#include "include/jzuc.h"

Detailed Description

ZUC Encrytpion Algorithm (128-EEA3)

See also: Specification of the 3GPP Confidentiality and Integrity Algorithms 128-EEA3 and 128-EIA3 Document 2: ZUC Specification

General structure of the algorithm

ZUC has three logical layers, see the figure below. The top layer is a linear feedback shift register (LFSR) of 16 stages, the middle layer is for bit-reorganization ( BR), and the bottom layer is a nonlinear function F

General Structure of ZUC

The linear feedback shift register (LFSR)

The linear feedback shift register (LFSR) has 16 of 31-bit cells $(s_0, s_1,\cdots,s_{15})$ . Each cell $s_i (0 \leq i \leq 15)$ is restricted to take values from the following set $\{1,2,3,\cdots,{2}^{31} – 1\}$ . The LFSR has 2 modes of operations: the initialization mode and the working mode

In the initialization mode, the LFSR receives a 31-bit input word u, which is obtained by removing the rightmost bit from the 32-bit output W of the nonlinear function F, i.e., u=W>>1. More specifically, the initialization mode works as follows:

LFSRWithInitialisationMode(u) {

$v={2}^{15}s_{15}+{2}^{17}s_{13}+{2}_{21}s_{10}+{2}^{20}s_4+(1+{2}^{8})s_0$ mod $({2}^{31}-1)$
$s_{16}=(v+u)$ mod $({2}^{31}-1)$
$If s_{16}=0$ , then set $s_{16}={2}^{31}-1$
$(s_1,s_2,\cdots,s_{15},s_{16})\rightarrow(s_0,s_1,\cdots,s_{14},s_{15})$

}

In the working mode, the LFSR does not receive any input, and it works as follows:

LFSRWithWorkMode() {

$s_{16}={2}^{15}s_15+{2}^{17}s_13+{2}^{21}s_10+{2}^{20}s_4+(1+{2}^{8})s_0$ mod $({2}^{31}-1)$
$If s_{16}=0$ , then set $s_{16}={2}^{31}-1$
$(s_1,s_2,\cdots,s_{15},s_{16})\rightarrow(s_0,s_1,\cdots,s_{14},s_{15})$

}

Informative note: Since the multiplication of a 31-bit string s by ${2}^{i}$ over $GF({2}^{31}-1)$ can be implemented by a cyclic shift of s to the left by i bits, only addition modulo ${2}^{31}-1$ is needed in step 1 of the above functions. More precisely, step 1 of the function LFSRWithInitialisationMode can be implemented by

$v=(s_{15} <<<_{31} 15)+(s_{13} <<<_{31} 17)+(s_{10} <<<_{31} 21)+(s_4 <<<_{31} 20)+(s_0 <<<_{31} 8)+s_0$ mod $({2}^{31}-1)$

and the same implementation is needed for step 1 of the function LFSRWithWorkMode

Informative note: For two elements $ a,b$ over $GF({2}^{31}-1)$ , the computation of $ v=a+b$ mod $({2}^{31}-1)$ can be done by

(1) compute v=a+b and

(2) if the carry bit is 1, then set v=v+1

Alternatively (and better if the implementation should resist possible timing attacks):

(1) compute w=a+b, where w is a 32-bit value; and

(2) set v = (least significant 31 bits of w) + (most significant bit of w)

The bit-reorganization

The middle layer of the algorithm is the bit-reorganization. It extracts 128 bits from the cells of the LFSR and forms 4 of 32-bit words, where the first three words will be used by the nonlinear function F in the bottom layer, and the last word will be involved in producing the keystream

Let $s_0, s_2, s_5, s_7, s_9, s_{11}, s_{14}, s_{15}$ be 8 cells of LFSR as in section 3.2. Then the bitreorganization forms 4 of 32-bit words $ X_0, X_1, X_2, X_3$ from the above cells as follows:

Bitreorganization() {

$X_0=s_{15H} \parallel s_{14L}$
$X_1=s_{11L} \parallel s_{9H}$
$X_2=s_{7L} \parallel s_{5H}$
$X_3=s_{2L} \parallel s_{0H}$

}

Note: The $ s_i$ are 31-bit integers, so $s_{iH}$ means bits 30...15 and not 31...16 of $s_i, for 0 \leq i \leq 15$

The nonlinear function F

The nonlinear function F has 2 of 32-bit memory cells $ R_1$ and $ R_2$ . Let the inputs to F be $ X_0, X_1$ and $ X_2$ , which come from the outputs of the bit-reorganization (see section 3.3), then the function F outputs a 32-bit word W. The detailed process of F is as follows:

F ( $ X_0, X_1, X_2$ ) {

$W=(X_0 \oplus R_1) \oplus R_2$
$W_1=R_1 \oplus X_1$
$W_2=R_2 \oplus X_2$
$R_1=S(L_1(W_{1L} \parallel W_{2H}))$
$R_2=S(L_2(W_{2L} \parallel W_{1H}))$

}

where S is a 32×32 S-box, see section 3.4.1, $ L_1$ and $ L_2$ are linear transforms as defined in section 3.4.2

The S-box S

The 32×32 S-box S is composed of 4 juxtaposed 8×8 S-boxes, i.e., S=( $ S_0,S_1,S_2,S_3$ ), where $ S_0=S_2$ , $ S_1=S_3$ . The definitions of $ S_0$ and $ S_1$ can be found in table 3.1 and table 3.2 respectively

Let x be an 8-bit input to $ S_0$ (or $ S_1$ ). Write x into two hexadecimal digits as $x=h \parallel l$ , then the entry at the intersection of the h-th row and the l-th column in table 3.1 (or table 3.2) is the output of $ S_0$ (or $ S_1$ )

