Performance Analysis of 3G Protocol: Encryption and

Authentication
Anita Singhrova1, Rita Mahajan 2
1

Lecturer, Computer Science and Engineering Department, C R State College of Engineering, Murthal, Sonepat,
Haryana, India. nidhianita@yahoo.com
2
Lecturer, E & Ec Department, Punjab Engineering College, Deemed University, Chandigarh-160012, India.
rita_mahajan@rediffmail.com

ABSTRACT
3G provides two types of security algorithms, KASUMI for encryption and Milenage for
authentication. This paper presents performance analysis and comparison between the algorithms in terms of
time complexity. Parameters considered are processing power and input size. Security features may have
adverse effect on quality of services offered to the end users and the system capacity. The computational
cost overhead that the security protocols and algorithms impose on lightweight and users devices is
analyzed. The analysis results revealed the effect of authentication and encryption algorithms of 3G on
system performance defined in terms of throughput.
Keywords:
Rijndael.

Mobile Security; Universal mobile telecommunication system; Time complexity; Kasumi;

1. INTRODUCTION
The Universal Mobile Telecommunication system (UMTS) is a realization of third generation (3G)
networks, which intend to establish a single integrated and secure network. Mobile/wireless Internet is
becoming available with 3G mobile communication systems. Wireless networks are as such less secure and
mobility further adds to security risk. Therefore, it is desirable that 3G is at least as secure as fixed networks.
The complete 3G security architecture consists of five major security classes: (i) network access
security, (ii) network domain security, (iii) user domain security, (iv) application domain security and (v)
visibility and configurability of security [1].
Security is achieved at the cost of performance degradation; it is critical and fundamental to
quantitatively measure overhead caused by various security services [2][3].
Network access security is a key component in the 3G security. The class deals with the set of
security mechanisms that provide users with secure access to 3G services. Such mechanisms include: (i) user
identity confidentiality, (ii) authentication and key agreement, (iii) Data confidentiality and (iv) Integrity
Protection. In 3G UMTS, encryption is implemented using KASUMI algorithm and authentication is
implemented using MILENAGE algorithm [4] [5].
The rest of this article is organized as follows. 3G security overview is presented in section 2. In
section 3, analytical analysis is provided for 3G encryption and authentication algorithms with respect to
time complexity. Section 4, provides the throughput of encryption and authentication algorithm. Finally,
summary and conclusion are discussed in section 5.

2. 3G SECURITY OVERVIEW
Third generation mobile systems such as UMTS revolutionized telecommunications technology by
offering mobile users content rich services, wireless broadband access to Internet, and worldwide roaming.
However, the broadcast nature of the wireless communication and increased popularity of wireless devices
introduce serious security vulnerabilities. Mobile users and providers must be assured of the correct identity
of the communicating party; user and signaling data must be protected with confidentiality and integrity
mechanisms [4].
Encryption and Authentication are the two main security mechanisms in 3G network access
securities [5].

P10/ 1

2.1 Encryption
Within the security architecture of the 3GPP system there are two standardized algorithm: a
confidentiality algorithm f8, and an integrity algorithm f9 [4]. Each of these algorithms is based on the
KASUMI algorithm [6][8].

2.2 Authentication
The UMTS authentication algorithm consists of seven functions f1,f1*,f2,f3,f4,f5 and f5*. The
standardized algorithm set for these seven functions is called MILENAGE [4][8]. MILENAGE has been
designed by the experienced group that already designed KASUMI, f8 and f9. For MILENAGE, a specific
kernel has to be chosen, and therefore Rijndael was selected [7]. Rijndael is an iterated block cipher with a
128 bit block length and a 128 bit key length. It is composed of eleven rounds that transform the input into
the output

3. ANALYTICAL ANALYSIS
This section focuses on 3G authentication and encryption computation time complexity. Before
analyzing the encryption and authentication algorithm cryptographic algorithm requirements must be known
[8].

