Public Evaluation Report UEA2/UIA2
Total Page:16
File Type:pdf, Size:1020Kb
ETSI/SAGE Version: 2.0 Technical report Date: 9th September, 2011 Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 4: Design and Evaluation Report LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 1 of 43 Document 4: Design and Evaluation report. Version 2.0 Document History 0.1 20th June 2010 First draft of main technical text 1.0 11th August 2010 First public release 1.1 11th August 2010 A few typos corrected and text improved 1.2 4th January 2011 A modification of ZUC and 128-EIA3 and text improved 1.3 18th January 2011 Further text improvements including better reference to different historic versions of the algorithms 1.4 1st July 2011 Add a new section on timing attacks 2.0 9th September 2011 Final deliverable LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 2 of 43 Document 4: Design and Evaluation report. Version 2.0 Reference Keywords 3GPP, security, SAGE, algorithm ETSI Secretariat Postal address F-06921 Sophia Antipolis Cedex - FRANCE Office address 650 Route des Lucioles - Sophia Antipolis Valbonne - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 X.400 c= fr; a=atlas; p=etsi; s=secretariat Internet [email protected] http://www.etsi.fr Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 2006. All rights reserved. LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 3 of 43 Document 4: Design and Evaluation report. Version 2.0 Contents 1 Scope .................................................................................................................................. 7 2 References .......................................................................................................................... 7 3 Abbreviations ...................................................................................................................... 7 4 Structure of this report ........................................................................................................ 9 5 Background to the design and evaluation work .................................................................. 9 6 Versions of these algorithms / evaluation history ............................................................. 10 7 Algorithm parameters ....................................................................................................... 10 7.1 EEA – Encryption algorithm .................................................................................... 11 7.2 EIA – Integrity algorithm ......................................................................................... 11 8 Summary of the 128-EEA3 and 128-EIA3 algorithms ..................................................... 13 8.1 The stream cipher ZUC ............................................................................................. 13 8.2 Confidentiality function 128-EEA3 .......................................................................... 14 8.3 Integrity function 128-EIA3 ..................................................................................... 15 9 Overall design rationale for ZUC ..................................................................................... 16 10 Design and evaluation of ZUC components ..................................................................... 17 10.1 Design of the LFSR .................................................................................................. 17 10.2 Design of the bit-reorganization ............................................................................... 21 10.3 Design of the nonlinear function F ........................................................................... 23 11 128-EEA3 and 128-EIA3 constructions ........................................................................... 27 11.1 128-EEA3 construction ............................................................................................. 27 11.2 128-EIA3 construction .............................................................................................. 27 12 Resistance against cryptanalytic attacks ........................................................................... 30 12.1 Weak key attacks ...................................................................................................... 30 12.2 Guess-and-Determine Attacks .................................................................................. 31 12.3 BDD Attacks (from evaluation report [32]) .............................................................. 31 12.4 Inversion Attacks (from evaluation report [32]) ....................................................... 31 12.5 Linear Distinguishing Attacks .................................................................................. 31 12.6 Algebraic Attacks ..................................................................................................... 33 12.7 Chosen IV Attacks .................................................................................................... 36 12.8 Time-Memory-Data Trade-Off Attacks .................................................................... 37 12.9 Timing Attacks ......................................................................................................... 38 13 Conclusion of the evaluation ............................................................................................ 39 14 Acknowledgements .......................................................................................................... 40 Annex A - External references ................................................................................................. 41 LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 4 of 43 Document 4: Design and Evaluation report. Version 2.0 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://www.etsi.org/ipr). At the time of writing of this report, no information of any Intellectual Property Rights (IPRs) has been drawn to the attention neither to the Task Force nor to ETSI. No guarantee can be given as to the existence of other IPRs not referenced in SR 000 314 (or the updates on the ETSI Web server (http://www.etsi.org/ipr) which are, or may be, or may become, essential to the present document. LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 5 of 43 Document 4: Design and Evaluation report. Version 2.0 Foreword This Report has been produced by the ETSI SAGE Task Force on the Design of the third LTE encryption and integrity protection algorithms 128-EEA3 and 128-EIA3 (SAGE TF 3GPP). The work described in this report was undertaken in response to a request made by 3GPP. LTE Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. page 6 of 43 Document 4: Design and Evaluation report. Version 2.0 1 Scope This public report contains a detailed summary of the design and evaluation work performed during the development of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 and 128-EIA3. The report also includes summaries of evaluations made by independent external evaluators, and reflects modifications that amend the security flaws found by Bing Sun et al. [35] at the 2010 ZUC workshop, by Hongjun Wu [36] at the rump session of ASIACRYPT 2010, and by Thomas Fuhr et al. at the 2010 ZUC workshop/eprint [37]. 2 References For the purposes of this report, the following references apply: [1] 3G TS 33.401 V 9.3.1 (2010-04) 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security architecture (Release 9). [2] ETSI/SAGE Specification. Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 1: 128-EEA3 and 128-EIA3 Specification; Version: 1.6; Date: 1st July 2011. [3] ETSI/SAGE Specification. Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 2: ZUC Specification; Version: 1.6; Date: 28th June 2011. Additional references to external documents are provided in Annex A. 3 Abbreviations For the purposes of the present report, the following abbreviations apply: AES Advanced Encryption Standard CK Cipher Key ETSI European Telecommunications Standards Institute GF(q) The Galois field with q elements 3GPP 3rd Generation Partnership Project EPS Evolved Packet System (comprising LTE and SAE) EEA EPS Encryption Algorithm EIA EPS Integrity Algorithm 128-EEA3 Proposed third algorithm fulfilling the EEA requirement 128-EIA3 Proposed third algorithm fulfilling the EIA requirement IBS Input Bit Stream IK Integrity Key IPR Intellectual Property Rights IV Initialization Vector LFSR Linear Feedback Shift Register LTE Long Term Evolution (radio network) MAC Message Authentication Code OBS Output Bit Stream OTP One Time Pad SA3 3GPP Systems