A Correlation Attack on Full SNOW-V and SNOW-Vi

Abstract

In this paper, a method for searching correlations between the binary stream of Linear Feedback Shift Register (LFSR) and the keystream of SNOW-V and SNOW-Vi is presented based on the technique of approximation to composite functions. With the aid of the linear relationship between the four taps of LFSR input into Finite State Machine (FSM) at three consecutive clocks, we present an automatic search model based on the SAT/SMT technique and search out a series of linear approximation trails with high correlation. By exhausting the intermediate masks, we find a binary linear approximation with a correlation \(-2^{-47.76}\). Using such approximation, we propose a correlation attack on SNOW-V with an expected time complexity \(2^{246.53}\), a memory complexity \(2^{238.77}\) and \(2^{237.5}\) keystream words generated by the same key and Initial Vector (IV). For SNOW-Vi, we provide a binary linear approximation with the same correlation and mount a correlation attack with the same complexity as that of SNOW-V. To the best of our knowledge, this is the first known attack on full SNOW-V and SNOW-Vi, which is better than the exhaustive key search with respect to time complexity. The results indicate that neither SNOW-V nor SNOW-Vi can guarantee the 256-bit security level if we ignore the design constraint that the maximum length of keystream for a single pair of key and IV is less than \(2^{64}\).

Appendices

A Detailed Reasoning Process of Intermediate Masks

Based on the linear approximation of F in Sect. 3, we analyze the intermediate masks in the case that the input and output masks are fixed as \((\gamma ,\beta ,l,m,n,\gamma )\) and \((\alpha ,\alpha ,h,\beta )\) respectively. We denote \(\xi _{j}^{i}\) the mask of the j-th output of \({{f}_{i}}\) and \({{\rho }_{i}}\) the correlation of \({{f}_{i}}\). Then the linear approximation equation of \({{f}_{1}}\) is

$$\begin{aligned} \begin{array}{ll} ~ &{}\gamma \cdot x\oplus \beta \cdot y\oplus l\cdot z\oplus m\cdot u\oplus n\cdot v\oplus \gamma \cdot w, \\ \overset{{{\rho }_{1}}}{\mathop {=}}&{} \xi _{1}^{1}\cdot (x\boxminus v)\oplus \xi _{2}^{1}\cdot y\oplus \xi _{3}^{1}\cdot z\oplus \xi _{4}^{1}\cdot u\oplus \xi _{5}^{1}\cdot L(z,u)\oplus \xi _{5}^{1}\cdot v\oplus \xi _{6}^{1}\cdot w ,\\ \end{array}\end{aligned}$$

(3)

which is equivalent to

$$\begin{array}{ll} &{}(\beta \oplus \xi _{2}^{1})\cdot y\oplus (\gamma \oplus \xi _{6}^{1})\cdot w\oplus [\xi _{5}^{1}\cdot L(z,u)\oplus (l\oplus \xi _{3}^{1})\cdot z\oplus (\xi _{4}^{1}\oplus m)\cdot u] \\ \oplus &{} [\xi _{1}^{1}\cdot (x\boxminus v)\oplus \gamma \cdot x\oplus (n\oplus \xi _{5}^{1})\cdot v]\overset{{{\rho }_{1}}}{\mathop {=}}\,0 . \\ \end{array}$$

With the assumption that \({{\rho }_{1}}\ne 0\), we have \(\xi _{2}^{1}=\beta ,\xi _{6}^{1}=\gamma \). Denoting \(\xi _{1}^{1}=a,\xi _{3}^{1}=e,\xi _{4}^{1}=f,\xi _{5}^{1}=d\), we have \(d \mathbf {\boldsymbol{L}}=(e\oplus l)||(f\oplus m)\) by

$$d\cdot L(z,u)=d \mathbf {\boldsymbol{L}}(z||u)^T=(e\oplus l)\cdot z\oplus (f\oplus m) \cdot u,$$

and (3) is equivalent to \(\gamma \cdot x\overset{{{\rho }_{1}}}{\mathop {=}}\,a\cdot (x\boxminus v)\oplus (n\oplus d)\cdot v\), which is the linear approximation \(a,n\oplus d \rightarrow \gamma \) of the addition modulo \({{2}^{32}}\). Thus the correlation of (3) is \({{\rho }_{1}}={{\rho }_{A}}(a,n\oplus d \rightarrow \gamma )\).