3.1. Encryption
3G encryption uses KASUMI algorithm. KASUMI uses a 128 bit key and block size of 64 bits. The
algorithm has 8 distinct steps and 8 rounds [6]. Steps 1 to 8 are functionally identical and are dependent on
different portions of input key. Out of 8 steps, in
Steps 1,3,5,7
Fodd (I, RKi) = FOi (FLi (I, KLi), KOi, KIi)
Steps 2,4,6,8 Feven ( I, RKi ) = FLi ( FOi ( I, , KOi, KIi ) , KLi )

3.1.1. FL Function
The function FL consists of two XOR (16-bit each), four 16-bit copy, one AND, one OR and two
left shifts (cyclic) by one bit each [6]. The input to the function FL comprises a 32-bit data input I and a 32bit sub key KLi. The sub key is split into two 16-bit sub keys, KLi,1 and KLi,2 where KLi = KL i,1 || KL i,2.
The input data I is split into two 16-bit halves, L and R where I = L || R.
The 32-bit output value is ( L|| R ). Where R=R ROL( L KL i,1 ) and L=L ROL( R KL i,2 )

3.1.2. FO Function
The input to the function FO comprises a 32-bit data input I and two sets of sub keys, a 48-bit sub
key KOi and 48-bit sub key KIi [6]. The 32-bit data input is split into two halves, L0 and R0 where I = L0 ||
R0. The 48-bit sub keys are subdivided into three 16-bit sub keys where
KOi = KOi,1 || KOi,2 || KOi,3 and KIi = KIi,1 || KIi,2 || KIi,3.
Then for each integer j with 1 j 3 we define:
Rj = FI(Lj-1 KOi,j , KIi,j ) Rj-1
Lj = Rj-1
Finally we return the 32-bit value (L3 || R3). This function consists of six 16-bit XOR, six 16-bit copy and
three FI function call.

3.1.3. FI Function
The function FI takes a 16-bit data input I and 16-bit sub key KIi,j. The input I is split into two
unequal components, a 9-bit left half L0 and a 7-bit right half R0 where I = L0 || R0.
Similarly the key KIi,j is split into a 7-bit component KIi,j,1 and a 9-bit component KIi,j,2 where KIi,j =
KIi,j,1 || KIi,j,2.
The function uses two S-boxes, S7 and S9. It also uses two additional functions which we designate ZE( )
and TR( ).
L1 = R0
R1 = S9[L0] ZE(R0)
L2 = R1 KIi,j,2
R2 = S7[L1] TR(R1) KI i,j,1
L3 = R2
R3 = S9[L2] ZE(R2)

P10/ 2

L4 = S7[L3] TR(R3) R4 = R3
The function returns the 16-bit value (L4 || R4).This function consists of three 9-bit XOR, three 7-bit XOR
and six 7-bit copy. Two times S9 and S7 mappings respectively, and invokes ZE( ) and TR( ) functions
twice.

3.1.4. S-boxes
The two S-boxes have been designed so that they may be easily implemented in combinational logic
as well as by a look-up table. Both forms are given for each table [6].
x = x8 || x7 || x6 || x5 || x4 || x3 || x2 || x1 || x0
y = y8 || y7 || y6 || y5 || y4 || y3 || y2 || y1 || y0
where the x8, y8 and x7,y7 bits only apply to S9, and the x0 and y0 bits are the least significant bits.
In the logic equations: x0x1x2 implies x0 x1 x2 where is the AND operator.

3.1.5. Key Schedule

KASUMI has a 128-bit key K. Each round of KASUMI uses 128 bits of key that are derived from K
[6]. Before the round keys can be calculated two 16-bit arrays Kj and Kj (j=1 to 8) are derived. The 128-bit
key K is subdivided into eight 16-bit values K1K8 where K = K1 || K2 || K3 |||| K8.
A second array of sub-keys, Kj is derived from Kj by applying:
For each integer j with 1 j 8 Kj= Kj Cj where Cj is the constant value.
This function consists of eight 16-bit XOR, eight 1-bit cyclic left shift, eight 5-bit cyclic left shift,
eight 8-bit cyclic left shift and eight 13-bit cyclic left shift. The extraction of round sub-keys is a 2-D table
lookup.
TABLE 1. KASUMI basic operations
Basic
operation
ZE
TR
2 --- D
table map
( for i:j bit map)
Left Shift
Copy**
XOR**
AND**
OR**

EQUIVALENT SIMPLE OPERATIONS

TIMES
SPACE
TYPE
NEEDED
NEEDED
XOR
1
XOR
1
MULTIPLY
1
ADD
1
I
ROWS * J
1
1-D TABLE LOOKUP
COLUMNS
LEFT SHIFT BY N BITS
1
N * 32-BITCOPY
N
N * 32-BIT XOR
N
N * 32-BIT AND
N
N * 32-BIT OR
N

