Analyzing SNOW and ZUC Security Algorithms Using NIST SP 800-22 and Enhancing their Randomness

Zakaria Hassan Abdelwahab^1,*, Talaat A. Elgarf¹ and Abdelhalim Zekry²

¹Communications Engineering Department, Higher Technological Institute, Ramadan city, Egypt

²Communications Engineering Department, Faculty of Engineering, Ain shams University, Cairo, Egypt

E-mail: zakariahassan@windowslive.com; talaat.elgarf@hti.edu.eg; AAAZekry@hotmail.com

*Corresponding Author

Received 03 May 2020; Accepted 24 November 2020; Publication 06 February 2021

Abstract

Confidentiality and Integrity algorithms are based on SNOW and ZUC stream cipher algorithms. These standardized algorithms are designed by the 3rd Generation Partnership Project (3GPP) for advanced mobile communication systems (4G-LTE Advanced, LTE Advanced Pro, and 5G-Next Generation). In this paper, twenty configurations of SNOW and ZUC algorithms are studied and analyzed to select the one with the best randomness properties. Each configuration has two different S-boxes in the Finite State Machine (FSM) layer of the SNOW algorithm and Nonlinear Function (NLF) layer of the ZUC algorithm. The two S-boxes are selected from the best five S-boxes published in kinds of literature (Rijndael, Dickson, Feistel structure, New Rijndael, and Improved New Rijndael S-boxes). The NIST SP 800-22 statistical test suite involves 15 tests that are used to assess the randomness properties of each configuration. A complete simulation of each configuration SNOW and ZUC with two different S-boxes is applied using C-language. Test results showed that the best pair arrangement of S-boxes in the SNOW algorithm is the configuration (Feistel structure – Rijndael S-boxes) although the standard configuration by 3GPP is (Rijndael – Dickson S-boxes). Also, the best configuration in the ZUC algorithm is (New Rijndael – Rijndael S-boxes) although the standard configuration by 3GPP is (Feistel structure – New Rijndael S-boxes). The best configurations passed all the NIST SP 800-22 suite randomness tests successfully.

Keywords: Mobile security, 4G, 5G, Stream cipher, SNOW algorithm, ZUC algorithm, NIST SP 800-22 statistical analysis test.

1 Introduction

The Confidentiality and Integrity algorithms are applied for the advanced mobile communication systems to secure the user and signaling messages information transmitted over the wireless mobile network in which the kernel structure of these 3GPP standardized algorithms are SNOW and ZUC stream cipher algorithms [1, 2]. The core structure of the SNOW and ZUC algorithms depends on Linear Feedback Shift Registers (LFSR), Finite State Machine (FSM), Nonlinear Function (NLF), Bit Reorganization (BR), and a combination pair of S-boxes (S1, S2) [3, 4]. Each SNOW and ZUC algorithm has two S-boxes in its nonlinear layer structure. SNOW algorithm has S1-box (Rijndael) and S2-box Dickson [3] standardized by 3GPP in its Finite State Machine (FSM) layer while the ZUC algorithm has its two S-boxes as S1-box (Feistel structure) and S2-box (New Rijndael) [4] in its Nonlinear Function (NLF) layer.

During the literature review, it was noticed some threats in the analysis of SNOW [5–7]/ZUC [8] stream cipher algorithms through the statistical evaluation of the short keystream data set attack and cryptanalytic attacks as in SNOW (sliding property attack [9, 10], fault attack [11], cache timing attack [12], multiset collision attack [13], and improved heuristic guess and determine attack [14]), and as in ZUC (alternative algebraic analysis [15, 16] and differential attacks [17]. There is a need to assess such systems that depend on the combination of S-boxes that are used to update the registers in the nonlinear layer structure of these algorithms (FSM-SNOW and NLF-ZUC) to increase their complexity and therefore the time to cryptanalysis. One of the most important parameters is the randomness properties of the output keystream sequences produced by such algorithms.

Up to our knowledge, no recent papers investigate the randomness properties of SNOW and ZUC stream cipher output keystream by using the 3GPP standardized S-boxes in SNOW and ZUC algorithms to select the best pair arrangement of (S1, S2) boxes. In this paper, we analyze the randomness properties of these two algorithms using the standard NIST SP 800-22 test suite. We started with the standard SNOW and ZUC algorithms using the 3GPP original arrangement of the two S-boxes (S1, S2) in the finite state machine part of the algorithm and then test all the different twenty combinations of the two S-boxes (S1, S2) taken from five strong S-boxes (Rijndael, Dickson, Feistel structure, New Rijndael, and Improved New Rijndael S-boxes), to determine the configuration of pair S-boxes (S1, S2) with the best randomness properties.

This paper is organized as follows: In Section 2, modern algorithms applied in the 4th and 5th mobile generation are presented. In Section 3, NIST SP 800-22 randomness tests applied to the output of nonlinear stream ciphers are described. In Section 4, configurations of S-boxes are described. In Section 5, SNOW and ZUC simulation with different S-boxes configurations and NIST SP 800-22 randomness 15-tests verification. Finally, Section 6 concludes this paper.

2 Modern algorithms applied in 4th and 5th Mobile Generation

This section describes the processes of the synchronous stream cipher algorithms (SNOW and ZUC) that are used in the heart core of the confidentiality and integrity algorithms applied in advanced mobile communications.

2.1 Description of SNOW Algorithm

SNOW is a synchronous stream cipher that contains two different processes, the initialization process and the generation of the keystream process, below the rule of 128 bits Ciphering Key/Integrity Key (CK/IK) and 128 bits initialization vector (IV) [3]. The internal structure of the SNOW is collected from the Linear Feedback Shift Register (LFSR), and Finite State machine (FSM) layers. The LFSR layer is created by 16 stages in which each stage consists of 32 bits, the FSM layer is created by three 32 bits registers, nonlinearly clocked (R${\mathrm{}}_1$, R${\mathrm{}}_2$, and R${\mathrm{}}_3$), and the combination of pair S1-box (Rijndael) and S2-box (Dickson) is used in the Finite State machine (FSM) layer [3].

SNOW algorithm during the initialization process is initialized with 128 bits key consisting of four concatenating 32 bits word (K${}_0\parallel$K${}_1\parallel$K${}_2\parallel$K${\mathrm{}}_3$) and 128 bits initialization variable consisting of four concatenating 32 bits words (IV${}_0\parallel$IV${}_1\parallel$IV${}_2\parallel$IV${\mathrm{}}_3$) to initiate the internal state of the LFSR registers using a feedback value calculated by a primitive polynomial over the Galois field GF (2${\mathrm{}}^{32}$) based on the well-known Mul$\mathrm{\alpha }$ and Div$\mathrm{\alpha }$ main functions and XOR operations [3]. This process is performed for 32 clock runs without generating an output keystream sequence (as shown in Figure 1). Calculate the intermediate value (V) as following [3]:

$\mathrm{V}$	$\mathrm{}=({\mathrm{s}}_{0,1}\parallel {\mathrm{s}}_{0,2}\parallel {\mathrm{s}}_{0,3}\parallel 0\mathrm{x}00)\oplus \mathrm{M}\mathrm{u}\mathrm{l}\mathrm{\alpha }({\mathrm{s}}_{0,0})\oplus {\mathrm{s}}_2$
	$\mathrm{\hspace{1em}}\oplus (0\mathrm{x}00\parallel {\mathrm{s}}_{11,0}\parallel {\mathrm{s}}_{11,1}\parallel {\mathrm{s}}_{11,2})\oplus \mathrm{D}\mathrm{i}\mathrm{v}\mathrm{\alpha }({\mathrm{s}}_{11,3})\oplus \mathrm{F}$	(1)

Figure 1 SNOW algorithm during the initialization process [3].

Clocking the FSM has two input words s${\mathrm{}}_{15}$ and s${\mathrm{}}_5$ from the LFSR. It produces 32 bits output word (F) as [3]:

$\mathrm{F}=({\mathrm{s}}_{15}⊞{\mathrm{R}}_1)\oplus {\mathrm{R}}_2$

(2)

where $⊞$ is the addition modulo 2${\mathrm{}}^{32}$. The update of the FSM is defined by Calculate the intermediate value (r) as follows [3]:

$\mathrm{r}$	$\mathrm{}={\mathrm{R}}_2⊞({\mathrm{R}}_3\oplus {\mathrm{s}}_5)$	(3)
${\mathrm{R}}_3$	$\mathrm{}=\mathrm{S}2({\mathrm{R}}_2)$	(4)
${\mathrm{R}}_2$	$\mathrm{}=\mathrm{S}1({\mathrm{R}}_1)$	(5)
${\mathrm{R}}_1$	$\mathrm{}=\mathrm{r}$	(6)

SNOW algorithm during the generation of the keystream process to generate randomness keystream cipher outputs 32 bits word (Z${\mathrm{}}_{\mathrm{t}}$) at each clock cycle. The keystream word is calculated as ${\mathrm{Z}}_{\mathrm{t}}=\mathrm{F}\oplus {\mathrm{s}}_0$ (as shown in Figure 2). Calculate the intermediate value (V) as following [3]:

$\mathrm{V}$	$\mathrm{}=({\mathrm{s}}_{0,1}\parallel {\mathrm{s}}_{0,2}\parallel {\mathrm{s}}_{0,3}\parallel 0\mathrm{x}00)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{\alpha }({\mathrm{s}}_{0,0})\oplus {\mathrm{s}}_2\oplus (0\mathrm{x}00\parallel {\mathrm{s}}_{11,0}\parallel {\mathrm{s}}_{11,1}\parallel {\mathrm{s}}_{11,2})$
	$\mathrm{\hspace{1em}}\oplus \mathrm{D}\mathrm{I}\mathrm{V}\mathrm{\alpha }({\mathrm{s}}_{11,3})$	(7)

In both processes the functions MUL$\mathrm{\alpha }$ and DIV$\mathrm{\alpha }$ are used, there are maps 8 bits to 32 bits which are defined as following [3]:

$\mathrm{M}\mathrm{U}\mathrm{L}\mathrm{\alpha }(\mathrm{c})$	$=(\mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}\mathrm{P}\mathrm{O}\mathrm{W}(\mathrm{c},23,0\mathrm{x}\mathrm{A}9)\parallel \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}\mathrm{P}\mathrm{O}\mathrm{W}(\mathrm{c},245,0\mathrm{x}\mathrm{A}9)$
	$\mathrm{\hspace{1em}}\parallel \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}\mathrm{P}\mathrm{O}\mathrm{W}(\mathrm{c},48,0\mathrm{x}\mathrm{A}9)$
	$\mathrm{\hspace{1em}}\parallel \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}\mathrm{P}\mathrm{O}\mathrm{W}(\mathrm{c},239,0\mathrm{x}\mathrm{A}9))$	(8)
$\mathrm{D}\mathrm{I}\mathrm{V}\mathrm{\alpha }(\mathrm{c})$	$=(\mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}\mathrm{P}\mathrm{O}\mathrm{W}(\mathrm{c},16,0\mathrm{x}\mathrm{A}9)\parallel \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}\mathrm{P}\mathrm{O}\mathrm{W}(\mathrm{c},39,0\mathrm{x}\mathrm{A}9)$
	$\mathrm{\hspace{1em}}\parallel \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}\mathrm{P}\mathrm{O}\mathrm{W}(\mathrm{c},6,0\mathrm{x}\mathrm{A}9)$
	$\mathrm{\hspace{1em}}\parallel \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}\mathrm{P}\mathrm{O}\mathrm{W}(\mathrm{c},64,0\mathrm{x}\mathrm{A}9))$	(9)

Figure 2 SNOW algorithm during the generation of keystream [3].