The S-Box S0

The S-Box S1

The linear transforms L1 and L2

Both L1 and L2 are linear transforms from 32-bit words to 32-bit words, and are defined as follows:

$L_1(X)=X \oplus (X <<<_{32} 2) \oplus (X <<<_{32} 10) \oplus (X <<<_{32} 18) \oplus (X <<<_{32} 24)$

$L_2(X)=X \oplus (X <<<_{32} 8) \oplus (X <<<_{32} 14) \oplus (X <<<_{32} 22) \oplus (X <<<_{32} 30)$

Key loading

The key loading procedure will expand the initial key and the initial vector into 16 of 31-bit integers as the initial state of the LFSR. Let the 128-bit initial key k and the 128-bit initial vector iv be

$k=k_0 \parallel k_1 \parallel k_2 \parallel \cdots \parallel k_{15}$

and

$iv=iv_0 \parallel iv_1 \parallel iv_2 \parallel \cdots \parallel iv_{15}$

respectively, where $ k_i$ and $iv_i, 0\leq i\leq 15$ , are all bytes. Then k and iv are loaded to the cells $s_0, s_1,\cdots, s_{15}$ of LFSR as follows:

Let D be a 240-bit long constant string composed of 16 substrings of 15 bits:

$D=d_0 \parallel d_1 \parallel \cdots \parallel d_{15}$

where

$ d00 = 100010011010111_2 $

$ d01 = 010011010111100_2 $

$ d02 = 110001001101011_2 $

$ d03 = 001001101011110_2 $

$ d04 = 101011110001001_2 $

$ d05 = 011010111100010_2 $

$ d06 = 111000100110101_2 $

$ d07 = 000100110101111_2 $

$ d08 = 100110101111000_2 $

$ d09 = 010111100010011_2 $

$ d10 = 110101111000100_2 $

$ d11 = 001101011110001_2 $

$ d12 = 101111000100110_2 $

$ d13 = 011110001001101_2 $

$ d14 = 111100010011010_2 $

$ d15 = 100011110101100_2 $

$For 0 \leq i \leq 15, let s_i=k_i \parallel d_i \parallel iv_i$

The execution of ZUC

The execution of ZUC has two stages: the initialization stage and the working stage

The initialization stage

During the initialization stage, the algorithm calls the key loading procedure (see section 3.5) to load the 128-bit initial key k and the 128-bit initial vector iv into the LFSR, and set the 32bit memory cells R1 and R2 to be all 0. Then the cipher runs the following operations 32 times:

Bitreorganization();
w=F( );
LFSRWithInitialisationMode(w >> 1)

The working stage

After the initialization stage, the algorithm moves into the working stage. At the working stage, the algorithm executes the following operations once, and discards the output W of F:

Bitreorganization();
F( );
LFSRWithWorkMode()

Then the algorithm goes into the stage of producing keystream, i.e., for each iteration, the following operations are executed once, and a 32-bit word Z is produced as an output:

Bitreorganization();
Z=F( $X_0, X_1, X_2) \oplus X3$ ;
LFSRWithWorkMode()

For API Documentation:

See also: ProtocolPP::jarray; ProtocolPP::jzuc; ProtocolPP::jmodes; ProtocolPP::jconfident; ProtocolPP::jintegrity

For Additional Documentation:

See also: jarray; jzuc; jmodes; jconfident; jintegrity

The source code contained or described herein and all documents related to the source code (herein called "Material") are owned by John Peter Greninger and Sheila Rocha Greninger. Title to the Material remains with John Peter Greninger and Sheila Rocha Greninger. The Material contains trade secrets and proprietary and confidential information of John Peter Greninger and Sheila Rocha Greninger. The Material is protected by worldwide copyright and trade secret laws and treaty provisions. No part of the Material may be used, copied, reproduced, modified, published, uploaded, posted, transmitted, distributed, or disclosed in any way without prior express written consent of John Peter Greninger and Sheila Rocha Greninger (both are required)

No license under any patent, copyright, trade secret, or other intellectual property right is granted to or conferred upon you by disclosure or delivery of the Materials, either expressly, by implication, inducement, estoppel, or otherwise. Any license under such intellectual property rights must be express and approved by John Peter Greninger and Sheila Rocha Greninger in writing

Licensing information can be found at www.protocolpp.com/license with use of the binary forms permitted provided that the following conditions are met:

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution
Any and all modifications must be returned to John Peter Greninger at GitHub.com https://github.com/jpgreninger/protocolpp for evaluation. Inclusion of modifications in the source code shall be determined solely by John Peter Greninger. Failure to provide modifications shall render this license NULL and VOID and revoke any rights to use of Protocol++®
Commercial use (incidental or not) requires a fee-based license obtainable at www.protocolpp.com/shop
Academic or research use requires prior written and notarized permission from John Peter and Sheila Rocha Greninger

Use of the source code requires purchase of the source code. Source code can be purchased at www.protocolpp.com/shop

US Copyrights at https://www.copyright.gov/
- TXu002059872 (Version 1.0.0)
- TXu002066632 (Version 1.2.7)
- TXu002082674 (Version 1.4.0)
- TXu002097880 (Version 2.0.0)
- TXu002169236 (Version 3.0.1)
- TXu002182417 (Version 4.0.0)
- TXu002219402 (Version 5.0.0)
- TXu002272076 (Version 5.2.1)
- TXu002383571 (Version 5.4.3)

The name of its contributor may not be used to endorse or promote products derived from this software without specific prior written permission and licensing

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE

The documentation for this class was generated from the following file:

include/jzuc.h