Encryption in virtualized 5G environments
The new 5G system places high demands on the cryptographic algorithms used for air encryption. Ericsson Research, together with Lund University, has revised the design of SNOW 3G and updated it into a new, faster cipher called SNOW-V, which could be used to secure 5G and future mobile systems. Find out how SNOW-V meets the new requirements for security, performance, and flexibility.
Today we see that 5G brings new challenges that will affect air encryption algorithms:
- Virtualization – most components of 5G can be virtualized, including ciphering layers
- Performance – 5G is expected to operate at a very high speed, at least 20Gbps
- Security – 5G is expected to raise the security to a 256-bit level in order to mitigate future advances in cryptanalysis (quantum attacks, for example)
It is important to address these needs early in order to avoid future compatibility problems and make deployments of 5G as flexible as possible. As a mobile network supplier, we see more and more demand for virtualized installations, both in the Core Network and in the Radio Access Network (RAN). RAN virtualization is of course only partial, as the actual radio power amplifiers and antennas are still physical, but several parts of the RAN can be run successfully in a cloud environment. The air encryption algorithms, in particular, sit quite high up in the stack and can therefore be expected to execute in a cloud environment.
Because of the requirement to be executable in the cloud, there are certain challenges as to the type of algorithms that can be used. In a cloud environment it might not be possible to use hardware accelerators and dedicated ASICs to implement the ciphering functionality. The algorithms need to be able to achieve the target speed of 5G in pure software.
So what is the target speed of 5G? Well, that depends a little on whom you ask. ITU (the United Nations agency for information and communication technologies) has set 20Gbps as the minimum required peak downlink data rate, and some radio engineers talk about maximum speeds of up to 40 or 50Gbps. Those are impressive speeds. 3GPP (the standardization body for mobile networks) needs to make sure that the ciphers for the future mobile network can handle speeds like that, so that security does not become a bottleneck. It is also paramount that the algorithms run fast in software; otherwise RAN virtualization cannot happen, and service providers would lose the benefits of using commercial off-the-shelf (COTS) hardware in the cloud platform.
Another upcoming novelty of the 5G system is that 3GPP has initiated a study on increasing the encryption key size from 128-bit keys to 256-bit keys. This also affects the ciphering algorithms, since they must not only accommodate the larger key but also be strong enough to deliver the corresponding 256-bit security level. Remember that the aim for a good cipher is to be so strong that the best attack is to exhaustively try all possible keys.
Introduction to SNOW-V
To reach the new goals of 5G and to increase deployment flexibility, Ericsson Research together with Lund University have developed a new cipher called SNOW-V, where V stands for virtualization. SNOW-V is a thoroughly revised version of the cipher SNOW 3G, which is currently used in 4G. SNOW-V reuses the best design principles of SNOW 3G, but is extremely well suited for software implementation using vectorized (SIMD) instructions, and also leverages the hardware-accelerated AES instructions available in most modern CPUs (AES-NI on x86, the Cryptography Extensions on ARMv8). SNOW-V also has an increased 256-bit security level, compared to the 128-bit security of SNOW 3G. Figure 1 gives an overview of SNOW-V.
SNOW-V is a stream cipher: it produces keystream which is then XORed with the plaintext to produce the ciphertext. As in SNOW 3G, the algorithm has two parts, the Linear Feedback Shift Register (LFSR) at the top and the Finite State Machine (FSM) at the bottom, but both parts are updated to meet the new requirements.
To ensure a high throughput, SNOW-V produces 128 bits of keystream material at each clock cycle, compared to 32 bits in SNOW 3G. The LFSR construction was revised to be highly parallelizable and operate fast with SIMD instructions while maintaining the security level; it updates 8 times with each clock, so that after every clock, the two 128-bit tap values T1 and T2 are fresh.
The size of the FSM registers is increased from 32 bits to 128 bits, which makes it possible to produce 128 bits of keystream efficiently and also improves the security margin. The 32-bit S-Boxes used in SNOW 3G are replaced with large 128-bit S-Boxes by using the AES encryption round for this purpose. A new sigma permutation is introduced both to strengthen the security and to implicitly modify the first 128-bit S-Box so that it becomes different from the second one. Reusing AES building blocks in SNOW-V is similar to the way the AES S-Box and MixColumns are used in SNOW 3G. Finally, SNOW-V brings in a new security feature, called FP(1), which makes it hard or even impossible to backtrack to the secret key even if the internal state is compromised.
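The LFSR part described above, as an added illustration written for this page (it is not the reference implementation from the design paper or any Ericsson code): two registers of sixteen 16-bit cells over GF(2^16), stepped eight times per clock so that the two 128-bit tap windows T1 and T2 are entirely refreshed. The feedback polynomials, tap positions and cell layout are taken from the SNOW-V design paper as recalled by the editor and should be checked against the paper before being relied on; the FSM (AES rounds and sigma) and the key/IV loading are deliberately left out, and the starting state is a constructed sample, not a real initialized state.

```python
# Added example (editor's illustration, not code from the SNOW-V paper or Ericsson):
# the two 16-bit-cell LFSRs of SNOW-V and the "step eight times per clock" schedule
# that refreshes the 128-bit taps T1 and T2. Feedback polynomials, tap positions and
# cell layout follow the SNOW-V design paper as recalled by the editor; verify them
# against the paper before relying on this. The FSM is deliberately left out.

# Low 16 bits of the feedback polynomials (the x^16 term is implicit):
#   g_A(x) = x^16 + x^15 + x^12 + x^11 + x^8 + x^3 + x^2 + x + 1
#   g_B(x) = x^16 + x^15 + x^14 + x^11 + x^8 + x^6 + x^5 + x + 1
G_A = 0x990F
G_B = 0xC963
# Reduction constants for multiplying by alpha^-1 / beta^-1: (g(x) - 1) / x,
# with the x^16 term landing in bit 15.
G_A_INV = ((0x10000 | G_A) ^ 1) >> 1   # 0xCC87
G_B_INV = ((0x10000 | G_B) ^ 1) >> 1   # 0xE4B1


def mul_x(v: int, g: int) -> int:
    """Multiply a GF(2^16) element by x (alpha or beta): shift left, reduce by g."""
    v <<= 1
    return (v ^ g) & 0xFFFF if v & 0x10000 else v


def mul_x_inv(v: int, g_inv: int) -> int:
    """Multiply by x^-1: shift right; if a 1 fell off the bottom, add back (g - 1)/x."""
    return (v >> 1) ^ g_inv if v & 1 else v >> 1


def lfsr_step(a: list, b: list) -> None:
    """One elementary update of both registers (each a list of 16 16-bit cells).

    a16 = b0 + alpha*a0 + a1 + alpha^-1*a8   (in GF(2^16) mod g_A)
    b16 = a0 + beta*b0  + b3 + beta^-1*b8    (in GF(2^16) mod g_B)
    """
    u = mul_x(a[0], G_A) ^ a[1] ^ mul_x_inv(a[8], G_A_INV) ^ b[0]
    v = mul_x(b[0], G_B) ^ b[3] ^ mul_x_inv(b[8], G_B_INV) ^ a[0]
    a[:] = a[1:] + [u]
    b[:] = b[1:] + [v]


def lfsr_clock(a: list, b: list) -> None:
    """One SNOW-V clock: eight elementary steps, so every cell of T1 and T2 is new."""
    for _ in range(8):
        lfsr_step(a, b)


def taps(a: list, b: list) -> tuple:
    """T1 = (b15 .. b8) and T2 = (a7 .. a0) packed as 128-bit integers, cell 8/0 lowest."""
    t1 = sum(b[8 + i] << (16 * i) for i in range(8))
    t2 = sum(a[i] << (16 * i) for i in range(8))
    return t1, t2


def clock_refreshes_taps(a: list, b: list) -> bool:
    """Check the property stated in the text: after one clock, the eight old upper
    cells have shifted down (new a[0..7] is old a[8..15], likewise for b), the upper
    halves hold eight newly computed feedback values, and both tap windows changed."""
    old_a, old_b = list(a), list(b)
    lfsr_clock(a, b)
    shifted = a[:8] == old_a[8:] and b[:8] == old_b[8:]
    changed = taps(a, b) != taps(old_a, old_b)
    return shifted and changed


if __name__ == "__main__":
    # Constructed sample state; the real cipher loads key and IV into these cells
    # and runs its initialisation rounds before any keystream is used.
    A = [(0x1234 * (i + 1)) & 0xFFFF for i in range(16)]
    B = [(0xBEEF ^ (i * 0x0101)) & 0xFFFF for i in range(16)]
    for _ in range(3):
        lfsr_clock(A, B)
        t1, t2 = taps(A, B)
        print(f"T1={t1:032x} T2={t2:032x}")
```

Each elementary step touches only cells 0, 1, 3 and 8 of the two registers and appends one new cell, which is why eight consecutive steps can be computed as a handful of 128-bit SIMD operations on the packed register halves; that is the property the design relies on for its software speed.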
SNOW-V can also be used in a setting where it provides not only confidentiality but also message integrity. This combined operation is called AEAD (Authenticated Encryption with Associated Data). The mode, called SNOW-V-GCM, is intended as a drop-in replacement for AES-GCM (Galois/Counter Mode). It is also quite similar to the integrity protection algorithm EIA1 used in LTE, but EIA1 is based on SNOW 3G and uses a 64-bit polynomial, whereas SNOW-V-GCM uses the same 128-bit polynomial as AES-GCM and can provide a 128-bit Message Authentication Code (MAC).
A distinct advantage of SNOW-V in AEAD mode over AES-GCM is that in SNOW-V-GCM the hidden H-key (the key of the polynomial hash) is renewed whenever a new (Key, IV) pair is used, whereas in AES-GCM it is a constant value across different IVs under the same Key. Many cryptanalytic results on the AEAD mode of AES exploit this property, but they appear not to apply to SNOW-V.
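To make the H-key point concrete, here is an added toy AEAD written for this page (not code from the SNOW-V paper, AES-GCM, or Ericsson). The GF(2^128) multiplication and GHASH follow NIST SP 800-38D exactly, so the polynomial MAC is the real GCM one; the block cipher and keystream are an HMAC-SHA256 stand-in, because the Python standard library has no AES, and the SNOW-V-GCM layout (H and the tag mask drawn from the first keystream blocks under the current Key and IV) is an assumption modelled on the description above. The example goes one step beyond the text: it shows the general consequence of a constant H, namely that once H is known for one IV an attacker can re-tag any observed message under any other IV, and that deriving H per (Key, IV) confines that damage to the single IV. How H might leak in the first place (for example through nonce reuse) is assumed, not demonstrated.

```python
# Added example (editor's illustration, not code from the SNOW-V paper or Ericsson):
# a toy GCM-style AEAD showing why a per-(Key, IV) GHASH key H matters. GF(2^128)
# multiplication and GHASH follow NIST SP 800-38D exactly; the "block cipher" is an
# HMAC-SHA256 stand-in (the Python standard library has no AES) and the SNOW-V-GCM
# layout (H and the tag mask taken from the first keystream blocks) is assumed from
# the description in the text, so this is NOT AES-GCM and NOT SNOW-V-GCM.
import hashlib
import hmac

R_GCM = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected representation


def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) (SP 800-38D Algorithm 1; bit 0 of x is the MSB)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R_GCM if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Split into 128-bit blocks, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A || pad || C || pad || len64(A) || len64(C)), lengths in bits."""
    y = 0
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    for blk in list(_blocks(aad)) + list(_blocks(ct)) + [length_block]:
        y = gf128_mul(y ^ blk, h)
    return y


def _ks_block(key: bytes, iv: bytes, ctr: int) -> int:
    """Stand-in for the ctr-th 128-bit keystream block under (key, iv). Not AES, not SNOW-V."""
    mac = hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:16], "big")


class ToyGcm:
    """Block 1 masks the tag, blocks 2.. encrypt; only the source of H differs."""

    def __init__(self, key: bytes, per_iv_h: bool):
        self.key, self.per_iv_h = key, per_iv_h

    def h_key(self, iv: bytes) -> int:
        if self.per_iv_h:                       # SNOW-V-GCM style: H is keystream block 0
            return _ks_block(self.key, iv, 0)   # and so depends on (key, iv)
        return _ks_block(self.key, b"", 0)      # AES-GCM style: H = E_K(0), same for every IV

    def _keystream(self, iv: bytes, n: int) -> bytes:
        out, ctr = b"", 2
        while len(out) < n:
            out += _ks_block(self.key, iv, ctr).to_bytes(16, "big")
            ctr += 1
        return out[:n]

    def _tag(self, iv: bytes, aad: bytes, ct: bytes) -> bytes:
        return (ghash(self.h_key(iv), aad, ct) ^ _ks_block(self.key, iv, 1)).to_bytes(16, "big")

    def seal(self, iv: bytes, aad: bytes, pt: bytes) -> tuple:
        ct = bytes(p ^ k for p, k in zip(pt, self._keystream(iv, len(pt))))
        return ct, self._tag(iv, aad, ct)

    def open(self, iv: bytes, aad: bytes, ct: bytes, tag: bytes):
        """Plaintext on a valid tag, None otherwise (constant-time tag compare)."""
        if not hmac.compare_digest(self._tag(iv, aad, ct), tag):
            return None
        return bytes(c ^ k for c, k in zip(ct, self._keystream(iv, len(ct))))


def forge_tag(h: int, aad: bytes, ct: bytes, tag: bytes, new_ct: bytes) -> bytes:
    """With H known and one valid (aad, ct, tag) under some IV, tag any new_ct under
    that IV: the secret mask is tag XOR GHASH_H(aad, ct), and GHASH needs only H."""
    mask = int.from_bytes(tag, "big") ^ ghash(h, aad, ct)
    return (ghash(h, aad, new_ct) ^ mask).to_bytes(16, "big")


def h_leak_demo(per_iv_h: bool):
    """Attacker holds H for iv1 (assumed obtained earlier, e.g. via nonce reuse on
    iv1; that recovery is not shown), observes one honest known-plaintext message
    under a fresh iv2 and retargets it. Returns what the receiver accepts, or None."""
    key = bytes(range(32))                                   # constructed sample key
    iv1, iv2 = b"\x01" * 12, b"\x02" * 12
    aead = ToyGcm(key, per_iv_h)
    h_leaked = aead.h_key(iv1)
    aad, pt = b"hdr", b"transfer 10 EUR to account 1"
    new_pt = b"transfer 80 EUR to account 1"
    ct, tag = aead.seal(iv2, aad, pt)
    new_ct = bytes(c ^ p ^ q for c, p, q in zip(ct, pt, new_pt))  # flip the known bytes
    forged = forge_tag(h_leaked, aad, ct, tag, new_ct)
    return aead.open(iv2, aad, new_ct, forged)


if __name__ == "__main__":
    print("constant H :", h_leak_demo(per_iv_h=False))   # forgery accepted
    print("per-IV H   :", h_leak_demo(per_iv_h=True))    # None: forgery rejected
```

With a constant H the forgery under iv2 is accepted even though the attacker never saw anything but H and one honest message; with H derived from (Key, IV), the H learned on iv1 is useless on iv2 and the receiver rejects the tag. The stand-in keystream does not change this conclusion, since the argument only depends on where H comes from.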
For a more detailed explanation of the various parts of SNOW-V, we refer to the design paper.
We now turn to the crucial question of how fast we can run this cipher in software.
The natural benchmark is AES-256, which provides the same security level and is used in many protocols, such as TLS and IPsec. In Table 1 we provide performance figures for both the pure encryption mode and the AEAD mode. For practical plaintext lengths, SNOW-V outperforms AES-256 by a factor of 1.5 to 1.6 in the encryption case. In AEAD mode it provides competitive performance.
Table 1 shows the performance on an Intel platform laptop. We also ran the algorithm on an Apple iPhone just to see the performance on an ARM-based system, where again, we reached speeds over 20Gbps.
It is also very important to be able to implement the air encryption algorithm in hardware, as that will likely be the dominant implementation in devices. In Table 2 we have estimated the area (in Gate Equivalents, GE) and speed for AES-256 and for different implementations of SNOW-V. The reference [UMHA16] can be found in the SNOW-V paper, together with a detailed explanation of the different variants.
Overall, our brief assessment of SNOW-V in hardware is that it could reuse quite large portions of the existing LTE ciphers if added to existing crypto accelerators. Combined with the expected very high speed in hardware, that is promising.
We can conclude that SNOW-V fulfills all three requirements put on the air encryption algorithms by the 5G system. But the most crucial property of an encryption algorithm is to be secure, and that is not something that can be definitively concluded at any point in time, since new attacks are constantly emerging. What we can say is that we believe SNOW-V is resistant to all attacks known today. This statement is also backed up by the fact that we asked three renowned independent researchers from Royal Holloway to conduct a full security analysis of SNOW-V, and they found no security issues with the design. Their report is available on request (please contact either of us by email). Reference implementations of SNOW-V and more details on its cryptanalysis can be found in the original paper.
Ericsson Research has proposed SNOW-V as a potential candidate for inclusion in the 5G specification. In the end, we believe the work on SNOW-V was done for a better future of the mobile world, and it is totally free for anyone to use in any application. We hope that the security community will support this new, attractive member of the SNOW family and find good uses for it.