The Rijndael S1-box used in the Finite State Machine (FSM) layer of the SNOW algorithm is set by the resulting Table 1, the input is mapped to its multiplicative inverse in GF (2${\mathrm{}}^8$) $=$ GF(2)[x]/(x${\mathrm{}}^8$ $+$ x${\mathrm{}}^4$ $+$ x${\mathrm{}}^3$ $+$ x $+$ 1), the multiplicative inverse is then transformed using the following affine transformation ($\mathrm{S}1=\mathrm{M}{\mathrm{x}}^{-1}+\mathrm{B}$, where $\mathrm{B}=0\mathrm{x}63$ and M is a matrix of size $8\times 8$) [3, 10]:

$\left(\begin{array}{c}\hfill {\mathrm{S}}_0\hfill \\ \hfill {\mathrm{S}}_1\hfill \\ \hfill {\mathrm{S}}_2\hfill \\ \hfill {\mathrm{S}}_3\hfill \\ \hfill {\mathrm{S}}_4\hfill \\ \hfill {\mathrm{S}}_5\hfill \\ \hfill {\mathrm{S}}_6\hfill \\ \hfill {\mathrm{S}}_7\hfill \end{array}\right)=\left(\begin{array}{cccccccc}\hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill \end{array}\right)\left(\begin{array}{c}\hfill {\mathrm{b}}_0\hfill \\ \hfill {\mathrm{b}}_1\hfill \\ \hfill {\mathrm{b}}_2\hfill \\ \hfill {\mathrm{b}}_3\hfill \\ \hfill {\mathrm{b}}_4\hfill \\ \hfill {\mathrm{b}}_5\hfill \\ \hfill {\mathrm{b}}_6\hfill \\ \hfill {\mathrm{b}}_7\hfill \end{array}\right)+\left(\begin{array}{c}\hfill 1\hfill \\ \hfill 1\hfill \\ \hfill 0\hfill \\ \hfill 0\hfill \\ \hfill 0\hfill \\ \hfill 1\hfill \\ \hfill 1\hfill \\ \hfill 0\hfill \end{array}\right)$

(10)

The Rijndael S1-box maps 32 bits input to 32 bits output. Let $\mathrm{X}={\mathrm{x}}_0\parallel {\mathrm{x}}_1\parallel {\mathrm{x}}_2\parallel {\mathrm{x}}_3$ and $\mathrm{S}1(\mathrm{X})={\mathrm{y}}_0\parallel {\mathrm{y}}_1\parallel {\mathrm{y}}_2\parallel {\mathrm{y}}_3$, with y${\mathrm{}}_0$ the most and y${\mathrm{}}_3$ the least significant byte, then y${\mathrm{}}_0$, y${\mathrm{}}_1$, y${\mathrm{}}_2$, y${\mathrm{}}_3$ are defined as follows [3]:

${\mathrm{y}}_0$	$\mathrm{}=\mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}1({\mathrm{x}}_0),0\mathrm{x}1\mathrm{B})\oplus \mathrm{S}1({\mathrm{x}}_1)\oplus \mathrm{S}1({\mathrm{x}}_2)$
	$\mathrm{\hspace{1em}}\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}1({\mathrm{x}}_3),0\mathrm{x}1\mathrm{B})\oplus \mathrm{S}1({\mathrm{x}}_3),$
${\mathrm{y}}_1$	$\mathrm{}=\mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}1({\mathrm{x}}_0),0\mathrm{x}1\mathrm{B})\oplus \mathrm{S}1({\mathrm{x}}_0)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}1({\mathrm{x}}_1),0\mathrm{x}1\mathrm{B})$
	$\mathrm{\hspace{1em}}\oplus \mathrm{S}1({\mathrm{x}}_2)\oplus \mathrm{S}1({\mathrm{x}}_3),$
${\mathrm{y}}_2$	$\mathrm{}=\mathrm{S}1({\mathrm{x}}_0)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}1({\mathrm{x}}_1),0\mathrm{x}1\mathrm{B})\oplus \mathrm{S}1({\mathrm{x}}_1)$
	$\mathrm{\hspace{1em}}\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}1({\mathrm{x}}_2),0\mathrm{x}1\mathrm{B})\oplus \mathrm{S}1({\mathrm{x}}_3),$
${\mathrm{y}}_3$	$\mathrm{}=\mathrm{S}1({\mathrm{x}}_0)\oplus \mathrm{S}1({\mathrm{x}}_1)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}1({\mathrm{x}}_2),0\mathrm{x}1\mathrm{B})$
	$\mathrm{\hspace{1em}}\oplus \mathrm{S}1({\mathrm{x}}_2)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}1({\mathrm{x}}_3),0\mathrm{x}1\mathrm{B}).$	(11)

Table 1 Rijndael S1-box used in FSM- SNOW algorithm [3]

	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	63	7C	77	7B	F2	6B	6F	C5	30	01	67	2B	FE	D7	AB	76
1	CA	82	C9	7D	FA	59	47	F0	AD	D4	A2	AF	9C	A4	72	C0
2	B7	FD	93	26	36	3F	F7	CC	34	A5	E5	F1	71	D8	31	15
3	04	C7	23	C3	18	96	05	9A	07	12	80	E2	EB	27	B2	75
4	09	83	2C	1A	1B	6E	5A	A0	52	3B	D6	B3	29	E3	2F	84
5	53	D1	00	ED	20	FC	B1	5B	6A	CB	BE	39	4A	4C	58	CF
6	DO	EF	AA	FB	43	4D	33	85	45	F9	02	7F	50	3C	9F	A8
7	51	A3	40	8F	92	9D	38	F5	BC	B6	DA	21	10	FF	F3	D2
8	CD	0C	13	EC	5F	97	44	17	C4	A7	7E	3D	64	5D	19	73
9	60	81	4F	DC	22	2A	90	88	46	EE	B8	14	DE	5E	0B	DB
A	E0	32	3A	0A	49	06	24	5C	C2	D3	AC	62	91	95	E4	79
B	E7	C8	37	6D	8D	D5	4E	A9	6C	56	F4	EA	65	7A	AE	08
C	BA	78	25	2E	1C	A6	B4	C6	E8	DD	74	1F	4B	BD	8B	8A
D	70	3E	B5	66	48	03	F6	0E	61	35	57	B9	86	C1	1D	9E
E	E1	F8	98	11	69	D9	8E	94	9B	1E	87	E9	CE	55	28	DF
F	8C	A1	89	0D	BF	E6	42	68	41	99	2D	0F	B0	54	BB	16

The Dickson S2-box used in the Finite State Machine (FSM) layer of the SNOW algorithm is formed using the Dickson polynomial ${\mathrm{g}}_{49}(\mathrm{x})=\mathrm{x}\oplus {\mathrm{x}}^9\oplus {\mathrm{x}}^{13}\oplus {\mathrm{x}}^{15}\oplus {\mathrm{x}}^{33}\oplus {\mathrm{x}}^{41}\oplus {\mathrm{x}}^{45}\oplus {\mathrm{x}}^{47}\oplus {\mathrm{x}}^{49}$, for input x (8 bits) in GF(2${\mathrm{}}^8$) defined by the polynomial ${\mathrm{x}}^8+{\mathrm{x}}^6+{\mathrm{x}}^5+{\mathrm{x}}^3+1$, the output (8 bits) of S2-box matches with ${\mathrm{g}}_{49}(\mathrm{x})\oplus 0\mathrm{x}25$ is set by the resulting Table 2 [3, 10]. The Dickson S2-box maps 32 bits input to 32 bits output, let $\mathrm{X}={\mathrm{x}}_0\parallel {\mathrm{x}}_1\parallel {\mathrm{x}}_2\parallel {\mathrm{x}}_3$ and $\mathrm{S}2(\mathrm{X})={\mathrm{y}}_0\parallel {\mathrm{y}}_1\parallel {\mathrm{y}}_2\parallel {\mathrm{y}}_3$, with ${\mathrm{y}}_0$ the most and ${\mathrm{y}}_3$ the least significant byte, then ${\mathrm{y}}_0$, ${\mathrm{y}}_1$, ${\mathrm{y}}_2$, ${\mathrm{y}}_3$ are defined as follows [3]:

${\mathrm{y}}_0$	$\mathrm{}=\mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}2({\mathrm{x}}_0),0\mathrm{x}69)\oplus \mathrm{S}2({\mathrm{x}}_1)\oplus \mathrm{S}2({\mathrm{x}}_2)$
	$\mathrm{\hspace{1em}}\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}2({\mathrm{x}}_3),0\mathrm{x}69)\oplus \mathrm{S}2({\mathrm{x}}_3),$
${\mathrm{y}}_1$	$\mathrm{}=\mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}2({\mathrm{x}}_0),0\mathrm{x}69)\oplus \mathrm{S}2({\mathrm{x}}_0)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}2({\mathrm{x}}_1),0\mathrm{x}69)$
	$\mathrm{\hspace{1em}}\oplus \mathrm{S}2({\mathrm{x}}_2)\oplus \mathrm{S}2({\mathrm{x}}_3),$
${\mathrm{y}}_2$	$\mathrm{}=\mathrm{S}2({\mathrm{x}}_0)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}2({\mathrm{x}}_1),0\mathrm{x}69)\oplus \mathrm{S}2({\mathrm{x}}_1)$
	$\mathrm{\hspace{1em}}\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}2({\mathrm{x}}_2),0\mathrm{x}69)\oplus \mathrm{S}2({\mathrm{x}}_3),$
${\mathrm{y}}_3$	$\mathrm{}=\mathrm{S}2({\mathrm{x}}_0)\oplus \mathrm{S}2({\mathrm{x}}_1)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}2({\mathrm{x}}_2),0\mathrm{x}69)$
	$\mathrm{\hspace{1em}}\oplus \mathrm{S}2({\mathrm{x}}_2)\oplus \mathrm{M}\mathrm{U}\mathrm{L}\mathrm{x}(\mathrm{S}2({\mathrm{x}}_3),0\mathrm{x}69).$	(12)

Table 2 Dickson S2-box used in FSM-SNOW algorithm [3]

	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	25	24	73	67	D7	AE	5C	30	A4	EE	6E	CB	7D	B5	82	DB
1	E4	8E	48	49	4F	5D	6A	78	70	88	E8	5F	5E	84	65	E2
2	D8	E9	CC	ED	40	2F	11	28	57	D2	AC	E3	4A	15	1B	99
3	B2	80	85	A6	2E	02	47	29	07	4B	0E	C1	51	AA	89	D4
4	CA	01	46	B3	EF	DD	44	7B	C2	7F	BE	C3	9F	20	4C	64
5	83	A2	68	42	13	B4	41	CD	BA	C6	BB	6D	4D	71	21	F4
6	8D	B0	E5	93	FE	8F	E6	CF	43	45	31	22	37	36	96	FA
7	BC	0F	08	52	1D	55	1A	C5	4E	23	69	7A	92	FF	5B	5A
8	EB	9A	1C	A9	D1	7E	0D	FC	50	8A	B6	62	F5	0A	F8	DC
9	03	3C	0C	39	F1	B8	F3	3D	F2	D5	97	66	81	32	A0	00
A	06	CE	F6	EA	B7	17	F7	8C	79	D6	A7	BF	8B	3F	1F	53
B	63	75	35	2C	60	FD	27	D3	94	A5	7C	A1	05	58	2D	BD
C	D9	C7	AF	6B	54	0B	E0	38	04	C8	9D	E7	14	B1	87	9C
D	DF	6F	F9	DA	2A	C4	59	16	74	91	AB	26	61	76	34	2B
E	AD	99	FB	72	EC	33	12	DE	98	3B	C0	9B	3E	18	10	3A
F	56	E1	77	C9	1E	9E	95	A3	90	19	A8	6C	09	D0	F0	86

2.2 Description of ZUC algorithm

ZUC is a modern synchronous stream cipher that contains two different processes, the initialization process and the generation of the keystream process, below the rule of 128 bits Ciphering Key/Integrity Key (CK/IK) and 128 bits Initialization Vector (IV) [4]. The internal structure of the ZUC algorithm is collected from the Linear Feedback Shift Register (LFSR), Bit-Reorganization (BR), and Nonlinear Function (NLF) layers. The LFSR layer is created by 16 stages in which each stage consists of 31 bits, the bit reorganization excerpts 128 bits from the stages of the LFSR and reshapes 4 of 32-bits word, in which the first three words will be used by the Nonlinear Function (NLF) and the final word will be used to produce the keystream cipher output (Z${\mathrm{}}_{\mathrm{t}}$) [4].

