[Cfrg] 5G Encryption and the SNOW-V stream cipher
John Mattsson <john.mattsson@ericsson.com> Thu, 04 April 2019 15:25 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08F74120443 for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2019 08:25:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uBV-Bxocj5fS for <cfrg@ietfa.amsl.com>; Thu, 4 Apr 2019 08:25:20 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30074.outbound.protection.outlook.com [40.107.3.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44EEA1200D6 for <cfrg@irtf.org>; Thu, 4 Apr 2019 08:25:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1ZV04xugvm9Dy2OH7gHtSNn5S75rmUCHOACqeYWq2j4=; b=jD9oD2c3ZA8s49EZmypyPv1I0gVKHw/F5Af17pOGHqfP9llw6NkL08RWAkvpiGqUS3KFUvFEq5pgWesFhDy4G7rnsyRLrtjTJXpAdKcYiZdBmicx8OwK5OPqn46t3zlh3pLfA7laL3N/69a6YIFflk2yy2Ykz4cG+oSO37OnWPw=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.166.22) by HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.166.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.6; Thu, 4 Apr 2019 15:25:17 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::91bd:a367:2414:b4bc]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::91bd:a367:2414:b4bc%5]) with mapi id 15.20.1771.007; Thu, 4 Apr 2019 15:25:17 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: cfrg <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: 5G Encryption and the SNOW-V stream cipher
Thread-Index: AQHU6vqbZJbLGOsrjkuyZPSHogAdRw==
Date: Thu, 04 Apr 2019 15:25:17 +0000
Message-ID: <AA59140C-84DB-479B-925C-43F5C0E70D76@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.1.190326
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9ee8870d-9884-417d-5b9c-08d6b911be52
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600139)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1PR07MB4172;
x-ms-traffictypediagnostic: HE1PR07MB4172:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <HE1PR07MB417280B44EE4DD802D087E6B89500@HE1PR07MB4172.eurprd07.prod.outlook.com>
x-forefront-prvs: 0997523C40
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(366004)(396003)(376002)(346002)(39860400002)(189003)(199004)(44832011)(25786009)(86362001)(66066001)(58126008)(110136005)(68736007)(14444005)(256004)(316002)(53936002)(6512007)(6306002)(82746002)(97736004)(33656002)(5660300002)(7736002)(305945005)(3846002)(6116002)(966005)(14454004)(2906002)(478600001)(486006)(476003)(2616005)(71200400001)(71190400001)(2501003)(81166006)(81156014)(6486002)(8676002)(8936002)(83716004)(6436002)(106356001)(105586002)(99286004)(36756003)(102836004)(6506007)(26005)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB4172; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: AT3pcVMXv+LbR6m9f+aGzHXNrryE1FrBHlf/RSOAKDUdTwSVguFvVhkWn8UMq8gtgBtp2uWEnbYtX5utZU6I7iEixp2p4U1pY3Cf0xmrLd92O9SIMEpHOaliF11zh21budz52dG+JTkklsH0CbkDu/Q7bO8olr5mmY/4ttC0MdOptDcoX9x6+YnQowSqwBA4Ez2u/ywZV6EySoqFwc8I8YhR74muGkiqTCWcfgoNU0BMq+sT2bcPJQYTrlb60WDGe066VJGMVRXKWfJqQCDqThPf8fQp405bM1h8JSPDEPVBFC+1MpcNbFJ14hFT8nUTgKL6nhdzP2/XQpt8O8crsRkvbBoK+/IL8Ef/3r4NYCaA6qtqyXFYNH02RbLePhAotWfEvsNCEmQ3aQM/YJnorheiKa8hy3/vMo9It1r3G6E=
Content-Type: text/plain; charset="utf-8"
Content-ID: <F13BC8AEFB88C848A3DAD7DDDC1B7690@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9ee8870d-9884-417d-5b9c-08d6b911be52
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Apr 2019 15:25:17.6533 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4172
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-yL39pD3yYRpvMKwNf0_mAvDb5U>
Subject: [Cfrg] 5G Encryption and the SNOW-V stream cipher
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 15:25:24 -0000
Hi,
I presented this in SAAG at IETF 104 as CFRGs agenda was completely full. In the end SAAG may have been a better place for a short high level presentation. Thanks for all the good feedback and suggestions during and after the presentation! Sending this email for people that did not attend SAAG.
