The ZUC-256 Stream Cipher

Abstract. To be well adapted to the 5G communications and the post-quantum cryptography era, we propose the ZUC-256 stream cipher in this paper, a successor of the previous ZUC-128 stream cipher used in the 3GPP confidentiality and integrity algorithms 128-EEA3 and 128-EIA3. ZUC-256 is highly compatible with the ZUC-128 stream cipher and has its own design features. The aim is a new stream cipher that offers 256-bit security for the upcoming applications in 5G. For the authentication, various tag sizes are supported with the IV-respecting restriction.

Keywords: ZUC algorithm, Stream ciphers, 256-bit security.

1 Introduction

The core of the 3GPP confidentiality and integrity algorithms 128-EEA3 and 128-EIA3 is the ZUC-128 stream cipher [1]. With the development of communication and computing technology, there is an emerging need for a new core stream cipher offering 256-bit security in the upcoming 5G applications. To be highly compatible with the current 128-bit version, we present the ZUC-256 stream cipher, a successor of the previous ZUC-128 stream cipher. The new ZUC-256 stream cipher differs from ZUC-128 only in the initialization phase and in the message authentication code (MAC, also called authentication tag or tag) generation phase; all other aspects are the same as in the previous ZUC-128 algorithm.

This paper is structured as follows. In Section 2, we give the detailed description of the new ZUC-256 stream cipher, including the initialization phase, the keystream generation phase and the MAC generation phase. Finally, some conclusions are drawn in Section 3.

2 The Description of the Cipher

In this section, we present the detailed description of the ZUC-256 stream cipher. The following notations will be used hereafter.

- Denote the integer modular addition by $\boxplus$, i.e., for $0 \le x < 2^{32}$ and $0 \le y < 2^{32}$, $x \boxplus y$ is the integer addition mod $2^{32}$.
- Denote the integer addition modulo $(2^{31} - 1)$ by $(x + y) \bmod (2^{31} - 1)$ for $1 \le x \le 2^{31} - 1$ and $1 \le y \le 2^{31} - 1$.
- Denote the bitwise exclusive OR by $\oplus$.
- Denote the bit string concatenation by $\|$.
- Denote the bitwise logic OR by $|$.

[Fig. 1. The keystream generation phase of the ZUC-256 stream cipher]

- $K = (K_{31}, K_{30}, \ldots, K_2, K_1, K_0)$, the 256-bit secret key used in ZUC-256, where $K_i$ for $0 \le i \le 31$ are 8-bit bytes.
- $IV = (IV_{24}, IV_{23}, \ldots, IV_{17}, IV_{16}, IV_{15}, \ldots, IV_1, IV_0)$, the 184-bit initialization vector used in ZUC-256, where $IV_i$ for $0 \le i \le 16$ are 8-bit bytes and $IV_i$ for $17 \le i \le 24$ are 6-bit strings occupying the 6 least significant bits of a byte.
- $d_i$ for $0 \le i \le 15$ are the 7-bit constants used in the ZUC-256 stream cipher.
- $\lll$, the left rotation of a 64-bit operand: $x \lll n$ means $((x \ll n) \,|\, (x \gg (64 - n)))$, where $\ll$ and $\gg$ are the logical left shift and right shift, respectively.

As depicted in Fig. 1 and Fig. 2, there are 3 parts involved in ZUC-256: a 496-bit linear feedback shift register (LFSR) defined over the field GF($2^{31} - 1$), consisting of 16 31-bit cells $(s_{15}, s_{14}, \ldots, s_2, s_1, s_0)$ defined over the set $\{1, 2, \ldots, 2^{31} - 1\}$; a bit reorganization layer (BR), which extracts the content of the LFSR to form 4 32-bit words $(X_0, X_1, X_2, X_3)$ used in the following finite state machine (FSM); and the FSM itself, which uses 2 32-bit words $R_1$ and $R_2$ as its memory.

[Fig. 2. The initialization phase of the ZUC-256 stream cipher]

The Key/IV loading scheme of ZUC-256 is as follows.
$s_0 = K_0 \| d_0 \| K_{21} \| K_{16}$
$s_1 = K_1 \| d_1 \| K_{22} \| K_{17}$
$s_2 = K_2 \| d_2 \| K_{23} \| K_{18}$
$s_3 = K_3 \| d_3 \| K_{24} \| K_{19}$
$s_4 = K_4 \| d_4 \| K_{25} \| K_{20}$
$s_5 = IV_0 \| (d_5 \,|\, IV_{17}) \| K_5 \| K_{26}$
$s_6 = IV_1 \| (d_6 \,|\, IV_{18}) \| K_6 \| K_{27}$
$s_7 = IV_{10} \| (d_7 \,|\, IV_{19}) \| K_7 \| IV_2$
$s_8 = K_8 \| (d_8 \,|\, IV_{20}) \| IV_3 \| IV_{11}$
$s_9 = K_9 \| (d_9 \,|\, IV_{21}) \| IV_{12} \| IV_4$
$s_{10} = IV_5 \| (d_{10} \,|\, IV_{22}) \| K_{10} \| K_{28}$
$s_{11} = K_{11} \| (d_{11} \,|\, IV_{23}) \| IV_6 \| IV_{13}$
$s_{12} = K_{12} \| (d_{12} \,|\, IV_{24}) \| IV_7 \| IV_{14}$
$s_{13} = K_{13} \| d_{13} \| IV_{15} \| IV_8$
$s_{14} = K_{14} \| (d_{14} \,|\, (K_{31})_{4H}) \| IV_{16} \| IV_9$
$s_{15} = K_{15} \| (d_{15} \,|\, (K_{31})_{4L}) \| K_{30} \| K_{29}$,

where $(K_{31})_{4H}$ is the high 4 bits of the byte $K_{31}$ and $(K_{31})_{4L}$ is the low 4 bits of $K_{31}$, and the constants $d_i$ for $0 \le i \le 15$ are defined as follows.

$d_0 = 0100010$, $d_1 = 0101111$, $d_2 = 0100100$, $d_3 = 0101010$,
$d_4 = 1101101$, $d_5 = 1000000$, $d_6 = 1000000$, $d_7 = 1000000$,
$d_8 = 1000000$, $d_9 = 1000000$, $d_{10} = 1000000$, $d_{11} = 1000000$,
$d_{12} = 1000000$, $d_{13} = 1010010$, $d_{14} = 0010000$, $d_{15} = 0110000$.

There are 32 + 1 = 33 rounds of initialization in the ZUC-256 stream cipher, which are performed as follows.

1. Load the key, IV and constants into the LFSR as specified above.
2. Let $R_1 = R_2 = 0$.
3. for i = 0 to 31 do
   – Bitreorganization()
   – $W = F(X_0, X_1, X_2)$
   – LFSRWithInitializationMode($W \gg 1$)
4. – Bitreorganization()
   – $W = F(X_0, X_1, X_2)$ and discard $W$
   – LFSRWithWorkMode().

Now we specify the relevant subroutines one by one.

LFSRWithInitializationMode(u)
1. $v = 2^{15} \cdot s_{15} + 2^{17} \cdot s_{13} + 2^{21} \cdot s_{10} + 2^{20} \cdot s_4 + (1 + 2^8) \cdot s_0 \bmod (2^{31} - 1)$
2. if $v = 0$ then set $v = 2^{31} - 1$
3. $s_{16} = v + u \bmod (2^{31} - 1)$
4. if $s_{16} = 0$ then set $s_{16} = 2^{31} - 1$
5. $(s_{16}, s_{15}, \ldots, s_2, s_1) \to (s_{15}, s_{14}, \ldots, s_1, s_0)$, where $\to$ is the assignment operation.

LFSRWithWorkMode()
1. $s_{16} = 2^{15} \cdot s_{15} + 2^{17} \cdot s_{13} + 2^{21} \cdot s_{10} + 2^{20} \cdot s_4 + (1 + 2^8) \cdot s_0 \bmod (2^{31} - 1)$
2. if $s_{16} = 0$ then set $s_{16} = 2^{31} - 1$
3. $(s_{16}, s_{15}, \ldots, s_2, s_1) \to (s_{15}, s_{14}, \ldots, s_1, s_0)$.

Bitreorganization()
1. $X_0 = s_{15H} \| s_{14L}$
2. $X_1 = s_{11L} \| s_{9H}$
3. $X_2 = s_{7L} \| s_{5H}$
4. $X_3 = s_{2L} \| s_{0H}$,
where $s_{iH}$ is the high 16 bits of the cell $s_i$ and $s_{jL}$ is the low 16 bits of the cell $s_j$.

$F(X_0, X_1, X_2)$
1. $W = (X_0 \oplus R_1) \boxplus R_2$
2. $W_1 = R_1 \boxplus X_1$
3. $W_2 = R_2 \oplus X_2$
4. $R_1 = S(L_1(W_{1L} \| W_{2H}))$
5. $R_2 = S(L_2(W_{2L} \| W_{1H}))$,
where $S = (S_0, S_1, S_0, S_1)$ denotes the 4 parallel S-boxes, which are the same as those used in the previous ZUC-128, and $L_1$ and $L_2$ are the two MDS matrices used in ZUC-128.

The ZUC-256 stream cipher generates a 32-bit keystream word at each time instant.

KeystreamGeneration()
1. Bitreorganization()
2. $Z = F(X_0, X_1, X_2) \oplus X_3$
3. LFSRWithWorkMode().

ZUC-256 generates a 20000-bit to $2^{32}$-bit keystream for each frame, i.e., for each frame it produces 625 to $2^{27}$ keystream words; after that a key/IV resynchronization is performed with the key/constants fixed and the IV changing to a new value.

In the 5G applications, the MAC generation algorithm of ZUC-256 is similar to that of ZUC-128 and is described as follows. Let $M = (m_0, m_1, \ldots, m_{l-1})$ be the plaintext message of length $l$ bits, and let the tag size $t$ be selected from 32, 64 and 128 bits.

MAC Generation(M)
1. Let ZUC-256 produce a keystream of $L = \lceil l/32 \rceil + 2 \cdot t/32$ words. Denote the keystream bit string by $z_0, z_1, \ldots, z_{32 \cdot L - 1}$, where $z_0$ is the most significant bit of the first output keystream word and $z_{31}$ is the least significant bit of that word.
2. Initialize $Tag = (z_0, z_1, \ldots, z_{t-1})$
3. for i = 0 to l − 1 do
   – let $W_i = (z_{t+i}, \ldots, z_{i+2t-1})$
   – if $m_i = 1$ then $Tag = Tag \oplus W_i$
4. $W_l = (z_{l+t}, \ldots, z_{l+2t-1})$
5. $Tag = Tag \oplus W_l$
6. return $Tag$

For the different sizes of the MAC tag, to prevent the forgery attack, the constants are specified as follows.

1. for the tag size of 32 bits, the constants are
   $d_0 = 0100010$, $d_1 = 0101111$, $d_2 = 0100101$, $d_3 = 0101010$,
   $d_4 = 1101101$, $d_5 = 1000000$, $d_6 = 1000000$, $d_7 = 1000000$,
   $d_8 = 1000000$, $d_9 = 1000000$, $d_{10} = 1000000$, $d_{11} = 1000000$,
   $d_{12} = 1000000$, $d_{13} = 1010010$, $d_{14} = 0010000$, $d_{15} = 0110000$
2. for the tag size of 64 bits, the constants are
   $d_0 = 0100011$, $d_1 = 0101111$, $d_2 = 0100100$, $d_3 = 0101010$,
   $d_4 = 1101101$, $d_5 = 1000000$, $d_6 = 1000000$, $d_7 = 1000000$,
   $d_8 = 1000000$, $d_9 = 1000000$, $d_{10} = 1000000$, $d_{11} = 1000000$,
   $d_{12} = 1000000$, $d_{13} = 1010010$, $d_{14} = 0010000$, $d_{15} = 0110000$
3. for the tag size of 128 bits, the constants are
   $d_0 = 0100011$, $d_1 = 0101111$, $d_2 = 0100101$, $d_3 = 0101010$,
   $d_4 = 1101101$, $d_5 = 1000000$, $d_6 = 1000000$, $d_7 = 1000000$,
   $d_8 = 1000000$, $d_9 = 1000000$, $d_{10} = 1000000$, $d_{11} = 1000000$,
   $d_{12} = 1000000$, $d_{13} = 1010010$, $d_{14} = 0010000$, $d_{15} = 0110000$.

The test vectors of the ZUC-256 stream cipher for the keystream generation phase are as follows.

1. let $K_i$ = 0x00 for $0 \le i \le 31$ and $IV_i$ = 0x00 for $0 \le i \le 24$; then the first 20 keystream words are
   – 58d03ad6, 2e032ce2, dafc683a, 39bdcb03, 52a2bc67,
   – f1b7de74, 163ce3a1, 01ef5558, 9639d75b, 95fa681b,
   – 7f090df7, 56391ccc, 903b7612, 744d544c, 17bc3fad,
   – 8b163b08, 21787c0b, 97775bb8, 4943c6bb, e8ad8afd
2. let $K_i$ = 0xff for $0 \le i \le 31$, $IV_i$ = 0xff for $0 \le i \le 16$ and $IV_i$ = 0x3f for $17 \le i \le 24$; then the first 20 keystream words are
   – 3356cbae, d1a1c18b, 6baa4ffe, 343f777c, 9e15128f,
   – 251ab65b, 949f7b26, ef7157f2, 96dd2fa9, df95e3ee,
   – 7a5be02e, c32ba585, 505af316, c2f9ded2, 7cdbd935,
   – e441ce11, 15fd0a80, bb7aef67, 68989416, b8fac8c2

The test vectors of the ZUC-256 stream cipher for the tag authentication phase are as follows.

1. let $K_i$ = 0x00 for $0 \le i \le 31$ and $IV_i$ = 0x00 for $0 \le i \le 24$, and $M$ = 0x00···00 (100 hexadecimal digits) with the length l = 400 bits; then the 32-bit tag, 64-bit tag and 128-bit tag are as follows, respectively.
   – The 32-bit authentication tag is 9b972a74
   – The 64-bit authentication tag is 673e5499 0034d38c
   – The 128-bit authentication tag is d85e54bb cb960096 7084c952 a1654b26
2. let $K_i$ = 0x00 for $0 \le i \le 31$ and $IV_i$ = 0x00 for $0 \le i \le 24$, and $M$ = 0x11···11 (1000 hexadecimal digits) with the length l = 4000 bits; then the 32-bit tag, 64-bit tag and 128-bit tag are as follows, respectively.
   – The 32-bit authentication tag is 8754f5cf
   – The 64-bit authentication tag is 130dc225 e72240cc
   – The 128-bit authentication tag is df1e8307 b31cc62b eca1ac6f 8190c22f
3. let $K_i$ = 0xff for $0 \le i \le 31$, $IV_i$ = 0xff for $0 \le i \le 16$ and $IV_i$ = 0x3f for $17 \le i \le 24$, and $M$ = 0x00···00 (100 hexadecimal digits) with the length l = 400 bits; then the 32-bit tag, 64-bit tag and 128-bit tag are as follows, respectively.
   – The 32-bit authentication tag is 1f3079b4
   – The 64-bit authentication tag is 8c71394d 39957725
   – The 128-bit authentication tag is a35bb274 b567c48b 28319f11 1af34fbd
4. let $K_i$ = 0xff for $0 \le i \le 31$, $IV_i$ = 0xff for $0 \le i \le 16$ and $IV_i$ = 0x3f for $17 \le i \le 24$, and $M$ = 0x11···11 (1000 hexadecimal digits) with the length l = 4000 bits; then the 32-bit tag, 64-bit tag and 128-bit tag are as follows, respectively.
   – The 32-bit authentication tag is 5c7c8b88
   – The 64-bit authentication tag is ea1dee54 4bb6223b
   – The 128-bit authentication tag is 3a83b554 be408ca5 494124ed 9d473205

The security claim of the ZUC-256 stream cipher is 256-bit security in the 5G application settings. For forgery attacks on the authentication part, the security level is the same as the tag size, and the IV is not allowed to be re-used. If the tag verification fails, no output should be generated.

3 Conclusions

In this paper, we have presented the details of the new ZUC-256 stream cipher. Any cryptanalysis is welcome.

References

1. Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 and 128-EIA3, Document 4: Design and Evaluation Report. http://www.gsmworld.com/documents/EEA3_EIA3_Design_Evaluation_v1_1.pdf

A Document History

25-01-2018 Online publication, version 1.0
15-04-2018 Revision to the Figures, version 1.1
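As an added worked example that is not part of the paper, the following Python code implements the Key/IV loading scheme, the LFSR update in both modes and the bit reorganization of Section 2. D holds the keystream-setting constants; the FSM (S-boxes and L1/L2) is left out because this page does not reproduce them, so the code produces no keystream and serves only to check the loading and the GF(2^31 − 1) arithmetic.

```python
# Added example, not the paper's own code: ZUC-256 key/IV loading and the LFSR
# update over GF(2^31 - 1) from Section 2. The FSM is not included (no keystream).
P = (1 << 31) - 1  # the prime 2^31 - 1; every LFSR cell lies in {1, ..., P}

# The 7-bit constants d_0 .. d_15 of the keystream generation setting.
D = [0b0100010, 0b0101111, 0b0100100, 0b0101010, 0b1101101, 0b1000000,
     0b1000000, 0b1000000, 0b1000000, 0b1000000, 0b1000000, 0b1000000,
     0b1000000, 0b1010010, 0b0010000, 0b0110000]

def cell(a, d, b, c):
    """Pack byte a || 7-bit d || byte b || byte c into one 31-bit cell."""
    return (a << 23) | (d << 16) | (b << 8) | c

def load_key_iv(K, IV, d=D):
    """Return the 16 LFSR cells s_0 .. s_15. K: 32 key bytes; IV: 25 entries,
    IV[0..16] bytes and IV[17..24] 6-bit values (OR-ed into d_5 .. d_12)."""
    assert len(K) == 32 and len(IV) == 25 and all(v < 64 for v in IV[17:])
    k31h, k31l = K[31] >> 4, K[31] & 0xF            # (K31)_4H, (K31)_4L
    return [cell(K[0], d[0], K[21], K[16]),
            cell(K[1], d[1], K[22], K[17]),
            cell(K[2], d[2], K[23], K[18]),
            cell(K[3], d[3], K[24], K[19]),
            cell(K[4], d[4], K[25], K[20]),
            cell(IV[0], d[5] | IV[17], K[5], K[26]),
            cell(IV[1], d[6] | IV[18], K[6], K[27]),
            cell(IV[10], d[7] | IV[19], K[7], IV[2]),
            cell(K[8], d[8] | IV[20], IV[3], IV[11]),
            cell(K[9], d[9] | IV[21], IV[12], IV[4]),
            cell(IV[5], d[10] | IV[22], K[10], K[28]),
            cell(K[11], d[11] | IV[23], IV[6], IV[13]),
            cell(K[12], d[12] | IV[24], IV[7], IV[14]),
            cell(K[13], d[13], IV[15], IV[8]),
            cell(K[14], d[14] | k31h, IV[16], IV[9]),
            cell(K[15], d[15] | k31l, K[30], K[29])]

def lfsr_step(s, u=0):
    """One LFSR update. Initialization mode passes u = W >> 1; work mode has
    no u term (u = 0). A zero result is replaced by P in both modes."""
    v = (2**15 * s[15] + 2**17 * s[13] + 2**21 * s[10]
         + 2**20 * s[4] + (1 + 2**8) * s[0]) % P
    v = v or P                      # if v = 0 then v = 2^31 - 1
    s16 = (v + u) % P or P          # if s16 = 0 then s16 = 2^31 - 1
    return s[1:] + [s16]            # (s16, ..., s1) -> (s15, ..., s0)

def bit_reorganization(s):
    """X_0 .. X_3; s_iH is the high 16 bits, s_iL the low 16 bits of a 31-bit cell."""
    H, L = (lambda x: x >> 15), (lambda x: x & 0xFFFF)
    return [(H(s[15]) << 16) | L(s[14]), (L(s[11]) << 16) | H(s[9]),
            (L(s[7]) << 16) | H(s[5]), (L(s[2]) << 16) | H(s[0])]
```

With the all-zero key and IV of test vector 1, every cell reduces to d_i << 16, which is why the constants are all non-zero: no cell may ever take the value 0.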
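As a second added example (again not the paper's code), the MAC Generation(M) procedure of Section 2 run over a caller-supplied keystream, so that the z_0-is-MSB bit ordering and the final W_l term can be checked without the full cipher; DEMO_WORDS is a constructed placeholder keystream, not ZUC-256 output.

```python
# Added example, not the paper's own code: the MAC Generation(M) procedure of
# Section 2 over a caller-supplied keystream. DEMO_WORDS below is a constructed
# placeholder, not ZUC-256 output, chosen so the result is easy to verify by hand.

def keystream_bits(words):
    """Flatten 32-bit keystream words into z_0, z_1, ...: z_0 is the most
    significant bit of the first word, z_31 its least significant bit."""
    return [(w >> (31 - j)) & 1 for w in words for j in range(32)]

def window(z, start, t):
    """The t-bit value (z_start, ..., z_{start+t-1}) with z_start as its MSB."""
    v = 0
    for b in z[start:start + t]:
        v = (v << 1) | b
    return v

def mac_words_needed(l, t):
    """L = ceil(l/32) + 2*t/32 keystream words for an l-bit message."""
    return -(-l // 32) + 2 * (t // 32)

def zuc256_mac(z_words, msg_bits, t):
    """Tag of size t (32, 64 or 128) over the l-bit message m_0 .. m_{l-1}."""
    assert t in (32, 64, 128)
    l = len(msg_bits)
    assert len(z_words) >= mac_words_needed(l, t)
    z = keystream_bits(z_words)
    tag = window(z, 0, t)                   # Tag = (z_0, ..., z_{t-1})
    for i, m in enumerate(msg_bits):
        if m:                               # W_i = (z_{t+i}, ..., z_{i+2t-1})
            tag ^= window(z, t + i, t)
    tag ^= window(z, l + t, t)              # W_l = (z_{l+t}, ..., z_{l+2t-1})
    return tag

def bytes_to_bits(data, l):
    """First l message bits, MSB of each byte first (m_0 is the first bit)."""
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(l)]

# Constructed three-word keystream: z_31 = 1, z_32 = 1 and z_65 = 1 are the
# only set bits. With the 8-bit message m_0 = 1, m_1..m_7 = 0 and t = 32:
#   Tag = (z_0..z_31) = 0x00000001, then ^= W_0 = (z_32..z_63) = 0x80000000,
#   then ^= W_8 = (z_40..z_71), where z_65 lands at bit 6 -> 0x40.
DEMO_WORDS = [0x00000001, 0x80000000, 0x40000000]
DEMO_MSG = bytes_to_bits(b"\x80", 8)
DEMO_TAG = zuc256_mac(DEMO_WORDS, DEMO_MSG, 32)  # 0x80000041
```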