236.pdf

[6] Generic Security of GCM-SST

https://link.springer.com/chapter/10.1007/978-3-031-95764-2_14

[7] The Multi-user Security of GCM-SST and Further Enhancements

https://link.springer.com/chapter/10.1007/978-3-032-08124-7_3