Cryptology ePrint Archive: Report 2012/425
The Stream Cipher Core of the 3GPP Encryption Standard 128-EEA3: Timing Attacks and Countermeasures
Abstract: The core of the 3rd Generation Partnership Project (3GPP) encryption standard 128-EEA3 is a stream cipher called ZUC. It was designed by the Chinese Academy of Sciences and proposed for inclusion in the cellular wireless standards called “Long Term Evolution” or “4G”. The LFSR-based cipher uses a 128-bit key. In this paper, we first show timing attacks on ZUC that can recover, with about 71.43% success rate, (i) one bit of the secret key immediately, and (ii) information involving 6 other key bits. The time, memory and data requirements of the attacks are negligible. While we see potential improvements to the attacks, we also suggest countermeasures.
Category / Keywords: secret-key cryptography / Stream cipher, cache timing attack, key recovery
Original Publication (with minor differences): Expanded and updated version of Inscrypt 2011 paper.
Date: received 27 Jul 2012, last revised 8 Nov 2013
Contact author: sgautham at isichennai res in
Available format(s): PDF | BibTeX Citation
Note: The timing analysis presented in this paper was privately communicated by the author to the ETSI/SAGE before the 2nd International Workshop on ZUC Algorithm and Related Topics. Subsequently, the reference C implementation of ZUC was modified to the one in Version 1.6 of the ZUC Specification of the ETSI/SAGE. This revised code is the latest, and the ZUC specification with this code has been included in the LTE standards. The latest code is essentially the code in Version 1.5 of the ZUC Specification of the ETSI/SAGE with two corrections, one of which was proposed independently by the author to the ETSI/SAGE. See http://www.gsma.com/technicalprojects/fraud-security/security-algorithms/, under "3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3". Further details and references are available in Sect. 6 of this ePrint paper (see "Update").
Version: 20131108:130540
Short URL: ia.cr/2012/425