Differential Attacks against Stream Cipher ZUC

  • Hongjun Wu
  • Tao Huang
  • Phuong Ha Nguyen
  • Huaxiong Wang
  • San Ling
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7658)

Abstract

Stream cipher ZUC is the core component in the 3GPP confidentiality and integrity algorithms 128-EEA3 and 128-EIA3. In this paper, we present the details of our differential attacks against ZUC 1.4. The vulnerability in ZUC 1.4 is due to the non-injective property of the initialization, which allows a difference in the initialization vector to be cancelled. In the first attack, the difference is injected into the first byte of the initialization vector, and one out of 2^15.4 random keys results in two identical keystreams after testing 2^13.3 IV pairs for each key. The identical keystreams pose a serious threat to the use of ZUC 1.4 in applications, since this is similar to reusing a key in a one-time pad. Once identical keystreams are detected, the key can be recovered with average complexity 2^99.4. In the second attack, the difference is injected into the second byte of the initialization vector, and every key can result in two identical keystreams with about 2^54 IVs. Once identical keystreams are detected, the key can be recovered with complexity 2^67. We have presented a method to fix the flaw by updating the LFSR in an injective way in the initialization. Our suggested method is used in the later versions of ZUC. The latest ZUC 1.6 is secure against our attacks.

Keywords

Stream cipher; linear feedback shift register; differential attack; memory word; keystream word (keywords added by machine, not by the authors).

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Hongjun Wu (1)
  • Tao Huang (1)
  • Phuong Ha Nguyen (1)
  • Huaxiong Wang (1)
  • San Ling (1)

  1. Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore