KSS

Key Stream Segment

Security
Introduced in Rel-8
A Key Stream Segment (KSS) is a portion of the keystream generated by a stream cipher algorithm (like SNOW 3G or ZUC) used in 3GPP systems. It is produced by the cipher algorithm from a secret key and an initialization vector (IV) and is then combined (typically XORed) with plaintext data to produce ciphertext, providing confidentiality.

Description

The Key Stream Segment (KSS) is a core operational concept in the stream cipher-based confidentiality algorithms specified by 3GPP, namely the 128-EEA1 (SNOW 3G), 128-EEA2 (AES in CTR mode), and 128-EEA3 (ZUC) algorithms. Unlike block ciphers that encrypt data in fixed-size blocks, a stream cipher generates a pseudorandom sequence of bits called the keystream. The KSS refers to the specific segment of this keystream that is aligned and used to encrypt a particular unit of data, such as a Protocol Data Unit (PDU) or a specific segment of a data flow.

The generation of a KSS begins with the initialization of the stream cipher. The algorithm is seeded with a secret Ciphering Key (CK) and an Initialization Vector (IV). The IV is critical and is constructed from parameters such as the radio bearer identity, the direction of transmission (uplink/downlink), and a fresh COUNT value (a cryptographic sequence number). This ensures that, as long as COUNT is never allowed to wrap around under the same CK (the key is refreshed before that can happen), the same CK never produces the same keystream for two different data units. Once initialized, the cipher's internal state is updated and it produces the keystream output. For a given data unit of length L bits, the algorithm generates an L-bit segment of this keystream: this is the KSS for that data unit.

The encryption process is then straightforward: the plaintext data bits are combined bit-by-bit (or word-by-word) with the corresponding bits of the KSS using the exclusive-OR (XOR) operation to produce the ciphertext. Decryption at the receiver is identical: the receiver, possessing the same CK and synchronized IV/COUNT, generates the identical KSS and XORs it with the received ciphertext to recover the original plaintext. The security relies entirely on the unpredictability and randomness of the KSS. If the KSS were predictable or reused, the confidentiality would be compromised. Therefore, the careful construction of the IV and the cryptographic strength of the underlying stream cipher algorithm (SNOW 3G, AES-CTR, ZUC) are paramount to ensuring each KSS is unique and cryptographically strong.
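As an added illustration (not code from 3GPP or from the original page), the following Python models the KSS flow described above: build a 3GPP-style IV from COUNT, BEARER and DIRECTION, derive an L-bit segment, XOR it onto the PDU, and check the two properties the text relies on (a single ciphertext bit error costs one plaintext bit, and reusing a KSS lets the keystream cancel out). The keystream generator is a stand-in PRF (HMAC-SHA256 in counter mode), not SNOW 3G, AES-CTR or ZUC; the IV layout is modelled on the 128-EEA2 counter block, and the key and PDU are constructed sample values.

```python
import hashlib
import hmac
import struct
# Constructed sample key (128 bits) and PDU; not real 3GPP test vectors.
CK = bytes.fromhex("2bd6459f82c5b300952c49104881ff48")
PDU = b"hello from the UE, uplink PDU"

def iv_prefix(count, bearer, direction):
    """High 64 bits of a 3GPP-style IV: COUNT(32) || BEARER(5) || DIRECTION(1) || 26 zero bits.
    Modelled on the 128-EEA2 counter block; a per-block counter fills the low 64 bits."""
    if not (0 <= count < 2**32 and 0 <= bearer < 32 and direction in (0, 1)):
        raise ValueError("COUNT must be 32-bit, BEARER 5-bit, DIRECTION 0/1")
    return struct.pack(">Q", (count << 32) | (bearer << 27) | (direction << 26))

def keystream_segment(ck, count, bearer, direction, length_bits):
    """Return the L-bit KSS for one PDU. Stand-in PRF: HMAC-SHA256 in counter mode,
    NOT SNOW 3G, AES-CTR or ZUC; only the IV discipline and the usage are being shown."""
    prefix = iv_prefix(count, bearer, direction)
    nbytes = (length_bits + 7) // 8
    blocks = (nbytes + 31) // 32                      # 32 keystream bytes per PRF call
    out = b"".join(hmac.new(ck, prefix + struct.pack(">Q", i), hashlib.sha256).digest() for i in range(blocks))
    ks = out[:nbytes]
    unused = nbytes * 8 - length_bits                 # the KSS is defined as exactly L bits
    if unused:
        ks = ks[:-1] + bytes([ks[-1] & (0xFF << unused) & 0xFF])
    return ks

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cipher(ck, count, bearer, direction, data):
    """Encrypt or decrypt: both sides derive the same KSS and XOR it onto the data."""
    return xor_bytes(data, keystream_segment(ck, count, bearer, direction, len(data) * 8))

def bit_errors_after_flip(ck, count, bearer, direction, pdu, bit_index):
    """Flip one ciphertext bit in transit and count the plaintext bits wrong after decryption."""
    ct = bytearray(cipher(ck, count, bearer, direction, pdu))
    ct[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    recovered = cipher(ck, count, bearer, direction, bytes(ct))
    return sum(bin(x ^ y).count("1") for x, y in zip(pdu, recovered))

def reuse_cancels_keystream(ck, count, bearer, direction, p1, p2):
    """Two PDUs under one (CK, COUNT, BEARER, DIRECTION): C1 XOR C2 == P1 XOR P2, so the KSS
    drops out entirely. This is why COUNT must never repeat under the same key."""
    c1 = cipher(ck, count, bearer, direction, p1)
    c2 = cipher(ck, count, bearer, direction, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)
```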

Purpose & Motivation

The purpose of the Key Stream Segment is to provide efficient and secure confidentiality protection for user data and signaling over the air interface in 3GPP systems. Stream ciphers, and by extension the KSS, were chosen for this role due to their specific advantages in a wireless communication context.

They solve the problem of encrypting data streams that are inherently variable in length and may experience bit errors. Stream ciphers operate on a bit-by-bit (or byte-by-byte) basis, making them naturally suited for continuous data streams like voice or video. The XOR operation is computationally lightweight and, critically, does not propagate errors: a single bit error in the ciphertext causes exactly one bit error in the decrypted plaintext. This is a significant advantage over block cipher modes like CBC, where a single bit error corrupts the entire decrypted block (and flips one bit of the next), which is undesirable in error-prone radio environments. The same property means the ciphertext is malleable (flipping a ciphertext bit flips the corresponding plaintext bit), which is why the KSS provides confidentiality only and integrity protection is supplied by the separate 3GPP integrity algorithms (128-EIA1/2/3 in LTE, NIA1/2/3 in 5G).

The historical motivation stems from the need for stronger encryption in 3G (UMTS) compared to the weaker A5 algorithms of GSM. The 3GPP security group selected and later standardized specific stream ciphers (SNOW 3G, later ZUC) that offered a high level of security while meeting performance constraints of mobile devices. The concept of the KSS is intrinsic to how these algorithms operate. It addresses the limitation of older, weaker ciphers by providing a robust mechanism where each segment of data is protected by a unique, cryptographically strong mask (the KSS), derived from a strong key and a carefully synchronized state, ensuring long-term confidentiality against eavesdropping on the radio link.

Key Features

  • Keystream Alignment: Represents the specific segment of the cipher's output keystream aligned to a particular data unit (PDU) for encryption/decryption.
  • Synchronous Operation: Requires perfect synchronization of the cipher's internal state (via COUNT/IV) between sender and receiver to generate the identical KSS.
  • Bitwise XOR Encryption: Confidentiality is achieved by combining the plaintext and the KSS using the exclusive-OR (XOR) logical operation.
  • Error Transparency: A bit error in the transmitted ciphertext results in only a single bit error in the decrypted plaintext, which is suitable for radio channels.
  • Algorithm Agnostic: The KSS concept applies to all 3GPP stream ciphers (SNOW 3G, AES-CTR, ZUC), though the internal generation mechanism differs.
  • IV-Dependent: The uniqueness and security of each KSS depend critically on the correct and non-repeating construction of the Initialization Vector (IV).

Evolution Across Releases

Rel-8 Initial

Formally specified the Key Stream Segment concept within the 3GPP security specifications, particularly for the LTE confidentiality algorithms 128-EEA1 (SNOW 3G) and 128-EEA2 (AES in CTR mode). Defined how the KSS is generated from the ciphering key (CK), bearer identity, direction, and COUNT value, and applied via XOR for encryption over the LTE air interface (Uu).

Introduced the 128-EEA3 (ZUC) stream cipher algorithm, adding a third method for generating the KSS. This provided a cipher option based on a Chinese cryptographic algorithm, diversifying the algorithmic portfolio and meeting specific regional requirements.

The KSS concept and the underlying stream cipher algorithms (SNOW 3G, AES-CTR, ZUC) were carried forward into the 5G security architecture as NEA1, NEA2, and NEA3, respectively. The fundamental principle of generating a key stream segment for confidentiality protection remained unchanged for the 5G air interface (NG-RAN).

Ensured the continued robustness and applicability of the KSS-based encryption in new 5G scenarios, including enhanced URLLC and integration with network slicing security, where low-latency encryption remains critical.

Maintenance and potential analysis of the cryptographic strength of the stream ciphers generating the KSS in light of evolving computational threats. Continued support for all three algorithms in 5G deployments.

Ongoing support within the 5G-Advanced security framework. The KSS mechanism is considered a mature and stable part of the confidentiality solution for user plane data.

Continued inclusion as a core confidentiality mechanism. Any evolution would likely be tied to the introduction of new, post-quantum resistant algorithms in future releases, which may operate on different principles.

Defining Specifications

Specification    Title
TS 33.102        3GPP TR 33.102