Description
The Security Algorithms Group of Experts (SAGE) is a permanent working group within the European Telecommunications Standards Institute (ETSI) that performs critical cryptographic work for 3GPP. It is not a network function or protocol, but a standards development body composed of cryptographers and security experts from member companies. SAGE's primary output is the specification of the cryptographic algorithms that form the bedrock of security in all 3GPP systems, from 3G (UMTS) to 4G (LTE) and 5G (NR).
SAGE operates by receiving formal algorithm requirements from 3GPP's security working group, SA3 (part of TSG SA, Service and System Aspects), which owns the overall security architecture. These requirements state the functional needs (key and block sizes, performance on constrained hardware, resistance to known attacks, export considerations) for a particular algorithm, such as the authentication and key generation functions used by the AKA protocol, or a ciphering or integrity algorithm for the air interface. Depending on the task, SAGE then either designs the algorithm itself or runs a multi-phase process with a call for candidate algorithms from industry and academia, an evaluation and testing phase (including external cryptanalysis), and finally the selection and detailed specification of the chosen algorithm(s), together with implementer test vectors.
The group's work covers several algorithm families. For authentication and key generation (the f1 to f5 functions, plus f1* and f5* for resynchronisation), SAGE specified the MILENAGE algorithm set (built on AES-128), which is used on the USIM and in the home network for UMTS, LTE and 5G, and later the TUAK algorithm set (built on the Keccak permutation underlying SHA-3) as an alternative. For air-interface confidentiality and integrity protection it specified the KASUMI block cipher (UEA1/UIA1, adapted from MISTY1) for 3G, added the SNOW 3G stream cipher (UEA2/UIA2) as a second UMTS option, and for LTE the three 128-bit algorithm sets: 128-EEA1/EIA1 (SNOW 3G), 128-EEA2/EIA2 (AES in CTR mode for ciphering and AES-CMAC for integrity) and 128-EEA3/EIA3 (the ZUC stream cipher). The 5G algorithms 128-NEA1/2/3 and 128-NIA1/2/3 are these same three LTE algorithm sets under new names; the 5G AKA protocol itself is defined by SA3 in TS 33.501, with SAGE's algorithms supplying its primitives. Work on 256-bit successors has been ongoing, with SAGE evaluating candidates including SNOW 5G, AES-256 and ZUC-256.
Its role is fundamental. The authentication and key generation functions run in the USIM of every User Equipment (UE) and in the home network's authentication centre (the HSS/AuC in LTE, the UDM/ARPF in 5G); the ciphering and integrity algorithms run in the UE baseband and in the eNB/gNB for the access stratum and in the MME/AMF for NAS signalling. Together they provide mutual authentication between the UE and the network, derive the session keys used for encryption, and protect the integrity of signalling messages. Without SAGE's work, 3GPP networks would lack standardized, robust and interoperable cryptographic protection, leaving them open to eavesdropping, impersonation and data manipulation.
Purpose & Motivation
SAGE was established to provide 3GPP with a dedicated, expert resource for cryptographic algorithm design, a task that requires deep specialized knowledge not typically held by general system architects. Before its involvement, early cellular systems had weaker, proprietary, or non-standardized cryptographic mechanisms. The creation of SAGE was motivated by the need for strong, publicly vetted, and standardized security algorithms that could ensure interoperability between equipment from different vendors while maintaining a high level of protection against evolving threats.
The key problem SAGE solves is the 'black box' problem of trust in network security. The air-interface ciphering and integrity algorithms must be standardized, because they run between a UE and a network that may come from different vendors and, under roaming, different operators; SAGE's open evaluation gives the whole ecosystem one vetted baseline instead of per-vendor designs. The authentication and key generation functions are different: they run only between the USIM and the home network, so an operator may choose its own, and GSM's proprietary COMP128 showed how badly that can go once a secret design is reverse-engineered. MILENAGE and TUAK remove the incentive to roll a private algorithm by offering publicly analysed example sets. This addresses the limitation of earlier approaches, where security was often an afterthought or relied on secret, unanalysed designs whose flaws surfaced only after widespread deployment.
