Abstract
SNOW-V is a new member in the SNOW family of stream ciphers, hoping to be competitive in the 5G mobile communication system. In this paper, we study the resistance of SNOW-V against bitwise fast correlation attacks by constructing bitwise linear approximations. First, we propose and summarize some efficient algorithms using the slice-like techniques to compute the bitwise linear approximations of certain types of composition functions composed of basic operations like ⊞, ⊕, Permutation, and S-box, which have been widely used in word-oriented stream ciphers such as SNOW-like ciphers. Then, using these algorithms, we find a number of stronger linear approximations for the FSM of the two variants of SNOW-V given in the design document, i.e., SNOW-V σ0 and SNOW-V⊞8, ⊞8. For SNOW-V σ0, where there is no byte-wise permutation, we find some bitwise linear approximations of the FSM with the SEI (Squared Euclidean Imbalance) around 2−37.34 and mount a bitwise fast correlation attack with the time complexity 2251.93 and memory complexity 2244, given 2103.83 keystream outputs, which improves greatly the results in the design document. For SNOW-V⊞8, ⊞8, where both of the two 32-bit adders in the FSM are replaced by 8-bit adders, we find our best bitwise linear approximations of the FSM with the SEI 2−174.14, while the best byte-wise linear approximation in the design document of SNOW-V has the SEI 2−214.80. Finally, we study the security of a closer variant of SNOW-V, denoted by SNOW-V⊞32, ⊞8, where only the 32-bit adder used for updating the first register is replaced by the 8-bit adder, while everything else remains identical. For SNOW-V⊞32, ⊞8, we derive many mask tuples yielding the bitwise linear approximations of the FSM with the SEI larger than 2−184. Using these linear approximations, we mount a fast correlation attack with the time complexity 2377.01 and a memory complexity 2363, given 2253.73 keystream outputs. Note that neither of our attack threatens the security of SNOW-V. We hope our research could further help in understanding bitwise linear approximation attacks and also the structure of SNOW-like stream ciphers.
Highlights
1.1 BackgroundSNOW-V [8] is a new member in the SNOW family of stream ciphers, hoping to be competitive in the 5G mobile communication system
We present a number of stronger linear approximations for the Finite State Machine (FSM) of several variants of SNOW-V, i.e., SNOW-Vσ0, SNOW-V 8, 8 and SNOW-V 32, 8, and further propose attacks resulting in the bitwise fast correlation attacks faster than those in the design document of SNOW-V [8]
We first propose and summarize some efficient algorithms using the slice-like techniques to compute the linear approximations of certain types of composition functions composed of basic operations like, ⊕, Permutation and S-box, which are the underlying functions arising in the linear approximations of SNOWlike stream ciphers
Summary
SNOW-V [8] is a new member in the SNOW family of stream ciphers, hoping to be competitive in the 5G mobile communication system. SNOW 1.0 was submitted to NESSIE project by Ekdahl and Johansson in 2000, and SNOW 2.0 is an improved version which was published in 2002 and selected as an ISO standard in 2005. Both SNOW 1.0 and SNOW 2.0 consist of two main components: a Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM), based on operations on 32-bit words, with high efficiency in both software and hardware environment. It is currently in use in 3-4G mobile telephony systems, while SNOW-V aims to adapt SNOW 3G for 5G
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