The BR layer is shaped by four registers of 32 bits (X${\mathrm{}}_0$, X${\mathrm{}}_1$, X${\mathrm{}}_2$, X${\mathrm{}}_3$) filled by the 8 stage registers (s${\mathrm{}}_{15}$, s${\mathrm{}}_{14}$, s${\mathrm{}}_{11}$, s${\mathrm{}}_9$, s${\mathrm{}}_7$, s${\mathrm{}}_5$, s${\mathrm{}}_2$, s${\mathrm{}}_0$) of the LFSR layer. The BR is defined as following [4]:

${\mathrm{X}}_0$	$\mathrm{}={\mathrm{s}}_{15\mathrm{H}}\parallel {\mathrm{s}}_{14\mathrm{L}}$
${\mathrm{X}}_1$	$\mathrm{}={\mathrm{s}}_{11\mathrm{L}}\parallel {\mathrm{s}}_{9\mathrm{H}}$
${\mathrm{X}}_2$	$\mathrm{}={\mathrm{s}}_{7\mathrm{L}}\parallel {\mathrm{s}}_{5\mathrm{H}}$
${\mathrm{X}}_3$	$\mathrm{}={\mathrm{s}}_{2\mathrm{L}}\parallel {\mathrm{s}}_{0\mathrm{H}}$

where s${\mathrm{}}_{\mathrm{n}\mathrm{H}}$ is the leftmost 16 bits of integer s${\mathrm{}}_{\mathrm{n}}$ and s${\mathrm{}}_{\mathrm{n}\mathrm{L}}$ is the rightmost 16 bits of integer s${\mathrm{}}_{\mathrm{n}}$.

The Non-Linear function (NLF) has two of 32 bits memory registers R${\mathrm{}}_1$ and R${\mathrm{}}_2$. The inputs to the nonlinear function are X${\mathrm{}}_0$, X${\mathrm{}}_1$, and X${\mathrm{}}_2$, which come from the outputs of the bit-reorganization, then the function (F) outputs 32 bits word (W), then the nonlinear function (F (X${\mathrm{}}_0$, X${\mathrm{}}_1$, X${\mathrm{}}_2$)) is described as follows [4]:

$\mathrm{W}$	$\mathrm{}=({\mathrm{X}}_0\oplus {\mathrm{R}}_1)⊞{\mathrm{R}}_2$	(13)
${\mathrm{W}}_1$	$\mathrm{}={\mathrm{R}}_1⊞{\mathrm{X}}_1$	(14)
${\mathrm{W}}_2$	$\mathrm{}={\mathrm{R}}_2\oplus {\mathrm{X}}_2$	(15)
${\mathrm{R}}_1$	$\mathrm{}=\mathrm{S}(\mathrm{L}1({\mathrm{W}}_{1\mathrm{L}}\parallel {\mathrm{W}}_{2\mathrm{H}}))$	(16)
${\mathrm{R}}_2$	$\mathrm{}=\mathrm{S}(\mathrm{L}2({\mathrm{W}}_{2\mathrm{L}}\parallel {\mathrm{W}}_{1\mathrm{H}}))$	(17)

Two S-boxes are used in the Nonlinear Function (NLF) layer of the ZUC algorithm (Feistel structure S1-box and New Rijndael S2-box) [4, 16]. Both L1 and L2 are linear transforms from 32 bits to 32 bits words, the linear transform depended on the Exclusive-OR and the cyclic shift over GF(2)[x]/(x${}^{32}+1$) is described as follows [4]:

$\mathrm{L}1(\mathrm{x})$	$=\mathrm{x}\oplus (\mathrm{x}{⋘}_{32}2)\oplus (\mathrm{x}{⋘}_{32}10)\oplus (\mathrm{x}{⋘}_{32}18)\oplus (\mathrm{x}{⋘}_{32}24)$	(18)
$\mathrm{L}2(\mathrm{x})$	$=\mathrm{x}\oplus (\mathrm{x}{⋘}_{32}8)\oplus (\mathrm{x}{⋘}_{32}14)\oplus (\mathrm{x}{⋘}_{32}22)\oplus (\mathrm{x}{⋘}_{32}30)$	(19)

The $32\times 32$ S-box (S) is collected from four contrasted $(8\times 8)$ S-boxes, S $=$ (S1, S2, S3, S4), where S1-box $=$ S3-box, S2-box $=$ S4-box. The S1-box is designed using a Feistel structure as shown in Table 3 (nonlinearity $=$ 96, differential uniformity $=$ 8, algebraic degree $=$ 5, and algebraic immunity $=$ 2) and the S2-box is based on the inversion over the finite field GF (2${\mathrm{}}^8$) defined by the irreducible polynomial ${\mathrm{x}}^8+{\mathrm{x}}^7+{\mathrm{x}}^3+\mathrm{x}+1$ [16].

Since the S2-box is affine equivalent to that of the Rijndael S-box, then the New Rijndael S2-box as shown in Table 4, has many cryptographic properties same as the Rijndael S-box including (nonlinearity $=$ 112, differential uniformity $=$ 4, algebraic degree $=$ 7, and algebraic immunity $=$ 2) [16], the multiplicative inverse is then transformed using the following affine transformation ($\mathrm{S}2=\mathrm{M}{\mathrm{x}}^{-1}+\mathrm{B}$, where $\mathrm{B}=0\mathrm{x}55$ and M is a matrix of size $8\times 8$) as following [16]:

$$\left(\begin{array}{c}\hfill {\mathrm{S}}_0\hfill \\ \hfill {\mathrm{S}}_1\hfill \\ \hfill {\mathrm{S}}_2\hfill \\ \hfill {\mathrm{S}}_3\hfill \\ \hfill {\mathrm{S}}_4\hfill \\ \hfill {\mathrm{S}}_5\hfill \\ \hfill {\mathrm{S}}_6\hfill \\ \hfill {\mathrm{S}}_7\hfill \end{array}\right)=\left(\begin{array}{cccccccc}\hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill \\ \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill \end{array}\right)\left(\begin{array}{c}\hfill {\mathrm{b}}_0\hfill \\ \hfill {\mathrm{b}}_1\hfill \\ \hfill {\mathrm{b}}_2\hfill \\ \hfill {\mathrm{b}}_3\hfill \\ \hfill {\mathrm{b}}_4\hfill \\ \hfill {\mathrm{b}}_5\hfill \\ \hfill {\mathrm{b}}_6\hfill \\ \hfill {\mathrm{b}}_7\hfill \end{array}\right)+\left(\begin{array}{c}\hfill 1\hfill \\ \hfill 0\hfill \\ \hfill 1\hfill \\ \hfill 0\hfill \\ \hfill 1\hfill \\ \hfill 0\hfill \\ \hfill 1\hfill \\ \hfill 0\hfill \end{array}\right)$$

(20)

Let $\mathrm{X}={\mathrm{x}}_0\parallel {\mathrm{x}}_1\parallel {\mathrm{x}}_2\parallel {\mathrm{x}}_3$ be the input with ${\mathrm{x}}_0$ the most and ${\mathrm{x}}_3$ the least significant byte. Let $\mathrm{S}(\mathrm{X})={\mathrm{r}}_0\parallel {\mathrm{r}}_1\parallel {\mathrm{r}}_2\parallel {\mathrm{r}}_3$ with ${\mathrm{r}}_0$ the most and ${\mathrm{r}}_3$ the least significant byte, then we have ${\mathrm{r}}_{\mathrm{i}}=\mathrm{S}\mathrm{i}({\mathrm{w}}_{\mathrm{i}})$, i $=$ 0, 1, 2, 3. $\mathrm{S}(\mathrm{X})=\mathrm{S}1({\mathrm{x}}_0)\parallel \mathrm{S}2({\mathrm{x}}_1)\parallel \mathrm{S}3({\mathrm{x}}_2)\parallel \mathrm{S}4({\mathrm{x}}_3)$, let ${\mathrm{x}}_{\mathrm{n}}$ be an 8-bit input to Feistel S1-box (or New Rijndael S2-box) then write ${\mathrm{x}}_{\mathrm{n}}$ into two hexadecimal digits as $\mathrm{x}=\mathrm{r}\parallel \mathrm{c}$, then the entrance at the joint of the r-th row and the c-th column in Table 3 is the output of Feistel S1-box (or in Table 4 is the output of New Rijndael S2-box) [4].

Table 3 Feistel structure S1-box used in NLF-ZUC algorithm [4]

	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	3E	72	5B	47	CA	E0	00	33	04	D1	54	98	09	B9	6D	CB
1	7B	1B	F9	32	AG	9D	6A	A5	B8	2D	FC	1D	08	53	03	90
2	4D	4E	84	99	E4	CE	D9	91	DD	B6	85	48	8B	29	6E	AC
3	CD	C1	F8	1E	73	43	69	C6	B5	BD	FD	39	63	20	D4	38
4	76	7D	B2	A7	CF	ED	57	C5	F3	2C	BB	14	21	06	55	9B
5	E3	EF	5E	31	4F	7F	5A	A4	0D	82	51	49	5F	BA	58	1C
6	4A	16	D5	17	A8	92	24	1F	8C	FF	D8	AE	2E	01	D3	AD
7	3B	4B	DA	46	EB	C9	DE	9A	8F	87	D7	3A	80	6F	2F	C8
8	B1	B4	37	F7	0A	22	13	28	7C	CC	3C	89	C7	C3	96	56
9	07	BF	7E	F0	0B	2B	97	52	35	41	79	61	A6	4C	10	FE
A	BC	26	95	88	8A	B0	A3	FB	C0	18	94	F2	E1	E5	E9	5D
B	D0	DC	11	66	64	5V	EC	59	42	75	12	F5	74	9C	AA	23
C	0E	86	AB	BE	2A	02	E7	67	E6	44	A2	6C	C2	93	9F	F1
D	F6	FA	36	D2	50	68	9E	62	71	15	3D	D6	40	C4	E2	0F
E	8E	83	77	6B	25	05	3F	0C	30	EA	70	B7	A1	E8	A9	65
F	8D	27	1A	DB	81	B3	A0	4F	45	7A	19	DF	EE	78	34	60

Table 4 New Rijndael S2-box used in NLF-ZUC algorithm [4]

	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	55	C2	63	71	3B	C8	47	86	9F	3C	DA	5B	29	AA	FD	77
1	8C	C5	94	0C	A6	1A	13	00	E3	A8	16	72	40	F9	D8	42
2	44	26	68	96	81	D9	45	3E	10	76	C6	A7	8B	39	43	E1
3	3A	B5	56	2A	C0	6D	B3	05	22	66	BF	DC	0B	FA	62	48
4	DD	20	11	06	36	C9	C1	CF	F6	27	52	BB	69	F5	D4	87
5	7F	84	4C	D2	9C	57	A4	BC	4F	9A	DF	FE	D6	8D	7A	EB
6	2B	53	D8	5C	A1	14	17	FB	23	D5	7D	30	67	73	08	09
7	EE	B7	70	3F	61	B2	19	8E	4E	E5	4B	93	8F	5D	DB	A9
8	AD	F1	AE	2E	CB	0D	FC	F4	2D	46	6E	1D	97	E8	D1	E9
9	4D	37	A5	75	5E	83	9E	AB	82	9D	B9	1C	E0	CD	49	89
A	01	B6	BD	58	24	A2	5F	38	78	99	15	90	50	B8	95	E4
B	D0	91	C7	CE	ED	0F	B4	6F	A0	CC	F0	02	4A	79	C3	DE
C	A3	EF	EA	51	E6	6B	18	EC	1B	2C	80	F7	74	E7	FF	21
D	5A	6A	54	1E	41	31	92	35	C4	33	07	0A	BA	7E	0E	34
E	88	B1	98	7C	F3	3D	60	6C	7B	CA	D3	1F	32	65	04	28
F	64	BE	85	9B	2F	59	8A	D7	B0	25	AC	AF	12	03	E2	F2