Historically, SAGE's roots lie in GSM-era work on the A5 stream ciphers. The original A5/1 and A5/2 designs were kept secret and were later shown to be weak; A5/2, deliberately weakened for export, was eventually withdrawn, and SAGE's later A5/3 and GEA3 algorithms, based on KASUMI, came out of its formal process. That formal, open process was solidified for 3G (UMTS). The UMTS security architecture required a full algorithm toolkit: the f1 to f5 functions (with f1* and f5*) for AKA, plus f8 for confidentiality and f9 for integrity on the air interface. SAGE's MILENAGE set covers the AKA functions and its KASUMI cipher provides f8/f9 (UEA1/UIA1); together they set the pattern for later work. Its ongoing purpose is to keep the cryptographic toolkit ahead of increasing computational power, new cryptanalytic results and new system requirements from 5G and beyond, such as 256-bit algorithms, lightweight cryptography for IoT, and post-quantum cryptography for long-term security.
Key Features
- Design and specification of 3GPP authentication and key agreement (AKA) algorithms (Milenage, TUAK)
- Development of air interface ciphering algorithms (e.g., 128-EEA1/EEA2/EEA3 for LTE)
- Development of air interface integrity protection algorithms (e.g., 128-EIA1/EIA2/EIA3 for LTE)
- Management of open evaluation and selection processes for new candidate algorithms
- Creation of detailed algorithm specifications and test vectors for implementation conformance
- Ongoing maintenance and evolution of algorithm portfolios to address new threats and requirements
Evolution Across Releases
SAGE's work for 3G/UMTS (Rel-99 onward) formed the baseline: MILENAGE for the f1 to f5 functions and KASUMI for f8/f9 (UEA1/UIA1), with SNOW 3G added as UEA2/UIA2 in Rel-7. In Rel-8 (LTE), the EPS algorithm set reused these primitives: 128-EEA1/EIA1 (SNOW 3G) and 128-EEA2/EIA2 (AES-CTR and AES-CMAC). EPS AKA reuses the UMTS AKA functions, so MILENAGE (or an operator's own f1 to f5 set) continues to run on the USIM and in the HSS. This gave LTE a stronger and more diverse portfolio than 3G.
Rel-11 introduced the third LTE algorithm set, 128-EEA3/EIA3, based on the ZUC stream cipher. This followed a separate SAGE evaluation and diversified the options by adding an algorithm from a different design background, so that a break of one primitive does not leave the system without a fallback.
Rel-12 specified the TUAK authentication algorithm set as an alternative to MILENAGE. TUAK is based on the Keccak permutation (the basis of SHA-3) and gives operators a cryptographically diverse option that does not depend on AES.
Rel-15 finalized the 5G security architecture (TS 33.501). The 5G AKA and EAP-AKA' protocols and the subscription identifier concealment scheme (SUCI) were specified by SA3; the 128-bit 5G algorithms 128-NEA1/2/3 and 128-NIA1/2/3 reuse the LTE algorithm sets. SAGE's 5G contribution has been the evaluation of 256-bit successors for a later release.
Ongoing work in 5G-Advanced is at study level: assessing concrete post-quantum algorithms for 3GPP, likely key encapsulation mechanisms (KEMs) and digital signatures, together with their performance impact and migration strategies for the existing AKA and certificate frameworks.
Defining Specifications
| Specification | Title |
|---|---|
| TS 35.205 | Specification of the MILENAGE algorithm set; Document 1: General |
| TR 35.909 | Specification of the MILENAGE algorithm set; Document 5: Summary and results of design and evaluation |
| TR 35.934 | Specification of the TUAK algorithm set; Document 4: Report on the design and evaluation of the TUAK algorithm set |