Mobile security is of paramount importance. The security of LTE (long term evolution of radio networks), which is currently widely deployed as a long-term standard for mobile networks, relies upon three cryptographic primitives, one of which is the stream cipher ZUC. In this paper, we point out that the linear feedback shift register (LFSR) used in ZUC has about 2^25 encodings of the zero state (i.e. all LFSR variables are 0), because its operations are performed modulo 2^31 - 1 on 32-bit operands. We use SAT solvers to show that these states are reachable when 64 bits of ZUC's initial state (the registers R1 and R2) can be chosen; that is, for each key there are many initial vectors that lead to a weak state after ZUC's initialization. We also use SAT solvers to disprove the existence of such weak inputs when the initial values of R1 and R2 are set to zero, as the official specification requires. Finally, we discuss how the redundancy introduced in ZUC's output function might help mount SAT-solver-based guess-and-determine attacks given a few keystream digits.
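To make the encoding issue described in the abstract concrete, here is an added Python example. It is not code from the paper and not the ZUC reference implementation, although it uses the same word-level operations the ZUC specification defines for its LFSR: addition modulo 2^31 - 1 on 32-bit words with an end-around carry, and multiplication by 2^k as a 31-bit rotation. It assumes the ZUC keystream-mode feedback s16 = 2^15 s15 + 2^17 s13 + 2^21 s10 + 2^20 s4 + (1 + 2^8) s0 mod (2^31 - 1) and the specification's rule that a zero feedback value is stored as 2^31 - 1; all function names and the sample states are this example's own. It shows that the words 0 and 0x7FFFFFFF both represent the field element 0, that the feedback computation yields the same field element whichever encoding a cell holds, and that a register whose cells are any mix of these two encodings is still an all-zero state after clocking. The enumeration counts only this per-cell ambiguity (2^16 bit patterns over the 16 cells); it does not reproduce the paper's figure of about 2^25 encodings.

```python
# Added example for this page: modulo-(2^31 - 1) arithmetic on 32-bit words as
# used by the ZUC LFSR, and the resulting non-unique encoding of zero.
# Illustrative code, not the paper's code and not the ZUC reference implementation.

P31 = (1 << 31) - 1      # the prime 2^31 - 1; field elements are 0 .. P31 - 1
MASK31 = 0x7FFFFFFF      # 31-bit mask (numerically equal to P31)


def add_m(a, b):
    """Add two 31-bit values modulo 2^31 - 1 with the end-around-carry trick on
    a 32-bit sum (the word-level operation the ZUC specification uses).
    A zero result comes out as 0x7FFFFFFF unless both inputs are 0."""
    c = (a + b) & 0xFFFFFFFF
    return (c & MASK31) + (c >> 31)


def mul_pow2(x, k):
    """Multiply by 2^k modulo 2^31 - 1 as a left rotation within 31 bits.
    The all-ones word 0x7FFFFFFF (an encoding of zero) is a fixed point."""
    return ((x << k) | (x >> (31 - k))) & MASK31


def canonical(x):
    """Field element represented by a word: both 0 and 0x7FFFFFFF map to 0."""
    return x % P31


def is_zero_encoding(x):
    return canonical(x) == 0


def lfsr_feedback(s):
    """Keystream-mode feedback of the ZUC LFSR (16 cells s[0..15]):
    s16 = 2^15*s15 + 2^17*s13 + 2^21*s10 + 2^20*s4 + (1 + 2^8)*s0 (mod 2^31 - 1),
    followed by the specification's rule that a zero result is stored as 2^31 - 1."""
    v = mul_pow2(s[15], 15)
    v = add_m(v, mul_pow2(s[13], 17))
    v = add_m(v, mul_pow2(s[10], 21))
    v = add_m(v, mul_pow2(s[4], 20))
    v = add_m(v, mul_pow2(s[0], 8))
    v = add_m(v, s[0])
    return P31 if v == 0 else v


def clock(s):
    """One LFSR step: shift the cells and append the new feedback word."""
    return s[1:] + [lfsr_feedback(s)]


def is_weak_lfsr_state(s):
    """True when every cell encodes the field element 0, whatever its bit pattern."""
    return all(is_zero_encoding(x) for x in s)


def feedback_is_encoding_independent(s):
    """The feedback depends only on the field elements in the cells, not on
    which of the two encodings of zero a cell happens to hold."""
    reduced = [canonical(x) for x in s]
    return canonical(lfsr_feedback(s)) == canonical(lfsr_feedback(reduced))


def count_absorbing_zero_patterns():
    """Enumerate the 2^16 register patterns whose cells are each 0 or 0x7FFFFFFF
    and count those that are still an all-zero state after one clock.
    Only this per-cell ambiguity is counted; the paper's figure of about 2^25
    encodings is not reproduced here."""
    absorbing = 0
    for bits in range(1 << 16):
        s = [P31 if (bits >> i) & 1 else 0 for i in range(16)]
        if is_weak_lfsr_state(clock(s)):
            absorbing += 1
    return absorbing


if __name__ == "__main__":
    print("0 and 0x7FFFFFFF both encode zero:", canonical(0), canonical(P31))
    print("add_m(0x7FFFFFFF, 0x7FFFFFFF) =", hex(add_m(P31, P31)))
    mixed = [0, P31] * 8            # constructed weak state with mixed encodings
    print("mixed-encoding zero state stays weak:", is_weak_lfsr_state(clock(mixed)))
    print("absorbing zero patterns:", count_absorbing_zero_patterns())
```

Running the block prints the two encodings of zero and confirms that a register holding any mix of 0 and 0x7FFFFFFF in its cells is still an all-zero state after clocking: once the LFSR has reached any encoding of the zero state, the linear part contributes nothing further, whichever bit patterns the cells hold. The check on a nonzero state shows the converse side of the same fact: comparisons or constraints written at the bit level see different words for the same field element, which is the ambiguity a SAT-based analysis has to model explicitly.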