Analysis of the Initial and Modified
Versions of the Candidate 3GPP Integrity
Thomas Fuhr, Henri Gilbert, Jean-René Reinhard, and Marion Videau
presented by Peng Wang
1 DACAS, China
Introduction to 128-EIA3
1) a 128-bit key Message
2) 128-bit initial vector
3) a 1-20000 bits message 128-EIA3(IK, IV)
4) 32-bit MAC value
Security Goal: Unforgeability
Infeasible to generate a new valid (IV, Message, MAC)
128-EIA3 v1.4 and v1.5
z0, z1, …, z31, …, zl ,…, zl+31, …, zL+32 …… ,zL+63
m0W0 ml-1Wl-1 Wl Wmask
z0,z1, …z31, …,zl+31, … , zl+31,…, zL+32 …… ,zL+63
W0 W1 W
Wl-1 l Wmask
An Existential Forgery Attack against
Given any message and the associated MAC value under
an unknown integrity key and an initial vector,
to predict the MAC value of a related message under the
same key and the same initial vector with a success
Wi s are not independent
Wmasks are also related for the same IV
For two different messages and the same IV…
( IK , IV )
( IK , IV )
An Existential Forgery
When we get (IV, M, T)
M = (m0,…,ml-1)
We forge (IV, M’, T’)
M’ = (0,m0,…,ml-1)
T’ = (T<<1, β)
The success probability is 1/2.
Partial Flaw in 128-EIA3 v1.4 Security
All the models used for the proofs assume that the hash
function and the mask value are randomly chosen and in
particular that they are independent from each other.
In the case of 128-EIA3 v1.4, the mask computation also
involves the message length and leads to distinct, but
related mask values, for identical IVs and different
Sensitivity of 128-EIA3 v1.5 to Nonce
Two specific properties of 128-EIA3 v1.5, which do not affect a
generic Wegman-Carter authentication scheme.
These properties involve the MACs of three distinct messages
under the same key/IV pair.
Therefore, they might threaten the security of 128-EIA3 v1.5 if
an adversary can get the MAC of two distinct messages under
the same (key, IV) pair.
Such an event can happen if IVs are mistakenly repeated by the
MAC generating party.
On the Independance of Universal
Hashing Keys and Masking Values
In the case of 128-EIA3 v1.5, the independence of the
universal hash function keys and the masking values is not
The knowledge of the tags of two related messages under
the same (key, IV) pair may allow to compute the tag of a
third message under the same key and IV.
Sliding Property of the Universal Hash
Function of 128-EIA3
The existential forgery attack presented in Section 4 was
forwarded to the designers of 128-EIA3 v1.4, who produced
the modified version 128-EIA3 v1.5 to address the issue.
While our analysis of 128-EIA3 v1.5 did not reveal any security
issue of similar significance and the new MAC offers a provable
resistance (under some assumptions) against a large class of
forgery attacks, we have highlighted some structural properties
of the mask values computation and the universal family of
hash functions underlying 128-EIA3 v1.5, and shown that these
may lead to limitations of its resilience against nonce reuse.
None of the security properties we have investigated here
relates to the specific features of the underlying IV-dependent
stream cipher ZUC.