** for 32-bit processor and up to 32-bits N=1.

TABLE 2. KASUMI --- FL function
operations
t Times
16-bit XOR
2
16-bit COPY
4
16-bit AND
1
16-bit OR
1
16-bit left shift
2
16-bit split
1
16-bit combine
1
2D key lookup
2

time needed
1
1
1
1
1
3
3
3

P10/ 3

Equivalent total
2
4
1
1
2
3
3
6
Total=22 operations

TABLE 3. KASUMI -- FI function

operations
times
Key XOR
2
(KIi,j,1 and KIi,j,2)
9-bit XOR
2
7-bit XOR
2
7-bit copy
3
9-bit copy
3
2
S9 mapping
(1-D table map)
S7 mapping
2
(1-D table map)
ZE
2
TR
2
7-9 bit split
1
7-9 bit combine
1
Key split in seven
1
Key split in nine
1

time needed
1
1
1
1
1
1

2
2
3
3
2

1
1
4
3
2
2

TABLE 4. KASUMI -- FO function

operations
times
16-bit XOR
6
16-bit COPY
6
FI ( )*
3
16 bit split
1
16 bit combine
1
2D key lookup
6

Equivalent total
2

time needed
1
1
31
3
3
3

2
2
4
3
2
2
Total = 31 operations

Equivalent total
6
6
93
3
3
18
Total = 129 operations

*in one FO( ), FI ( ) is called three times

TABLE 5. KASUMI -- Keys
times
operations
Endian correct
8
K prime
8
C construct subkeys
8

time needed
5
2
34

TABLE 6. KASUMI operations in one block encryption

step
operations
Time
times
needed
1-8
32-bit COPY
16
1
1-8
32-bit XOR
8
1
1-8
FL ( )
8
22
1-8
FO ( )
8
129
key setup
1
328
1
32 bit split
1
22
8
32 bit combine
1
14

P10/ 4

Equivalent Total
40
16
272
Total = 328 operations

Equivalent total
16
8
176
1032
328
22
14
Total = 1596 operations

3.1.6 Computational cost

Encryption functionality imposes an additional computational cost [2] [3].
Tkasumi is total number of operations in block (encryption)=1596.
Tkasumi = 1596
Sd is the size of original message (in bytes).
N is the message size in bits. N=8 *Sd
n is the total number of blocks. n = Ceil (N 64)
where Ceil(x) means the smallest integer >= operand
Ukasumi is the total number of operations required for KASUMI encryption or decryption of message
size Sd.
Ukasumi = ceil ((8 * Sd) 64) * Tkasumi.
= n * Tkasumi
Cp is MIPS performed by the processor.
tkasumi (Sd, Cp) is the time required for encryption (decryption) for processor speed Cp and message
size Sd in bytes.
tkasumi (Sd , Cp ) = Ukasumi (Sd ) Cp or
tkasumi (Sd , Cp ) = (ceil ((8 * Sd ) 64) * Tkasumi) Cp
Or tkasumi (Sd, Cp) = (n * Tkasumi) Cp
The mobile devices are equipped with embedded processors, which can perform 100-500 Million
of Instructions per Seconds (MIPS) [9].

E n c ryp tio n tim e

( in m icro se cs )

Encryption time
600
100 MIPS
200 MIPS

400
200

300 MIPS
400 MIPS
500 MIPS

0
5 10 15 20 25 30
n ( Number of input blocks)

Fig 1: Encryption time (in sec) as a function of number of packets for different processing speeds (MIPS).

3.2. Authentication
3G authentication is implemented by Rijndael. Rijndael is an iterated block cipher with a variable
block length and variable key length [7]. The block and key length are independently specified as 128 bits
for 3GPP and is used in encryption mode [7]. It consists of 9 rounds in addition to an initial and a final round
to transform the input into the output. An intermediate result is called state. The state can be a 4 X 4
rectangular array of bytes (128 bits in total).

3.2.1. The Byte Substitution Transformation

It is a non-linear byte substitution, operating on each of the State bytes independently. The
substitution table is stored as S-box. For every element of State, we apply the transformation:
bi,j = S-box [ai,j] where ai,j is the initial value of the element in State, and bi,j is the output value of the
element in State.

P10/ 5

In this transformation, we require 16 1-Dimensional lookup for 16 elements. Therefore, 16 operations are
carried for 1 block of input of 128 bits.

3.2.2. The Shift Row Transformation

In this transformation, the rows of the State are cyclically left shifted by different amounts. Row 0 is
not shifted, four states in row 1 are shifted by 1 byte, four states in row 2 by 2 bytes and four states in row 3
by 3 bytes. Therefore, 0 + (4*1) + (4* 2) + (4* 3) = 24 operations.

