Differential Attacks against Stream Cipher ZUC ⋆

Hongjun Wu, Tao Huang, Phuong Ha Nguyen, Huaxiong Wang, and San Ling
Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore
{wuhj,huangtao,ng007ha,hxwang,lingsan}@ntu.edu.sg

⋆ This research is supported by the National Research Foundation Singapore under its Competitive Research Programme (CRP Award No. NRF-CRP2-2007-03) and the Nanyang Technological University NAP startup grant (M4080529.110).

X. Wang and K. Sako (Eds.): ASIACRYPT 2012, LNCS 7658, pp. 262–277, 2012. © International Association for Cryptologic Research 2012

Abstract. Stream cipher ZUC is the core component of the 3GPP confidentiality and integrity algorithms 128-EEA3 and 128-EIA3. In this paper, we present the details of our differential attacks against ZUC 1.4. The vulnerability in ZUC 1.4 is due to the non-injective property of the initialization, which allows a difference in the initialization vector to be cancelled. In the first attack, the difference is injected into the first byte of the initialization vector, and one out of $2^{15.4}$ random keys results in two identical keystreams after testing $2^{13.3}$ IV pairs for each key. Identical keystreams pose a serious threat to the use of ZUC 1.4 in applications, since the situation is equivalent to reusing a key in a one-time pad. Once identical keystreams are detected, the key can be recovered with average complexity $2^{99.4}$. In the second attack, the difference is injected into the second byte of the initialization vector, and every key results in two identical keystreams with about $2^{54}$ IVs. Once identical keystreams are detected, the key can be recovered with complexity $2^{67}$. We present a method to fix the flaw by updating the LFSR in an injective way during the initialization. Our suggested method is used in the later versions of ZUC. The latest version, ZUC 1.6, is secure against our attacks.

1 Introduction

Compared to block ciphers, dedicated stream ciphers normally require less computation to achieve the same security level. Stream ciphers are widely used in applications. For example, RC4 [10] is used in SSL and WEP, and A5/1 [8] is used in GSM (the Global System for Mobile Communications). But the use of RC4 in WEP is insecure [7], and A5/1 is very weak [4]. ECRYPT (2004–2008) organised the eSTREAM competition, which stimulated the study of stream ciphers, and a number of new stream ciphers were proposed [1–3, 5, 6, 9, 15]. The 3rd Generation Partnership Project (3GPP) was set up to produce globally applicable 3G mobile phone system specifications based on the GSM specifications. Stream cipher ZUC was designed by the Data Assurance and Communication Security Research Center of the Chinese Academy of Sciences.
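The abstract makes two claims that are worth seeing in running code: a non-injective initialization lets two different IVs load the same state, so an IV difference is cancelled and the keystreams coincide; and identical keystreams are as damaging as a reused one-time pad, because XORing the two ciphertexts removes the keystream entirely. The Python below is an added illustration written for this edit; it is not code from the paper and it is not ZUC. The keystream generator is a constructed toy (SHA-256 in counter mode over the loaded state), the "non-injective" loader simply reduces each IV byte mod 255 so that the byte values 0 and 255 collide, and all names (`load_state_noninjective`, `find_identical_keystreams`, `two_time_pad_recover`) and the sample key and plaintexts are assumptions of the example.

```python
import hashlib

# Folding a byte mod 255 merges the values 0 and 255: a toy stand-in for a
# non-injective initialization step (constructed here, NOT the ZUC 1.4 step).
TOY_MOD = 255


def load_state_noninjective(key: bytes, iv: bytes) -> bytes:
    """Toy non-injective loading: IVs whose bytes differ only by 0 vs 255
    produce the same state, so the IV difference is cancelled."""
    return key + bytes(b % TOY_MOD for b in iv)


def load_state_injective(key: bytes, iv: bytes) -> bytes:
    """Toy injective loading: distinct IVs always yield distinct states."""
    return key + iv


def keystream(state: bytes, n: int) -> bytes:
    """Constructed toy keystream (not ZUC): SHA-256 counter mode over the state."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(state + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def find_identical_keystreams(loader, key: bytes, iv_len: int = 4, prefix_len: int = 16):
    """Inject a difference into the first IV byte only, keep the rest fixed, and
    return the first IV pair whose keystream prefixes coincide (None if all 256
    prefixes are distinct). This is the detection check a tester would run."""
    seen = {}
    for b in range(256):
        iv = bytes([b]) + bytes(iv_len - 1)
        ks = keystream(loader(key, iv), prefix_len)
        if ks in seen:
            return seen[ks], iv
        seen[ks] = iv
    return None


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def two_time_pad_recover(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """With c1 = p1 XOR k and c2 = p2 XOR k under the same keystream k,
    c1 XOR c2 = p1 XOR p2, so a known p1 reveals p2 without touching the key."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo(key: bytes = b"constructed-key!") -> dict:
    """Run both checks on the toy cipher with constructed inputs."""
    pair = find_identical_keystreams(load_state_noninjective, key)
    iv_a, iv_b = pair
    p1 = b"ATTACK AT DAWN!!"   # constructed sample plaintexts (16 bytes each)
    p2 = b"RETREAT AT DUSK!"
    c1 = xor_bytes(p1, keystream(load_state_noninjective(key, iv_a), 16))
    c2 = xor_bytes(p2, keystream(load_state_noninjective(key, iv_b), 16))
    return {
        "colliding_ivs": pair,
        "injective_pair": find_identical_keystreams(load_state_injective, key),
        "recovered_p2": two_time_pad_recover(c1, c2, p1),
    }
```

The non-injective loader yields the colliding pair (IV byte 0, IV byte 255) after at most 256 trials, and the attacker then reads `p2` out of the two ciphertexts with no key material at all; the injective loader never produces a repeated prefix. The same keystream-equality test over IV pairs is the practical detector for this class of flaw in any stream cipher under evaluation, and it should be run on the full keystream prefix, not a hash of it, so that near-collisions are not mistaken for equality.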