Improved differential attacks on the reduced-round SNOW-V and SNOW-Vi stream cipher

Abstract

The SNOW-V stream cipher is a candidate cipher for 5G mobile communication system, and the SNOW-Vi stream cipher is a faster variant of SNOW-V. In this paper, we analyze the resistance of the reduced-round SNOW-V and SNOW-Vi against the chosen IV differential distinguishing attacks in the initialization phase. Firstly, we use the divide-and-conquer strategy to give a Mixed-integer Linear Programming (MILP) model to describe the probabilities within the Differential Distribution Table (DDT) of large S-boxes, which can more accurately search the best differential characteristics of SNOW-V and SNOW-Vi than using the probability lower bound of the DDT in the original MILP model. Secondly, we point out that the registers R1,R2,R3 of SNOW-Vi filled with 0 were not considered in the original MILP model, resulting in the MILP model may return impossible differential characteristics. Then, we give the splicing search technology of C program and MILP model to solve this problem. Thirdly, based on these two studies, we present a more efficient and accurate MILP model for searching the best differential characteristics of the reduced-round SNOW-V and SNOW-Vi. The improved MILP model reduces the complexity of the distinguishing attacks. Finally, we give two multiple differential attack techniques on SNOW-V/SNOW-Vi structure, and apply them to the reduced-round SNOW-V and SNOW-Vi, respectively. While improving the results of single differential attacks, we also reduce the complexity of differential attack on the 4-round SNOW-V from 297 to 259.985, which can give the effective attack under the data limitation 264 for the single key. In addition, we give the first differential attack on 5-round SNOW-Vi, and the time complexity and data complexity is 296.84. The success rate is 0.97725. Although this has exceeded the data complexity limitation of the single key attack, it is meaningful for us to analyze the security of SNOW-Vi.