Cryptology ePrint Archive: Report 2021/1104

Finding Practical Distinguishers for ZUC-256 Using Modular Differences

Fukang Liu and Willi Meier and Santanu Sarkar and Gaoli Wang and Ryoma Ito and Takanori Isobe

Abstract: ZUC-256 is a stream cipher designed for 5G applications and is currently being under evaluation for standardized algorithms in 5G mobile telecommunications by Security Algorithms Group of Experts (SAGE). A notable feature of the round update function of ZUC-256 is that many operations are defined over different fields, which significantly increases the difficulty to analyze the algorithm. In this paper, we develop new techniques to carefully control the interactions between these operations defined over different fields. Moreover, while the designers expect that only simple input differences can be exploited to mount a practical attack on 27 initialization rounds, which is indeed implied in the 28-round practical attack discovered by Babbage and Maximov, we demonstrate that much more complex input differences can be utilized to achieve practical attacks on more rounds of ZUC-256. At the first glance, our techniques are somewhat similar to that developed by Wang et al. for the MD-SHA hash family. However, as ZUC-256 is quite different from the MD-SHA hash family, we are indeed dealing with different problems and overcoming new obstacles. With the discovered complex input differences, we are able to present the first practical distinguishing attacks on 31 out of 33 rounds of ZUC-256 and 30 out of 33 rounds of the new version of ZUC-256 called ZUC-256-v2, respectively. It is unpredictable whether our attacks can be further extended to more rounds with more advanced techniques. Based on the current attacks, we believe that the full 33 initialization rounds are marginal.

Category / Keywords: secret-key cryptography / 5G, stream cipher, ZUC-256, differential attack, modular difference, signed difference

Date: received 27 Aug 2021, last revised 5 Sep 2021

Contact author: liufukangs at 163 com, willimeier48 at gmail com, santanu at iitm ac in, glwang at sei ecnu edu cn, itorym at nict go jp, takanori isobe at ai u-hyogo ac jp

Available format(s): PDF | BibTeX Citation

Note: Update the formula to compute the data/time complexity and fix an important typo that may cause misunderstanding in the procedure Enumeration-A.

Version: 20210905:235927 (All versions of this report)

Short URL: ia.cr/2021/1104


[ Cryptology ePrint archive ]