ZUC algorithm during the initialization process, the LFSR obtains 31 bits input word (u), which is obtained by eliminating the rightmost bit from the 32 bits output (W) of the nonlinear function, (u $=$ W$>$$>$1), this process is performed for 32 clock runs without generating the output sequence of keystream (as shown in Figure 3) [4]. Let $\mathrm{K}={\mathrm{K}}_0\parallel {\mathrm{K}}_1\parallel \mathrm{\dots }\parallel {\mathrm{K}}_{14}\parallel {\mathrm{K}}_{15}$, $\mathrm{I}\mathrm{V}=\mathrm{I}{\mathrm{V}}_0\parallel \mathrm{I}{\mathrm{V}}_1\parallel \mathrm{\dots }\parallel \mathrm{I}{\mathrm{V}}_{14}\parallel \mathrm{I}{\mathrm{V}}_{15}$, where ${\mathrm{K}}_{\mathrm{i}}$ and $\mathrm{I}{\mathrm{V}}_{\mathrm{i}},0\le \mathrm{i}\le 15$, are all bytes, and D be a 240-bit long constant string combined by 16 substrings of 15 bits, $\mathrm{D}={\mathrm{D}}_0\parallel {\mathrm{D}}_1\parallel \mathrm{\dots }\parallel {\mathrm{D}}_{14}\parallel {\mathrm{D}}_{15}$, then the LFSR registers are initialized as follows [4]:

For $0\le \mathrm{i}\le 15$, let ${\mathrm{s}}_{\mathrm{i}}={\mathrm{K}}_{\mathrm{i}}\parallel {\mathrm{D}}_{\mathrm{i}}\parallel \mathrm{I}{\mathrm{V}}_{\mathrm{i}}$

$\mathrm{V}$	$\mathrm{}=2^{15}{\mathrm{s}}_{15}+2^{17}{\mathrm{s}}_{13}+2^{21}{\mathrm{s}}_{10}+2^{20}{\mathrm{s}}_4+(1+2^8){\mathrm{s}}_0\text{ mod }(2^{31}-1)$	(21)
${\mathrm{s}}_{16}$	$\mathrm{}=(\mathrm{v}+\mathrm{u})\mathrm{m}\mathrm{o}\mathrm{d}(2^{31}-1)$	(22)

If ${\mathrm{s}}_{16}=0$, then set ${\mathrm{s}}_{16}=2^{31}-1$, and (${\mathrm{s}}_1,{\mathrm{s}}_2,\mathrm{\dots },{\mathrm{s}}_{15},{\mathrm{s}}_{16})\to ({\mathrm{s}}_0,{\mathrm{s}}_1,\mathrm{\dots },{\mathrm{s}}_{14},{\mathrm{s}}_{15})$.

Figure 3 ZUC algorithm during the initialization process [4].

ZUC algorithm during the generation of keystream process to generate randomness keystream cipher outputs 32 bits word (Z${\mathrm{}}_{\mathrm{t}}$ $=$ F(X${\mathrm{}}_0$, X${\mathrm{}}_1$, X${\mathrm{}}_2$) $\oplus$ X${\mathrm{}}_3$) at each clock cycle using the output of the NLF layer, Exclusive OR, and the register X${\mathrm{}}_3$ of the BR layer (as shown in Figure 4).

Figure 4 ZUC algorithm during the generation of keystream [4].

3 The NIST SP 800-22 Statistical Test Suite

The NIST SP 800-22 test package is established on the mode of statistical hypothesis analysis, if the P-value for an investigation is determined to be equal to one, then the sequence performs to have faultless randomness and the P-value of zero specifies that the sequence performs to be non-random [18, 19]. The significance level ($\mathrm{\alpha }$) be able to select for the tests ($\mathrm{\alpha }$ $=$ 0.01), if the P-value $\ge$ $\mathrm{\alpha }$, subsequently the null hypothesis (H${\mathrm{}}_0$) is accepted (sequence performs to exist random) and if the P-value $<$ $\mathrm{\alpha }$, subsequently the null hypothesis (H${\mathrm{}}_0$) is rejected (sequence performs to exist non-random) [18].

NIST SP 800-22 is a statistical suite that involves 15 tests [18]. There are described as:

• Frequency Test: balanced property [18].

• Block Frequency Test: balanced property for M-sized blocks (subsequences) of the keystream. Given sequence length n, the block size M must be that, M $\ge$ 0.01n, n $\ge$ MN, and non-overlapping blocks N $<$ 100, N $=$ n/M. For n $=$ 1048576, we selected M $=$ 16384 [18].

• Runs Test: decides that the number of runs ones and zeros of several lengths is as expected for a random sequence. In precise, this test decides whether the oscillation between such zeros and ones is too fast or too slow, the Runs test carries out a Frequency test as a precondition [18].

• Longest Run Test: decides that the length of the longest run of ones within the tested sequence is reliable with the length of the longest run of ones that would be expected in a random sequence [18].

• Rank Test: checks for linear dependence among fixed-length substrings of the original sequence [18].

• Discrete Fourier Test: detects periodic features (i.e., repetitive patterns that are near each other) in the tested sequence that would indicate a deviation from the hypothesis of randomness. The aim is to detect whether the number of peaks above the 95% threshold is significantly different than 5% [18].

• Non-Overlapping Template Matching Test: detects how many times a pre-defined template occurs in the sequence. For this test, an m-bit window is used to search for an exact m-bit pattern. If the pattern is not originating, the window slides a one-bit position. If the pattern is originating, the window is reset to the bit after the originate pattern, and the search continues. Non-overlapping templates involve of 148 subtests (P-values), for each of the 148 templates identical to the default template size, m $=$ 9 [18].

• Overlapping Template Matching Test: this test and the Non-Overlapping Template Matching test, use an m-bit window to search for an exact m bit pattern. If the pattern is not originating, the window slides a one-bit position. The difference between them is that when the pattern is originating, the window slides only one bit before continuing the search [18].

• Universal Test: detects whether or not the sequence can be significantly compressed without loss of information [18].

• Linear Complexity Test: decides whether or not the sequence is complex enough to be considered random. Random sequences are characterized by longer LFSRs, using the Berlekamp Massey algorithm, we selected the length of the bit string n $\ge$10${\mathrm{}}^6$, the value of the length in bits of a block (M) must be in the range 500 $\le$ M $\le$ 5000, and (N) independent blocks of (M) bits, N $\ge$ 200 [18].

• Serial Test: decides whether the number of existences of the 2${\mathrm{}}^{\mathrm{m}}$, (m) bit overlapping patterns is nearly the same as would be expected for a random sequence. Random sequences have uniformity, that is, every m bit pattern (the length in bits of each block) has the same chance of performing as every other m-bit pattern. This test extends the sequence by adding the first (m-1) bits to the end of the sequence for different values of (n). Resolve the frequency of all possible overlapping (m) bit blocks, all probable overlapping (m-1) bit blocks, and all probable overlapping (m-2) bit blocks. This test involves 2 subtests (P${\mathrm{}}_1$ and P${\mathrm{}}_2$ values). we necessity to select block length (m) such that we have $\mathrm{m}<\lfloor \mathrm{l}\mathrm{o}{\mathrm{g}}_2\mathrm{n}\rfloor -2$, we selected $\mathrm{m}=16$ [18].

• Approximate Entropy Test: compares the frequency of overlapping blocks of two consecutive/adjacent lengths (m and m+1) beside the expected outcome for a random sequence, we need block length (m) such that $\mathrm{m}<\lfloor \mathrm{l}\mathrm{o}{\mathrm{g}}_2\mathrm{n}\rfloor -5$, we selected m $=$ 10 [18].

• Cumulative Sums Test: decides whether the cumulative sum of the restricted sequences occurring in the tested sequence is too large or too small relative to the expected behavior of that cumulative sum for random sequences. This cumulative sum may be considered as a random walk. This test involves 2 subtests, a change for relating the test either Forward P-value or Reverse P-value [18].

• Random Excursions Test: decides if the number of visits to a certain state inside a cycle swerves from what one would expect for a random sequence. This test involves of 8 subtests (P-values), identical to the (x) values $-4\le \mathrm{x}\le -1$ and $1\le \mathrm{x}\le 4$. Let J $=$ the total number of zero crossings in random walk S${\mathrm{}}^{\prime }$ and if J $<$ 500, then discontinue the test. For each of the 8 states of x, compute $\mathrm{\nu }$${\mathrm{}}_{\mathrm{k}}$(x) $=$ the total number of cycles in which state x occurs exactly k times among all cycles, for k $=$ 0, 1, …, 5 (k $=$ 5, all frequencies $\ge$ 5 are stored in ${\mathrm{\nu }}_5$(x)) [18].

• Random Excursions Variant Test: detects aberrations from the expected number of visits to several states in the random walk. This test involves 18 subtests (P-values), identical to the (x) values –9 $\le$ x $\le$ $-$1 and 1 $\le$ x $\le$ 9. For each of the eighteen non-zero states of x, compute $\mathrm{\xi }$(x) $=$ the total number of times that state x occurred across all J cycles [18].

4 Configurations of S-Boxes

We have four 3GPP-standardized S-boxes applied in SNOW and ZUC algorithms (4G, 5G), these are described as follows:

• Rijndael (R) (S1-box), and Dickson (D) (S2-box) are used in the SNOW algorithm [3].

• Feistel structure (F) (S1-box), and New Rijndael (NR) (S2-box) are used in the ZUC algorithm [4].

We added the most complex S-box (Improved New Rijndael (INR) S-box) which had been tested by Jie Cui, Hong Zhong, Jiankai Wang, and Runhua Shi using cryptographic properties of S-box that has the strongest resistance against algebraic attacks ($\mathrm{\Gamma }$ $=$ 2${\mathrm{}}^{160}$) [20]. The S-box (Improved New Rijndael) as shown in Table 5 [21], the input is mapped to its multiplicative inverse in GF (2${\mathrm{}}^8$) $=$ GF(2)[x]/(x${}^8+{\mathrm{x}}^4+{\mathrm{x}}^3+\mathrm{x}+1)$, a new affine transformation (L${\mathrm{}}_{5\mathrm{B},5\mathrm{D}}$) to substitute the original one. There are described as [21]:

• Set the affine transformation L${\mathrm{}}_{5\mathrm{B},5\mathrm{D}}$: ${\mathrm{x}}^{\prime }={\mathrm{L}}_{5\mathrm{B},5\mathrm{D}}(\mathrm{x})=\mathrm{L}\mathrm{b}\times \mathrm{x}+5\mathrm{D}$

$$\left(\begin{array}{cccccccc}\hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill \\ \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill & \hfill 0\hfill & \hfill 1\hfill \end{array}\right)\left(\begin{array}{c}\hfill {\mathrm{x}}_7\hfill \\ \hfill {\mathrm{x}}_6\hfill \\ \hfill {\mathrm{x}}_5\hfill \\ \hfill {\mathrm{x}}_4\hfill \\ \hfill {\mathrm{x}}_3\hfill \\ \hfill {\mathrm{x}}_2\hfill \\ \hfill {\mathrm{x}}_1\hfill \\ \hfill {\mathrm{x}}_0\hfill \end{array}\right)+\left(\begin{array}{c}\hfill 0\hfill \\ \hfill 1\hfill \\ \hfill 0\hfill \\ \hfill 1\hfill \\ \hfill 1\hfill \\ \hfill 1\hfill \\ \hfill 0\hfill \\ \hfill 1\hfill \end{array}\right)$$

(23)

• Proceeding the multiplicative inverse:

$$x^{\prime \prime }={(x^{\prime })}^{-1}$$

(24)

• Set the affine transformation again:

$$y=L_{5B,5D}(x^{\prime \prime })=Lb\times x^{\prime \prime }+5D$$

(25)

Table 5 Improved New Rijndael S-box [21]

