[Resource Topic] 2020/1046: On the Linear Distinguishing Attack against ZUC-256 Stream Cipher

Welcome to the resource topic for 2020/1046

On the Linear Distinguishing Attack against ZUC-256 Stream Cipher

Authors: ZUC Design Team


At FSE 2020, a linear distinguishing attack is presented against the ZUC-256 stream cipher based on the 32-bit word with a data/time complexity of about 2^{236.38}. In this paper, we re-evaluate the complexity of this attack and discuss the applicability of such a distinguishing attack in 5G application scenarios, where each keystream frame is limited to 20000, and up to 2^{32} bits. To assure a high success probability close to 1, it is shown that the precise time complexity of the distinguishing attack is 2^{253.93} basic operations with a data complexity of 2^{241.38} bits keystream, which is far beyond the keystream length limit in 5G application settings in the single-frame setting. Besides, we also consider the multiple-frame scenario where a long keystream could be formed by concatenating many short keystream frames generated from different (Key, IV) pairs. We show that even in such a strong model of distinguishing attacks, the reported bias will not exist in 5G application scenarios and the linear distinguishing attack will not work due to the fact that the long linear combination relation derived from the polynomial multiple of the LFSR in ZUC-256 over \mbox{GF}(2^{31}-1), which has been verified in experiments. It is concluded that the ZUC-256 stream cipher offers the full 256-bit security in 5G application scenarios.

ePrint: https://eprint.iacr.org/2020/1046

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .