Open Access is an initiative that aims to make scientific research freely available to all. To date our community has made over 100 million downloads. It’s based on principles of collaboration, unobstructed discovery, and, most importantly, scientific progression. As PhD students, we found it difficult to access the research we needed, so we decided to create a new Open Access publisher that levels the playing field for scientists across the world. How? By making research easy to access, and puts the academic needs of the researchers before the business interests of publishers.
We are a community of more than 103,000 authors and editors from 3,291 institutions spanning 160 countries, including Nobel Prize winners and some of the world’s most-cited researchers. Publishing on IntechOpen allows authors to earn citations and find new collaborators, meaning more people see your work not only from your own field of study, but from other related fields too.
To purchase hard copies of this book, please contact the representative in India:
CBS Publishers & Distributors Pvt. Ltd.
www.cbspd.com
|
customercare@cbspd.com
In this chapter, we have studied three word-oriented stream ciphers SNOW 1.0, SNOW 2.0 and SNOW 3G in a detailed way. The detailed description includes the working principles of each cipher, security vulnerabilities and implementation issues. It also helps us to study the challenges in each cipher. As SNOW 3G is used as a confidentiality and integrity component in 3G, 4G and 5G communications, the after study of this article may instigate the reader to find the fixes from different cryptanalysis and also find a new suitable design in Mobile telephony security.
Department of Computer Science and Engineering, IIT Guwahati, Assam, India
Srinivasan Krishnaswamy
Department of Electronics and Electrical Engineering, IIT Guwahati, Assam, India
Pinaki Mitra*
Department of Computer Science and Engineering, IIT Guwahati, Assam, India
*Address all correspondence to: pinaki@iitg.ac.in
1. Introduction
In modern era of communication, mobile devices, tablets, computers are developed with huge processing power, memory and storage. When one mobile device communicates with a remote server or another mobile device, the communication always takes place in a secret way. For any bank transaction or any online purchase through PC, we always require communication link between the source and the server which ensures the authentication, confidentiality and integrity of the channel. Before the year 1999, Block ciphers was the only way to provide confidentiality in any kind of communication in word oriented environment. AES, DES, 3-DES, BlowFish, Serpent, Twofish are some of the common used block cipher algorithms. The problems associated with block ciphers are mainly processing power, throughput in comparison to stream cipher. Stream cipher works very efficiently in hardware due to its simple design and good statistical properties. But it lacks in software based applications. But is it possible to make a word-oriented cipher which will be faster than Block cipher, at least gives security of AES [1] (Advance Encryption Standard) and suits in software as well as hardware? This initiate the design and analysis of word-oriented stream cipher. The basic building block of word oriented stream cipher is designed by LFSR (Linear Feedback Shift Register) with multi input multi output (MIMO) delay blocks and a Nonlinear function. In this kind of design, LFSR plays the role of generating sequence with uniform distribution. It generates m−sequence. As, sequence from LFSR can be easily cryptanalyzed by Barleycamp Massey Algorithm [2], Nonlinear maps are used along with LFSR to increase the linear complexity as well as nonlinearity of the output sequence. Generally, S-box, Addition modulo 2n(⊞), Subtraction modulo 2n(⊟) are used as Nonlinear function. Word-based Cipher acts as a pseudorandom number generator (PRNG) which produces vector in each clock cycle as keystreams. Plaintext block and keystream block are encrypted with bitwise EXOR operator and it creates cipher text block. In the receiving end, cipher text block and the same keystream generator produces the plaintext block using the same bitwise exor operator. In the next subsection, we discuss about some existing word-based LFSR.
