SAGE Activity Report 2023
Chair: Patrik Ekdahl, Ericsson
Responsible for specifying cryptographic algorithms for telecommunications standards.
Our Security Algorithms Group of Experts (SAGE) Special Committee responds to the needs of other ETSI committees for cryptographic algorithms as well as organizations with whom ETSI has a formal relationship, including other European standards bodies. In particular it specifies authentication, encryption and key agreement mechanisms for a range of different standardized technologies.
In recent years most of the group’s work has been for mobile telephone standards – the Global System for Mobile Communication (GSM™), the General Packet Radio Service (GPRS), the Universal Mobile Telecommunications System (UMTS™), Long Term Evolution (LTE™), and most recently 5G – all radio technologies specified by the Third Generation Partnership Project (3GPP™). Indeed, all the standardized 3GPP-specific security algorithms in 3G, 4G and 5G mobile telecommunications, as well as more recent 2G algorithms, have been specified by SAGE.
In 2023 the group’s activity has focused on a request by 3GPP SA3 to develop 256-bit algorithms for 5G. This spans new radio interface encryption and integrity algorithms for use in both user plane traffic (data) and control plane traffic. Providing long-term resistance to possible future quantum computing attacks in 5G systems, these same 256-bit algorithms could also be potentially retrofitted to previous-generation mobile systems if required. Specifically, the requirement has been to accommodate a 256-bit secret master key and to produce 256-bit session keys.
This work has culminated in the completion of a new Authentication and Key Agreement (AKA) algorithm for 3GPP. The new algorithm was finished during the summer and was submitted to ETSI Office for further distribution to the 3GPP SA3 group.
SAGE has provided two instantiations of the cryptographic kernel, leading to two variations of MILENAGE-256 as follows:
• MILENAGE-256-R, based on the Rijndael block cipher with 256-bit key- and block-size.
• MILENAGE-256-A, based on the AES block cipher with 256-bit key-size (and standard 128-bit block-size).
Conceptually, the new algorithm represents a ‘scaled-up’ version of the original MILENAGE, where Rijndael-256-256 acts a drop-in replacement for AES-128. This version gives the best performance.
The MILENAGE-256-A design was added mainly to meet SA3 requirements on the possibility to re-use an existing AES implementation. To simultaneously meet the demanding requirements on an overall 256-bit security level, while relying on a 128-bit output-size primitive, the cryptographic kernel by necessity gets somewhat more complex. SAGE chose a construction based on the so call Message Digest with Permutation and Hirose compression (MDPH) construction.
Both variants are also accompanied by formal security proofs, showing indistinguishability from a random function. Quantitatively, the security bounds established allows an attacker to make close to 2^128 chosen queries to a black-box implementation of MILENAGE-256 without leaking information about the long term key. A noteworthy improvement is that the MAC-functions (f1/f1*) are now also included in this proof.