KASUMI
KASUMI is a symmetric-key block cipher with a 64-bit block size and a 128-bit key length, designed specifically for use in 3GPP (Third Generation Partnership Project) standards to provide confidentiality and integrity protection in UMTS (Universal Mobile Telecommunications System) mobile networks.[1] It serves as the core primitive for the f8 stream cipher algorithm, which ensures confidentiality of user data and signaling, and the f9 message authentication code algorithm, which provides integrity protection against tampering.[2] Developed by the ETSI/SAGE (Security Algorithms Group of Experts) under the 3GPP framework, KASUMI employs an 8-round Feistel network structure derived from the earlier MISTY cipher family, incorporating alternating layers of linear diffusion (FL functions) and nonlinear mixing (FO functions that employ FI substitution layers) to achieve resistance against cryptanalytic attacks.[1] The cipher's design prioritizes efficiency for hardware implementation in resource-constrained mobile devices, with its key schedule generating round subkeys through a series of permutations and exclusive-OR operations on the master key.[1] KASUMI was standardized in the early 2000s as part of the transition from 2G to 3G security, replacing weaker algorithms like A5/1 in GSM networks while maintaining backward compatibility through variants such as A5/3.[2] Although it has faced some theoretical vulnerabilities, such as related-key attacks, no practical breaks have been demonstrated, and as of 2025, it remains integral to remaining legacy 3G deployments—though many networks are undergoing shutdowns—despite the shift toward AES-based algorithms in 4G and beyond.[1][3] Essential patents for KASUMI are held by Mitsubishi Electric Corporation, reflecting its origins in Japanese cryptographic research.[1]Overview and History
Design Origins and Development
KASUMI, a block cipher integral to 3GPP mobile security, originated as a modification of the MISTY1 cipher developed by Mitsuru Matsui at Mitsubishi Electric in 1997. MISTY1 was designed with provable security against differential and linear cryptanalysis, emphasizing hardware efficiency for embedded applications. In the late 1990s, the European Telecommunications Standards Institute (ETSI) Security Algorithms Group of Experts (SAGE) adapted MISTY1 to create KASUMI, tailoring it to the specific needs of the 3rd Generation Partnership Project (3GPP) for Universal Mobile Telecommunications System (UMTS) security. This derivation preserved MISTY1's core structure while incorporating adjustments for compatibility with international standards.[4][5][6] The primary design goals for KASUMI centered on delivering 64-bit security for both confidentiality (via algorithm f8) and integrity (via algorithm f9) in UMTS/3G networks, ensuring resistance to cryptanalytic attacks while optimizing for resource-constrained mobile devices. It was engineered to withstand workloads exceeding exhaustive key search, with an expected lifespan of over 20 years against emerging threats. Efficiency was paramount, targeting hardware implementations under 10,000 gates and encryption rates of approximately 2 Mbit/s at clock speeds above 20 MHz, making it suitable for low-power environments without compromising security margins. These objectives balanced provable security principles from MISTY1 with practical deployment constraints in global mobile infrastructure.[7][6] Development commenced in mid-August 1999 under the ETSI SAGE 3GPP Task Force, which evaluated several candidates including the original MISTY1 before selecting and refining KASUMI. The design and full specification documents were completed by mid-November 1999, followed by independent evaluations to verify security and performance. KASUMI was formally adopted by 3GPP in late 1999, with its initial specification outlined in 3GPP Technical Specification (TS) 35.202 (version 3.1.2, Release 1999, published August 2001). The standard has evolved through multiple revisions to address minor clarifications and compatibility updates, reaching version 19.0.0 in October 2025.