zbMATH — the first resource for mathematics

Analysis of the initial and modified versions of the candidate 3GPP integrity algorithm 128-EIA3. (English) Zbl 1292.94064
Miri, Ali (ed.) et al., Selected areas in cryptography. 18th international workshop, SAC 2011, Toronto, ON, Canada, August 11–12, 2011. Revised selected papers. Berlin: Springer (ISBN 978-3-642-28495-3/pbk). Lecture Notes in Computer Science 7118, 230-242 (2012).
Summary: In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery attack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2. We then briefly analyse the tweaked version of the algorithm that was introduced in January 2011 to circumvent this attack. We give some evidence that while this new version offers a provable resistance against similar forgery attacks under the assumption that (key, IV) pairs are never reused by any legitimate sender or receiver, some of its design features limit its resilience against IV reuse.
For the entire collection see [Zbl 1234.94005].

MSC:
94A60 Cryptography