For \({{f}_{2}}\), we have

$$\begin{aligned} \begin{array}{ll} &{}a\cdot x\oplus \beta \cdot y\oplus e\cdot z\oplus f\cdot u\oplus d\cdot v\oplus \gamma \cdot w \\ =&{}\xi _{1}^{2}\cdot ({{\sigma }^{-1}}(x)\boxminus y)\oplus \xi _{1}^{2}\cdot v\oplus \xi _{2}^{2}\cdot y\oplus \xi _{3}^{2}\cdot z\oplus \xi _{4}^{2}\cdot u\oplus \xi _{5}^{2}\cdot v\oplus \xi _{6}^{2}\cdot w, \\ \end{array}\end{aligned}$$

(4)

which is equivalent to

$$\begin{array}{ll} &{} [\xi _{1}^{2}\cdot ({{\sigma }^{-1}}(x)\boxminus y)\oplus a\cdot x\oplus (\beta \oplus \xi _{2}^{2})\cdot y]\oplus (e\oplus \xi _{3}^{2})\cdot z\oplus (\xi _{4}^{2}\oplus f)\cdot u \\ \oplus &{} (\xi _{1}^{2}\oplus \xi _{5}^{2}\oplus d)\cdot v\oplus (\xi _{6}^{2}\oplus \gamma )\cdot w\overset{{{\rho }_{2}}}{\mathop {=}}\,0 . \\ \end{array}$$

By \({{\rho }_{2}}\ne 0\) we know that \(\xi _{3}^{2}=e,\xi _{4}^{2}=f,\xi _{6}^{2}=\gamma \), \(\xi _{1}^{2}=d\oplus \xi _{5}^{2}\). Denoting \(\xi _{2}^{2}=b\), then (4) is equivalent to \(\xi _{1}^{2}\cdot ({\boldsymbol{\sigma }^{-1}}(x)\boxminus y)\oplus a\cdot x\oplus (\beta \oplus \xi _{2}^{2})\cdot y=0\). Let \(X={\boldsymbol{\sigma }^{-1}}(x)\), then the above equation can be converted to

$$a\cdot \sigma (X)=(a \mathbf {\boldsymbol{\sigma }}) \cdot X\overset{{{\rho }_{2}}}{\mathop {=}}\,(\beta \oplus b)\cdot y\oplus \xi _{1}^{2}\cdot (X\boxminus y),$$

which is the linear approximation \(\beta \oplus b,d\oplus \xi _{5}^{2} \rightarrow a \boldsymbol{\sigma }\) of the addition modulo \({{2}^{32}}\), hence \({{\rho }_{2}}={{\rho }_{A}}(\beta \oplus b,d\oplus \xi _{5}^{2} \rightarrow {a{\mathbf {\boldsymbol{\sigma } }}})\).

For \({{f}_{3}}\), the following equation holds

$$\begin{aligned} \begin{array}{ll} &{}(d\oplus \xi _{5}^{2})\cdot x\oplus b\cdot y\oplus e\cdot z\oplus f\cdot u\oplus \xi _{5}^{2}\cdot v\oplus \gamma \cdot w \\ \overset{{{\rho }_{3}}}{\mathop {=}}\,&{} \xi _{1}^{3}\cdot {{E}^{-1}}(x)\oplus \xi _{2}^{3}\cdot {{E}^{-1}}(y)\oplus \xi _{3}^{3}\cdot z\oplus \xi _{4}^{3}\cdot u\oplus \xi _{5}^{3}\cdot v\oplus \xi _{6}^{3}\cdot w .\\ \end{array}\end{aligned}$$

(5)

It is equivalent to

$$\begin{array}{ll} &{}[\xi _{1}^{3}\cdot {{E}^{-1}}(x)\oplus (d\oplus \xi _{5}^{2})\cdot x]\oplus [\xi _{2}^{3}\cdot {{E}^{-1}}(y)\oplus b\cdot y]\oplus (\xi _{3}^{3}\oplus e)\cdot z\oplus (\xi _{4}^{3}\oplus f)\cdot u \\ \oplus &{} (\xi _{5}^{3}\oplus \xi _{5}^{2})\cdot v\oplus (\xi _{6}^{3}\oplus \gamma )\cdot w\overset{{{\rho }_{3}}}{\mathop {=}}\,0. \\ \end{array}$$

By \({{\rho }_{3}}\ne 0\) we know that \(\xi _{3}^{3}=e,\xi _{4}^{3}=f,\xi _{5}^{3}=\xi _{5}^{2},\xi _{6}^{3}=\gamma \). Let \(\xi _{2}^{3}=c\), then (5) is equivalent to \([\xi _{1}^{3}\cdot {{E}^{-1}}(x)\oplus (d\oplus \xi _{5}^{2})\cdot x]\oplus [\xi _{2}^{3}\cdot {{E}^{-1}}(y)\oplus b\cdot y]\overset{{{\rho }_{3}}}{\mathop {=}}\,0\), which is the two linear approximations \(\xi _{1}^{3} \overset{AES}{\mathop {\rightarrow }}\,d\oplus \xi _{5}^{2}\) and \(c\overset{AES}{\mathop {\rightarrow }}\,b\) of AES round function, so we have \({{\rho }_{3}}={{\rho }_{E}}(\xi _{1}^{3} \rightarrow d\oplus \xi _{5}^{2}){{\rho }_{E}}(c\rightarrow b)\).

For \({{f}_{4}}\), we have

$$\begin{aligned} \xi _{1}^{3}\cdot x\oplus c\cdot y\oplus e\cdot z\oplus f\cdot u\oplus \xi _{5}^{2}\cdot v\oplus \gamma \cdot w\overset{{{\rho }_{4}}}{\mathop {=}}\,\xi _{1}^{4}\cdot x\oplus \xi _{2}^{4}\cdot (y\boxplus z)\oplus \xi _{3}^{4}\cdot u\oplus \xi _{4}^{4}\cdot v\oplus \xi _{5}^{4}\cdot w, \end{aligned}$$

(6)

which is equivalent to

$$(\xi _{1}^{3}\oplus \xi _{1}^{4})\cdot x\oplus [\xi _{2}^{4}\cdot (y\boxplus z)\oplus c\cdot y\oplus e\cdot z]\oplus (f\oplus \xi _{3}^{4})\cdot u\oplus (\xi _{5}^{2}\oplus \xi _{4}^{4})\cdot v\oplus (\gamma \oplus \xi _{5}^{4})\cdot w\overset{{{\rho }_{4}}}{\mathop {=}}\,0.$$

By \({{\rho }_{4}}\ne 0\) we know that \(\xi _{1}^{4}=\xi _{1}^{3},\xi _{3}^{4}=f,\xi _{4}^{4}=\xi _{5}^{2},\xi _{5}^{4}=\gamma \), and we can rewrite the above equation as \(\xi _{2}^{4}\cdot (y\boxplus z)\overset{{{\rho }_{4}}}{\mathop {=}}\,c\cdot y\oplus e\cdot z\), which is the approximation \(c,e \rightarrow \xi _{2}^{4}\) of addition modulo \(2^{32}\). Obviously \({{\rho }_{4}}={{\rho }_{A}}(c,e \rightarrow \xi _{2}^{4})\).

For \({{f}_{5}}\), the approximation equation is

$$\begin{aligned} \xi _{1}^{3}\cdot x\oplus \xi _{2}^{4}\cdot y\oplus f\cdot z\oplus \xi _{5}^{2}\cdot u\oplus \gamma \cdot v\overset{{{\rho }_{5}}}{\mathop {=}}\,\xi _{1}^{5}\cdot x\oplus \xi _{2}^{5}\cdot y\oplus \xi _{3}^{5}\cdot z\oplus \xi _{4}^{5}\cdot u\oplus \xi _{5}^{5}\cdot {{E}^{-1}}(v), \end{aligned}$$

(7)

which is equivalent to

$$(\xi _{1}^{3}\oplus \xi _{1}^{5})\cdot x\oplus (\xi _{2}^{4}\oplus \xi _{2}^{5})\cdot y\oplus (f\oplus \xi _{3}^{5})\cdot z\oplus (\xi _{5}^{2}\oplus \xi _{4}^{5})\cdot u\oplus [\xi _{5}^{5}\cdot {{E}^{-1}}(v)\oplus \gamma \cdot v]\overset{{{\rho }_{5}}}{\mathop {=}}\,0.$$

By \({{\rho }_{5}}\ne 0\) we know that \(\xi _{1}^{5}=\xi _{1}^{3},\xi _{2}^{5}=\xi _{2}^{4},\xi _{3}^{5}=f,\xi _{4}^{5}=\xi _{5}^{2}\). Denoting \(\xi _{5}^{5}=q\), then (7) can be reduced to \(q\cdot {{E}^{-1}}(v)\oplus \gamma \cdot v\overset{{{\rho }_{5}}}{\mathop {=}}\,0\), which is the linear approximation \(q \overset{AES}{\mathop {\rightarrow }}\,\gamma \) of AES round function, so \({{\rho }_{5}}={{\rho }_{E}}(q \rightarrow \gamma )\).

For \({{f}_{6}}\), we have

$$\begin{aligned} \xi _{1}^{3}\cdot x\oplus \xi _{2}^{4}\cdot y\oplus f\cdot z\oplus \xi _{5}^{2}\cdot u\oplus q\cdot v\overset{{{\rho }_{6}}}{\mathop {=}}\,\alpha \cdot x\oplus \alpha \cdot y\oplus h\cdot u\oplus \beta \cdot (z\boxplus v). \end{aligned}$$

(8)

By \({{\rho }_{6}}\ne 0\) we know that \(\xi _{1}^{3}=\xi _{2}^{4}=\alpha ,\xi _{5}^{2}=h\), and (8) can be simplified to \(\beta \cdot (z\boxplus v)\oplus f\cdot z\oplus q\cdot v\overset{{{\rho }_{6}}}{\mathop {=}}\,0\), which is the linear approximation \(f,q \rightarrow \beta \) of addition modulo \(2^{32}\). So we have \({{\rho }_{6}}={{\rho }_{A}}(f,q \rightarrow \beta )\).