[8][7][9][10] KASUMI's roots in MISTY1 also connect it to Japanese cryptographic standards, where MISTY1 was recommended by the CRYPTREC project for its robust design paradigm focused on higher-order differential security. Matsui's foundational work on MISTY1 influenced KASUMI's iterative Feistel-like structure, ensuring it met both European 3GPP requirements and the broader legacy of secure, efficient ciphers in constrained systems.[11][12][7]Specifications and Parameters
KASUMI is a block cipher that processes 64-bit input blocks to produce 64-bit output blocks under the control of a 128-bit key.[13] It employs an 8-round Feistel-like structure, making it suitable for symmetric encryption in resource-constrained devices.[13] The cipher forms the core of two standardized modes of operation within 3GPP security protocols: the f8 algorithm for confidentiality and the f9 algorithm for integrity.[14] The f8 mode functions as an output feedback (OFB)-like stream cipher, generating a 64-bit keystream by iteratively applying KASUMI to counter blocks derived from a frame sequence number, bearer identity, direction, and length; this keystream is then XORed with plaintext data blocks of variable length (up to 20,000 bits), with partial blocks truncated as needed.[14] In contrast, the f9 mode operates as a truncated CBC-MAC, processing padded input messages in 64-bit blocks through multiple KASUMI invocations with a modified key for the final round, yielding a 64-bit intermediate result from which the leftmost 32 bits serve as the message authentication code (MAC).[14] KASUMI is optimized for low-resource environments, such as those in mobile handsets and smart cards, through its simple key schedule and use of combinational logic for S-boxes, enabling efficient hardware implementations with minimal gate count and power consumption.[13] This design supports backward compatibility with the GSM A5/3 confidentiality algorithm, which employs a truncated 64-bit key version of KASUMI in OFB mode for voice and signaling encryption.[13] It also extends forward to GPRS and EDGE packet data services via the GEA3 algorithm, utilizing the full 128-bit key in the f8 mode for data confidentiality.[13]Key Schedule
Key Expansion Process
The key expansion in KASUMI derives a set of round subkeys from the 128-bit master key to support the cipher's eight rounds. The master key K is first unpacked into eight 16-bit words denoted K_1, K_2, ..., K_8. Each word K_j is then modified by XORing it with a fixed 16-bit constant C_j to produce K_j' for j = 1 to 8, where the constants are defined as C_1 = 0x0123, C_2 = 0x4567, C_3 = 0x89AB, C_4 = 0xCDEF, C_5 = 0xFEDC, C_6 = 0xBA98, C_7 = 0x7654, and C_8 = 0x3210. This initial XOR step introduces nonlinearity and helps diversify the subkey material.[1] For each round i = 1 to 8, the subkeys are generated using circular left rotations (denoted <<<) on the 16-bit words and modular indexing (with indices taken modulo 8, adjusted to 1-8 range). The 32-bit subkey KL_i for the FL/FL^{-1} functions is formed by concatenating two 16-bit parts: KL_{i,1} = K_i <<< 1 and KL_{i,2} = K'{i+2 \mod 8} (with indices cycling from 1 to 8). The 48-bit subkey KO_i for the FO function is composed of three 16-bit parts: KO{i,1} = K_{i+1 \mod 8} <<< 5, KO_{i,2} = K_{i+5 \mod 8} <<< 8, and KO_{i,3} = K_{i+6 \mod 8} <<< 13. Similarly, the 48-bit subkey KI_i for the FI functions within FO is formed as KI_{i,1} = K'{i+4 \mod 8}, KI{i,2} = K'{i+3 \mod 8}, and KI{i,3} = K'_{i+7 \mod 8}. All rotations are performed on 16-bit values.[1] The resulting subkeys—eight 32-bit KL_i, eight 48-bit KO_i, and eight 48-bit KI_i—are stored for use in the cipher rounds. This design ensures efficient key-dependent diffusion without requiring additional computations during encryption or decryption, while the fixed constants and rotations prevent simple related-key vulnerabilities. No explicit weak key checks are performed, as the structure inherently avoids known weak key classes through the derivation process.[1]Subkey Generation
