Cryptology ePrint Archive: Report 2012/425

The Stream Cipher Core of the 3GPP Encryption Standard 128-EEA3: Timing Attacks and Countermeasures

Gautham Sekar

Abstract: The core of the 3rd Generation Partnership Project (3GPP) encryption standard 128-EEA3 is a stream cipher called ZUC. It was designed by the Chinese Academy of Sciences and proposed for inclusion in the cellular wireless standards called “Long Term Evolution” or “4G”. The LFSR-based cipher uses a 128-bit key. In this paper, we first show timing attacks on ZUC that can recover, with about 71.43% success rate, (i) one bit of the secret key immediately, and (ii) information involving 6 other key bits. The time, memory and data requirements of the attacks are negligible. While we see potential improvements to the attacks, we also suggest countermeasures.

Category / Keywords: secret-key cryptography / Stream cipher, cache timing attack, key recovery

Publication Info: Expanded and updated version of Inscrypt 2012 paper.

Date: received 27 Jul 2012, last revised 27 Nov 2012

Contact author: sgautham at isichennai res in

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Note: 1. Update: The constant-time C implementation (ZUC-1.5C) that we have proposed in the paper, is now approved by the 3GPP for inclusion in the LTE standards. This C implementation and the ETSI's evaluation report are available at, under "3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3". 2. Revision 1: Typographical errors in Table 4 (Appendix A) have been corrected (i.e., $\Gamma_6$ --> $\Gamma_5$).

Version: 20121127:132916 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]