Lund University Publications

LUND UNIVERSITY LIBRARIES

Improved guess-and-determine and distinguishing attacks on SNOW-V

Yang, Jing (LU); Johansson, Thomas (LU) and Maximov, Alexander (LU) (2021) In IACR Transactions on Symmetric Cryptology 2021(3). p.54-83
Abstract

In this paper, we investigate the security of SNOW-V, demonstrating two guess-and-determine (GnD) attacks against the full version with complexities 2^384 and 2^378, respectively, and one distinguishing attack against a reduced variant with complexity 2^303. Our GnD attacks use enumeration with recursion to explore valid guessing paths, and try to truncate as many invalid guessing paths as possible at early stages of the recursion by carefully designing the order of guessing. In our first GnD attack, we guess three 128-bit state variables, determine the remaining four according to four consecutive keystream words. We finally use the next three keystream words to verify the correct guess. The second GnD attack is similar but exploits one more keystream word as side information helping to truncate more guessing paths. Our distinguishing attack targets a reduced variant where 32-bit adders are replaced with exclusive-OR operations. The samples can be collected from short keystream sequences under different (key, IV) pairs. These attacks do not threaten SNOW-V, but provide more in-depth details for understanding its security and give new ideas for cryptanalysis of other ciphers.

type: Contribution to journal
publication status: published
keywords: Distinguishing attack, Guess-and-determine attack, SNOW-V
in: IACR Transactions on Symmetric Cryptology
volume: 2021
issue: 3
pages: 30 pages
publisher: Ruhr-Universität Bochum
external identifiers: scopus:85119910115
ISSN: 2519-173X
DOI: 10.46586/tosc.v2021.i3.54-83
language: English
LU publication?: yes
id: 5a6f32ba-47c1-4fa6-abe7-286292104f70
date added to LUP: 2021-12-15 14:27:04
date last changed: 2023-09-13 07:50:27

@article{5a6f32ba-47c1-4fa6-abe7-286292104f70,
  abstract     = {{In this paper, we investigate the security of SNOW-V, demonstrating two guess-and-determine (GnD) attacks against the full version with complexities $2^{384}$ and $2^{378}$, respectively, and one distinguishing attack against a reduced variant with complexity $2^{303}$. Our GnD attacks use enumeration with recursion to explore valid guessing paths, and try to truncate as many invalid guessing paths as possible at early stages of the recursion by carefully designing the order of guessing. In our first GnD attack, we guess three 128-bit state variables, determine the remaining four according to four consecutive keystream words. We finally use the next three keystream words to verify the correct guess. The second GnD attack is similar but exploits one more keystream word as side information helping to truncate more guessing paths. Our distinguishing attack targets a reduced variant where 32-bit adders are replaced with exclusive-OR operations. The samples can be collected from short keystream sequences under different (key, IV) pairs. These attacks do not threaten SNOW-V, but provide more in-depth details for understanding its security and give new ideas for cryptanalysis of other ciphers.}},
  author       = {{Yang, Jing and Johansson, Thomas and Maximov, Alexander}},
  issn         = {{2519-173X}},
  keywords     = {{Distinguishing attack; Guess-and-determine attack; SNOW-V}},
  language     = {{eng}},
  number       = {{3}},
  pages        = {{54--83}},
  publisher    = {{Ruhr-Universität Bochum}},
  series       = {{IACR Transactions on Symmetric Cryptology}},
  title        = {{Improved guess-and-determine and distinguishing attacks on SNOW-V}},
  url          = {{http://dx.doi.org/10.46586/tosc.v2021.i3.54-83}},
  doi          = {{10.46586/tosc.v2021.i3.54-83}},
  volume       = {{2021}},
  year         = {{2021}},
}