Paper 2021/1104

New Cryptanalysis of ZUC-256 Initialization Using Modular Differences

Fukang Liu, Willi Meier, Santanu Sarkar, Gaoli Wang, Ryoma Ito, and Takanori Isobe


ZUC-256 is a stream cipher designed for 5G applications by the ZUC team. Together with AES-256 and SNOW-V, it is currently being under evaluation for standardized algorithms in 5G mobile telecommunications by Security Algorithms Group of Experts (SAGE). A notable feature of the round update function of ZUC-256 is that many operations are defined over different fields, which significantly increases the difficulty to analyze the algorithm. As a main contribution, with the tools of the modular difference, signed difference and XOR difference, we develop new techniques to carefully control the interactions between these operations defined over different fields. While the designers expect that only simple input differences can be exploited to mount a practical attack on 27 initialization rounds in the released document, which is indeed implied in the 28-round practical attack discovered by Babbage and Maximov, we demonstrate that under the same attack scenario much more complex input differences can be utilized to achieve practical attacks on more rounds of ZUC-256. The new attacks involve lots of nontrivial efforts to cancel differences from the perspective of the modular difference, signed difference and XOR difference. At the first glance, our techniques are somewhat similar to that developed by Wang et al. for the MD-SHA hash family. However, as ZUC-256 is quite different from the MD-SHA hash family and its round function is much more complex, we are indeed dealing with different problems and overcoming new obstacles. With the discovered complex input differences, we are able to present the first distinguishing attacks on 31 out of 33 rounds of ZUC-256 and 30 out of 33 rounds of the new version of ZUC-256 called ZUC-256-v2 with practical time and data complexities, respectively. Moreover, with a novel IV-correcting technique, we show how to efficiently recover at least 16 key bits for 15-round ZUC-256 and 14-round ZUC-256-v2 in the related-key setting, respectively. It is unpredictable whether our attacks can be further extended to more rounds with more advanced techniques. Based on the current attacks, we believe that the full 33 initialization rounds provide marginal security.

Note: Major revision: change the title and add more explanations.

Available format(s)
Secret-key cryptography
Publication info
Preprint. Minor revision.
5Gstream cipherZUC-256differential attackmodular differencesigned difference
Contact author(s)
liufukangs @ gmail com
willimeier48 @ gmail com
santanu @ iitm ac in
glwang @ sei ecnu edu cn
itorym @ nict go jp
takanori isobe @ ai u-hyogo ac jp
2022-02-16: last of 3 revisions
2021-08-31: received
See all versions
Short URL
Creative Commons Attribution


      author = {Fukang Liu and Willi Meier and Santanu Sarkar and Gaoli Wang and Ryoma Ito and Takanori Isobe},
      title = {New Cryptanalysis of ZUC-256 Initialization Using Modular Differences},
      howpublished = {Cryptology ePrint Archive, Paper 2021/1104},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.