International Association for Cryptologic Research

International Association
for Cryptologic Research


Paper: New Cryptanalysis of ZUC-256 Initialization Using Modular Differences

Fukang Liu , University of Hyogo, Hyogo, Japan
Willi Meier , University of Applied Sciences and Arts Northwestern Switzerland (FHNW), Windisch, Switzerland
Santanu Sarkar , Indian Institute of Technology Madras, Chennai, India
Gaoli Wang , East China Normal University, Shanghai, China; Key Lab of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China
Ryoma Ito , National Institute of Information and Communications Technology, Tokyo, Japan
Takanori Isobe , University of Hyogo, Hyogo, Japan; National Institute of Information and Communications Technology, Tokyo, Japan; PRESTO, Japan Science and Technology Agency, Tokyo, Japan
DOI: 10.46586/tosc.v2022.i3.152-190
Search ePrint
Search Google
Abstract: ZUC-256 is a stream cipher designed for 5G applications by the ZUC team. Together with AES-256 and SNOW-V, it is currently being under evaluation for standardized algorithms in 5G mobile telecommunications by Security Algorithms Group of Experts (SAGE). A notable feature of the round update function of ZUC-256 is that many operations are defined over different fields, which significantly increases the difficulty to analyze the algorithm.As a main contribution, with the tools of the modular difference, signed difference and XOR difference, we develop new techniques to carefully control the interactions between these operations defined over different fields. At first glance, our techniques are somewhat similar to those developed by Wang et al. for the MD-SHA hash family. However, as ZUC-256 is quite different from the MD-SHA hash family and its round function is much more complex, we are indeed dealing with different problems and overcoming new obstacles.As main results, by utilizing complex input differences, we can present the first distinguishing attacks on 31 out of 33 rounds of ZUC-256 and 30 out of 33 rounds of the new version of ZUC-256 called ZUC-256-v2 with low time and data complexities, respectively. These attacks target the initialization phase and work in the related-key model with weak keys. Moreover, with a novel IV-correcting technique, we show how to efficiently recover at least 16 key bits for 15-round ZUC-256 and 14-round ZUC-256-v2 in the related-key setting, respectively. It is unpredictable whether our attacks can be further extended to more rounds with more advanced techniques. Based on the current attacks, we believe that the full 33 initialization rounds provide marginal security.
  title={New Cryptanalysis of ZUC-256 Initialization Using Modular Differences},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universit├Ąt Bochum},
  volume={2022, Issue 3},
  author={Fukang Liu and Willi Meier and Santanu Sarkar and Gaoli Wang and Ryoma Ito and Takanori Isobe},