	0	1	2	3	4	5	6	7	8	9	A	B	C	D	E	F
0	FA	62	a0	EA	81	C9	2F	22	E5	A9	BD	1E	13	4D	65	C8
1	87	17	BB	88	B8	45	57	95	F3	0B	9E	D7	68	11	8A	B2
2	3B	A8	1D	A5	F8	5D	3E	8F	D2	0E	80	06	54	4B	3D	6E
3	F0	28	02	6D	E9	63	32	23	82	1C	C3	B3	15	B4	0G	C7
4	12	39	19	58	7C	99	A1	26	89	B7	77	C2	D5	66	73	DD
5	BF	40	72	0D	4A	97	5C	2B	FD	BE	6B	D1	44	9A	69	0A
6	75	6F	70	16	EB	FB	BA	33	36	3F	78	21	74	2E	B1	8E
7	5B	7B	7A	AD	4E	7E	AF	A4	F6	10	B5	C1	48	F1	3C	A6
8	09	E7	CE	8B	24	20	DE	D4	9F	AE	79	07	61	A2	DB	5E
9	D8	4C	EE	ED	7D	C6	71	FE	29	FF	31	C5	59	FC	DA	98
A	2A	6A	E6	42	B0	CD	04	91	F9	14	47	27	83	34	1F	EC
B	2D	18	5A	76	60	E4	50	25	3A	56	03	D9	85	6C	90	E8
C	41	94	92	30	05	38	84	D6	CA	51	AC	43	8C	D3	A7	C0
D	0C	1A	67	AB	D0	F4	1B	BC	8D	F7	5F	AA	08	46	35	B6
E	00	E0	9B	CF	EF	86	9D	4F	E3	DF	E1	93	B9	E2	53	64
F	7F	CB	CC	01	9C	2C	A3	F5	52	55	49	96	DC	C4	F2	37

To assess the randomness properties of SNOW and ZUC algorithms, we selected two S-boxes out of the five ones mentioned above (Rijndael (R), Dickson (D), Feistel structure (F), New Rijndael (NR), and Improved New Rijndael (INR) S-boxes). So, we have twenty different configurations of pair S-boxes for both SNOW and ZUC algorithms.

5 SNOW and ZUC Simulation with Different S-boxes Configurations and NIST SP 800-22 Randomness 15-tests Verifications

This section discusses the SNOW and ZUC simulation with different S-boxes configurations and NIST tests verification.

5.1 Simulation of SNOW and ZUC Algorithms with Different Twenty Pair S-boxes Configurations

We implemented the SNOW and ZUC algorithms by using C language to evaluate the performance and test the best pair S-boxes configurations of SNOW and ZUC algorithms output keystream sequences (Z${\mathrm{}}_{\mathrm{t}}$). NIST SP 800-22 statistical test suite will be applied on SNOW and ZUC algorithms output sequences of length ten Megabits, then with every clock pulse, it produces a 32-bit word of output ${\mathrm{Z}}_{\mathrm{t}}=[{\mathrm{Z}}_1\parallel {\mathrm{Z}}_2\parallel \mathrm{\dots }\parallel {\mathrm{Z}}_{312500}]$.

5.1.1 Simulation of SNOW Algorithm with Different Twenty Configurations of S-boxes

SNOW is a word-oriented stream cipher that generates 32 bits word keystream ${\mathrm{Z}}_{\mathrm{t}}=[{\mathrm{Z}}_1\parallel {\mathrm{Z}}_2\parallel \mathrm{\dots }\parallel {\mathrm{Z}}_{312499}\parallel {\mathrm{Z}}_{312500}]$ as shown in Table 6, under control of 128 bits Key (CK/IK) $=$ [2BD6459F82C5B300952C4910488 1FF48] and 128 bits IV $=$ [EA024714AD5C4D84DF1F9B251C0BF45F] as standardized in test set one by 3GPP [22].

Table 6 Results implementation of the SNOW algorithm with different twenty configurations of (S1-box) and (S2-box)

Sample (1): R (S1-box|) and D (S2-box) , as in standardized 3GPP SNOW [22]

Z${}_{\mathrm{t}}=[\mathrm{A}\mathrm{B}\mathrm{E}\mathrm{E}9704\parallel 7\mathrm{A}\mathrm{C}31373\parallel \mathrm{\dots }\parallel 04244\mathrm{B}83\parallel 9\mathrm{C}\mathrm{F}\mathrm{E}\mathrm{A}3\mathrm{D}6]$

Sample (2): D (S1-box|) and R (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{C}111\mathrm{D}662\parallel 8\mathrm{B}110\mathrm{B}9\mathrm{B}\parallel \mathrm{\dots }\parallel \mathrm{E}77\mathrm{E}\mathrm{E}597\parallel 126\mathrm{E}98\mathrm{C}2]$

Sample (3): [ R (S1-box|) and INR (S2-box) ]

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{A}8061\mathrm{F}97\parallel \mathrm{E}\mathrm{C}\mathrm{B}76\mathrm{A}82\parallel \mathrm{\dots }\mathrm{\dots }\parallel 1\mathrm{F}799\mathrm{F}\mathrm{E}0\parallel 466\mathrm{E}650\mathrm{D}]$

Sample (4): INR (S1-box|) and R (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{C}95308\mathrm{B}9\parallel 516283\mathrm{A}\mathrm{B}\parallel \mathrm{\dots }\mathrm{\dots }\parallel 3\mathrm{A}3\mathrm{C}\mathrm{D}518\parallel 696\mathrm{F}68\mathrm{B}1]$

Sample (5):D (S1-box|) and INR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{B}\mathrm{A}725\mathrm{F}13\parallel 53\mathrm{D}\mathrm{F}\mathrm{C}\mathrm{E}\mathrm{B}\mathrm{C}\parallel \mathrm{\dots }\parallel 41005\mathrm{D}82\parallel 48\mathrm{D}0\mathrm{E}266]$

Sample (6): INR (S1-box|) and D (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[208\mathrm{C}06\mathrm{E}8\parallel 3\mathrm{B}\mathrm{C}\mathrm{A}8820\parallel \mathrm{\dots }\mathrm{\dots }\parallel 7\mathrm{F}\mathrm{F}86529\parallel \mathrm{E}7628318]$

Sample (7): NR (S1-box|) and F (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[1\mathrm{D}1\mathrm{B}215\mathrm{E}\parallel \mathrm{C}0773\mathrm{E}\mathrm{D}1\parallel \mathrm{\dots }\parallel \mathrm{E}4\mathrm{A}519\mathrm{C}2\parallel 8020\mathrm{E}7\mathrm{F}0]$

Sample (8): F (S1-box|) and NR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[0\mathrm{F}33\mathrm{F}\mathrm{B}21\parallel \mathrm{B}\mathrm{E}4\mathrm{E}49\mathrm{C}0\parallel \mathrm{\dots }\mathrm{\dots }\parallel 80\mathrm{D}19\mathrm{C}48\parallel \mathrm{A}\mathrm{E}8\mathrm{A}3\mathrm{B}\mathrm{B}\mathrm{F}]$

Sample (9): F (S1-box|) and INR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[94039631\parallel \mathrm{F}3415052\parallel \mathrm{\dots }\mathrm{\dots }\parallel 471\mathrm{D}9\mathrm{A}7\mathrm{A}\parallel 893\mathrm{F}1455]$

Sample (10): INR (S1-box|) and F (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{B}4463505\parallel \mathrm{C}0380\mathrm{D}\mathrm{C}8\parallel \mathrm{\dots }\mathrm{\dots }\parallel 2\mathrm{E}\mathrm{C}\mathrm{A}8\mathrm{F}\mathrm{E}\mathrm{F}\parallel 41\mathrm{C}9\mathrm{F}241]$

Sample (11): NR (S1-box|) and INR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[6\mathrm{C}\mathrm{C}1\mathrm{C}\mathrm{C}\mathrm{C}\mathrm{B}\parallel 0937\mathrm{A}\mathrm{D}76\parallel \mathrm{\dots }\mathrm{\dots }\parallel 44784\mathrm{A}\mathrm{C}5\parallel 79\mathrm{B}\mathrm{C}\mathrm{D}4\mathrm{C}3]$

Sample (12): INR (S1-box|) and NR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{A}\mathrm{D}\mathrm{D}456\mathrm{D}5\parallel 86\mathrm{F}\mathrm{A}2492\parallel \mathrm{\dots }\mathrm{\dots }\parallel 5569\mathrm{F}\mathrm{E}42\parallel \mathrm{E}4\mathrm{D}87277]$

Sample (13): R (S1-box|) and NR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[2\mathrm{E}535\mathrm{E}84\parallel \mathrm{D}591\mathrm{F}\mathrm{F}55\parallel \mathrm{\dots }\parallel 46255592\parallel 0\mathrm{B}737\mathrm{D}22]$

Sample (14): NR (S1-box|) and R (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[1635\mathrm{C}\mathrm{B}\mathrm{F}\mathrm{D}\parallel 104\mathrm{E}\mathrm{A}1\mathrm{A}\mathrm{F}\parallel \mathrm{\dots }\mathrm{\dots }\parallel \mathrm{C}\mathrm{E}07\mathrm{C}416\parallel 4\mathrm{D}74\mathrm{C}\mathrm{C}\mathrm{F}\mathrm{E}]$

Sample (15): R (S1-box|) and F (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[3\mathrm{B}17\mathrm{B}\mathrm{A}47\parallel 07\mathrm{B}9112\mathrm{F}\parallel \mathrm{\dots }\mathrm{\dots }\parallel 0\mathrm{E}55\mathrm{D}7\mathrm{A}8\parallel 95923\mathrm{E}4\mathrm{F}]$

Sample (16): F (S1-box|) and R (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[4\mathrm{D}6\mathrm{D}\mathrm{C}\mathrm{B}\mathrm{B}7\parallel 3461\mathrm{E}626\parallel \mathrm{\dots }\mathrm{\dots }\parallel 819886\mathrm{D}8\parallel \mathrm{D}3388432]$

Sample (17): D (S1-box|) and NR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[68956\mathrm{D}31\parallel \mathrm{B}94\mathrm{E}\mathrm{F}1\mathrm{E}\mathrm{B}\parallel \mathrm{\dots }\mathrm{\dots }\parallel 3265985\mathrm{A}\parallel 42\mathrm{C}\mathrm{F}8\mathrm{F}6\mathrm{B}]$

Sample (18): NR (S1-box|) and D (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[4\mathrm{A}\mathrm{C}53315\parallel 0351\mathrm{F}2\mathrm{B}3\parallel \mathrm{\dots }\mathrm{\dots }\parallel \mathrm{A}\mathrm{E}\mathrm{D}5\mathrm{D}835\parallel 830\mathrm{F}8\mathrm{C}\mathrm{F}1]$

Sample (19): D (S1-box|) and F (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[7022\mathrm{C}\mathrm{C}9\mathrm{E}\parallel 93\mathrm{F}93\mathrm{D}\mathrm{B}6\parallel \mathrm{\dots }\mathrm{\dots }\parallel 6071\mathrm{D}858\parallel 3\mathrm{D}258954]$

Sample (20): F (S1-box|) and D (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{C}3\mathrm{B}0\mathrm{F}1\mathrm{F}\mathrm{E}\parallel \mathrm{B}57\mathrm{C}8162\parallel \mathrm{\dots }\mathrm{\dots }\parallel 147425\mathrm{D}\mathrm{C}\parallel 280\mathrm{F}\mathrm{D}770]$

Table 7 Results implementation of the ZUC algorithm with different twenty configurations of (S1-box) and (S2-box)

Sample (1): R (S1-box|) and D (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[9\mathrm{E}31\mathrm{F}6\mathrm{B}\mathrm{D}\parallel 88\mathrm{E}\mathrm{A}\mathrm{D}710\parallel \mathrm{\dots }\parallel 5\mathrm{A}\mathrm{F}\mathrm{F}0720\parallel \mathrm{E}\mathrm{E}\mathrm{F}967\mathrm{A}\mathrm{C}]$

Sample (2): D (S1-box|) and R (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[77\mathrm{D}0\mathrm{A}9\mathrm{B}5\parallel \mathrm{D}6685\mathrm{E}74\parallel \mathrm{\dots }\parallel \mathrm{A}548\mathrm{D}129\parallel 13\mathrm{D}5\mathrm{C}471]$