1.1 Related work
The research on word-based stream cipher was coined by Bart Preneel in FSE 1994. In NESSIE (New European Schemes for Signature, Integrity, and Encryption) competition (2000–2003), six stream ciphers (BMGL, Leviathan, LILI-128, SNOW [3], SOBER-t16 [4] and SOBER-t32 [5]) were submitted. Among which SNOW 1.0, SOBER-t16 and SOBER t-32 were found as word oriented stream ciphers. In 2002, SNOW, SOBER-t16 and SOBER t-32 were found with security flaws with certain cryptographic attacks (Distinguishing attack, Guess and Determine attack and Linear cryptanalysis). In 2002, SNOW 2 [6] was proposed by Ekdahl and Johansson, the same author published SNOW 1.0. But two cryptographic attacks, Algebraic attack and Linear Distinguishing attack made SNOW 2.0 vulnerable. After SNOW 2.0, in 2006 SNOW 3G and in 2008 Sosemanuk [7] (as a Estream finalist) came into the literature. SNOW 3G was selected as 3GPP Confidentiality and Integrity Algorithms UEA2 and UIA2. It was also analyzed by Fault Analysis attack [8] in 2009. Sosemanuk cipher is an modified of version of SNOW 2.0. There are some attacks on Sosemanuk like Linear masking method [9], byte based guess and determine attack [10]. Ekdahl et al. recently proposed SNOW-V [11] stream cipher with the feature of 256-bit security and huge throughput in 5G environment. Still, we find fast correlation attack [12] with 2251.93 complexity and improved guess and determining attack [13] with 2406 complexity on SNOW-V.
In this literature, we are trying to present detailed study of SNOW 1.0, SNOW 2.0 and SNOW 3G and discuss the basic problems related to it.
In this section, we present some definitions and related concepts useful to understand the context of next sections.
Primitive polynomial: A polynomial that generates all elements in an extension field over a base field is called Primitive Polynomial. It is also irreducible polynomial. There are ϕqn−1n primitive polynomials of degree n in GFqX, where ϕ is the Euler phi function.
Example 1.x4+x+1 and x4+x3+1 are two primitive polynomials of GF24.
Linear feedback shift register (LFSR): LFSR is an important source of PRNG in stream cipher design. It is very fast and easy to implement in hardware. It consists of some D flip flops and a feedback polynomial. If f is the primitive polynomial of degree n and x1x2⋯xn where each xi∈F2, is the state of the LFSR, the state update function of the LFSR L is defined:
L:x1x2⋯xn→fx1x2⋯xnx2⋯xn−1E1
If the feedback polynomial of a LFSR is primitive, it can generate all the nonzero states in its period. But LFSR based PRNG is vulnerable to Barleycamp Massey attack. It finds the initial state and the feedback polynomial of the LFSR if 2×n keystream can be accessed from the LFSR state. So, various forms of nonlinear feedback shift register (NLFSR) like Nonlinear combiner generator, Nonlinear feedforward generator, Clock control generator are used as a keystream generator to resist BMA attack. But LFSRs are slow in smartphone, PC, embedded system applications with respect to word oriented operation. So word oriented PRNG’s like RC4, SOBER, SNOW, SNOW 2.0 etc. came to the market to serve the purpose of PRNG. The important factor in word oriented LFSR is primitive polynomial over extension field. These papers [14, 15, 16] are a good source of materials to study primitive polynomials over extension field.
Let b be the number of m input output delay blocks (D0,D1,⋯,Db where each Di∈F2m) and gain matrices B0,B1,⋯,Bb−1∈F2m×m of a multi-input multi-output LFSR(MIMO LFSR). Initial state of the MIMO LFSR is of mb bits. The state update function of a σ−LFSR, Amb is defined as:
Amb=0I0⋯000I⋯0⋮⋮⋮⋯⋮000⋯IB0B1B2⋯Bb−1∈F2mb×mb
where 0,I∈F2m×m are all zero and identity matrix respectively. The characteristic polynomial of Amb,
fx=xn+Bb−1xn−1+Bb−2xn−2+⋯+B0E2
is called a primitive polynomial over F2m if periodicity of the polynomial is 2mb−1. Primitive MIMO LFSR is a good PRNG as the keystreams generated from it satisfy balancedness, span-n, 2-level autocorrelation property according to Golomb’s randomness criterion. But only LFSR cannot be used as a PRNG due to small linear complexity. Linear complexity is the length of the smallest linear feedback shift register which can generate the sequence. To increase the linear complexity, nonlinear functions are used in PRNG along with LFSR (Figure 1).
