Resistance of SNOW-V against Fast Correlation Attacks

IF 1.7 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING

IACR Transactions on Symmetric Cryptology Pub Date : 2021-03-19 DOI:10.46586/tosc.v2021.i1.378-410

Xinxin Gong, Bin Zhang

{"title":"Resistance of SNOW-V against Fast Correlation Attacks","authors":"Xinxin Gong, Bin Zhang","doi":"10.46586/tosc.v2021.i1.378-410","DOIUrl":null,"url":null,"abstract":"SNOW-V is a new member in the SNOW family of stream ciphers, hoping to be competitive in the 5G mobile communication system. In this paper, we study the resistance of SNOW-V against bitwise fast correlation attacks by constructing bitwise linear approximations. First, we propose and summarize some efficient algorithms using the slice-like techniques to compute the bitwise linear approximations of certain types of composition functions composed of basic operations like ⊞, ⊕, Permutation, and S-box, which have been widely used in word-oriented stream ciphers such as SNOW-like ciphers. Then, using these algorithms, we find a number of stronger linear approximations for the FSM of the two variants of SNOW-V given in the design document, i.e., SNOW-V σ0 and SNOW-V⊞8, ⊞8. For SNOW-V σ0, where there is no byte-wise permutation, we find some bitwise linear approximations of the FSM with the SEI (Squared Euclidean Imbalance) around 2−37.34 and mount a bitwise fast correlation attack with the time complexity 2251.93 and memory complexity 2244, given 2103.83 keystream outputs, which improves greatly the results in the design document. For SNOW-V⊞8, ⊞8, where both of the two 32-bit adders in the FSM are replaced by 8-bit adders, we find our best bitwise linear approximations of the FSM with the SEI 2−174.14, while the best byte-wise linear approximation in the design document of SNOW-V has the SEI 2−214.80. Finally, we study the security of a closer variant of SNOW-V, denoted by SNOW-V⊞32, ⊞8, where only the 32-bit adder used for updating the first register is replaced by the 8-bit adder, while everything else remains identical. For SNOW-V⊞32, ⊞8, we derive many mask tuples yielding the bitwise linear approximations of the FSM with the SEI larger than 2−184. Using these linear approximations, we mount a fast correlation attack with the time complexity 2377.01 and a memory complexity 2363, given 2253.73 keystream outputs. Note that neither of our attack threatens the security of SNOW-V. We hope our research could further help in understanding bitwise linear approximation attacks and also the structure of SNOW-like stream ciphers.","PeriodicalId":37077,"journal":{"name":"IACR Transactions on Symmetric Cryptology","volume":"59 1","pages":"378-410"},"PeriodicalIF":1.7000,"publicationDate":"2021-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Transactions on Symmetric Cryptology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.46586/tosc.v2021.i1.378-410","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 12

Abstract

SNOW-V is a new member in the SNOW family of stream ciphers, hoping to be competitive in the 5G mobile communication system. In this paper, we study the resistance of SNOW-V against bitwise fast correlation attacks by constructing bitwise linear approximations. First, we propose and summarize some efficient algorithms using the slice-like techniques to compute the bitwise linear approximations of certain types of composition functions composed of basic operations like ⊞, ⊕, Permutation, and S-box, which have been widely used in word-oriented stream ciphers such as SNOW-like ciphers. Then, using these algorithms, we find a number of stronger linear approximations for the FSM of the two variants of SNOW-V given in the design document, i.e., SNOW-V σ0 and SNOW-V⊞8, ⊞8. For SNOW-V σ0, where there is no byte-wise permutation, we find some bitwise linear approximations of the FSM with the SEI (Squared Euclidean Imbalance) around 2−37.34 and mount a bitwise fast correlation attack with the time complexity 2251.93 and memory complexity 2244, given 2103.83 keystream outputs, which improves greatly the results in the design document. For SNOW-V⊞8, ⊞8, where both of the two 32-bit adders in the FSM are replaced by 8-bit adders, we find our best bitwise linear approximations of the FSM with the SEI 2−174.14, while the best byte-wise linear approximation in the design document of SNOW-V has the SEI 2−214.80. Finally, we study the security of a closer variant of SNOW-V, denoted by SNOW-V⊞32, ⊞8, where only the 32-bit adder used for updating the first register is replaced by the 8-bit adder, while everything else remains identical. For SNOW-V⊞32, ⊞8, we derive many mask tuples yielding the bitwise linear approximations of the FSM with the SEI larger than 2−184. Using these linear approximations, we mount a fast correlation attack with the time complexity 2377.01 and a memory complexity 2363, given 2253.73 keystream outputs. Note that neither of our attack threatens the security of SNOW-V. We hope our research could further help in understanding bitwise linear approximation attacks and also the structure of SNOW-like stream ciphers.

查看原文本刊更多论文

SNOW-V对快速相关攻击的抵抗力

SNOW- v是流密码SNOW家族的新成员，希望在5G移动通信系统中具有竞争力。本文通过构造位线性近似，研究了SNOW-V对位快速相关攻击的抵抗能力。首先，我们提出并总结了一些利用类切片技术计算若干种组合函数的位线性逼近的有效算法，这些组合函数由诸如运、⊕、置换、S-box等基本运算组成，在类斯诺密码等面向字的流密码中得到了广泛的应用。然后，利用这些算法，我们找到了设计文档中给出的SNOW-V的两个变量(即SNOW-V σ0和SNOW-V 8, win 8)的若干更强的线性逼近。对于没有字节排列的SNOW-V σ0，我们找到了一些具有SEI(平方欧几里得不平衡)约为2−37.34的FSM的位线性近似，并在给定2103.83个密钥流输出的情况下，进行了时间复杂度为2251.93和内存复杂度为2244的位快速相关攻击，大大改善了设计文档中的结果。在SNOW-V的8、8中，两台32位加法器都被替换为8位加法器，我们发现对FSM的最佳位线性近似为SEI 2−174.14，而在SNOW-V的设计文档中，最佳位线性近似为SEI 2−214.80。最后，我们研究了一个更接近于SNOW-V的变体，即SNOW-V 32、8的安全性，其中只有用于更新第一个寄存器的32位加法器被8位加法器取代，而其他的都保持不变。对于SNOW-V的32、8，我们推导出了许多掩模元，得到了SEI大于2−184的FSM的位线性近似。使用这些线性近似，我们在给定2253.73个密钥流输出的情况下，以时间复杂度2377.01和内存复杂度2363进行了快速相关攻击。请注意，我们的攻击都没有威胁到SNOW-V的安全。我们希望我们的研究能够进一步帮助理解按位线性逼近攻击以及类snow流密码的结构。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IACR Transactions on Symmetric Cryptology Mathematics-Applied Mathematics

CiteScore

5.50

自引率

22.90%

发文量