Sample (3): R (S1-box|) and INR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[722\mathrm{A}\mathrm{E}874\parallel \mathrm{E}\mathrm{A}\mathrm{A}0594\mathrm{C}\parallel \mathrm{\dots }\parallel 72\mathrm{E}696\mathrm{E}6\parallel \mathrm{D}36\mathrm{E}5\mathrm{D}\mathrm{A}\mathrm{A}]$

Sample (4): INR (S1-box|) and R (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[79\mathrm{B}\mathrm{B}2\mathrm{D}\mathrm{E}\mathrm{E}\parallel 79\mathrm{C}\mathrm{D}0\mathrm{E}\mathrm{F}\mathrm{E}\parallel \mathrm{\dots }\parallel \mathrm{C}5\mathrm{D}\mathrm{D}7\mathrm{A}80\parallel 4\mathrm{D}1\mathrm{A}3\mathrm{A}\mathrm{E}5]$

Sample (5): D (S1-box|) and INR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[0\mathrm{F}\mathrm{E}7\mathrm{D}8\mathrm{B}7\parallel 920519\mathrm{F}\mathrm{C}\parallel \mathrm{\dots }\parallel 03\mathrm{B}9814\mathrm{C}\parallel \mathrm{A}1\mathrm{E}\mathrm{E}26\mathrm{E}9]$

Sample (6): INR (S1-box|) and D (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[5\mathrm{D}3\mathrm{E}35\mathrm{A}4\parallel \mathrm{A}70\mathrm{B}0\mathrm{D}\mathrm{B}1\parallel \mathrm{\dots }\parallel \mathrm{C}6\mathrm{B}51\mathrm{E}89\parallel 6\mathrm{A}5\mathrm{E}84\mathrm{F}\mathrm{C}]$

Sample (7): NR (S1-box|) and F (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{A}062\mathrm{A}431\parallel 5\mathrm{E}\mathrm{D}61\mathrm{A}\mathrm{B}4\parallel \mathrm{\dots }\parallel 253465\mathrm{A}5\parallel 96\mathrm{B}8\mathrm{D}82\mathrm{D}]$

Sample (8): F (S1-box|) and NR (S2-box), as in standardized 3GPP ZUC [23]

${\mathrm{Z}}_{\mathrm{t}}=[14\mathrm{F}1\mathrm{C}272\parallel 3279\mathrm{C}419\parallel \mathrm{\dots }\parallel \mathrm{A}99\mathrm{B}9\mathrm{F}\mathrm{A}9\parallel 1\mathrm{A}\mathrm{F}5209\mathrm{F}]$

Sample (9): F (S1-box|) and INR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[6973\mathrm{F}\mathrm{C}71\parallel 3529160\mathrm{A}\parallel \mathrm{\dots }\parallel 2\mathrm{C}448\mathrm{F}\mathrm{A}\mathrm{D}\parallel \mathrm{D}1562\mathrm{A}98]$

Sample (10): INR (S1-box|) and F (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{D}629\mathrm{A}\mathrm{B}\mathrm{E}7\parallel 26\mathrm{F}61100\parallel \mathrm{\dots }\parallel 7\mathrm{D}9\mathrm{D}\mathrm{E}\mathrm{C}7\mathrm{C}\parallel 9\mathrm{C}44\mathrm{F}\mathrm{A}\mathrm{C}7]$

Sample (11): NR (S1-box|) and INR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{A}508\mathrm{A}0\mathrm{B}\mathrm{A}\parallel \mathrm{E}98\mathrm{A}7\mathrm{C}\mathrm{C}9\parallel \mathrm{\dots }\parallel \mathrm{B}1\mathrm{B}27\mathrm{E}\mathrm{C}4\parallel \mathrm{B}028\mathrm{C}\mathrm{A}0\mathrm{E}]$

Sample (12): INR (S1-box|) and NR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{C}\mathrm{E}\mathrm{A}4\mathrm{F}\mathrm{E}\mathrm{F}0\parallel 88\mathrm{B}8\mathrm{B}386\parallel \mathrm{\dots }\parallel \mathrm{C}\mathrm{A}\mathrm{A}8\mathrm{D}0\mathrm{C}8\parallel 7\mathrm{B}\mathrm{E}51175]$

Sample (13): R (S1-box|) and NR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[87\mathrm{D}\mathrm{D}182\mathrm{D}\parallel 3\mathrm{D}75\mathrm{A}9\mathrm{F}\mathrm{B}\parallel \mathrm{\dots }\parallel 369\mathrm{C}\mathrm{F}\mathrm{E}4\mathrm{C}\parallel 6\mathrm{C}5\mathrm{C}3\mathrm{E}\mathrm{A}3]$

Sample (14): N R (S1-box|) and R (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{D}3\mathrm{B}53312\parallel 289\mathrm{A}\mathrm{E}6\mathrm{E}4\parallel \mathrm{\dots }\parallel 5555624\mathrm{D}\parallel 5866\mathrm{A}1\mathrm{B}6]$

Sample (15): R (S1-box|) and F (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[1\mathrm{C}\mathrm{E}3\mathrm{E}\mathrm{E}0\mathrm{F}\parallel \mathrm{B}\mathrm{A}1\mathrm{D}6\mathrm{B}42\parallel \mathrm{\dots }\parallel \mathrm{D}9\mathrm{F}\mathrm{A}9\mathrm{A}02\parallel 28\mathrm{F}65185]$

Sample (16): F (S1-box|) and R (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[3\mathrm{C}\mathrm{A}\mathrm{D}3\mathrm{F}95\parallel \mathrm{B}846\mathrm{C}393\parallel \mathrm{\dots }\parallel \mathrm{B}97\mathrm{E}\mathrm{D}94\mathrm{F}\parallel 1\mathrm{F}\mathrm{B}34064]$

Sample (17): D (S1-box|) and NR (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[\mathrm{F}2\mathrm{A}\mathrm{C}4\mathrm{F}\mathrm{A}\mathrm{C}\parallel 0183\mathrm{A}\mathrm{C}\mathrm{A}7\parallel \mathrm{\dots }\parallel \mathrm{A}91\mathrm{D}\mathrm{F}17\mathrm{B}\parallel 093\mathrm{A}1\mathrm{F}22]$

Sample (18): NR (S1-box|) and D (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[5\mathrm{b}6\mathrm{e}9220\parallel 4\mathrm{f}7\mathrm{b}6903\parallel \mathrm{\dots }\parallel 378\mathrm{e}\mathrm{b}\mathrm{d}89\parallel 6\mathrm{c}\mathrm{b}640\mathrm{d}4]$

Sample (19): D (S1-box|) and F (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[928\mathrm{E}\mathrm{C}747\parallel 538\mathrm{E}47\mathrm{D}\mathrm{F}\parallel \mathrm{\dots }\parallel 500\mathrm{B}38\mathrm{B}\mathrm{B}\parallel 4\mathrm{A}7660\mathrm{D}3]$

Sample (20): F (S1-box|) and D (S2-box)

${\mathrm{Z}}_{\mathrm{t}}=[392\mathrm{A}7\mathrm{E}\mathrm{C}\mathrm{A}\parallel 092\mathrm{B}37\mathrm{F}\mathrm{D}\parallel \mathrm{\dots }\parallel 20230\mathrm{F}\mathrm{E}\mathrm{E}\parallel 333\mathrm{E}\mathrm{F}5\mathrm{F}\mathrm{E}]$

5.1.2 Simulation of ZUC Algorithm with Different Twenty Configurations of S-boxes

ZUC is a word oriented stream cipher that generates 32 bits word keystream ${\mathrm{Z}}_{\mathrm{t}}=[{\mathrm{Z}}_1\parallel {\mathrm{Z}}_2\parallel \mathrm{\dots }\parallel {\mathrm{Z}}_{312499}\parallel {\mathrm{Z}}_{312500}]$ as shown in Table 7, under control of 128 bits Key (CK/IK) $=$ [3D4C4BE96A82FDAEB58F641DB17B455B], D $=$ [44D726BC626B135E578935E2713509AF4D782F1 36BC41AF15E26 3C4D789A47AC] and 128 bits IV $=$ [84319AA8DE6915CA1F6BDA6bFBD 8C766] as standardized in test set three by 3GPP [23].

5.2 NIST SP 800-22 Statistical Analysis, Comparison, and Evaluation of SNOW and ZUC Stream Cipher Outputs

NIST analysis, comparison, and evaluation of SNOW and ZUC stream cipher outputs with the different twenty configurations of S-boxes are applied using 15-tests of the NIST SP 800-22 statistical test suite. The total length of stream cipher output is 10(2${\mathrm{}}^{20}$) bits. These 10(2${\mathrm{}}^{20}$) bits are divided into ten iterations each iteration consists of (2${\mathrm{}}^{20}$) bits is tested to give P-value. An average P-value is the result of these ten iteration tests.

5.2.1 NIST Statistical Analysis, Comparison, and Evaluation of SNOW Stream Cipher Output

Through these NIST (15-tests) statistical analyses, comparison, and evaluation of SNOW algorithm stream cipher output as shown in Tables 8 and 9, we noticed the following:

• The standard permutation (according to 3GPP-SNOW standardized S-boxes) (Sample (1) Rijndael (R) S1-box and Dickson (D) S2-box): failed in Serial test (P2 $=$ 0.004301 $<$ 0.01), weak in a Cumulative Sums test (forward test, P $=$ 0.035174), weak in Longest Runs test (P $=$ 0.066882), and weak in Non-Overlapping Template test (total number of failed P-value $=$ 15 from 148 subtests).

• Permutation (Sample (8) Feistel structure (F) S1-box and New Rijndael (NR) S2-box) (according to 3GPP-ZUC standardized S-boxes ): failed in Random Excursions test (number of discontinuities the test $=$ 8 from 10 iterations of P-values (J$<$500), failed in Random Excursions Variant test (number of discontinuities the test $=$ 8, and number of failed P-value $=$ 3 from 18 subtests), weak in Non-Overlapping Template test (total number of failed P-value $=$ 18 from 148 subtests), and weak in Discrete Fourier Transform test (P $=$ 0.066882).

• Best permutation (Sample (16) Feistel structure (F) S1-box and Rijndael (R) S2-box): passes all the NIST SP 800-22 randomness 15-tests successfully as shown in Figures 5(a–o). Table 10 shows the comparison between the existing proposes of SNOW that verified by NIST SP 800-22 tests.

