Distinguishing and Key Recovery Attacks on the Reduced-Round SNOW-V

This slide deck was presented at ACISP 2021.

Ryoma Ito

December 03, 2021

Transcript

  1. Distinguishing and Key Recovery Attacks on the Reduced-Round SNOW-V

    Jin Hoki (1), Takanori Isobe (1,2,3), Ryoma Ito (2), Fukang Liu (1), Kosei Sakamoto (1)
    (1) University of Hyogo, (2) NICT, (3) JST PRESTO
    ACISP 2021, December 1-3, 2021
  2. SNOW-V Stream Cipher (Introduction)

    J. Hoki, T. Isobe, R. Ito, F. Liu, K. Sakamoto. ACISP 2021, December 1-3, 2021. Distinguishing and Key Recovery Attacks on the Reduced-Round SNOW-V.

    - SNOW-V is a variant of the SNOW family of stream ciphers:
      SNOW 1.0 → SNOW 2.0 → SNOW 3G → SNOW-V (2019) → SNOW-Vi (2021)
    - A standard encryption scheme for 5G mobile communication:
      - 256-bit security level against key recovery attacks
      - 64-bit security level against distinguishing attacks
        - The length of the keystream is limited to at most 2^64 bits for a fixed key
  3. Overall Structure of SNOW-V (Introduction)

    [Figure: LFSR-A (cells a0, …, a15) and LFSR-B (cells b0, …, b15) with the α, α^-1, β, β^-1 multipliers and the taps T1, T2 into the FSM; FSM registers R1, R2, R3 with two AES encryption rounds and the byte permutation σ; output of the 128-bit keystream words z0, z1, z2, …]
  4. Linear Feedback Shift Register (LFSR) Operations (Introduction)

    [Figure: the LFSR part of the SNOW-V structure diagram of slide 3]

    - LFSR-A and LFSR-B: 16 cells of 16 bits each (8 clocks per round)
      gA(x) = x^16 + x^15 + x^12 + x^11 + x^8 + x^3 + x^2 + x + 1 ∈ F2[x]
      gB(x) = x^16 + x^15 + x^14 + x^11 + x^8 + x^6 + x^5 + x + 1 ∈ F2[x]
      a(t+16) = b(t) + α·a(t) + a(t+1) + α^-1·a(t+8)  mod gA(x)
      b(t+16) = a(t) + β·b(t) + b(t+3) + β^-1·b(t+8)  mod gB(x)
  5. Finite State Machine (FSM) Operations (Introduction)

    [Figure: the FSM part of the SNOW-V structure diagram of slide 3]

    - R1, R2, R3 are 128-bit registers
    - Round keys for AES are set to 0
    - σ is a byte-oriented permutation
    - Addition modulo 2^32
  6. Initialization (Introduction)

    [Figure: the SNOW-V structure diagram of slide 3 with the key and IV loaded into the LFSR]

    - The initialization consists of 16 rounds (128 clocks)
    - Loading of the 256-bit key K = (k15, …, k0) and the 128-bit IV = (iv7, …, iv0):
      (a15, …, a0) = (k7, …, k0, iv7, …, iv0)
      (b15, …, b0) = (k15, …, k8, 0, …, 0)
  8. Motivations: Security Analysis of SNOW-V (Introduction)

    Existing security analysis
    - Keystream generation phase
      - TMDTO, linear, algebraic, and guess-and-determine attacks [EJM19]
      - Guess-and-determine attack [JLH20]
      - Guess-and-determine and linear attacks [YJM21]
      - Correlation attacks [SJZ+21]
    - Initialization phase
      - Cube attacks [EJM19]

    Our motivations
    - Integral, differential, and bit-wise differential attacks
      - No security analysis exists for these important attacks

    [EJM19] Ekdahl et al., A new SNOW stream cipher called SNOW-V. ToSC 2019-3.
    [JLH20] Jiao et al., A Guess-and-Determine Attack on SNOW-V Stream Cipher. The Computer Journal (2020).
    [SJZ+21] Shi et al., A Correlation Attack on Full SNOW-V and SNOW-Vi. ePrint 2021/1047.
    [YJM21] Yang et al., Improved guess-and-determine and distinguishing attacks on SNOW-V. ToSC 2021-3.
  9. Summary of Our Results (Introduction)

    Attack type                            Rounds  Data      Time       Ref.
    Integral / Distinguisher               3       2^8.00    2^8.00     This
                                           4       2^16.00   2^16.00    This
                                           5       2^48.00   2^48.00    This
    Differential / Distinguisher           3       2^17.00   2^17.00    This
                                           4       2^97.00   2^97.00    This
    Bit-wise Differential / Distinguisher  4       2^4.47    2^4.47     This
    Cube / Key Recovery                    3       2^15.00   2^255.00   [EJM19]
    Bit-wise Differential / Key Recovery   4       2^26.96   2^153.97   This

    Our contributions
    - MILP-based search methods for integral and differential attacks
    - Single- and dual-bit differential attacks inspired by [CM16]

    [CM16] Choudhuri et al., Significantly improved multi-bit differentials for reduced round Salsa and ChaCha. ToSC 2016-2.
    [EJM19] Ekdahl et al., A new SNOW stream cipher called SNOW-V. ToSC 2019-3.
  12. Bit-based Division Property (MILP-aided Integral Distinguisher)

    Constructing the integral distinguisher
    - Investigate the propagation of the set of inputs; we evaluate it with MILP [XZBL16]
      ALL (𝒜):      the set contains all possible values
      CONSTANT (𝒞): all values in the set are constant
      BALANCE (𝓑):  the sum of all values in the set is zero
      UNKNOWN (𝒰):  the set has unknown properties

    Bit-based division property [TM16]
    Let $\mathbb{X}$ be a multiset whose elements take values in $\mathbb{F}_2^n$. When the multiset $\mathbb{X}$ has the division property $\mathcal{D}^{1^n}_{\mathbb{K}}$, where $\mathbb{K}$ denotes a set of $n$-dimensional vectors whose $i$-th element takes 0 or 1, it fulfills the following condition:

    $$\bigoplus_{x \in \mathbb{X}} \pi_u(x) = \begin{cases} \text{unknown} & \text{if there exists } k \in \mathbb{K} \text{ s.t. } \mathrm{wt}(u) \succeq k, \\ 0 & \text{otherwise.} \end{cases}$$

    [TM16] Todo et al., Bit-based Division Property and Application to Simon Family, FSE 2016.
    [XZBL16] Xiang et al., Applying MILP Method to Searching Integral Distinguishers Based on Division Property, ASIACRYPT 2016.
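The definition above evaluated by brute force, as an added example that is not part of the slides: a 4-bit toy with the PRESENT S-box standing in for a cipher component (an assumption; any 4-bit S-box would serve). For a multiset X it computes the parities of all monomials π_u(x), derives the minimal K of D_K^{1^n}, and labels each output bit of the S-box BALANCE or UNKNOWN in the sense of the ALL/CONSTANT/BALANCE/UNKNOWN classification on the slide.

```python
"""Added example, not from the slides: the bit-based division property of slide 12
evaluated by brute force on a 4-bit toy.  PRESENT_SBOX is an assumed stand-in for a
cipher component; active_set() constructs the input multisets used below."""
from itertools import product

N = 4
PRESENT_SBOX = (0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2)


def monomial(x, u):
    """pi_u(x): product of the bits x_i with u_i = 1 (the empty product is 1)."""
    return int((x & u) == u)


def odd_monomials(X, n=N):
    """Set of u whose sum over X, XOR_{x in X} pi_u(x), equals 1."""
    return {u for u in range(1 << n) if sum(monomial(x, u) for x in X) & 1}


def covers(u, k):
    """u >= k componentwise: every bit set in k is also set in u."""
    return (u & k) == k


def division_property_K(X, n=N):
    """Smallest K such that X has D_K^{1^n}: the sum may be non-zero only for u
    covering some k in K, so K is the set of minimal elements among the odd u."""
    odd = odd_monomials(X, n)
    return {u for u in odd if not any(k != u and covers(u, k) for k in odd)}


def output_bit_labels(X, sbox, n=N):
    """BALANCE for output bits whose XOR sum over sbox(X) is zero, else UNKNOWN."""
    xor_sum = 0
    for x in X:
        xor_sum ^= sbox[x]
    return {i: "UNKNOWN" if (xor_sum >> i) & 1 else "BALANCE" for i in range(n)}


def active_set(active_bits, const=0):
    """Multiset in which the listed bit positions are ALL (every combination taken
    once) and the remaining bits are CONSTANT, copied from const."""
    X = []
    for bits in product((0, 1), repeat=len(active_bits)):
        x = const
        for pos, bit in zip(active_bits, bits):
            x = (x & ~(1 << pos)) | (bit << pos)
        X.append(x)
    return X


if __name__ == "__main__":
    # All four bits active: K = {1111} and every S-box output bit is balanced.
    # Three bits active: the degree-3 S-box leaves two output bits UNKNOWN.
    for active in ([0, 1, 2, 3], [0, 1, 2]):
        X = active_set(active)
        print(active, division_property_K(X), output_bit_labels(X, PRESENT_SBOX))
```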
  13. Modeling for the Propagation of the Division Property (MILP-aided Integral Distinguisher)

    We can create models of each component based on the basic models [XZBL16].

    Basic models [XZBL16]
    - COPY, $a \to (b_1, \dots, b_m)$: $a - b_1 - \cdots - b_m = 0$
    - AND, $(a_1, a_2) \to b$: $b - a_1 \ge 0,\quad b - a_2 \ge 0,\quad b - a_1 - a_2 \le 0$
    - XOR, $(a_1, \dots, a_m) \to b$: $a_1 + \cdots + a_m - b = 0$

    [XZBL16] Xiang et al., Applying MILP Method to Searching Integral Distinguishers Based on Division Property, ASIACRYPT 2016.
  14. Model for Each Component (MILP-aided Integral Distinguisher)

    - 32-bit modular addition: we build its model from COPY, XOR, and AND [SWM17]
    - AES round function
      - SubBytes: we use the modeling method by Xiang et al. [XZBL16]
      - MixColumns: we express the MDS matrix as a 32 × 32 binary matrix and model it based on COPY, XOR, and AND [SWM16]
    - LFSR
      - α, α^-1, β, β^-1: we express each as a 16 × 16 binary matrix and model them based on COPY, XOR, and AND [SWM16]

    [SWM16] Sun et al., MILP-aided Bit-based Division Property for Primitives with Non-bit-permutation Linear Layers, ePrint 2016.
    [SWM17] Sun et al., Automatic Search of Bit-based Division Property for ARX Ciphers and Word-based Division Property, ASIACRYPT 2017.
    [XZBL16] Xiang et al., Applying MILP Method to Searching Integral Distinguishers Based on Division Property, ASIACRYPT 2016.
  16. Our Search Method and Results (MILP-aided Integral Distinguisher)

    Method
    1. Find the longest integral distinguisher by setting all 128 IV bits as active.
    2. Reduce the data complexity: treat each byte as a unit, which gives 2^16 − 2 input patterns in total.
    3. Assign 𝒜 to the MSB of each byte assigned to 𝒜 in Step 2. If no integral distinguisher is found, assign 𝒜 to the next bit after the MSB instead. This process is repeated until an integral distinguisher is found [FTIM18].

    Results
    - Practical 3- and 4-round integral attacks
    - The longest integral distinguisher reaches 5 rounds

    Attack type               Rounds  Data     Time
    Integral / Distinguisher  3       2^8.00   2^8.00
                              4       2^16.00  2^16.00
                              5       2^48.00  2^48.00

    [FTIM18] Funabiki et al., Several MILP-aided Attacks against SNOW 2.0, CANS 2018.
  17. Single- and Dual-bit Differential Cryptanalysis [CM16] (Bit-wise Differential Distinguisher)

    Input difference (ID)
    - $\Delta^{0}_{i,j} = iv_i[j] \oplus iv'_i[j]$
      - $iv_i[j]$, $iv'_i[j]$: the $j$-th bit of the $i$-th byte of the IV

    Output difference (OD) for $r$-round SNOW-V
    - $\Delta^{r}_{p,q} = z_p[q] \oplus z'_p[q]$
      - $z_p[q]$, $z'_p[q]$: the $p$-th bit of the $q$-th byte of the first output keystream

    Single- and dual-bit differential probability [CM16]
    For a fixed key and all possible choices of IVs,

    $$\Pr\left[\Delta^{r}_{p,q} = 1 \mid \Delta^{0}_{i,j} = 1\right] = \tfrac{1}{2}\left(1 + \varepsilon_d\right),$$

    $$\Pr\left[\Delta^{r}_{p_1,q_1} \oplus \Delta^{r}_{p_2,q_2} = 1 \mid \Delta^{0}_{i,j} = 1\right] = \tfrac{1}{2}\left(1 + \varepsilon_d\right).$$

    [CM16] Choudhuri et al., Significantly improved multi-bit differentials for reduced round Salsa and ChaCha. ToSC 2016-2.
  19. Chosen-IV Technique (Bit-wise Differential Distinguisher)

    [Figure: the LFSR of SNOW-V (cells a0, …, a15 and b0, …, b15 with the α, α^-1, β, β^-1 multipliers) and the IV loaded into it]

    /* v is a 16-bit LFSR cell; c is the reduction constant of the multiplier (alpha, alpha^-1, beta or beta^-1) */
    u16 mul_x(u16 v, u16 c) {
        if (v & 0x8000) { return (v << 1) ^ c; } else { return (v << 1); }
    }
    u16 mul_x_inv(u16 v, u16 c) {
        if (v & 0x0001) { return (v >> 1) ^ c; } else { return (v >> 1); }
    }
  20. Chosen-IV Technique (Bit-wise Differential Distinguisher)

    Property 1. The mul_x function is executed 16 times in the LFSR_update algorithm, and its output varies with the value of the MSB.
    Property 2. The mul_x_inv function is executed 16 times in the LFSR_update algorithm, and its output varies with the value of the LSB.

    Choosing IVs whose MSBs and LSBs are 0 should suppress the propagation of differences throughout the internal state of SNOW-V during the initialization phase.

    (mul_x and mul_x_inv are the functions shown on slide 19.)
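The LFSR of slide 4 together with the mul_x / mul_x_inv functions of slide 19, as an added example that is neither the authors' code nor the SNOW-V reference implementation. The reduction constants are derived from the feedback polynomials gA and gB on slide 4 instead of being hard-coded, and mul_x_difference() states Property 1 in difference terms; the test states are constructed values.

```python
"""Added example, not the authors' code nor the SNOW-V reference implementation:
the SNOW-V LFSR of slide 4 with mul_x / mul_x_inv written as on slide 19.
The constants are derived from gA and gB (slide 4); cell values are 16-bit ints."""

MASK16 = 0xFFFF

# Feedback polynomials from slide 4 as exponent lists; the leading x^16 is implicit.
GA_EXPONENTS = (15, 12, 11, 8, 3, 2, 1, 0)   # gA(x) = x^16 + x^15 + x^12 + x^11 + x^8 + x^3 + x^2 + x + 1
GB_EXPONENTS = (15, 14, 11, 8, 6, 5, 1, 0)   # gB(x) = x^16 + x^15 + x^14 + x^11 + x^8 + x^6 + x^5 + x + 1


def mul_x_constant(exponents):
    """x^16 mod g(x): the pattern that mul_x XORs in when the MSB is set."""
    return sum(1 << e for e in exponents)


def mul_x_inv_constant(exponents):
    """x^-1 mod g(x).  Over F2, g(x) = x*h(x) + 1, so h(x) = x^-1; h has exponent
    e-1 for every exponent e >= 1 of g, including the implicit x^16."""
    return sum(1 << (e - 1) for e in exponents if e >= 1) | (1 << 15)


ALPHA_C, ALPHA_INV_C = mul_x_constant(GA_EXPONENTS), mul_x_inv_constant(GA_EXPONENTS)
BETA_C, BETA_INV_C = mul_x_constant(GB_EXPONENTS), mul_x_inv_constant(GB_EXPONENTS)


def mul_x(v, c):
    """Multiply the 16-bit field element v by x (slide 19), reducing with c."""
    if v & 0x8000:
        return ((v << 1) & MASK16) ^ c
    return (v << 1) & MASK16


def mul_x_inv(v, c):
    """Multiply v by x^-1 (slide 19): shift right, reduce with c if the LSB was set."""
    if v & 0x0001:
        return (v >> 1) ^ c
    return v >> 1


def lfsr_update(a, b):
    """One round = 8 clocks of the coupled LFSR-A / LFSR-B (slide 4):
       a(t+16) = b(t) + alpha*a(t) + a(t+1) + alpha^-1*a(t+8)
       b(t+16) = a(t) + beta*b(t)  + b(t+3) + beta^-1*b(t+8)
    a and b are lists of 16 ints with a[0] = a(t); the updated lists are returned."""
    a, b = list(a), list(b)
    for _ in range(8):
        u = b[0] ^ mul_x(a[0], ALPHA_C) ^ a[1] ^ mul_x_inv(a[8], ALPHA_INV_C)
        v = a[0] ^ mul_x(b[0], BETA_C) ^ b[3] ^ mul_x_inv(b[8], BETA_INV_C)
        a = a[1:] + [u]
        b = b[1:] + [v]
    return a, b


def mul_x_difference(delta, c):
    """Output difference of mul_x for an input difference delta.  mul_x is F2-linear,
    so the output difference is mul_x(delta) whatever the cell value: the constant c
    is mixed in only when the difference itself reaches the MSB (slide 20, Property 1);
    otherwise a single-bit difference stays a single-bit difference shifted by one."""
    return mul_x(delta, c)


if __name__ == "__main__":
    print(hex(ALPHA_C), hex(ALPHA_INV_C), hex(BETA_C), hex(BETA_INV_C))
```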
  23. Chosen-IV Technique (Bit-wise Differential Distinguisher)

    IV domains (16-bit cells, written in binary):
    V0 = { xxxxxxxxxxxxxxxx_(2) | x ∈ {0,1} }
    V1 = { 0xxxxxxxxxxxxxx0_(2) | x ∈ {0,1} }
    V2 = { 00xxxxxxxxxxxx00_(2) | x ∈ {0,1} }
    V3 = { 000xxxxxxxxxx000_(2) | x ∈ {0,1} }
    V4 = { 0000xxxxxxxx0000_(2) | x ∈ {0,1} }
    V5 = { 00000xxxxxx00000_(2) | x ∈ {0,1} }
    V6 = { 000000xxxx000000_(2) | x ∈ {0,1} }
    V7 = { 0000000xx0000000_(2) | x ∈ {0,1} }

    Choosing IVs whose MSBs and LSBs are 0 should suppress the propagation of differences throughout the internal state of SNOW-V during the initialization phase.
  25. Experimental Results (Bit-wise Differential Distinguisher)

    Table. The best bit-wise differential biases (log2) for 4-round SNOW-V.

    Domain  Single-bit differentials (ID, OD, bias)      Dual-bit differentials (ID, OD, bias)
    V0      Δ!,,. ,   Δ,,, /            -10.299         Δ/,! ,   Δ,,! / ⊕ Δ!,! /      -9.432
    V1      Δ0,! ,    Δ,,, /            -10.114         Δ/,! ,   Δ,,! / ⊕ Δ!,! /      -9.243
    V2      Δ/,# ,    Δ,,, /            -9.804          Δ/,# ,   Δ,,, / ⊕ Δ!,, /      -9.069
    V3      Δ,,1 ,    Δ#,/ /            -9.121          Δ/,! ,   Δ,,! / ⊕ Δ!,! /      -8.825
    V4      Δ2,2 ,    Δ3,# /            -8.975          Δ!/,. ,  Δ,,! / ⊕ Δ!,! /      -7.343
    V5      Δ!0,/ ,   Δ.,0 /            -7.904          Δ2,. ,   Δ#,# / ⊕ Δ0,# /      -5.675
    V6      Δ!0,! ,   Δ1,/ /            -6.197          Δ,,2 ,   Δ,,, / ⊕ Δ!,. /      -3.725
    V7      Δ!/,! ,   Δ!#,0 /           -4.268          Δ4,, ,   Δ,,! / ⊕ Δ0,# /      -1.733

    - The chosen-IV technique is valid up to 4 rounds of SNOW-V
      - The bit-wise differential attack is valid up to 4 rounds of SNOW-V
      - 2^4.466 samples suffice to distinguish 4-round SNOW-V from a TRNG
  30. Differential Attack Based on Probabilistic Neutral Bits (PNB) (Key Recovery Attack on the 4-round SNOW-V)

    Existing security analysis of Salsa and ChaCha [AFK+08]
    [Figure: Key, IV → differences Δ1, Δ4, Δ5 → Keystream, with the four steps 1. Bias search, 2. PNB identification, 3. Probabilistic backwards computation, 4. Key recovery]

    Procedures
    1. Search for bit-wise differential biases ε_d.
    2. Identify the PNB.
       - The PNB concept divides the secret key bits into two sets: m significant key bits and n neutral key bits.
    3. Perform the probabilistic backwards computation.
       - It computes the probabilistic r-round bias ε_a based on the PNB concept.
    4. Recover the secret key.
       - It mainly guesses the m significant key bits.

    [AFK+08] Aumasson et al., New Features of Latin Dance: Analysis of Salsa, ChaCha, and Rumba. FSE 2008.
  32. Differential Attack Based on Probabilistic Neutral Bits (PNB) (Key Recovery Attack on the 4-round SNOW-V)

    Existing security analysis of Salsa and ChaCha [AFK+08]
    [Figure: Key, IV → differences Δ1, Δ4, Δ5 → Keystream, with the four steps 1. Bias search, 2. PNB identification, 3. Probabilistic backwards computation, 4. Key recovery]

    A problem regarding its application to SNOW-V
    Unlike in the existing security analysis of Salsa and ChaCha, it is difficult to compute the differential biases from the obtained keystreams (under the known-plaintext attack scenario) by performing the backwards computation.
    → Simply replace the backwards computation with the forwards computation.

    [AFK+08] Aumasson et al., New Features of Latin Dance: Analysis of Salsa, ChaCha, and Rumba. FSE 2008.
  33. Differential Attack Based on Probabilistic Neutral Bits (PNB) (Key Recovery Attack on the 4-round SNOW-V)

    Application to SNOW-V
    [Figure: Key, IV → differences Δ1, Δ4 → Keystream, with the four steps 1. Bias search, 2. PNB identification, 3. Probabilistic forwards computation, 4. Key recovery]

    Procedures
    1. Search for bit-wise differential biases ε_d.
    2. Identify the PNB.
    3. Perform the probabilistic forwards computation (compute the bias ε_a).
    4. Recover the secret key.
  34. Experimental Results (Key Recovery Attack on the 4-round SNOW-V)

    Table. The best parameters for our attacks with success probability one on 4-round SNOW-V, where m is the number of significant key bits.

    Domain  ID        OD                   m    ε_d        ε_a    α    Time       Data
    V0      Δ/,0 ,    Δ,,, / ⊕ Δ!,, /      127  2^-9.548   1.000  109  2^153.97   2^26.96
    V7      Δ!,2 ,    Δ,,, / ⊕ Δ!,! /      149  2^-1.878   1.000  108  2^154.60   2^11.59

    Time and data complexities [AFK+08]

    $$T = 2^{m} N + 2^{256-\alpha}, \qquad N = \max\left\{ \left(\frac{\sqrt{\alpha \log 4} + 3\sqrt{1-\varepsilon_d^2}}{\varepsilon_d}\right)^2, \left(\frac{\sqrt{\alpha \log 4} + 3\sqrt{1-\varepsilon_a^2}}{\varepsilon_a}\right)^2 \right\}$$

    Note: α (and hence N) is chosen such that it minimizes the time complexity.

    [AFK+08] Aumasson et al., New Features of Latin Dance: Analysis of Salsa, ChaCha, and Rumba. FSE 2008.
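The complexity estimate above worked through for the V0 row, as an added example that is not the authors' code: N is the [AFK+08] sample-size estimate with a natural logarithm in sqrt(α log 4), taken as the larger of the counts for the two biases, and T uses the 256-bit SNOW-V key length; best_alpha() sweeps α to show why 109 is the value chosen in the table.

```python
"""Added example, not the authors' code: the time/data estimate of slide 34 for its
V0 row, and a sweep over alpha.  Assumptions: N = ((sqrt(alpha ln 4) + 3 sqrt(1 - eps^2)) / eps)^2
per [AFK+08] with natural logarithm, N taken as the larger of the two bias terms,
and T = 2^m N + 2^(256 - alpha) for the 256-bit SNOW-V key."""
import math

KEY_BITS = 256


def log2_samples(eps, alpha):
    """log2 of the [AFK+08] sample count N for a bias eps and parameter alpha."""
    root = (math.sqrt(alpha * math.log(4)) + 3.0 * math.sqrt(1.0 - eps * eps)) / eps
    return 2.0 * math.log2(root)


def attack_estimate(m, log2_eps_d, eps_a, alpha, key_bits=KEY_BITS):
    """Return (log2 data, log2 time) for m significant key bits, bias eps_d given as
    its log2, bias eps_a and alpha: data = N, time = 2^m N + 2^(key_bits - alpha)."""
    eps_d = 2.0 ** log2_eps_d
    log2_n = max(log2_samples(eps_d, alpha), log2_samples(eps_a, alpha))
    log2_t = math.log2(2.0 ** (m + log2_n) + 2.0 ** (key_bits - alpha))
    return log2_n, log2_t


def best_alpha(m, log2_eps_d, eps_a, key_bits=KEY_BITS):
    """The alpha in 1..key_bits-1 minimising the time estimate (the slide's note):
    a larger alpha shrinks the 2^(key_bits - alpha) term but needs more samples N."""
    return min(range(1, key_bits),
               key=lambda alpha: attack_estimate(m, log2_eps_d, eps_a, alpha, key_bits)[1])


if __name__ == "__main__":
    # V0 row of slide 34: m = 127, eps_d = 2^-9.548, eps_a = 1.000, alpha = 109.
    data, time = attack_estimate(127, -9.548, 1.0, 109)
    print(f"V0: data 2^{data:.2f}, time 2^{time:.2f}, best alpha {best_alpha(127, -9.548, 1.0)}")
```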
  35. Conclusion

    Attack type                            Rounds  Data      Time       Ref.
    Integral / Distinguisher               3       2^8.00    2^8.00     This
                                           4       2^16.00   2^16.00    This
                                           5       2^48.00   2^48.00    This
    Differential / Distinguisher           3       2^17.00   2^17.00    This
                                           4       2^97.00   2^97.00    This
    Bit-wise Differential / Distinguisher  4       2^4.47    2^4.47     This
    Cube / Key Recovery                    3       2^15.00   2^255.00   [EJM19]
    Bit-wise Differential / Key Recovery   4       2^26.96   2^153.97   This

    Our contributions
    - MILP-based search methods for integral and differential attacks
    - Single- and dual-bit differential attacks inspired by [CM16]

    [CM16] Choudhuri et al., Significantly improved multi-bit differentials for reduced round Salsa and ChaCha. ToSC 2016-2.
    [EJM19] Ekdahl et al., A new SNOW stream cipher called SNOW-V. ToSC 2019-3.