3.2.3. The Mix Column Transformation

The mix column transformation operates on each column of the State independently. For column j,
we have
b0,j = T2(a0,j) T3(a1,j) a2,j a3,j
b1,j = a0,j T2(a1,j) T3(a2,j) a3,j
b2,j = a0,j a1,j T2(a2,j) T3(a3,j)
b3,j = T3(a0,j) a1, j a2,j T2(a3,j)
where T2(a) = 2*a if a < 128 or
T2(a) = (2*a) 283 if a >= 128 and
T3(a) = T2(a) a.
For each column there are (4 XOR + 1 multiplication + 1 optional XOR) *4. Since there are 4 columns there
will be 80 or 100 operations.

3.2.4. The Round Key addition

In this operation, a Round Key is applied to the State by a simple bitwise exclusive-or. The Round
Key is derived from the Cipher Key by means of the key schedule. The Round Key length is equal to the
block length. So, for every element of State, we have:
bi,j = ai,j rki,j
Where ai,j is the initial value of the element in State, bi,j is the output value of the element in State and rki,j is
the round key byte. There are total of 16 XOR. Therefore, 16 operations are required for this transformation.

3.2.5. Key schedule

Rijndael has 11 Round Keys, numbered 0-10, that are each 4x4 rectangular arrays of bytes.
Let rkr,i,j be the value of the rth Round Key at position (i, j) in the array and ki,j be the cipher key loaded into a
4x4 array.
Initialization: rk0,i,j = ki,j for all i and j.
The other Round Keys (r=1 to 10 inclusive) are calculated from the previous one as follows.
First the 0th column is constructed:
rkr, 0, 0 = rkr-1,0,0 S-box[rkr-1,1,3] round-const[r]
rk r, 1, 0 = rk r-1,1,0 S-box[rk r-1,2,3]
rkr,2,0 = rkr-1,2,0 S-box[rk r-1,3,3]
rkr,3,0 = rk r-1,3,0 S-box[rk r-1,0,3]
where round-const[1] = 1 and
round-const[r] = T2(round-const[r-1]), and S-box is the previously mentioned byte substitution.
Then the remaining three columns are constructed in turn from the corresponding column of the previous
Round Key and the previous column of the current Round Key:
rk r,i,j = rk r-1,i,j rk r,i,j-1 for i=0,1,2,3 and j=1,2,3.
There are total 16 operations for initialization, 6 operations for zeroth column and 12 operations for other
columns. Hence, there are total (6*10) + 12 = 72 operations for all the four columns.

P10/ 6

TABLE 7. Rijndael basic operations

BASIC OPERATION
Round key Addition
Byte substitution
Transformation
Shift row
Transformation
Mix column
Transformation
Key schedule
Key schedule Initialization
2-D table look
up (for i:j bit map)
2-D table
( for 4*4 bit map)
into 1-D or vice versa

EQUIVALENT SIMPLE OPERATIONS

Space needed
Type
Times needed
8-bit XOR
1
-D table lookup [B ]
1
b
left shift by n bit

XOR

Multiply
XOR
MULTIPLY
8-bit copy
Multiply
Add
1-D table lookup
COPY
Add
Right shift by 2 bits

1
1
1
1
1
1
1
1
1
1

i rows*j col

4 rows* 4 col

TABLE 8. Rijndael operations

Operations

times

Round key addition

Byte substitution transformation
Shift row transformation
(1 for 1st row , 2 for 2nd row and 3 for 3rd row)
Column transformation ( 4 XOR + 1 Multiply
+1 XOR optional ) *4 for 1 col.
Key initialization
Key schedule (5 XOR+ 1 Multiply )
*10 (for rounds ) + 12 XOR for 4 columns)

16
16
4
4
16
1

time Equivalent
needed
Total
1
16
1
16
1+1+1=3
12
(4+1)*4=20

80

4
60 + 12=72

16
72

TABLE 9. Total Rijndael operations in one block authentication

step

operations

0 Key initialization
Key schedule
0-10 Key ( 2-D lookup)
1 8-bit round key addition
1-9
Round
10
Final round
0 1-D rep. into 2D
10 2-D rep. into 1-D

times

Time needed

1
1
1
72
11
3
1
16
9 16+12+80+16 =124
11
1
16+12+16= 44
16
3
16
3

Equivalent
total
1
72
33
16
1116
56
48
48
Total = 1441 operations

3.2.6 Computational cost

Authentication imposes an additional computation cost [2][3].
Trijndael is total number of operations in 1 block encryption.

