1 Background To The Design and Evaluation Work
The security architecture for LTE includes various services that need to be provided by standardized cryptographic algorithms. In particular, two standardized algorithms are required for the radio interface, namely:

EEA  Encryption algorithm
EIA  Integrity algorithm

Before this work began, two encryption and integrity algorithm sets had already been developed and standardized for LTE. The first set, 128-EEA1 and 128-EIA1, is based on SNOW 3G; the second, 128-EEA2 and 128-EIA2, is based on the Advanced Encryption Standard (AES). (The prefix 128- indicates that the algorithms take a 128-bit secret key.)

The 3GPP Systems and Architecture Group (SA3) agreed in May 2009 on a requirement for a third encryption and integrity algorithm set, one designed in China, so that the Chinese authorities would permit its use in that country. The resulting algorithm set is based on a core stream cipher algorithm named ZUC, after Zu Chongzhi, the famous Chinese scientist from history. The algorithms were designed by experts at the Data Assurance and Communication Security Research Center (DACAS) of the Chinese Academy of Sciences.

Of course, an algorithm from China is not enough of a requirement. It was agreed that a robust, three-phase evaluation program would be followed:

1. Evaluation by an ETSI SAGE task force;
2. Evaluation by two funded teams of academic experts, delivering their results to the ETSI SAGE task force;
3. After that evaluation, if the task force recommended that the algorithm (modified or not) is suitable for acceptance into the standard, then a public evaluation phase would take place before final standardization.

The SAGE task force set high security goals for the algorithm set. To recommend the algorithms, it was not sufficient merely that no practical attacks were found during the evaluation. Rather, the task force required that the algorithms should be judged to have a high security margin, and also that the design rationale behind all components of the algorithm should be clear and transparent.
2 Algorithm parameters
2.1 EEA Encryption algorithm
The input parameters to the ciphering algorithm are a 128-bit cipher key named KEY, a 32-bit COUNT, a 5-bit bearer identity BEARER, the 1-bit direction of the transmission, i.e. DIRECTION, and the length of the keystream required, i.e. LENGTH. The DIRECTION bit shall be 0 for uplink and 1 for downlink. The use of the ciphering algorithm EEA to encrypt plaintext by applying a keystream using a bit-per-bit binary addition of the plaintext and the keystream is illustrated in Figure 1. The plaintext may be recovered by generating the same keystream using the same input parameters and applying a bit-per-bit binary addition with the ciphertext.
Figure 1 Ciphering of data

Based on the input parameters the algorithm generates the output keystream block KEYSTREAM which is used to encrypt the input plaintext block PLAINTEXT to produce the output ciphertext block CIPHERTEXT. The input parameter LENGTH shall affect only the length of the KEYSTREAM BLOCK, not the actual bits in it.
2.2 EIA Integrity algorithm
The input parameters to the integrity algorithm are a 128-bit integrity key named KEY, a 32-bit COUNT, a 5-bit bearer identity called BEARER, the 1-bit direction of the transmission, i.e. DIRECTION, and the message itself, i.e. MESSAGE. The DIRECTION bit shall be 0 for uplink and 1 for downlink. The bit length of the MESSAGE is LENGTH. The use of the integrity algorithm EIA to authenticate the integrity of messages is illustrated in Figure 2.
Figure 2 Derivation of MAC-I/NAS-MAC (or XMAC-I/XNAS-MAC)

Based on these input parameters the sender computes a 32-bit message authentication code (MAC-I/NAS-MAC) using the integrity algorithm EIA. The message authentication code is then appended to the message when sent. The receiver computes the expected message authentication code (XMAC-I/XNAS-MAC) on the message received in the same way as the sender computed its message authentication code on the message sent, and verifies the data integrity of the message by comparing it to the received message authentication code, i.e. MAC-I/NAS-MAC.
3.1 The stream cipher ZUC
The structure of ZUC is depicted in the following diagram:
Figure 3 The structure of ZUC

ZUC consists of a Linear Feedback Shift Register (LFSR), a bit reorganization BR and a nonlinear function F. The LFSR is constructed from 16 register units, each holding 31 bits, and the feedback is defined by a primitive polynomial over the finite field GF ( -1) . The bit reorganization extracts 128 bits from the state of the LFSR and forms four 32-bit words which will be used by the nonlinear function F. The nonlinear function F is based upon two 32-bit registers and . The operation of the nonlinear function F involves input from the bit reorganization and uses two S-boxes and . The mixing operations are the exclusive OR, the cyclic shift and the addition modulo . See ref. [3] for details on the specification of S-boxes.

3.2 Confidentiality function 128-EEA3
The new confidentiality algorithm (128-EEA3) encrypts and decrypts frames using ZUC as a standard synchronous stream cipher. Ref. [2] defines how the system parameters COUNT, BEARER and DIRECTION are used together with the Confidentiality Key (CK) to initialize the keystream generator. The output from ZUC consists of 32-bit words that are XORed to the corresponding Input Bit Stream (IBS). The main stream cipher principles of 128-EEA3 are shown in Figure 4. The produced cipher text block is denoted as Output Bit Stream (OBS). For decryption the same scheme is used to recover the plain text block (IBS) from the received cipher text (OBS). Sender and receiver will synchronize for each frame using the frame counter COUNTER-C.
Figure 4 Principles of the 128-EEA3 encryption operation

3.3 Integrity function 128-EIA3
The new integrity algorithm (128-EIA3) computes a 32-bit Message Authentication Code (MAC) on an input message under an integrity key IK. We assumed that the message could be between 1 and 20000 bits in length (but the algorithm supports longer messages if needed). The 128-EIA3 algorithm is based on universal hashing.
Prior to processing the message, the ZUC generator is initialized with the integrity key IK and the initialization vector IV, and a keystream with length 64 bits more than that of the message is generated. The message is padded with a bit 1. Set the initial value of an accumulator variable T to be 0. For each bit of the padded message, if the i-th bit of the message is 1, then the accumulator accumulates T with the word defined by the successive 32 bits starting from the i-th bit of the keystream. Finally T is viewed as the MAC of the message and is output. The structure of 128-EIA3 is depicted in Figure 5.
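
The accumulator described above can be followed step by step in the sketch below, which is an added example and not code from the report or the specification. It takes the keystream as an input (the words used are constructed sample data, not ZUC output), and it assumes that accumulation is bitwise XOR and that bits are numbered most-significant first, neither of which this text states; the function names are hypothetical.

```python
# Added illustration of the 128-EIA3 accumulator as described in the text.
# Assumptions: accumulation is XOR; bit 0 is the most significant bit.

MASK32 = 0xFFFFFFFF

def window32(keystream_words, i):
    """Return the 32 successive keystream bits starting at bit position i."""
    word, offset = divmod(i, 32)
    if offset == 0:
        return keystream_words[word]
    high = (keystream_words[word] << offset) & MASK32
    low = keystream_words[word + 1] >> (32 - offset)
    return high | low

def eia3_accumulate(message, length, keystream_words):
    """Compute T over the first `length` bits of `message` (a bytes object)."""
    # The text requires a keystream 64 bits longer than the message.
    needed_words = (length + 64 + 31) // 32
    if len(keystream_words) < needed_words:
        raise ValueError("keystream shorter than LENGTH + 64 bits")
    if len(message) * 8 < length:
        raise ValueError("message holds fewer than LENGTH bits")
    t = 0  # accumulator T starts at 0
    for i in range(length):
        bit = (message[i // 8] >> (7 - i % 8)) & 1
        if bit:
            t ^= window32(keystream_words, i)
    # The padding bit 1 sits at position `length`, so its window always counts.
    t ^= window32(keystream_words, length)
    return t

# Constructed sample keystream words (NOT produced by ZUC).
SAMPLE_KEYSTREAM = [0x01234567, 0x89ABCDEF, 0xDEADBEEF, 0x0BADF00D]

def padding_demo():
    """MACs of the 1-bit message '1' and the 2-bit message '10'."""
    mac_one = eia3_accumulate(b"\x80", 1, SAMPLE_KEYSTREAM)
    mac_one_zero = eia3_accumulate(b"\x80", 2, SAMPLE_KEYSTREAM)
    return mac_one, mac_one_zero

if __name__ == "__main__":
    for mac in padding_demo():
        print(f"{mac:08X}")
```

The two messages in `padding_demo` differ only by a trailing 0 bit; without the padding bit both would accumulate the same single window, so the padding step is what makes LENGTH part of what the MAC protects.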