Figure 1.
Word oriented LFSR based Encryption.
Substituation Box (S-Box): An S-Box or substitution box f is a vectorial Boolean function [17] which is defined as follows:
f:F2n→F2n
It is nothing but the permutation of n elements from one set to another. We can represent f as (f1,f2,⋯,fn) where each fi is the component Boolean function [18] of the S-box.
fi:Vn→F2
There are n! S-box’es for a set of n elements. We can categorize S-boxes into two section.
Affine S-box: If all the component functions are affine functions.
Non Affine S-box: If at least one component function is nonlinear function.
In cryptology, researchers are interested on Non affine S-boxes whose all component functions are nonlinear. S-box should have good cryptographic characteristics such as balancedness, good nonlinearity, resiliency, optimal algebraic immunity, good differential uniformity [19].
Example 2. One of the S-boxes used in DES(Data Encryption Standard) is:
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
4
13
1
2
15
11
8
3
10
6
12
5
9
0
7
There are four boolean function with respect to this S-box. Their Algebraic Normal Form(ANF) are:
In this section, we demonstrate SNOW 1.0 Keystream generator and various attacks possible on it (Figure 2).
Figure 2.
Block Diagram of SNOW 1.0.
SNOW 1.0 consists of two parts as LFSR part and FSM part. The LFSR of SNOW 1.0 has 16 delay blocks Sti, each can store 32 values. It means Sti∈F232. The LFSR has a primitive feedback polynomial over F232 which is
py=y16+y13+y7+αE3
where α is the generating element of F232. The irreducible polynomial fy used to generate F232 as an ideal is fy=y32+y29+y20+y15+y10+y+1 such that fα=0.
F232=F2yfy
The FSM (Finite State Machine) part comprised of registers Reg1, Reg2∈F232 and substitution box S,
Fm:0132×0132→0132Fmt=Stt+i⊞Reg1t⊕Reg2tE4
Here, ⊞ operator is integer addition modulo 232 such as x⊞y=x+ymod232. In the FSM the registers are updated as follows.
Reg1t+1=Fm⊞Reg2t⋘⊕Reg1tE5
Reg2t+1=SReg1tE6
The S-box S operation acts as follows (Figure 3). The input y is broken into 4 bytes. Each of the bytes are changed to another byte by a nonlinear mapping from 8 to 8 bits. The nonlinear mapping is
Figure 3.
Block Diagram of SNOW 2.0.
x=Y7⊕β2⊕β⊕1E7
where x is output of nonlinear map, Y is the input and both considered to be representing elements ∈F28 with the polynomial basis β7⋯β1. β is the root of the irreducible polynomial hy=y8+y5+y3+y+1 such that hβ=0. The nonlinear mapping followed by a permutation of the bits in the output word.
4.1 SNOW 1.0 algorithm
In this section, we demonstrate the working nature of SNOW 1.0. It starts with Initialization, LFSRupdate, FSMupdate and finally ends with SNOW 1.0 algorithm.
Algorithm 1: Initialization().
Input: Key K=k1⋯k8∈F2256 where each ki∈F232 and Initialization vector IV=IV2IV1∈F264 where each IV2,IV1∈F232.
Guess and determine attack: It is one type of key recovery attack. It [20] utilizes the relationship between internal values (recurrence relation in a shift register) and the relationship used to establish the key-stream values from the registers values. In this attack, value of some registers are guessed and then the relationships are utilized to find other internal values.
The problem in SNOW 1.0 is the recurrence relation
We can find out the distance of three words between Stt and Stt+3, and the distance of 6 words between Stt+3 and Stt+9. So the attacker can use Stt+i⊕Stt+6+i as a single input to both the equation. Another aspect the use of ⋘ operator (Circular shift operator) helps in finding relation between FSM and Reg2 (Table 2).
Distinguishing attack: In this kind of attack linear approximation of the nonlinear part is done first and combined with the linear part. Coppersmith et al. [21] observed that only α present which in F232. Using Frobenious automorphism (ϕ:y→y232) they eliminated α and gave a new linear relation over GF2.