In KASUMI, the subkey generation process assembles round-specific subkeys from the components derived in the key expansion phase, ensuring each of the eight rounds receives unique key material tailored to the FL and FO/FI functions. The 128-bit master key is first expanded into eight 16-bit values K_1, K_2, \dots, K_8 and their modified counterparts K_j' = K_j \oplus C_j (where C_j are fixed 16-bit constants), providing the basis for all subkeys. These components are then rotated and combined to form the per-round subkeys, with circular left shifts applied to promote diffusion and avoid predictable linear relationships between subkeys across rounds.[13] The subkey KL_i is a 32-bit value used in the FL function for each round i, assembled as the concatenation KL_i = KL_{i,1} || KL_{i,2}, where each part is 16 bits. Specifically, KL_{i,1} is obtained by rotating the appropriate K_j left by 1 bit, and KL_{i,2} uses the unmodified K_{j+2}' (indices modulo 8). Within the FL function, KL_i is split into these 16-bit parts for bitwise AND operations, with additional 16-bit rotations applied to the data inputs for further mixing. The subkeys KO_i and KI_i consist of two 48-bit values, each split into three 16-bit segments (KO_{i,1}, KO_{i,2}, KO_{i,3} and similarly for KI_i) for use in the FO function's three internal FI layers. The KO_i components incorporate left rotations by 5, 8, and 13 bits on selected K_j, while KI_i draws directly from the K_j' values without additional shifts. These rotations and selections prevent fixed linear approximations in the subkeys, contributing to the cipher's resistance against related-key attacks.[13] The following table summarizes the assembly of subkeys for each round i, based on the standardized mappings (indices cycle modulo 8, and <<< denotes left circular shift):| Subkey Component | Round 1 | Round 2 | Round 3 | Round 4 | Round 5 | Round 6 | Round 7 | Round 8 |
|---|---|---|---|---|---|---|---|---|
| KL_{i,1} | K_1 \lll 1 | K_2 \lll 1 | K_3 \lll 1 | K_4 \lll 1 | K_5 \lll 1 | K_6 \lll 1 | K_7 \lll 1 | K_8 \lll 1 |
| KL_{i,2} | K_3' | K_4' | K_5' | K_6' | K_7' | K_8' | K_1' | K_2' |
| KO_{i,1} | K_2 \lll 5 | K_3 \lll 5 | K_4 \lll 5 | K_5 \lll 5 | K_6 \lll 5 | K_7 \lll 5 | K_8 \lll 5 | K_1 \lll 5 |
| KO_{i,2} | K_6 \lll 8 | K_7 \lll 8 | K_8 \lll 8 | K_1 \lll 8 | K_2 \lll 8 | K_3 \lll 8 | K_4 \lll 8 | K_5 \lll 8 |
| KO_{i,3} | K_7 \lll 13 | K_8 \lll 13 | K_1 \lll 13 | K_2 \lll 13 | K_3 \lll 13 | K_4 \lll 13 | K_5 \lll 13 | K_6 \lll 13 |
| KI_{i,1} | K_5' | K_6' | K_7' | K_8' | K_1' | K_2' | K_3' | K_4' |
| KI_{i,2} | K_4' | K_5' | K_6' | K_7' | K_8' | K_1' | K_2' | K_3' |
| KI_{i,3} | K_8' | K_1' | K_2' | K_3' | K_4' | K_5' | K_6' | K_7' |
Algorithm Structure
Feistel Network Overview
KASUMI operates as an 8-round generalized Feistel cipher on 64-bit blocks. The input block is divided into two 32-bit halves, denoted as L_0 (left) and R_0 (right). The core data flow follows a balanced Feistel structure across the eight rounds. For each round i (where $1 \leq i \leq 8), the halves are updated as follows: R_i = L_{i-1}, L_i = R_{i-1} \oplus f_i(L_{i-1}, RK_i), where f_i denotes the round function parameterized by round-specific subkeys RK_i. This iterative swapping and XOR operation ensures that each bit influences both halves progressively, promoting avalanche effects. The round function f_i alternates between two forms to introduce structural irregularity: for odd-numbered rounds (1, 3, 5, 7), it employs f_i = \text{FO}(\text{FL}(L_{i-1}, KL_i), KO_i, KI_i); for even-numbered rounds (2, 4, 6, 8), it uses f_i = \text{FL}(\text{FO}(L_{i-1}, KO_i, KI_i), KL_i).[1][15] After the eighth round, the output is the 64-bit block L_8 || R_8. The overall transformation can be sketched as: \begin{align*} \text{Rounds 1-8:} &\quad R_i = L_{i-1}, \quad L_i = R_{i-1} \oplus f_i(L_{i-1}, RK_i) \end{align*} This structure balances security and efficiency, drawing from the MISTY1 design while adapting for hardware constraints in mobile systems.[1]Round Function Details
