You are looking at a specific version 20121127:132916 of this paper.

Paper 2012/425

The Stream Cipher Core of the 3GPP Encryption Standard 128-EEA3: Timing Attacks and Countermeasures

Gautham Sekar

Abstract

The core of the 3rd Generation Partnership Project (3GPP) encryption standard 128-EEA3 is a stream cipher called ZUC. It was designed by the Chinese Academy of Sciences and proposed for inclusion in the cellular wireless standards called “Long Term Evolution” or “4G”. The LFSR-based cipher uses a 128-bit key. In this paper, we first show timing attacks on ZUC that can recover, with about 71.43% success rate, (i) one bit of the secret key immediately, and (ii) information involving 6 other key bits. The time, memory and data requirements of the attacks are negligible. While we see potential improvements to the attacks, we also suggest countermeasures.

Note:
1. Update: The constant-time C implementation (ZUC-1.5C) that we have proposed in the paper is now approved by the 3GPP for inclusion in the LTE standards. This C implementation and the ETSI's evaluation report are available at http://www.gsma.com/technicalprojects/fraud-security/security-algorithms/, under "3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3".
2. Revision 1: Typographical errors in Table 4 (Appendix A) have been corrected (i.e., $\Gamma_6$ --> $\Gamma_5$).

Metadata
Available format(s)
PDF PS
Category
Secret-key cryptography
Publication info
Published elsewhere. Expanded and updated version of Inscrypt 2012 paper.
Keywords
Stream cipher, cache timing attack, key recovery
Contact author(s)
sgautham @ isichennai res in
History
2015-10-01: last of 8 revisions
2012-08-05: received
Short URL
https://ia.cr/2012/425
License
Creative Commons Attribution
CC BY