Data complexity
Process complexity
Guess-and-determine attack (method 1)
O264
O2256
Guess-and-determine attack (method 2)
O295
O2100
Table 2.
GD attack complexity.
py232+py=y16×232+y13×232+y7×232+y16+y13+y7E10
The best linear approximation of the two consecutive round input outputs of the FSM from the following.
δ=Stt15⊕Stt16⊕Stt+122⊕Stt+123⊕Fmt15⊕Fmt+123E11
where Sttk signify k th bit of St0 state of the LFSR at time t. The bias of the linear approximation evaluated was at least 2−9.3. And the author calculated 2101.6 rounds keystream requirement for distinguishing the output sequence from SNOW 1.0 and the sequences from true random bit generator.
This section discusses all about SNOW 2.0 Keystream generator. We also mention about some cryptographic attacks on SNOW 2.0.
SNOW 2.0 is the updated KSG over SNOW 1.0. Here, the primitive polynomial over GF232 is chosen by studying the weakness of the primitive polynomial in SNOW 1.0. Let δ be the generating element of the primitive polynomial fy=y8+y7+y5+y3+1, such that fδ=0 and α be the generator of the primitive polynomial gy=y4+δ23y3+δ245y2+δ48y+δ239 such that gα=0. We can represent each element in F232 with the help of the basis α3α2α1. Using the above 2 extension fields the generator polynomial of SNOW 2.0
Hy=αy16+y14+α−1y5+1∈F232YE12
is calculated and the recurrence relation of Hy is as follows:
Stt+15=α−1Stt+11+Stt+2+αSttE13
where Stt∈F232 is the state of the first delay block in clock time t.
The FSM part of SNOW 2.0 is same as SNOW 1.0, except Stt+5 is used as a input to the FSM. It makes more dependency of state vectors to the FSM. We can evaluate the FSM Fmt as:
Fmt=Stt+15⊞Reg1t⊕Reg2tE14
and the keystream zt is given by
zt=Fmt⊕SttE15
The updation of registers Reg1t+1, Reg2t+1 from Reg1t, R2t are related as follows:
Reg1t+1=Stt+4⊞Reg2tE16
Reg2t+1=SReg1tE17
Here S is the S-box which takes 4 bytes (b0,b1,b2,b3) as input and uses AES S-box followed by mixcolumn operation to output 4 bytes.
In the above equation, the matrix used is for Mixcolumn operation where the value in X∈F28 and the S-box S:F28→F28 is a permutation function used in SubByte step defined as:
Sy=0,ify=0y−1,∀y∈F28−0
5.1 Key initialization
In SNOW 2.0128 bits or 256 bits key (K) and a initialization vector IV (public) is used. The IV∈01⋯2128−1 and the two memory registers are set to 0. The cipher is then clocked 32 times where no keystream is produced and the FSM output is feeded as following:
Stt+15=α−1Stt+11⊕Stt+2⊕αStt⊕FmtE19
The cipher is then switched into the normal mode, but the first output of the keystream is discarded. After 250 keystream the cipher’s key K is changed to a new value for resisting from cryptanalysis.
5.2 SNOW 2.0 algorithm
In this section, we describe the working principle of SNOW 2.0 algorithm which consists of Initialization, LFSRupdate, FSMupdate.
Algorithm 5: Initialization().
Input: Key K=k0⋯k7∈F2256 where each ki∈F232 and Initialization vector IV=IV3IV2IV1IV0∈F2128 where each IVi∈F232.
In this kind of attack a distinguisher algorithm is constructed to distinguish the output keystream from a PRNG and same length output from a true random number generator. If the distinguishing algorithm complexity is less than the brute force search algorithm, this is called an attack on the cipher.
