KSS

Key Stream Segment

Introduced in Rel-8

KSS is the LENGTH-bit portion of keystream that a 3GPP confidentiality algorithm generates for one data unit from the ciphering key and the per-unit inputs COUNT, BEARER and DIRECTION. XORing it with the plaintext produces the ciphertext, and XORing it with the ciphertext recovers the plaintext; this is how confidentiality is provided over the radio interface in 3GPP systems.

Category: Security
Introduced: Rel-8
Where: Security
Specifications: 1 spec

Description

The Key Stream Segment (KSS) is a core operational concept in the confidentiality algorithms specified by 3GPP: the UMTS f8 algorithms (UEA1, built on KASUMI, and UEA2, built on SNOW 3G), the LTE algorithms 128-EEA1 (SNOW 3G), 128-EEA2 (AES in CTR mode) and 128-EEA3 (ZUC), and their 5G counterparts NEA1 to NEA3. All of them are used as keystream generators: SNOW 3G and ZUC are stream ciphers by construction, while KASUMI and AES are block ciphers run in a counter-style mode that turns them into one. Rather than transforming data in fixed-size blocks, the generator produces a pseudorandom sequence of bits, the keystream. The KSS is the specific segment of that keystream, LENGTH bits long, that is generated for and aligned with one particular unit of data, such as one PDCP PDU in LTE and 5G or one RLC PDU in UMTS.

Generating a KSS begins with initializing the keystream generator. The algorithm takes the secret 128-bit ciphering key (CK in the UMTS specification; the derived KRRCenc or KUPenc key in LTE) together with the per-unit inputs COUNT, BEARER, DIRECTION and LENGTH. The first three are combined into the initialization vector (IV); LENGTH states how many keystream bits to produce. COUNT is the critical input: it is a sequence number extended by a hyper frame number so that it does not repeat during the lifetime of the key. BEARER is the radio bearer identity and DIRECTION distinguishes uplink from downlink. Together they guarantee that the same key never produces the same keystream twice, provided the sender refreshes the key before COUNT would wrap; a COUNT that repeats under a key is a keystream reuse, and nothing in the cipher itself prevents it. Once initialized, the cipher updates its internal state and emits keystream; for a data unit of LENGTH = L bits it emits exactly L bits, and that L-bit output is the KSS for the unit.

Encryption is then a single XOR: each plaintext bit is combined with the corresponding bit of the KSS to produce the ciphertext. Decryption at the receiver is the identical operation: holding the same key and synchronized COUNT, BEARER and DIRECTION values, it regenerates the identical KSS and XORs it with the received ciphertext to recover the plaintext. Security rests on two properties of the KSS. It must be unpredictable to anyone without the key, which is the job of the underlying cipher (SNOW 3G, AES-CTR, ZUC, or KASUMI in UMTS), and it must never be applied to two different plaintexts: because a ciphertext is plaintext XOR keystream, an eavesdropper who captures two units protected by the same KSS can XOR them and obtain the XOR of the two plaintexts with no knowledge of the key. Careful construction of the IV, in particular a COUNT that never repeats under a given key, is therefore as important to confidentiality as the cryptographic strength of the cipher.
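To make the construction concrete, here is an added worked example (not code from this page or from 3GPP) that builds the 128-EEA2 counter block as TS 33.401 Annex B lays it out, generates a LENGTH-bit KSS by running a block function in counter mode, applies it by XOR, and then shows the two failure modes described above: reuse of one KSS for two units leaking the XOR of the plaintexts, and a ciphertext bit flip landing unchanged in the plaintext. The block function `block_prf` is a labelled stand-in (HMAC-SHA256 truncated to 128 bits) so the script runs on the Python standard library alone; replacing it with AES-128 encryption of the counter block yields the real 128-EEA2 keystream. The key, COUNT, BEARER and DIRECTION values and the two plaintexts are constructed for the demonstration.

```python
import hashlib
import hmac

BLOCK_BYTES = 16  # 128-EEA2 produces keystream in 128-bit blocks


def eea2_counter_block(count, bearer, direction, block_index=0):
    """Counter block T(block_index+1) laid out as in TS 33.401 Annex B.1.3:
    COUNT (32 bits) | BEARER (5) | DIRECTION (1) | 26 zero bits | 64-bit block counter."""
    if not (0 <= count < 2**32 and 0 <= bearer < 2**5 and direction in (0, 1)):
        raise ValueError("COUNT is 32 bits, BEARER is 5 bits, DIRECTION is 1 bit")
    high = (count << 32) | (bearer << 27) | (direction << 26)
    low = block_index % 2**64           # incremented mod 2^64 for each successive block
    return high.to_bytes(8, "big") + low.to_bytes(8, "big")


def block_prf(key, counter_block):
    """Stand-in for AES-128 encryption of one counter block (assumption for this example:
    HMAC-SHA256 truncated to 16 bytes). Swap in AES-ECB of the block for real 128-EEA2."""
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK_BYTES]


def key_stream_segment(key, count, bearer, direction, length_bits):
    """The KSS for one data unit: LENGTH bits of keystream, MSB-first, with any spare
    bits in the final byte zeroed so only LENGTH bits of plaintext are ever masked."""
    nbytes = (length_bits + 7) // 8
    nblocks = (nbytes + BLOCK_BYTES - 1) // BLOCK_BYTES
    raw = b"".join(block_prf(key, eea2_counter_block(count, bearer, direction, i))
                   for i in range(nblocks))
    ks = bytearray(raw[:nbytes])
    spare = nbytes * 8 - length_bits
    if spare:
        ks[-1] &= (0xFF << spare) & 0xFF
    return bytes(ks)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cipher(key, count, bearer, direction, data, length_bits=None):
    """Encrypt or decrypt: both are data XOR KSS under the same (key, COUNT, BEARER, DIRECTION)."""
    if length_bits is None:
        length_bits = len(data) * 8
    return xor_bytes(data, key_stream_segment(key, count, bearer, direction, length_bits))


def two_time_pad_leak(c1, c2):
    """What an eavesdropper computes when one KSS covers two units: c1 ^ c2 == p1 ^ p2."""
    return xor_bytes(c1, c2)


def flip_bit(data, bit_index):
    """Flip one bit (MSB-first numbering); a ciphertext flip becomes a plaintext flip."""
    out = bytearray(data)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    key = bytes.fromhex("d3c5d592327fb11c4035c6680af8c6d1")   # constructed ciphering key
    count, bearer, direction = 0x398A59B4, 0x15, 1             # constructed per-PDU inputs
    p1 = b"user plane PDU number one"
    p2 = b"USER PLANE PDU NUMBER TWO"

    c1 = cipher(key, count, bearer, direction, p1)
    print("round trip ok:", cipher(key, count, bearer, direction, c1) == p1)

    c2_reused = cipher(key, count, bearer, direction, p2)      # COUNT reused: same KSS
    print("reuse leaks p1^p2:", two_time_pad_leak(c1, c2_reused) == xor_bytes(p1, p2))

    c2_fresh = cipher(key, count + 1, bearer, direction, p2)   # fresh COUNT: independent KSS
    print("fresh COUNT leaks:", two_time_pad_leak(c1, c2_fresh) == xor_bytes(p1, p2))

    tampered = flip_bit(c1, 0)                                  # attacker flips first ciphertext bit
    print("flip lands in plaintext:", cipher(key, count, bearer, direction, tampered) == flip_bit(p1, 0))
```

With BEARER 0x15 and DIRECTION 1 the byte following COUNT in the counter block is 0xAC (10101 for the bearer, 1 for the direction, then two of the 26 zero bits), which is the layout check worth running before trusting any hand-written IV packing. The last two checks in the script are the ones that matter for design: a repeated COUNT turns the cipher into a two-time pad, and the bit flip shows why the confidentiality algorithm is always paired with a separate integrity algorithm where tampering must be detected.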

Purpose & Motivation

The purpose of the Key Stream Segment is to provide efficient and secure confidentiality protection for user data and signaling over the air interface in 3GPP systems. Stream ciphers, and by extension the KSS, were chosen for this role due to their specific advantages in a wireless communication context.

They suit the encryption of data streams that are variable in length and subject to bit errors. A stream cipher operates bit-by-bit, so it fits continuous traffic such as voice or video, and the XOR is computationally cheap. Crucially, it does not propagate errors: a single bit error in the ciphertext yields a single bit error in the same position of the decrypted plaintext. This contrasts with block cipher modes such as CBC, where one corrupted ciphertext bit garbles the whole corresponding plaintext block (and flips one bit of the next), which is undesirable on an error-prone radio link. The same property has a security cost: an attacker who flips a ciphertext bit flips the corresponding plaintext bit without the receiver noticing, so the confidentiality algorithm provides no integrity on its own, and 3GPP pairs it with a separate integrity algorithm (the UIA, EIA and NIA families) wherever integrity is required.

The historical motivation stems from the need for stronger encryption in 3G (UMTS) than GSM's A5 family provided. The 3GPP security group (SA3) selected and standardized keystream generators that offered high security within the performance constraints of mobile devices: first KASUMI in the f8 mode (UEA1), then SNOW 3G (UEA2, carried into LTE as 128-EEA1), and for LTE also AES in CTR mode (128-EEA2) and ZUC (128-EEA3). The concept of the KSS is intrinsic to how these algorithms operate. It addresses the limitation of older, weaker ciphers by protecting each unit of data with a unique, cryptographically strong mask (the KSS) derived from a strong key and a carefully synchronized state, giving long-term confidentiality against eavesdropping on the radio link.

Evolution Across Releases

Rel-8 Initial

Formally specified the Key Stream Segment concept within the 3GPP security specifications, particularly for the LTE confidentiality algorithms 128-EEA1 (SNOW 3G) and 128-EEA2 (AES in CTR mode). Defined how the KSS is generated from the 128-bit ciphering key (CK in the UMTS specification; the derived KRRCenc and KUPenc keys in LTE), the bearer identity, the direction and the COUNT value, and applied by XOR for encryption over the LTE air interface (Uu).

Rel-11 added the 128-EEA3 (ZUC) stream cipher, a third way of generating the KSS from the same inputs. This provided a cipher option based on a Chinese cryptographic algorithm, diversifying the algorithm portfolio and meeting specific regional requirements.

Rel-15 carried the KSS concept and the underlying generators (SNOW 3G, AES-CTR, ZUC) forward into the 5G security architecture as NEA1, NEA2 and NEA3 respectively, with the same inputs (key, COUNT, BEARER, DIRECTION, LENGTH). The fundamental principle of generating a key stream segment for confidentiality protection is unchanged for the 5G air interface (NG-RAN).

Ensured the continued robustness and applicability of the KSS-based encryption in new 5G scenarios, including enhanced URLLC and integration with network slicing security, where low-latency encryption remains critical.

Maintenance and potential analysis of the cryptographic strength of the stream ciphers generating the KSS in light of evolving computational threats. Continued support for all three algorithms in 5G deployments.

Ongoing support within the Rel-18 5G-Advanced security framework. The KSS mechanism is considered a mature and stable part of the confidentiality solution for user plane data.

Continued inclusion as a core confidentiality mechanism. Any evolution would most likely take the form of longer-key variants of the same algorithm families rather than a new construction: the quantum threat to symmetric ciphers is the square-root speed-up of Grover's search, which is answered by 256-bit keys, and a 256-bit generator would still produce a KSS and apply it by XOR exactly as today.

Defining Specifications

3GPP specifications that define or reference KSS, with the latest known release. Sourced from the 3GPP document catalog.

Specification        Title                                Release
TS 33.102 (vj10)     3G security; Security architecture   Rel-19