P10/ 7

Trijndael = 1441
Sd is the size of original message (in bytes).
N is the message size in bits. N=8 * Sd
n is the total number of blocks. n = Ceil (N 128)
where Ceil(x) means the smallest integer operand
Urijndael is the total number of operations required for Rijndael encryption or decryption of message size Sd.
Urijndael= ceil ((8 * Sd) 128) * Trijndael = n * Trijndael
Cp is MIPS performed by the processor.
trijndael (Sd, Cp) is the time required for encryption (decryption) for processor speed Cp and message size Sd in
bytes.
trijndael (Sd , Cp ) = Urijndael (Sd ) Cp or trijndael (Sd , Cp ) = (ceil ((8 * Sd ) 128) * Trijndael) Cp
or trijndael (Sd, Cp ) = (n * Trijndael) Cp
The mobile devices are equipped with embedded processors, which can perform 100-500 Million of
Instructions per Seconds (MIPS) [9].

Authentication time(in micro sec)

Authentication time
500
450
400
350
300
250
200
150
100
50
0

100 MIPS
200 MIPS
300 MIPS
400 MIPS
500 MIPS

10

15

20

25

30

n ( Num be r of block s )

Fig 2: Authentication time (in sec) Vs n of i/p blocks and processing power
To draw comparison between the computational cost of encryption and authentication, a graph is drawn with
number of operations and number of packets as inputs.

No of operations (in 100000)

Total operations required

12
10
8
KASUMI

Rijndael

4
2
0
100

200

300

400

500

600

Number of packets

Fig 3: Number of operations required as a function of packet size

P10/ 8

4. THROUGHPUT
Throughput is defined as the number of bits in one time unit and is measured in Mbps [ 1].
throughputkasumi :
n blocks require tkasumi (in sec) time period for encryption for a given Cp.
Therefore, in 1sec = (n*64 bits) tkasumi (in sec)
throughputrijndael :
n blocks require trijndael (in sec) time period for authentication for a given Cp.
Therefore, in 1sec = (n*128 bits) trijndael (in sec)
Throughput
50
Throughput (in Mbps)

45
40
35
30

Kasumi

25

Rijndael

20
15
10
5
0
100

200

300

400

500

Processing pow er (in MIPS)

Fig 4: Throughput (in Mbps) as a function of processing speed (in MIPS)

5. SUMMARY AND CONCLUSION

Encryption consumes significantly more processing resources compared to authentication. The time
required for security transformation increases proportionally with the required number of operations, but it
also involves the processor capabilities. Since the numbers of operations are greater for encryption then
authentication, throughput for encryption is low compared to authentication. Encryption should be used in
critical user information not for regular traffic flow. Encryption if needed should be combined with
authentication. In this case if the message fails authentication, decryption process is saved (not performed).
Finally, except for the transformation complexity and the processor capabilities, the real time required for a
packet to be protected depends on the overall system load as well.

ACKNOWLEDGEMENTS
The authors would like to thank all the staff members of the Department of computer science and
the Department of information technology of Punjab Engineering College, Chandigarh, India for their advice
and encouragement.

REFERENCES
[1]. 3GPP TS 33.102 (v3.12.0), 3G Security: Security Architecture, Release 99, June 2002.
[2]. O. Elkeelany, M. Matalgah, K. Sheikh, M. Thaker, G. Chaudhry, D. Medhi, J. Qaddouri, Performance
analysis of IPSec protocol: encryption and authentication, Proc. IEEE Intl Conf. Communications, pp.
1164-1168, New York, NY, April-May 2002.
[3]. Christos Xenakis, Lazaros Merakos, IPsec based end_to_end VPN deployment over UMTS,
Computer Communications vol. 27, pp.1693-1708, May 2004.

P10/ 9

[4]. Stefan Pitz, Roland Schmitz, Tobias Martin, Security mechanisms in UMTS, Datenschutz und
Datensicherheit (DUD), vol. 25, pp 1-10. 2001.
[5]. Christos Xenakis, Lazaros Merakos, Security in 3G Mobile network, Computer communications, vol.
27, pp 638-650, 2004.
[6]. 3GPP TS 35.201 (v.1.0), Specification of 3GPP confidentiality and integrity algorithm, Document 1:
f8, f9 specification Dec 1999.
[7]. 3GPP TS 35.205 (v.1.0), Specification of Milenage algorithm for the 3GPP authentication and key
generation functions Nov 2000.
[8]. 3GPP TS 33.105 (v4.1.0), 3G security: cryptographic algorithm requirements, release 4, 2001.
[9]. ARM microprocessor solutions from ARM Ltd, http://www.arm.com/products/CPUs

P10/10