Watanabe et al. [21] 2003 used linear masking method to distinguish the output of SNOW 2.0 from a TRNG. Basically it tries to find out linear relation between the output of the keystream with FSM and LFSR. SO to serve this purpose we need to find a mask T∈F232 with high bias such that
with assumption that all the masks values are same, becomes possible of two nonlinear approximation such as S-box and the three ⊞ operator,
TSX=TXE22
TX⊞y=TX⊕TyE23
The bias of the total approximation can be found with complexity O2−112.25. So we need about 2225 words to distinguish SNOW 2.0 from true random bit sequence.
In 2006 FSE, Nyberg et al. [22] improved this attack by approximating FSM (Finite state machine) and output of the cipher with different linear mask (T,λ∈F232)
measured the bias of the above relation with correlation (T,λ) which is defined as:
correlationTλ=#x∈F232:TFx=λx−#x∈F232:TFx!=λxE26
They also investigated the diffusion property of Mixcolumn, improved the search complexity of linear distinguishing attack.
5.3.2 Correlation attack
In correlation attack [23] over extension field, the correlation of output keystream with the LFSR output is calculated for a particular N (# available words). If the correlation or bias value is far greater than 12n, we find linear relation between input and output and also find out the initial state of the LFSR. It is also one kind of key recovery attack. Another kind of correlation attack is Fast Correlation attack [24] where the each output of a keystream zi is written as:
zi=ui+eiE27
ui is the output of the LFSR and ei is considered as error in the discrete memoryless channel which is the nonlinear function attached with LFSR. So, finding initial state of the LFSR is equivalent of solving the decoding problem in error correcting code. We consider LFSR as Nl linear code, where l is the size of the LFSR.
In 2008, Lee et al. [9], in Asiacrypt 2008 presented more improved result with second LFSR derivation technique to mount correlation attack with time complexity O2212.38, space complexity O2202.83 bits and data complexity O2197.77 bits to find out the initial state of SNOW 2.0 LFSR.
In 2015, Bin Zhang et al. [25] published paper on Fast correlation attack on SNOW 2.0 over extension field to find out the initial state of the LFSR with data complexity O2163.59, time complexity O2164.15 which is 249 times faster than the previous one.
In 2018, Funabiki et al. [26] updated the FCA attack on SNOW 2.0 by using a MILP aided search for the linear mask very efficiently. It also uses the k-tree algorithm in [25] to find the key of SNOW 2.0 in data complexity O2162.34 and time complexity O2162.92.
In 2020, Gond et al. [27] published their work on FCA on SNOW 2.0 by slightly modifying the idea of k-tree algorithm. It finds the key of SNOW 2.0 in data complexity O2159.62 and time complexity O2162.86.
Theorem 6.1The carry bitciin the additionX⊞Y=Zis equal to zero with probability12+12i+1.
5.3.3 Algebraic attack
Any stream cipher can be expressed with respect to algebraic equations where the variables of the equations are nothing but the initial state of the LFSR. We know that the challenge is to solving system of nonlinear equations with respect to the keystreams available to the us. It is well known to us that Solving such system of nonlinear equations over finite field is NP-Hard problem. But there are some approaches in the literature to mount algebraic attack like linearization, Grobner basis, Finding low degree annihilators [28] of a Boolean function etc.
In 2005, [29] Olivier Billet et. el cryptanalyzed SNOW 2.0 with algebraic attack like following:
Assuming ⊞ in the cipher as ⊕ operation, the equations at time stamp t help in mounting algebraic attack:
Reg2t=Reg20+∑i=0tzi+∑i=0tSt4+i+St15+i+StiE28
where only known information is output keystreams(z).
Reg2t+1=SReg1tE29
=SReg2t+zt+St15+t+SttE30
From each S-boxes we can find 39 linearly independent equations, So total 39×4=156 quadratic equations can be found from equation (11) for one keystream. The authors took linearization as a tool to make ∑i=02544i≈217 many unknown variables. The equations can be solved using Graobner basis with the help of about less than 17 keystreams. It results to find the initial state of the cipher with time complexity O251.
