Lecture Notes in Computer Science vol:2887 pages:154-169
FSE 2003 date:February 24-26, 2003
The standardized integrity algorithm f9 of the 3GPP algorithm computes a MAC (Message Authentication Code) to establish the integrity and the data origin of the signalling data over a radio access link of W-CDMA IMT-2000. The function f9 is based on the block cipher KASUMI and it can be considered as a variant of CBC-MAC. In this paper we examine the provable security of f9. We prove that f9 is a secure pseudorandom function by giving a concrete bound on an adversary's inability to forge a MAC value in terms of her inability to distinguish the underlying block cipher from a random permutation.