Table 8 NIST SP800-22 statistical tests (Approximate Entropy, Block Frequency, Cumulative Sums, DFT, Frequency, Linear Complexity, Longest Run, and Overlapping Template tests) verifications (P-values) for the different twenty samples of configuration S-boxes used in the SNOW algorithm

	Approximate	Block	Cumulative Sums			Linear	Longest	Overlapping
NIST Test	Entropy	Frequency	(Forward/Reverse)	DFT	Frequency	Complexity	Run	Template
P-value	Test-1	Test-2	Test-3	Test-4	Test-5	Test-6	Test-7	Test-8
Sample number (S1-box and S2-box) applied in the SNOW algorithm
Sample 1 (R-D) ) as in 3GPP-SNOW	0.534146	0.350485	0.035174 0.534146	0.350485	0.911413	0.991468	0.066882	0.739918
Sample 2 (D-R)	0.004301	0.739918	0.122325 0.534146	0.350485	0.739918	0.122325	0.534146	0.122325
Sample 3 (R-INR)	0.066882	0.911413	0.534146 0.122325	0.739918	0.122325	0.739918	0.739918	0.534146
Sample 4 (INR-R)	0.534146	0.534146	0.739918 0.534146	0.739918	0.911413	0.739918	0.066882	0.122325
Sample 5 (D-INR)	0.739918	0.739918	0.534146 0.350485	0.122325	0.350485	0.350485	0.350485	0.739918
Sample 6 (INR-D)	0.534146	0.350485	0.122325 0.739918	0.122325	0.534146	0.066882	0.739918	0.066882
Sample 7 (NR-F)	0.739918	0.739918	0.122325 0.739918	0.739918	0.739918	0.350485	0.122325	0.534146
Sample 8 (F-NR)	0.911413	0.739918	0.350485 0.534146	0.066882	0.534146	0.739918	0.534146	0.739918
Sample 9 (F-INR)	0.534146	0.213309	0.534146 0.213309	0.350485	0.534146	0.534146	0.350485	0.122325
Sample 10 (INR-F)	0.534146	0.739918	0.534146 0.534146	0.911413	0.534146	0.739918	0.350485	0.350485
Sample 11 (NR-INR)	0.534146	0.122325	0.122325 0.534146	0.911413	0.534146	0.122325	0.911413	0.739918
Sample 12 (INR-NR)	0.534146	0.534146	0.350485 0.739918	0.213309	0.350485	0.122325	0.739918	0.911413
Sample 13 (R-NR)	0.739918	0.739918	0.739918 0.739918	0.534146	0.739918	0.213309	0.122325	0.350485
Sample 14 (NR-R)	0.350485	0.739918	0.122325 0.350485	0.739918	0.911413	0.534146	0.534146	0.739918
Sample 15 (R-F)	0.534146	0.534146	0.534146 0.534146	0.350485	0.739918	0.534146	0.534146	0.350485
Sample 16 (F-R)	0.213309	0.739918	0.739918 0.739918	0.911413	0.739918	0.122325	0.911413	0.911413
Sample 17 (D-NR)	0.534146	0.534146	0.911413 0.739918	0.350485	0.350485	0.739918	0.122325	0.350485
Sample 18 (NR-D)	0.739918	0.350485	0.534146 0.534146	0.534146	0.739918	0.350485	0.066882	0.213309
Sample 19 (D-F)	0.213309	0.213309	0.911413 0.739918	0.911413	0.739918	0.534146	0.350485	0.534146
Sample 20 (F-D)	0.911413	0.739918	0.534146 0.739918	0.739918	0.350485	0.739918	0.350485	0.534146

Table 9 NIST SP800-22 statistical tests (Non-Overlapping Template, Random Excursions, Random Excursions Variant, Rank, Runs, Serial, and Universal tests) verifications (P-values) for the different twenty samples of configuration S-boxes used in the SNOW algorithm

	Non	Random Excursions						Serial
NIST Test	Overlapping	Random Excursions		Variant		Rank	Runs	(P1&P2)	Universal
P-value	Test-9	Test-10		Test-11		Test-12	Test-13	Test-14	Test-15
Sample number	Total	Total	Total	Total	Total
(S1-box and S2-box)	No. of	No. of	No. of	No. of	No. of
applied in the	Failed	Discontinued	Failed	Discontinued	Failed
SNOW algorithm	P-value	the Test	P-value	the Test	P-value
Sample 1 (R-D) as in 3GPP-SNOW	15	2	0	2	0	0.534146	0.739918	0.122325 0.004301	0.911413
Sample 2 (D-R)	14	3	1	3	6	0.739918	0.122325	0.911413 0.350485	0.122325
Sample 3 (R-INR)	22	3	0	3	5	0.350485	0.350485	0.739918 0.739918	0.213309
Sample 4 (INR-R)	12	7	0	7	0	0.534146	0.350485	0.017912 0.122325	0.534146
Sample 5 (D-INR)	17	5	0	5	0	0.739918	0.008879	0.122325 0.534146	0.911413
Sample 6 (INR-D)	14	10	0	10	0	0.739918	0.122325	0.534146 0.350485	0.911413
Sample 7 (NR-F)	16	2	1	2	0	0.739918	0.122325	0.122325 0.739918	0.911413
Sample 8 (F-NR)	18	8	0	8	3	0.911413	0.739918	0.534146 0.911413	0.122325
Sample 9 (F-INR)	17	4	0	4	0	0.534146	0.350485	0.911413 0.911413	0.122325
Sample 10 (INR-F)	16	6	0	6	1	0.350485	0.911413	0.534146 0.350485	0.350485
Sample 11 (NR-INR)	13	4	0	4	0	0.350485	0.534146	0.350485 0.350485	0.122325
Sample 12 (INR-NR)	22	4	1	4	2	0.350485	0.739918	0.213309 0.035174	0.008879
Sample 13 (R-NR)	14	4	1	4	0	0.534146	0.739918	0.534146 0.911413	0.350485
Sample 14 (NR-R)	17	3	2	3	0	0.739918	0.122325	0.739918 0.213309	0.911413
Sample 15 (R-F)	19	5	0	5	0	0.534146	0.911413	0.911413 0.739918	0.534146
Sample 16 (F-R)	7	2	0	2	0	0.739918	0.350485	0.534146 0.534146	0.122325
Sample 17 (D-NR)	19	5	0	5	0	0.739918	0.534146	0.534146 0.911413	0.213309
Sample 18 (NR-D)	18	3	0	3	0	0.911413	0.739918	0.534146 0.739918	0.739918
Sample 19 (D-F)	30	4	0	4	0	0.213309	0.350485	0.350485 0.534146	0.739918
Sample 20 (F-D)	9	2	1	2	0	0.739918	0.122325	0.739918 0.534146	0.350485

Figure 5 (a–o) NIST SP 800-22 results showed that the upgrading SNOW algorithm by using the best permutation (Sample (16) Feistel structure S1-box and Rijndael S2-box passed all NIST randomness tests successfully).

Table 10 Comparison between the existing proposes of SNOW that verified by NIST SP 800-22 statistical test suite

	3GPP Standardized	Proposal The Best Arrangement
NIST SP	SNOW (Rijndael –	Pair of S-boxes in SNOW
800-22 Tests	Dickson S-boxes)	(Feistel – Rijndael S-boxes)
Approximate Entropy	Success	Success
Block Frequency	Success	Success
Cumulative Sums	Success	Success
DFT	Success	Success
Frequency	Success	Success
Linear Complexity	Success	Success
Longest Runs	Success	Success
Non-Overlapping Template	Success	Success
Overlapping Template	Success	Success
Random Excursions	Success	Success
Random Excursions Variant	Success	Success
Rank	Success	Success
Runs	Success	Success
Serial	Fail	Success
Universal	Success	Success

Table 11 NIST SP800-22 statistical tests (Approximate Entropy, Block Frequency, Cumulative Sums, DFT, Frequency, Linear Complexity, Longest Run, and Overlapping Template tests) verifications (P-values) for the different twenty samples of configuration S-boxes used in the ZUC algorithm

	Approximate	Block	Cumulative Sums			Linear	Longest	Overlapping
NIST Test	Entropy	Frequency	(Forward/Reverse)	DFT	Frequency	Complexity	Run	Template
P-value	Test-1	Test-2	Test-3	Test-4	Test-5	Test-6	Test-7	Test-8
Sample number (S1-box and S2-box) applied in the ZUC
Sample 1 (R-D)	0.122325	0.066882	0.534146 0.035174	0.350485	0.534146	0.739918	0.534146	0.035174
Sample 2 (D-R)	0.350485	0.534146	0.350485 0.534146	0.066882	0.534146	0.213309	0.534146	0.911413
Sample 3 (R-INR)	0.122325	0.350485	0.739918 0.739918	0.213309	0.350485	0.534146	0.350485	0.213309
Sample 4 (INR-R)	0.534146	0.911413	0.213309 0.213309	0.534146	0.534146	0.739918	0.739918	0.911413
Sample 5 (D-INR)	0.534146	0.534146	0.534146 0.035174	0.213309	0.350485	0.017912	0.534146	0.911413
Sample 6 (INR-D)	0.350485	0.739918	0.350485 0.350485	0.350485	0.035174	0.534146	0.534146	0.739918
Sample 7 (NR-F)	0.534146	0.350485	0.066882 0.350485	0.213309	0.534146	0.350485	0.991468	0.350485
Sample 8 (F-NR) ) as in 3GPP-ZUC	0.534146	0.739918	0.122325 0.350485	0.739918	0.122325	0.350485	0.213309	0.066882
Sample 9 (F-INR)	0.739918	0.066882	0.213309 0.350485	0.350485	0.534146	0.017912	0.739918	0.911413
Sample 10 (INR-F)	0.534146	0.739918	0.066882 0.534146	0.739918	0.911413	0.122325	0.739918	0.350485
Sample 11 (NR-INR)	0.911413	0.122325	0.739918 0.350485	0.066882	0.911413	0.350485	0.350485	0.739918
Sample 12 (INR-NR)	0.534146	0.350485	0.534146 0.534146	0.911413	0.350485	0.739918	0.534146	0.008879
Sample 13 (R-NR)	0.122325	0.534146	0.911413 0.213309	0.739918	0.213309	0.739918	0.350485	0.122325
Sample 14 (NR-R)	0.739918	0.739918	0.534146 0.739918	0.911413	0.534146	0.991468	0.035174	0.534146
Sample 15 (R-F)	0.213309	0.534146	0.017912 0.350485	0.534146	0.122325	0.534146	0.739918	0.004301
Sample 16 (F-R)	0.350485	0.534146	0.122325 0.350485	0.017912	0.534146	0.534146	0.213309	0.911413
Sample 17 (D-NR)	0.534146	0.739918	0.122325 0.739918	0.739918	0.350485	0.739918	0.534146	0.122325
Sample 18 (NR-D)	0.911413	0.017912	0.122325 0.350485	0.350485	0.213309	0.350485	0.534146	0.122325
Sample 19 (D-F)	0.739918	0.213309	0.350485 0.534146	0.066882	0.534146	0.739918	0.350485	0.534146
Sample 20 (F-D)	0.534146	0.122325	0.739918 0.350485	0.350485	0.739918	0.350485	0.534146	0.350485

Table 12 NIST SP800-22 statistical tests (Approximate Entropy, Block Frequency, Cumulative Sums, DFT, Frequency, Linear Complexity, Longest Run, and Overlapping Template tests) verifications (P-values) for the different twenty samples of configuration S-boxes used in the ZUC algorithm

	Non	Random Excursions						Serial
NIST Test	Overlapping	Random Excursions		Variant		Rank	Runs	(P1&P2)	Universal
P-value	Test-9	Test-10		Test-11		Test-12	Test-13	Test-14	Test-15
Sample number	Total	Total	Total	Total	Total
(S1-box and S2-box)	No. of	No. of	No. of	No. of	No. of
applied in the	Failed	Discontinued	Failed	Discontinued	Failed
SNOW algorithm	P-value	the Test	P-value	the Test	P-value
Sample 1 (R-D)	19	2	0	2	0	0.350485	0.911413	0.350485 0.739918	0.534146
Sample 2 (D-R)	11	4	1	4	2	0.350485	0.350485	0.534146 0.122325	0.350485
Sample 3 (R-INR)	15	5	0	5	2	0.035174	0.213309	0.911413 0.350485	0.122325
Sample 4 (INR-R)	19	5	0	5	0	0.350485	0.350485	0.739918 0.739918	0.534146
Sample 5 (D-INR)	15	5	1	5	0	0.213309	0.739918	0.213309 0.991468	0.213309
Sample 6 (INR-D)	17	2	4	2	5	0.035174	0.213309	0.739918 0.911413	0.534146
Sample 7 (NR-F)	15	6	0	6	0	0.122325	0.534146	0.534146 0.350485	0.739918
Sample 8 (F-NR) as in 3GPP-ZUC	20	2	1	2	4	0.739918	0.534146	0.739918 0.911413	0.350485
Sample 9 (F-INR)	10	5	0	5	0	0.350485	0.534146	0.739918 0.739918	0.739918
Sample 10 (INR-F)	14	1	4	1	5	0.008879	0.739918	0.350485 0.350485	0.991468
Sample 11 (NR-INR)	17	6	1	6	2	0.534146	0.739918	0.911413 0.534146	0.739918
Sample 12 (INR-NR)	23	2	2	2	2	0.911413	0.534146	0.739918 0.911413	0.739918
Sample 13 (R-NR)	20	5	0	5	1	0.350485	0.911413	0.534146 0.534146	0.350485
Sample 14 (NR-R)	14	5	0	5	0	0.911413	0.534146	0.739918 0.534146	0.534146
Sample 15 (R-F)	13	5	0	5	3	0.911413	0.017912	0.739918 0.122325	0.122325
Sample 16 (F-R)	14	5	0	5	3	0.035174	0.122325	0.739918 0.739918	0.350485
Sample 17 (D-NR)	14	6	0	6	0	0.122325	0.739918	0.350485 0.534146	0.911413
Sample 18 (NR-D)	18	2	1	2	1	0.739918	0.534146	0.122325 0.350485	0.534146
Sample 19 (D-F)	16	3	0	3	0	0.350485	0.534146	0.066882 0.213309	0.122325
Sample 20 (F-D)	17	5	0	5	1	0.534146	0.911413	0.739918 0.534146	0.350485

Figure 6 (a–o) NIST SP 800-22 results showed that the upgrading ZUC algorithm by using the best permutation (Sample (14) New Rijndael S1-box and Rijndael S2-box) passed all NIST randomness tests successfully.