5.3.4 Guess and determining attack
In this kind of attack, the attacker first assumes the value of some registers and determine the value of the rest registers following the guesses. Later, keystream is generated from the cipher. If the keystream is equal to the keystream found by known keystream, the guess is a valid one. The terminology for the minimum guessed values of the cipher is called guessed basis. First systematic algorithm was proposed by Ahmadi et al. [30] which was a Viterbi like algorithm. Guessed basis for this algorithm was 8 and time complexity of the algorithm is O2265. The next updated result is found from the article [31] which uses two auxiliary equations. Moreover, the guessed basis for this result is 6 and time complexity of the algorithm is O2192.
5.4 KDFC SNOW
To resist from Algebraic attack, another version of SNOW 2.0 called Key dependent feedback configuration (KDFC) SNOW is proposed in [32]. It replaces the LFSR over F232 by σ−LFSR over M32F2. Moreover, it also implements the idea of different feedback matrices [33] for the σ−LFSR based on the key of the cipher. The whole process of changing the existing feedback matrix is done on the initialization phase of the cipher (Figure 4).
Figure 4.
Block diagram of KDFC-SNOW.
KDFC Scheme hides the feedback matrix of the σ−LFSR which helps the SNOW 2.0 to resist from some known plaintext attacks like Algebraic attack, Distinguishing Attack, Some Fast correlation attacks, Guess and Determining Attacks.
SNOW 3G is an updated version of SNOW 2G. To get resistance from Algebraic Attack on SNOW 2.0, this cipher is proposed. It is used in mobile telephony for 4G and 5G communication as authenticated encrypted word oriented stream cipher in UEA2 and UIA2. The basic building block of SNOW 3G is as follows (Figure 5):
Figure 5.
Block diagram of SNOW 3G.
The LFSR configuration of SNOW 3G is as same as SNOW 2.0. The only changes are in the FSM configuration. One extra register R3 and extra Sbox is proposed by the designer. We discuss only the FSM construction of SNOW 3G in the following paragraph.
FSM: The FSM of SNOW 3G consists of two input words St15 and St5. It generates a 32-bit output word FW.
Fw=St15⊞R1⊕St5E31
On the next step, the registers are updated. To do so, we calculate one value r like following:
r=R2⊞R3⊕St5E32
Next, we update the registers
R3=SBox2R2E33
R2=SBox1R1E34
R1=rE35
SBox1: This Sbox is same as the Sbox described in SNOW 2.0.
SBox2: The SBox2 (S2 in Eq. (23)) is constructed using the Dickson polynomial. It is defined as an element of GF28 which is generated by x8+x6+x5+x3+1. Suppose bi∈GF28, using that we find an 32−bits inputs b=b1‖b2‖b3‖b4 which is given as a input to the SBox2. It works as the following:
Here, Y∈GF28 and the matrix of Y and 1 is used for mixcolumn transformation.
6.1 Cryptographic attack on SNOW 3G
6.1.1 Fault attack on SNOW 3G
In this attack [8, 34] the attacker has a access of the physical device and it can cause transient fault attack on the device. In this kind of fault attack, the attacker can reset the device to its original state and apply a fault to the same device to get new keystream. The attacker can find the secret key of the cipher by verifying the faulty keystream and the actual keystream.
In SNOW 3G KSG, fault is injected between two computations of the following registers:
Register R1t.
Register R2t.
LFSR state St0t.
We need to keep track that we consider the memory locations of R1t+1, R2t+1, St15t+1 after computation of a new word. Next we can find out Xt⊕Xt′ which can give value either 1 or 0 for a certain fault injected positions, where Xt denotes the value the above mentioned registers in RAM and Xt′ is the faulty valued of the registers. We also verify the Zt⊕Zt′ value to get the confirmation of the fault occurrence. Finally, the state of the LFSR of SNOW 3G can be found by at least 24 fault injections and solving 512 linear equation by Gaussian elimination.
Note: Besides, all the attacks on SNOW 2.0 written before except algebraic attacks are also performed on SNOW 3G. It results SNOW 3G as a 128-bit secure cipher.
In Table 3, we enlist the attacks possible on SNOW 1.0, SNOW 2.0 and SNOW 3G.
