# A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3


Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3
Thomas Fuhr, Henri Gilbert, Jean-René Reinhard, and Marion Videau
ANSSI, France

presented by Peng Wang
DACAS, China

Introduction to 128-EIA3
   IV-dependent MAC
1) a 128-bit key
2) a 128-bit initial vector
3) a message of 1 to 20000 bits
4) a 32-bit MAC value
[Figure: Message, 128-EIA3(IK, IV), MAC]

   Security Goal: Unforgeability
Infeasible to generate a new valid (IV, Message, MAC)

128-EIA3 v1.4 and v1.5
in v1.4

in v1.5
ZUC

z0, z1, …, z31, …, zl ,…, zl+31, …, zL+32 …… ,zL+63

in v1.4

in v1.5

z0,z1, …z31, …,zl+31, … , zl+31,…, zL+32 …… ,zL+63
W0 W1            W

An Existential Forgery Attack against 128-EIA3 v1.4
   Given any message and the associated MAC value under an unknown integrity key and an initial vector,
   to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2.

Some observations
   The W_i are not independent

   The W_mask values are also related for the same IV

For two different messages and the same IV…

[Figure: two diagrams, each labelled (IK, IV)]

An Existential Forgery

   When we get (IV, M, T)
M = (m0,…,ml-1)

   We forge (IV, M’, T’)
M’ = (0,m0,…,ml-1)
T’ = (T<<1, β)

   The success probability is 1/2.
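
The relation T' = (T<<1, β) can be checked in a toy model. This is an added example, not code from the slides or from the 128-EIA3 specification: it assumes the v1.4 tag is the XOR of the 32-bit keystream windows W_i selected by the message bits, masked with W_l (l being the message length), uses random bits in place of ZUC keystream, and all function names are hypothetical. It also runs the same check with a mask drawn independently of the keystream, where the relation no longer holds.

```python
import random

MASK32 = 0xFFFFFFFF

def window(z, i):
    """W_i: keystream bits z[i..i+31] as one 32-bit word, z[i] most significant."""
    w = 0
    for bit in z[i:i + 32]:
        w = (w << 1) | bit
    return w

def universal_hash(z, msg):
    """XOR of W_i over every position i where message bit m_i is 1."""
    t = 0
    for i, m in enumerate(msg):
        if m:
            t ^= window(z, i)
    return t

def mac_length_mask(z, msg):
    """ASSUMED v1.4 shape: mask is W_l, a window of the same keystream."""
    return universal_hash(z, msg) ^ window(z, len(msg))

def mac_independent_mask(z, msg, mask):
    """Contrast: mask chosen independently of the hash keystream."""
    return universal_hash(z, msg) ^ mask

def candidates(tag):
    """The two values (T << 1, beta), beta in {0, 1}, as 32-bit words."""
    shifted = (tag << 1) & MASK32
    return {shifted, shifted | 1}

def count_predictable(trials=200, nbits=96, seed=1):
    """Per MAC variant, count trials where the tag of M' = (0, M) is a candidate."""
    rng = random.Random(seed)  # constructed stand-in for ZUC keystream bits
    hits_length = hits_indep = 0
    for _ in range(trials):
        z = [rng.getrandbits(1) for _ in range(nbits + 64)]
        msg = [rng.getrandbits(1) for _ in range(nbits)]
        mask = rng.getrandbits(32)
        shifted_msg = [0] + msg
        t, t2 = mac_length_mask(z, msg), mac_length_mask(z, shifted_msg)
        hits_length += t2 in candidates(t)
        u = mac_independent_mask(z, msg, mask)
        u2 = mac_independent_mask(z, shifted_msg, mask)
        hits_indep += u2 in candidates(u)
    return hits_length, hits_indep

if __name__ == "__main__":
    print(count_predictable())  # (hits with length mask, hits with independent mask)
```

With the length-derived mask the tag of M' is always one of the two candidates, so only the bit β has to be guessed, which is where the success probability 1/2 comes from.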

Partial Flaw in 128-EIA3 v1.4 Security Arguments
   All the models used for the proofs assume that the hash function and the mask value are randomly chosen and in particular that they are independent from each other.
   In the case of 128-EIA3 v1.4, the mask computation also involves the message length and leads to distinct, but related mask values, for identical IVs and different message lengths.

Sensitivity of 128-EIA3 v1.5 to Nonce Reuse
    Two specific properties of 128-EIA3 v1.5, which do not affect a generic Wegman-Carter authentication scheme.
    These properties involve the MACs of three distinct messages under the same key/IV pair.
    Therefore, they might threaten the security of 128-EIA3 v1.5 if an adversary can get the MAC of two distinct messages under the same (key, IV) pair.
    Such an event can happen if IVs are mistakenly repeated by the MAC generating party.

On the Independence of Universal
    In the case of 128-EIA3 v1.5, the independence of the universal hash function keys and the masking values is not guaranteed.
    The knowledge of the tags of two related messages under the same (key, IV) pair may allow an adversary to compute the tag of a third message under the same key and IV.

Sliding Property of the Universal Hash Function of 128-EIA3

Conclusion
    The existential forgery attack presented in Section 4 was forwarded to the designers of 128-EIA3 v1.4, who produced the modified version 128-EIA3 v1.5 to address the issue.
    While our analysis of 128-EIA3 v1.5 did not reveal any security issue of similar significance and the new MAC offers a provable resistance (under some assumptions) against a large class of forgery attacks, we have highlighted some structural properties of the mask values computation and the universal family of hash functions underlying 128-EIA3 v1.5, and shown that these may lead to limitations of its resilience against nonce reuse.
    None of the security properties we have investigated here relates to the specific features of the underlying IV-dependent stream cipher ZUC.

Thank you!