KASUMI employs a Feistel network with eight rounds, where each round processes a 64-bit block divided into two 32-bit halves, denoted as the left half L_{i-1} and the right half R_{i-1} entering round i. The update rule follows the standard Feistel construction: the new right half is set to the previous left half, R_i = L_{i-1}, while the new left half is the previous right half XORed with the output of the round function f_i applied to the previous left half, L_i = R_{i-1} \oplus f_i(L_{i-1}).[1] The round function f_i alternates between compositions involving the nonlinear FO function and the linear FL function, using round-specific subkeys derived from the 128-bit master key: 32-bit KL_i for FL, and 48-bit each KO_i and KI_i for FO. In odd-numbered rounds (i = 1, 3, 5, 7), FL is applied first to the 32-bit input L_{i-1} using KL_i, and the result is fed into FO using KO_i and KI_i, yielding f_i(L_{i-1}) = \text{FO}(\text{FL}(L_{i-1}, KL_i), KO_i, KI_i). Conversely, in even-numbered rounds (i = 2, 4, 6, 8), FO is applied first to L_{i-1} using KO_i and KI_i, followed by FL using KL_i, giving f_i(L_{i-1}) = \text{FL}(\text{FO}(L_{i-1}, KO_i, KI_i), KL_i). This alternation ensures a balanced integration of linear mixing and nonlinear diffusion across rounds.[1] After eight iterations, the final output is the 64-bit block L_8 || R_8. The subkeys KL_i, KO_i, and KI_i (for i=1 to $8) are generated via the key schedule, with the full process operating on the unmodified 64-bit plaintext input split into initial L_0 || R_0.[1]Core Components
FL Layering Function
The FL layering function serves as a key-dependent linear diffusion layer in the KASUMI block cipher, contributing to the mixing of bits within the Feistel network rounds. It processes a 32-bit input block alongside a 32-bit subkey derived from the overall 128-bit key schedule, utilizing only bitwise logical operations and rotations to ensure efficient implementation.[1] The input to the FL function is a 32-bit value I, treated as two 16-bit halves L (left, high-order bits) and R (right, low-order bits), so I = L \parallel R, and a 32-bit subkey \mathrm{KL}_i = \mathrm{KL}_{i,1} \parallel \mathrm{KL}_{i,2}, where each \mathrm{KL}_{i,j} is 16 bits. The computation is as follows: first, compute R' = R \oplus \mathrm{ROL}(L \land \mathrm{KL}_{i,1}, 1), where \land denotes bitwise AND, \oplus bitwise XOR, and ROL is left rotation by 1 bit. Then, L' = L \oplus \mathrm{ROL}(R' \lor \mathrm{KL}_{i,2}, 1), where \lor denotes bitwise OR. The output is L' \parallel R'.[1] This structure imparts an involutory property to the FL function, meaning it is its own inverse under the same subkey: applying FL twice returns the original input. The reliance on bit-level operations—primarily AND, OR, XOR, and single-bit rotations—optimizes the function for hardware efficiency, requiring minimal logic gates and no table lookups or arithmetic beyond bits. In KASUMI's round structure, FL alternates with the FO function to propagate changes across the 64-bit block.[1][16]FO Multiplicative Function
The FO function serves as the core nonlinear component of the KASUMI block cipher, operating on 32-bit inputs to provide substitution through S-boxes and diffusion via key-dependent mixing, ensuring that changes in input bits propagate widely across the output. It is designed to enhance security by integrating the key material directly into the transformation process, drawing from the MISTY architecture while optimizing for 3GPP mobile standards.[1] The input to the FO function is a 32-bit value denoted as I, partitioned into two 16-bit halves I = L_0 \parallel R_0. The function employs subkeys from the key schedule: 48-bit \mathrm{KO}_i = \mathrm{KO}_{i,1} \parallel \mathrm{KO}_{i,2} \parallel \mathrm{KO}_{i,3} and 48-bit \mathrm{KI}_i = \mathrm{KI}_{i,1} \parallel \mathrm{KI}_{i,2} \parallel \mathrm{KI}_{i,3}, where each \mathrm{KO}_{i,j} and \mathrm{KI}_{i,j} is 16 bits. This key-dependent design ensures that the transformation varies with the round subkeys, contributing to resistance against differential and linear cryptanalysis.[1] The structure of FO is a three-round unbalanced Feistel network using the FI function recursively. For j = [1](/page/1) to $3: compute R_j = \mathrm{FI}(L_{j-1} \oplus \mathrm{KO}_{i,j}, \mathrm{KI}_{i,j}) \oplus R_{j-1}, and set L_j = R_{j-1}. The output is the 32-bit value L_3 \parallel R_3. This recursive approach leverages the involutory property of FI for efficient computation while promoting avalanche effects across all 32 bits. Each FI call is key-dependent, receiving 16-bit subkeys \mathrm{KO}_{i,j} and \mathrm{KI}_{i,j} to modulate the nonlinear substitution and mixing within FI, thereby embedding the round key deeply into the computation. This construction provides robust nonlinear diffusion over the 32 bits, critical for KASUMI's overall security margin against known attacks.[1]FI Involutory Function
The FI function serves as the fundamental nonlinear component within the KASUMI block cipher, implementing substitution through S-boxes and key mixing via XOR operations, while incorporating diffusion through bit manipulations. It processes a 16-bit input divided into an upper 9-bit portion (L₀) and a lower 7-bit portion (R₀), along with a 16-bit subkey split into a 9-bit portion (KI_{i,j,2}) and a 7-bit portion (KI_{i,j,1}). This design forms a compact, unbalanced four-round Feistel network that contributes to KASUMI's overall resistance to cryptanalytic attacks by ensuring rapid mixing of data and key material.[1] The computation proceeds in four iterative steps, leveraging two specialized S-boxes: S₉ for 9-bit inputs and S₇ for 7-bit inputs. Auxiliary operations include zero-extension (ZE), which appends two zero bits to a 7-bit value to produce a 9-bit result, and truncation (TR), which discards the two most significant bits of a 9-bit value to yield a 7-bit result. The rounds are defined as:- Round 1: L₁ = R₀; R₁ = S₉(L₀) ⊕ ZE(R₀).
- Round 2: L₂ = R₁ ⊕ KI{i,j,2}; R₂ = S₇(L₁) ⊕ TR(R₁) ⊕ KI{i,j,1}.
- Round 3: L₃ = R₂; R₃ = S₉(L₂) ⊕ ZE(R₂).
- Round 4: L₄ = S₇(L₃) ⊕ TR(R₃); R₄ = R₃.
S-Box Definitions
KASUMI utilizes two substitution boxes, S7 and S9, within the FI function to introduce nonlinearity and confusion. These S-boxes are adaptations of the corresponding components from the MISTY1 block cipher, with adjustments made to bolster resistance against emerging cryptanalytic techniques during the 3GPP standardization process. S7 operates on 7-bit inputs to produce 7-bit outputs, while S9 handles 9-bit inputs and outputs. Although specified via lookup tables in the official documentation, their underlying construction leverages power functions defined over finite fields for efficient implementation and strong cryptographic characteristics.[18][12] The S7 S-box is realized through a 128-entry lookup table, where each entry maps an input value (0 to 127 in decimal) to an output. Representative values include:| Input (decimal) | Output (decimal) |
|---|---|
| 0 | 54 |
| 1 | 50 |
| 2 | 62 |
| 3 | 56 |
| 4 | 22 |
| 5 | 34 |
| 6 | 94 |
| 7 | 96 |
| Input (decimal) | Output (decimal) |
|---|---|
| 0 | 167 |
| 1 | 239 |
| 2 | 161 |
| 3 | 379 |
| 4 | 391 |
| 5 | 334 |
| 6 | 340 |
| 7 | 238 |