Whole SNOW family of ciphers use LFSR with y∗β operation over F232 where β is a primitive element of GF232. SNOW 2.0 and SNOW 3G uses the following approach:
y.β=y≪8⊕Tabley≫24E37
Here, Table(x) function takes 8-bit vector as input and return 32-bit vector as output. It can be described as follows:
where 0xA9 is the hexadecimal representation of the primitive polynomial x8+x7+x5+x3+1 over F2, F1 is a function which takes 16 bit inputs and positive integer i to 8-bit vector. F1Wix=W if i==0 and F1Wix=F2F1Wi−1xx, otherwise, where W,x∈F28. And F2Wx=W≪81⊕x if leftmostbit(W)==1, else F2Wx=W≪81. F2 is a function which takes two 8− bit inputs and gives 8- bit output. This whole procedure reduces the time complexity of vector-vector multiplication over finite field to O1 complexity.
7.2 Addition modulo 232(⊞)
Let us take two vectors P,Q∈F232 and addition modulo 232 is defined as follows:
P⊞Q=P+Qmod232=P+Q&0xFFFFFFFFE39
Here, + is normal addition and & is bitwise AND-operator.
In this article, we can observe that SNOW 1.0 has problems in its design regarding the ⋘7 shift operator. The interaction between the ⋘7 shift operator and the S-box is one of the reasons for the large correlation in the FSM. Besides, the S-box used in SNOW 1.0 is not up to the mark. So, changing the S-box with Rijndael improves its power [35] against Guess and Distinguishing attack. In this context, SNOW 2.0 is better than SNOW 1.0 with respect to the design issues and cryptographic attacks. Still, it is susceptible to several attacks. Among all the attacks, the best-known attack is Algebraic Attack [29] which is taken care in the upgraded version SNOW 3G. A new S-Box and another Register are introduced in SNOW 3G to circumvent the problems in SNOW 2.0. Besides, the only practical attack possible for SNOW 2.0 and SNOW 3G is Fault Attack [8, 34] which is possible if someone access the memory location of the SNOW algorithm. This results SNOW 3G to be used in mobile telephony with 128 bit security. Though, KDFC-SNOW is another approach which is also potential candidate to resist some known plaintext attacks on SNOW 2.0, it requires some research on the implementation issue in the initialization phase. Besides, KDFC-SNOW cannot resist the recent fast correlation attack by Gond et al. [27] on SNOW 2.0. A possible research towards the improvement of SNOW family may be the finding an word LFSR with 64- or 128-bit block size with 256 bit key security which would be beneficial in 5G communication. Also, resistance of Fast Correlation Attack may be another kind of research which can be taken as future study.
References
1.Daemen J. Rijmen V. Rijndael: Aes proposal; 1999
3.Ekdahl P, Johansson T. Snow—A new stream cipher. In: Proceedings of First Open NESSIE Workshop. KU-Leuven; 2000. pp. 167-168
4.Rose G. A stream cipher based on linear feedback over gf (2 8). In: Australasian Conference on Information Security and Privacy. Springer; 1998. pp. 135-146
5.Rose G, Hawkes P. The t-class of sober stream ciphers. Unpublished manuscript. http://www.home.aone.net.au/qualcomm, 1999
6.Ekdahl P, Johansson T. A new version of the stream cipher snow. In: International Workshop on Selected Areas in Cryptography. Springer; 2002. pp. 47-61
7.Berbain C, Billet O, Canteaut A, Courtois N, Gilbert H, Goubin L, et al. Sosemanuk, a fast software-oriented stream cipher. In: New Stream Cipher Designs. Springer; 2008. pp. 98-118
8.Debraize B, Corbella IM. Fault analysis of the stream cipher snow 3g. In: 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC). IEEE; 2009. pp. 103-110
9.Lee J-K, Lee DH, Park S. Cryptanalysis of sosemanuk and snow 2.0 using linear masks. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2008. pp. 524-538