The background is that 3GPP SA3 has given ETSI SAGE the task to analyse and suggest suitable radio encryption algorithms for later 5G releases (the first releases reuse the 4G/LTE algorithms). The 3GPP radio algorithms are used from the UE to the network:
- In 2G, the encryption is terminated in the base station.
- In 3G, it is was decided to terminated encryption deep in the core network (for security reasons).
- In 4G, it was decided to once again terminated the encryption in the base station (for performance reasons).
- In 5G, the encryption is formally terminated in the base station, but due to Network Functions Virtualization (NFV) it will in practice be terminated deep in the core network.
[1] gives an overview of the current 3GPP/GSMA Cryptographic Algorithms that all of you all rely on every single day. 5G puts a lot of requirements on the encryption algorithms.
- First, ITM-2020 requires technologies to support at least 20 Gbps downlink to be called 5G. While this will likely not be supported in the first devices, it will very likely be surpassed by later 5G specifications (at least that is what happened with 4G). Optimally the algorithms should work also for future generations of cellular networks.
- Secondly, Network Functions Virtualization (NFV) means that the encryption will be terminated in data centers with various amount of specialized hardware. The current 3GPP algorithms like AES-CTR + AES-CMAC and SNOW 3G does not meet the performance requirements.
Another reason for 3GPP to standardize new algorithms are requirements on 256-bit algorithms from governments wanting to use 5G. A third reason is future proofing, but 3GPP recently concluded that there is no imminent need to replace 128-bit symmetric cryptography. A current working assumption is that ETSI SAGE will recommend algorithms based on AES, SNOW, and ZUC.
Thanks Yoav Nir for pointing out that the performance numbers from 2017 was already significantly outdated. Amazing how fast encryption is on modern CPUs and that Both GCM and OCB really offers integrity protection for free. The numbers for authenticated encryption are the relevant ones in practice. Numbers below from OpenSSL 1.1.1b on and i7-6700K.
1024 bytes 16384 bytes
aes-256-ctr 32.23 Gbps 36.59 Gbps
aes-256-gcm 28.48 Gbps 36.01 Gbps
aes-256-ocb 31.02 Gbps 36.24 Gbps
chacha20 26.17 Gbps 27.72 Gbps
chacha20-poly1305 17.61 Gbps 19.29 Gbps
AES-256-GCM will very likely be a main candidate as its performance even on a single core is well above the current requirements. Another candidate is an update [2] to the SNOW family of algorithms (SNOW 3G is used in 2G, 3G, 4G, and 5G). When the SNOW team tried to see how fast SNOW 3G could be on modern CPU they realized that a slightly updated version designed for modern CPUs could be extremely fast. The current C++ code of SNOW-V significantly outperforms even optimized assembly implementations of AES-CTR and AES-GCM on modern x64 processors. An optimized assembly implementation of SNOW-V-GCM would likely be even faster, but it is hard to say how much.
SNOW-V 64.01 Gbps C++, Alexander Maximov
SNOW-V-GCM 42.40 Gbps C++, Alexander Maximov
AES-256-CTR 35.75 Gbps C++, Alexander Maximov
AES-256-GCM 25.50 Gbps C++, Alexander Maximov
AES-256-CTR 34.78 Gbps Assembly, OpenSSL 1.1.1
AES-256-GCM 34.58 Gbps Assembly, OpenSSL 1.1.1
SNOW-V is also extremely fast in hardware with quite small and efficient implementations. 3GPP has traditionally standardized and deployed more than one algorithm to be able to immediately switch in case any serious weaknesses are found.
Any suggestion or comments on anything of the above are very welcome! I assume the are many people trying to get fast enough encryption in both software and hardware.
(As Hannes Tschofenig pointed out, 7 mm in the presentation should be 7 nm. A 7 mm process would lead to very large, slow, and power hungry chipsets ;)
Cheers,
John
[1] https://datatracker.ietf.org/meeting/104/materials/slides-104-saag-snow-v-stream-cipher-00
[2] https://eprint.iacr.org/2018/1143.pdf
[3] https://www.eit.lth.se/fileadmin/eit/home/hs.tjo/presentation.pdf
- [Cfrg] 5G Encryption and the SNOW-V stream cipher John Mattsson