Thus, the linear approximation trail of F can be described as

$$\begin{array}{l} (\gamma ,\beta ,l,m,n,\gamma )\xrightarrow [d \mathbf {\boldsymbol{L}}=(e\oplus l)||(f\oplus m),{{\rho }_{A}}(a,n\oplus d \rightarrow \gamma )]{{{f}_{1}}}(a,\beta ,e,f,d,\gamma )\xrightarrow [{{\rho }_{A}}(b\oplus \beta ,d\oplus h \rightarrow {a {\mathbf {\boldsymbol{\sigma }}}})]{{{f}_{2}}} \\ (d\oplus h,b,e,f,h,\gamma )\xrightarrow [{{\rho }_{E}}(\alpha \rightarrow d\oplus h){{\rho }_{E}}(c \rightarrow b)]{{{f}_{3}}}(\alpha ,c,e,f,h,\gamma )\xrightarrow [{{\rho }_{A}}(e,c \rightarrow \alpha )]{{{f}_{4}}}(\alpha ,\alpha ,f,h,\gamma ) \\ \xrightarrow [{{\rho }_{E}}(q \rightarrow \gamma )]{{{f}_{5}}}(\alpha ,\alpha ,f,h,q)\xrightarrow [{{\rho }_{A}}(f,q \rightarrow \beta )]{{{f}_{6}}}(\alpha ,\alpha ,h,\beta ).\\ \end{array}$$

B The Proof of \(d=(\texttt {0},\texttt {0},\texttt {0},\texttt {0})\) Under \(d \mathbf {L} =(0x000000*,\texttt {0},\texttt {0},\texttt {0},0x000000*,\texttt {0},\texttt {0},\texttt {0})\)

Here we denote 128-bit vector \(d=(d_7, d_6,...,d_0)\) in which \(d_i \in GF(2^{16})\), and \(\mathbf {\boldsymbol{\beta }}\) the binary matrix form of \(\beta \in GF(2^{16})\). By the relation

$$L(x,y) = \beta *x \oplus {\beta ^{ - 1}}*y \oplus (x> > 48) \oplus (y< < 80),$$

we have

$$\begin{array}{ll} d \cdot L(x,y) &{}= d \cdot \beta *x \oplus d \cdot {\beta ^{ - 1}}*y \oplus d \cdot (x>> 48) \oplus d \cdot (y<< 80)\\ &{}= d \cdot \beta *x \oplus d \cdot {\beta ^{ - 1}}*y \oplus [(d< < 48) \cdot x] \oplus [(d> > 80) \cdot y],\\ \end{array}$$

which is equivalent to

$$\begin{array}{ll} d \mathbf {\boldsymbol{L}}=&{}(d_7 \mathbf {\boldsymbol{\beta }} \oplus d_4,...,d_3 \mathbf {\boldsymbol{\beta }} \oplus d_0,d_2 \mathbf {\boldsymbol{\beta }},...,d_0 \mathbf {\boldsymbol{\beta }},\\ &{}d_7 {\mathbf {\boldsymbol{\beta }}^{-1}},...,d_3 {\mathbf {\boldsymbol{\beta }}^{-1}},d_2 {\mathbf {\boldsymbol{\beta }}^{-1}} \oplus d_7,...,d_0 {\mathbf {\boldsymbol{\beta }}^{-1}} \oplus d_5). \end{array}$$

Recall

$$d \mathbf {\boldsymbol{L}}=(0x000000*,\texttt {0},\texttt {0},\texttt {0},0x000000*,\texttt {0},\texttt {0},\texttt {0}),$$

we can observe that

$$d_2 \mathbf {\boldsymbol{\beta }}=d_1 \mathbf {\boldsymbol{\beta }}=d_0 \mathbf {\boldsymbol{\beta }}= d_7 {\mathbf {\boldsymbol{\beta }}^{-1}}=d_5 {\mathbf {\boldsymbol{\beta }}^{-1}}=d_4 {\mathbf {\boldsymbol{\beta }}^{-1}}=d_3 {\mathbf {\boldsymbol{\beta }}^{-1}}=d_1 {\mathbf {\boldsymbol{\beta }}^{-1}} \oplus d_6=0.$$

As \(\mathbf {\boldsymbol{\beta }}\) is invertible, we can get \(d=(\texttt {0},\texttt {0},\texttt {0},\texttt {0}).\)