@inproceedings{44772e09d642472cac1e367962160d38,
title = "SAT based analysis of LTE stream cipher ZUC",
abstract = "Mobile security is of paramount importance. The security of LTE (long term evolution of radio networks), which is currently widely deployed as a long-term standard for mobile networks, relies upon three cryptographic primitives, among which the stream cipher ZUC. In this paper, we point out that the linear feedback shift register (LFSR) used in ZUC has about 225 encodings of the zero state (i.e. all LFSR variables are 0) due to the fact that operations are performed modulo 231 - 1 on 32-bit operands. We use SAT solvers to show that these states are reachable when 64 bits of ZUC's initial state can be chosen (i.e. R1, R2). That is, for each key there are many initial vectors that lead to a weak state after ZUC's initialization. We also use SAT-solvers to disprove the existence of such weak inputs when the initial values of R1, R2 are set to zero as required by the official specifications. Finally, we discuss how the redundancy introduced in ZUC's output function might help mounting SAT-solver based guess-and-determine attacks given a few keystream digits.",
keywords = "128-EEA3, 128-EIA3, LTE, SAT solver, Stream cipher, ZUC",
author = "Fr{\'e}d{\'e}ric Lafitte and Olivier Markowitch and \{Van Heule\}, Dirk",
year = "2013",
doi = "10.1145/2523514.2523533",
language = "English",
isbn = "9781450324984",
series = "SIN 2013 - Proceedings of the 6th International Conference on Security of Information and Networks",
pages = "110--116",
booktitle = "SIN 2013 - Proceedings of the 6th International Conference on Security of Information and Networks",
note = "6th International Conference on Security of Information and Networks, SIN 2013 ; Conference date: 26-11-2013 Through 28-11-2013",
}