Table 13 Comparison between the existing proposes of ZUC that verified by NIST SP 800-22 statistical test suite

	3GPP Standardized	Proposal The Best Arrangement
NIST SP	ZUC (Feistel –	Pair of S-boxes in ZUC
800-22 Tests	New Rijndael S-boxes)	(New Rijndael – Rijndael S-boxes)
Approximate Entropy	Success	Success
Block Frequency	Success	Success
Cumulative Sums	Success	Success
DFT	Success	Success
Frequency	Success	Success
Linear Complexity	Success	Success
Longest Runs	Success	Success
Non-Overlapping Template	Success	Success
Overlapping Template	Success	Success
Random Excursions	Fail	Success
Random Excursions Variant	Fail	Success
Rank	Success	Success
Runs	Success	Success
Serial	Success	Success
Universal	Success	Success

5.2.2 NIST Statistical Analysis, Comparison, and Evaluation of ZUC Stream Cipher Output

Through these NIST statistical analyses, comparison, and evaluation of ZUC algorithm stream cipher output as shown in Tables 11 and 12, we noticed the following:

• Permutation (Sample (1) Rijndael (R) S1-box and Dickson (D) S2-box) according to (3GPP-SNOW standardized S-boxes): weak in Block Frequency test (P $=$ 0.066882), weak in a Cumulative Sums test (Reverse test, P $=$ 0.035174), weak in Non-Overlapping Template test (total number of failed P-value $=$ 19 from 148 subtests), and weak in Overlapping Template test (P $=$ 0.035174).

• The standard Permutation (according to 3GPP-ZUC standardized S-boxes) (Sample (8) Feistel structure (F) S1-box and New Rijndael (NR) S2-box): failed in Random Excursions test (number of discontinuities the test $=$ 2 from 10 iterations of P-values (J$<$500) and number of failed P-value $=$ 1 from 8 subtests), failed in Random Excursions Variant test (number of discontinuities the test $=$ 2 and number of failed P-value $=$ 4 from 18 subtests) weak in Non-Overlapping Template test (total number of failed P-value $=$ 20 from 148 subtests), and weak in Overlapping Template test (P $=$ 0.066882).

• Best permutation (Sample (14) (New Rijndael (NR) S1-box and Rijndael (R) S2-box): passes all the NIST SP 800-22 randomness tests successfully as shown in Figures 6(a–o). Table 13 shows the comparison between the existing proposes of ZUC that verified by NIST SP 800-22 tests.

6 Conclusions

In this paper, we investigate the randomness properties of the keystream sequences produced by the two algorithms (SNOW and ZUC) that are used for confidentiality and integrity processes in advanced mobile communication systems. NIST 800-22 statistical test suite with its 15 tests is used for this purpose. Twenty different configurations of pair S-boxes in the nonlinear layer structure of the two algorithms are tested to select the best permutation (S1 and S2 boxes).

A complete simulation of SNOW and ZUC algorithms is presented using C-language. Samples of the keystream sequences with the length ten Megabits are used (according to the NIST standard). Test results showed that the best pair arrangement of S-boxes in the SNOW algorithm is the configuration (Feistel structure – Rijndael S-boxes) although the standard configuration by 3GPP is (Rijndael (R)-Dickson (D)S-boxes). Also, the best configuration in the ZUC algorithm is (New Rijndael – RijndaelS-boxes) although the standard configuration by 3GPP is (Feistel structure-New RijndaelS-boxes).

The best configurations passed all the NIST suite tests successfully. Applying the best configurations of S-boxes will lead to better randomness properties of the keystream sequences generated by SNOW and ZUC stream cipher algorithms and therefore increase the security level of both algorithms.

References

[1] 3GPP TS 35.501, Third Generation Partnership Project, Technical Specification Group Services and System Aspects, Security architecture and procedures for 5G system, March 2020.

[2] 3GPP TS 35.401, Third Generation Partnership Project, Technical Specification Group Services and System Aspects, 3GPP System Architecture Evolution (SAE), and security architecture for 4G, March 2020.

[3] 3GPP TS 35.216, Specification of the 3GPP Confidentiality and Integrity algorithms UEA2 and UIA2, Document 2: SNOW 3G specification, June 2018.

[4] 3GPP TS 35.222, Specification of the 3GPP Confidentiality and Integrity algorithms EEA3 and EIA3, Document 2: ZUC specification, June 2018.

[5] Patrick Bohm, ‘Statistical Evaluation of Stream Cipher SNOW 3G’, In Constantin Brancusi University of Targu Jiu Engineering Faculty Scientific Conference with international participation, 13th edition, pp. 363–366, Targu Jiu, 7–8 Nov., 2008.

[6] Mahdi Madani, Ilyas Benkhaddra, Camel Tanougast, Salim Chitroub, and Loic Sieler, ‘FPGA Implementation of an enhanced SNOW-3G Stream Cipher based on a Hyper-Chaotic System’, In the 4th international conference on Control, Decision and Information Technologies, IEEE, pp. 1168–1173, Barcelona, Spain, 5–7 April 2017.

[7] Mahdi Madani, Ilyas Benkhaddra, Camel Tanougast, Salim Chitroub, and Loic Sieler, ‘Digital Implementation of an Improved LTE Stream Cipher Snow-3G Based on Hyperchaotic PRNG’, Security and Communication Networks, Wiley and Hindawi, 15 pages, 2017.

[8] Mahdi Madani, Ilyas Benkhaddra, Camel Tanougast, Salim Chitroub, and Loic Sieler, ‘Enhanced ZUC Stream Cipher Based on a Hyperchaotic Controller System’, In the Euromicro Conference on Digital System Design (DSD), Vienna, Austria, 30 Aug.–1 Sept.2017.

[9] Aleksandar Kircanski and Amr M. Youssef, ‘On the sliding property of SNOW 3G and SNOW 2.0’, IET Information Security, Vol. 5(4), pp. 199–206, 2011.

[10] 3GPP TS 35.919, Specification of the 3GPP Confidentiality and Integrity algorithms UEA2 and UIA2, Document 5: Design and Evaluation report, June 2018.

[11] Alex Biryukov, Deike Priemuth-Schmid, and Bin Zhang, ‘Fault Analysis of the Stream Cipher Snow 3G’, In 6${\mathrm{}}^{\mathrm{t}\mathrm{h}}$ International Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), IEEE, pp. 103–110, Lausanne, Switzerland, Sept., 2010.

[12] Alex Biryukov, Deike Priemuth-Schmid, and Bin Zhang: “A Timing Attack on SNOW 3G,” In International Conference on Information and Communications Security, pp. 171–185, Spain, Dec., 2010.

[13] Alex Biryukov, Deike Priemuth-Schmid, and Bin Zhang, ‘Multiset Collision Attacks on Reduced-Round SNOW 3G and SNOW 3G$\oplus$’, In International Conference on Applied Cryptography and Network Security, pp. 191–198, China, Dec., 2010.

[14] Mohammad Sadegh Nemati Nia and Malek e Ashtar, ‘Improved Heuristic guess and determine attack on SNOW 3G stream cipher’, In 7th International Symposium on Telecommunications (IST), IEEE, pp. 972–976, Iran, Sept., 2014.

[15] Mufeed Juma AlMashrafi, ‘A different algebraic analysis of the ZUC stream cipher’, In Proceedings of the 4th International Conference on Security of Information and Networks (SIN), pp. 191–198, Australia, Nov., 2011.

[16] 3GPP TR 35.924, Specification of the 3GPP Confidentiality and Integrity Algorithms EEA3 & EIA3, Document 4: Design and Evaluation report, June 2018.

[17] Wu Hongjun, Huang Tao, Ha.Nguyen Phuong, Wang Huaxiong, and Ling San, ‘Differential Attacks against Stream Cipher ZUC’, In 18th International Conference on the Theory and Application of Cryptology and Information Security, Springer, pp. 262–277, China, 2–6 Dec., 2012.

[18] National Institute of Standards and Technology, A statistical test suite for random and pseudorandom number generators for cryptographic applications, NIST Special publication 800-22, April 2010.

[19] Carmina Georgescu, Emil Simion, Alina Petrescu Nita, Antonela Toma, ‘A view on NIST randomness tests independence’, Proc. 9th International Conference on Electronics, Computers, and Artificial Intelligence, IEEE, Romania, 29 June–1 July 2017.

[20] Jie Cui, Hong Zhong, Jiankai Wang, Runhua Shi, ‘Generation and optimization of Rijndael S-box equation system’, Information Technology Journal, Vol. 13(15), pp. 2482–2488, 2014.

[21] Jie Cui, Liusheng Huang, Hong Zhong, Chinchen Chang, Wei Yang: ‘An improved AES S-box and its performance analysis’, International Journal of Innovative Computing, Information, and Control, Vol. 75(A), pp. 2291–2302, 2011.

[22] 3GPP TS 35.217, Specification of the 3GPP Confidentiality and Integrity algorithms UEA2 and UIA2, Document 3: Implementer test data, June 2018.

[23] 3GPP TS 35.223, Specification of the 3GPP Confidentiality and Integrity algorithms EEA3 & EIA3, Document 3: Implementer test data, June 2018.

Biographies

Zakaria Hassan Abdelwahab was born in Ismailia, Egypt, in 1987. He received the B.S. degree in electrical engineering from the Higher Technological Institute (HTI), Tenth of Ramadan City, Egypt, in 2009, the M.S. degree in electrical engineering (electronics and communications engineering dept.) from the faculty of Engineering, Ain Shams University, Cairo, Egypt, in 2014 and the Ph.D. degree in electrical engineering (electronics and communications) at the faculty of Engineering, Ain Shams University, Egypt in 2020. In 2009, Zakaria joined the department of electrical engineering, HTI, as a teaching assistant and he is a member of the Egyptian engineering syndicate since 2009. His main areas of research interest are security telecommunications and network security.

Talaat A. Elgarf was born in Telwana-Menofia, Egypt, in 1953. He received the B.S. degree in electrical engineering (communications), from the Military Technical College, Cairo, Egypt, in 1976, the M.S. degree in electrical engineering from the faculty of Engineering (electronics and communications), Ain Shams University, Egypt, in 1990 and the Ph.D. degree in electrical engineering (electronics and communications) from the faculty of Engineering, Ain Shams University, Egypt, in 1993. He is currently visiting professor, Military Technical College, faculty of Engineering, Ain Shams University, Cairo, Egypt, and professor of communications, Higher Technological Institute (HTI), Tenth of Ramadan City, Egypt, since 2005.

Abdelhalim Zekry is a professor of electronics and communications at the faculty of Engineering, Ain Shams University, Cairo, Egypt. He worked as a staff member in several universities. He published more than 240 conference and periodical papers. He also supervised more than 110 Master thesis and 30 Doctorate thesis in the area of electronics and electronics for communications as well as photovoltaics. Prof. Zekry focuses his research programs on the field of microelectronics and electronic applications including communications and photovoltaics.

Journal of Cyber Security and Mobility, Vol. 9_4, 535–576.
doi: 10.13052/jcsm2245-1439.943
© 2020 River Publishers