Abstract
In this paper we investigate the security of the two most recent versions of the message authentication code 128-EIA3, which is considered for adoption as a third integrity algorithm in the emerging 3GPP standard LTE. We first present an efficient existential forgery attack against the June 2010 version of the algorithm. This attack allows, given any message and the associated MAC value under an unknown integrity key and an initial vector, to predict the MAC value of a related message under the same key and the same initial vector with a success probability 1/2. We then briefly analyse the tweaked version of the algorithm that was introduced in January 2011 to circumvent this attack. We give some evidence that while this new version offers a provable resistance against similar forgery attacks under the assumption that (key, IV) pairs are never reused by any legitimate sender or receiver, some of its design features limit its resilience against IV reuse.
Chapter PDF
Similar content being viewed by others
References
3GPP Technical Specification Group Services and System Aspects: 3GPP System Architecture Evolution (SAE); Security architecture (Release 9). Tech. Rep. 3G TS 33.401 V 9.3.1, 3rd Generation Partnership Project (2010-04)
Bellare, M., Goldreich, O., Mityagin, A.: The Power of Verification Queries in Message Authentication and Authenticated Encryption. Tech. Rep. 2004/309, Cryptology ePrint Archive (2004)
Carter, J., Wegman, M.: Universal Classes of Hash Functions. Journal of Computer and System Science 18, 143–154 (1979)
ETSI/SAGE: Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2 & UIA2. Document 1: UEA2 and UIA2 Specification. Version 2.1. Tech. rep., ETSI (March 16, 2009), http://www.gsmworld.com/documents/uea2_uia2_d1_v2_1.pdf
ETSI/SAGE: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 1: 128-EEA3 and 128-EIA3 Specification. Version 1.4. Tech. rep., ETSI (July 30, 2010)
ETSI/SAGE: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 2: ZUC Specification. Version 1.4. Tech. rep., ETSI (July 30, 2010)
ETSI/SAGE: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 4: Design and Evaluation Report. Version 1.1. Tech. rep., ETSI (August 11, 2010)
ETSI/SAGE: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 1: 128-EEA3 and 128-EIA3 Specification. Version 1.5. Tech. rep., ETSI (January 4, 2011), http://www.gsmworld.com/documents/EEA3_EIA3_specification_v1_5.pdf
ETSI/SAGE: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 2: ZUC Specification. Version 1.5. Tech. rep., ETSI (January 4, 2011), http://www.gsmworld.com/documents/EEA3_EIA3_ZUC_v1_5.pdf
ETSI/SAGE: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 & 128-EIA3. Document 4: Design and Evaluation Report. Version 1.3, Tech. rep., ETSI (January 18, 2011), http://www.gsmworld.com/documents/EEA3_EIA3_Design_Evaluation_v1_3.pdf
Handschuh, H., Preneel, B.: Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008)
Krawczyk, H.: LFSR-Based Hashing and Authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994)
Martin Albrecht, K.P., Watson, G.: Plaintext Recovery Attacks Against SSH. In: Proceedings of IEEE Symposium on Security and Privacy 2009, pp. 16–26. IEEE Computer Society (2009)
Rogaway, P.: Bucket Hashing and Its Application to Fast Message Authentication. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 29–42. Springer, Heidelberg (1995)
Rogaway, P.: Bucket Hashing and its Application to Fast Message Authentication. Journal of Cryptology 12(2), 91–115 (1999)
Shoup, V.: On Fast and Provably Secure Message Authentication Based on Universal Hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996)
Stinson, D.: Universal Hashing and Authentication Codes. Design, Codes and Cryptography 4, 369–380 (1994)
Sun, B., Tang, X., Li, C.: Preliminary Cryptanalysis Results of ZUC. Presented at the First International Workshop on ZUC Algorithm, vol. 12 (2010)
Wegman, M., Carter, J.: New Hash Functions and Their Use in Authentication and Set Equality. Journal of Computer and System Science 22, 265–279 (1981)
Wu, H.: Cryptanalysis of the Stream Cipher ZUC in the 3GPP Confidentiality & Integrity Algorithms 128-EEA3 & 128-EIA3. Presented at the ASIACRYPT 2010 rump session (2010), http://www.spms.ntu.edu.sg/Asiacrypt2010/Rump%20Session-%207%20Dec%202010/wu_rump_zuc.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Fuhr, T., Gilbert, H., Reinhard, JR., Videau, M. (2012). Analysis of the Initial and Modified Versions of the Candidate 3GPP Integrity Algorithm 128-EIA3. In: Miri, A., Vaudenay, S. (eds) Selected Areas in Cryptography. SAC 2011. Lecture Notes in Computer Science, vol 7118. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28496-0_14
Download citation
DOI: https://doi.org/10.1007/978-3-642-28496-0_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28495-3
Online ISBN: 978-3-642-28496-0
eBook Packages: Computer ScienceComputer Science (R0)