中文摘要：

为了探讨祖冲之算法（ZUC）的安全性,该文对ZUC算法进行了线性区分攻击分析。文中对ZUC算法中两轮非线性函数F最优化线性逼近,得到线性逼近方程式,计算线性逼近的偏差为2^-22.6。利用线性逼近方程式构造仅包含输出密钥流的区分器,并寻找最优掩码使区分器的偏差最大,在最优线性掩码的基础上计算得到区分器的区分偏差为2-65.5。该攻击需要约O（2^131比特）密钥流,就能把随机序列与密钥流序列区分开,从理论上证明了ZUC算法的安全性。最后通过与已有的安全性分析结果对比发现,该文的线性区分攻击结果有一定的优越性。

英文摘要：

In order to probe into the security of the ZUC algorithm, linear distinguishing attack on the ZUC algorithm is proposed. In this paper, we first consider the linear approximation of 2-round nonlinear function F and get linear approximation equation, and the best advantage of the linear approximation equation is 2^-22.6. By combining those linear approximations, we establish a distinguisher only depending on the keystream. In order to get the best advantage of distinguisher, we search the best linear masking and the best advantage of the distinguisher is about 2^-65. 5. The result shows that the key stream generated by ZUC is distinguishable from a random sequence after observing approximately O（ 2^131） bits, and it proves that the ZUC algorithm is safel By comparison, the result of the linear distinguishing attack is superior to other attacks.