Analysis of the initial and modified versions of the candidate 3GPP integrity algorithm 128-EIA3

Authors:
Thomas Fuhr;Henri Gilbert;Jean-René Reinhard;Marion Videau
Affiliations:
ANSSI, France;ANSSI, France;ANSSI, France;ANSSI, France
Venue:
SAC'11 Proceedings of the 18th international conference on Selected Areas in Cryptography
Year:
2011

Citing 6
Cited 3

Universal hashing and authentication codes

Designs, Codes and Cryptography
LFSR-based Hashing and Authentication

CRYPTO '94 Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology
Bucket Hashing and its Application to Fast Message Authentication

CRYPTO '95 Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology
On Fast and Provably Secure Message Authentication Based on Universal Hashing

CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms

CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
Plaintext Recovery Attacks against SSH

SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy

Grain-128a: a new version of Grain-128 with optional authentication

International Journal of Wireless and Mobile Computing
Analysis of indirect message injection for MAC generation using stream ciphers

ACISP'12 Proceedings of the 17th Australasian conference on Information Security and Privacy
SAT based analysis of LTE stream cipher ZUC

Proceedings of the 6th International Conference on Security of Information and Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery attack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2. We then briefly analyse the tweaked version of the algorithm that was introduced in January 2011 to circumvent this attack. We give some evidence that while this new version offers a provable resistance against similar forgery attacks under the assumption that (key, IV) pairs are never reused by any legitimate sender or receiver, some of its design features limit its resilience against IV reuse.