Paper 2020/1046

On the Linear Distinguishing Attack against ZUC-256 Stream Cipher

Bin Zhang, TCA Laboratory, State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, 100190, Beijing, China, University of Chinese Academy of Sciences, Beijing, 100049, China
Dengguo Feng, TCA Laboratory, State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, 100190, Beijing, China
Chenhui Jin, Information Engineering University, 450001, Zhengzhou, China
Wen-Feng Qi, Information Engineering University, 450001, Zhengzhou, China
Wenling Wu, TCA Laboratory, State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, 100190, Beijing, China, University of Chinese Academy of Sciences, Beijing, 100049, China
Chao Xu, State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
Yanfeng Wang, State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
Lin Jiao, State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
Abstract

At FSE 2020, a linear distinguishing attack was presented against the ZUC-256 stream cipher based on the $32$-bit word, with a data/time complexity of about $2^{236.38}$. In this paper, we re-evaluate the complexity of this attack and discuss the applicability of such a distinguishing attack in 5G application scenarios, where each keystream frame is limited to $20000$ bits, and up to $2^{32}$ bits. To assure a high success probability close to $1$, it is shown that the precise time complexity of the distinguishing attack is $2^{253.93}$ basic operations with a data complexity of $2^{241.38}$ bits of keystream, which is far beyond the keystream length limit of 5G application settings in the single-frame setting. Besides, we also consider the multiple-frame scenario, where a long keystream could be formed by concatenating many short keystream frames generated from different (Key, IV) pairs. We show that even in such a strong model of distinguishing attacks, the reported bias will not exist in 5G application scenarios and the linear distinguishing attack will not work, due to the long linear combination relation derived from the polynomial multiple of the LFSR in ZUC-256 over $\mbox{GF}(2^{31}-1)$; this has been verified in experiments. It is concluded that the ZUC-256 stream cipher offers the full $256$-bit security in 5G application scenarios.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
ZUC-256, 256-bit security, Linear distinguishing attack
Contact author(s)
martin_zhangbin @ hotmail com
History
2025-04-23: revised
2020-09-01: received
Short URL
https://ia.cr/2020/1046
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/1046,
      author = {Bin Zhang and Dengguo Feng and Chenhui Jin and Wen-Feng Qi and Wenling Wu and Chao Xu and Yanfeng Wang and Lin Jiao},
      title = {On the Linear Distinguishing Attack against {ZUC}-256 Stream Cipher},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/1046},
      year = {2020},
      url = {https://eprint.iacr.org/2020/1046}
}