Cryptanalysis of the Stream Cipher ZUC
in the 3GPP Confidentiality & Integrity Algorithms
128-EEA3 & 128-EIA3

Hongjun Wu, Phuong Ha Nguyen,
Huaxiong Wang, San Ling

Nanyang Technological University
Singapore

Stream Cipher ZUC
• 128-EEA3 & 128-EIA3
  – 3GPP confidentiality & integrity algorithms
  – Published in June 2010
  – Currently a preliminary version for security evaluation

• The core cryptosystem in 128-EEA3 & 128-EIA3
  is the stream cipher ZUC

Stream Cipher ZUC
• Based on a linear feedback shift register
  – Primitive polynomial over GF(2^31-1)
  – Uses addition, XOR, rotation and an S-box to generate
    the keystream
     • high security

Stream Cipher ZUC: Keystream generation
[Figure: keystream generation diagram]

Stream Cipher ZUC: Initialization
• Load the 128-bit key & 128-bit IV into the register
• Run the cipher for 32 steps
  – Each 32-bit keystream word is truncated to 31 bits
  – Then XORed to S15 (one element of the register)
• Ready for keystream generation

Cryptanalysis of ZUC
• Observation:

        If a, a', b ∈ GF(2^31-1), a ≠ a',
        then it may happen that
          (a ⊕ b) mod (2^31-1) = (a' ⊕ b) mod (2^31-1)

Cryptanalysis of ZUC
• Observation:

Example: a  = 1111111111000000000000000000000
         a' = 0000000000111111111111111111111
         b  = 1111111111000000000000000000000

then (a ⊕ b) mod (2^31-1) = (a' ⊕ b) mod (2^31-1) = 0

[Figure: number line marked 0 and 2^31-1]

Cryptanalysis of ZUC
• Different IVs of ZUC may result in identical
  keystreams:
  – Introduce a difference at iv[0]
  – Difference at S15 after feedback
  – The difference at S15 may disappear after XORing with
    the truncated keystream word (based on the
    previous observation)
     • Then identical states!

    Only the first step is involved in the attack!

Cryptanalysis of ZUC
• Probability that identical keystreams appear:
  – For a random key, try all the values of iv[0], iv[10],
    iv[14], try all the values of the six lsb of iv[15],
    let iv[2] = 112
     • identical keystreams appear with probability about 2^-16

• Experiment: with difference at iv[0], more than
  four thousand identical keystream pairs were
  found
  – after optimizing the search algorithm, finding an
    identical keystream pair takes around 3 minutes on a
    CPU core

Cryptanalysis of ZUC
• Examples:
 key = 87,4,95,13,161,32,199,61,20,147,56,84,126,205,165,148
 iv  = 166,166,112,38,192,214,34,211,170,25,18,71,4,135,68,5
 iv' = 116,166,112,38,192,214,34,211,170,25,18,71,4,135,68,5

 keystream words:   bfe800d5 0360a22b 6c4554c8 67f00672
                    2ce94f3f f94d12ba 11c382b3 cbaf4b31 …

 key = 79,104,119,45,239,93,93,202,172,113,158,37,85,121,134,148;
 iv  = 170,17,112,85,0,138,20,77,6,91,153,83,105,0,92,63;
 iv' = 128,17,112,85,0,138,20,77,6,91,153,83,105,0,92,63;

 keystream words:   0131e501 8f1ef253 6a928250 ded7df1b
                    fbb9bfe8 e74ce021 1344b122 da9dd837 …

Cryptanalysis of ZUC
• Key recovery
  – A difference at iv[0] results in identical keystreams
     • The values of key[0] & key[15] are known
     • The sum key[13] + key[10]*16 + key[4]*8 is known
     => The effective key size is reduced from
        128 bits to about 100 bits

Cryptanalysis of ZUC
• Other attacks
  – Difference at iv[1] (estimation)
     • For a random key and an IV pair with difference at
       iv[1], an identical keystream pair appears with probability
       about 2^-61
        – For 2^8 IVs with difference at iv[1], an identical keystream pair
          appears with probability 2^-47
     • The effective key size is reduced from 128 bits to
       about 66 bits

How to resist the attack?
      If a, a', b ∈ GF(2^31-1), a ≠ a',
      then it may happen that
        (a ⊕ b) mod (2^31-1) = (a' ⊕ b) mod (2^31-1)

      If a, a', b ∈ GF(2^31-1), a ≠ a',
      then
        (a + b) mod (2^31-1) ≠ (a' + b) mod (2^31-1)

How to resist the attack?
 To resist the attack:
 In the initialization stage, “+” instead of
 “XOR” should be used to combine the truncated
 keystream word with S15

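The observation from the earlier slides (two distinct elements a ≠ a' can give the same value after XORing with b and reducing modulo 2^31-1) and the fix above (addition modulo 2^31-1 never does) in working code. This is an added example written for this page, not code from the slides or from the ZUC specification; the names xor_mod, add_mod, xor_collision_partner, slide_example and exhaustive_check are chosen here, and the reduction is modelled simply as x % (2^31-1), which is an assumption for illustration rather than a statement about how ZUC implements the register update. exhaustive_check generalizes the 31-bit claim to any modulus 2^n-1 small enough to enumerate.

```python
# Added example: XOR vs. modular addition on 31-bit register elements.
# Not taken from the slides or the ZUC spec; function names are chosen here.

M = (1 << 31) - 1  # 2^31 - 1: the field modulus and also the all-ones 31-bit mask


def xor_mod(a, b):
    """XOR two 31-bit values and reduce modulo 2^31-1.

    Assumption (constructed here): the reduction is a plain `% M`, which
    sends 2^31-1 to 0. That identification of two values is the
    non-invertibility the slides describe.
    """
    return (a ^ b) % M


def add_mod(a, b):
    """Addition modulo 2^31-1, the operation the fix uses instead of XOR."""
    return (a + b) % M


def xor_collision_partner(a, b):
    """Return the a' != a with xor_mod(a', b) == xor_mod(a, b), or None.

    For 31-bit inputs a ^ b already lies in [0, 2^31-1], so the reduction
    only ever merges 0 and 2^31-1. Hence a collision exists exactly when
    a ^ b is one of those two values, and the partner is a' = a ^ M
    (the bitwise complement of a within 31 bits).
    """
    if (a ^ b) in (0, M):
        return a ^ M
    return None


def slide_example():
    """The concrete a, a', b from the slides: both XORs reduce to 0,
    while the corresponding additions stay distinct."""
    a = int("1111111111" + "0" * 21, 2)   # ten ones, then 21 zeros
    a_prime = int("0" * 10 + "1" * 21, 2)  # ten zeros, then 21 ones
    b = a
    return xor_mod(a, b), xor_mod(a_prime, b), add_mod(a, b) == add_mod(a_prime, b)


def exhaustive_check(bits):
    """Count collisions of xor_mod and add_mod over a small modulus 2^bits - 1.

    Generalizes the 31-bit claim: for every b, enumerate every a in the field
    and count how often an a maps onto an output already produced by an
    earlier a. XOR collides once for every b != 0 (the pair {b, b ^ m}),
    addition never.
    """
    m = (1 << bits) - 1
    xor_collisions = add_collisions = 0
    for b in range(m):
        seen_xor, seen_add = set(), set()
        for a in range(m):
            x = (a ^ b) % m
            s = (a + b) % m
            xor_collisions += x in seen_xor
            add_collisions += s in seen_add
            seen_xor.add(x)
            seen_add.add(s)
    return xor_collisions, add_collisions


if __name__ == "__main__":
    print("slide example (xor, xor', additions differ?):", slide_example())
    a = 1023 << 21
    print("collision partner of a under b = a:", bin(xor_collision_partner(a, a)))
    print("collisions over GF(2^7-1) (xor, add):", exhaustive_check(7))
```

The point the exhaustive count makes is that the weakness is structural, not a rare coincidence of the 31-bit parameters: for every nonzero b there is exactly one pair of distinct inputs that XOR-then-reduce to the same output, while addition modulo 2^n-1 is a permutation of the field for every b, which is why the slides propose "+" for the S15 update.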
Conclusion
• Stream cipher ZUC is weak against a chosen-IV
  attack
  – XORing the elements in GF(2^31-1) may be
    non-invertible
• Fixing the security flaw
  – Use only addition modulo 2^31-1 when
    updating the LFSR over GF(2^31-1)

Posted: 1/1/2011