10.Feng X, Liu J, Zhou Z, Wu C, Feng D. A byte-based guess and determine attack on sosemanuk. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2010. pp. 146-157
11.Ekdahl P, Johansson T, Maximov A, Yang J. A new snow stream cipher called snow-v. IACR Transactions on Symmetric Cryptology. 2019;2019(3):1-42
12.Gong X, Zhang B. Resistance of snow-v against fast correlation attacks. IACR Transactions on Symmetric Cryptology. 2021:378-410
13.Yang J, Johansson T, Maximov A. Improved guess-and-determine and distinguishing attacks on snow-v. Cryptology ePrint Archive. 2021
14.Krishnaswamy S, Pillai HK. On the number of special feedback configurations in linear modular systems. Systems and Control Letters. 2014;66:28-34
15.Tsaban B, Vishne U. Efficient linear feedback shift registers with maximal period. Finite Fields and Their Applications. 2002;80(2):256-267
16.Zeng G, Han W, He K. High efficiency feedback shift register: Sigma-lfsr. IACR Cryptology ePrint Archive. 2007:114;2007
17.Carlet C. Boolean functions for cryptography and error correcting codes. Boolean Methods and Models. 2006
18.Cusick TW, Stanica P. Cryptographic Boolean Functions and Applications. Academic Press; 2017
19.Adams C, Tavares S. The structured design of cryptographically good s-boxes. Journal of Cryptology. 1990;30(1):27-41
20.Hawkes P, Rose GG. Guess-and-determine attacks on snow. In: International Workshop on Selected Areas in Cryptography. Springer; 2002. pp. 37-46
21.Watanabe D, Biryukov A, De Canniere C. A distinguishing attack of snow 2.0 with linear masking method. In: International Workshop on Selected Areas in Cryptography. Springer; 2003. pp. 222-233
22.Nyberg K, Wallén J. Improved linear distinguishers for snow 2.0. In: International Workshop on Fast Software Encryption. Springer; 2006. pp. 144-162
23.Siegenthaler T. Correlation attacks on certain stream ciphers with nonlinear generators. In: IEEE International Symposium Information Theory, Saint Jovite, Canada. 1983. pp. 26-29
24.Meier W, Staffelbach O. Fast correlation attacks on certain stream ciphers. Journal of Cryptology. 1989;10(3):159-176
25.Zhang B, Xu C, Meier W. Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of snow 2.0. In: Annual Cryptology Conference. Springer; 2015. pp. 643-662
26.Funabiki Y, Todo Y, Isobe T, Morii M. Several milp-aided attacks against snow 2.0. In: International Conference on Cryptology and Network Security. Springer; 2018. pp. 394-413
27.Gong X, Zhang B. Fast computation of linear approximation over certain composition functions and applications to snow 2.0 and snow 3g. Designs, Codes and Cryptography. 2020;880(11):2407-2431
28.Dalai DK. Some necessary conditions of boolean functions to resist algebraic attacks [PhD thesis]. Indian Statistical Institute; 2006
29.Billet O, Gilbert H. Resistance of snow 2.0 against algebraic attacks. In: Cryptographers’ Track at the RSA Conference. Springer; 2005. pp. 19-28
30.Ahmadi H, Eghlidos T. Heuristic guess-and-determine attacks on stream ciphers. IET Information Security. 2009;30(2):66-73
31.Nia MSN, Payandeh A. The new heuristic guess and determine attack on snow 2.0 stream cipher. IACR Cryptology ePrint Archive. 2014;2014:619
32.Nandi S, Krishnaswamy S, Zolfaghari B, Mitra P. Key-dependent feedback configuration matrix of primitive σ–lfsr and resistance to some known plaintext attacks. IEEE Access. 2022;10:44840-44854
33.Krishnaswamy S, Pillai HK. On multisequences and their extensions. arXiv preprint arXiv:1208.4501. 2012
34.Armknecht F, Meier W. Fault attacks on combiners with memory. In: International Workshop on Selected Areas in Cryptography. Springer; 2005. pp. 36-50
35.Yilmaz E. Two versions of the stream cipher snow [PhD thesis]. Middle East Technical University. 2004
Written By
Subrata Nandi, Srinivasan Krishnaswamy and Pinaki Mitra
Open access peer-reviewed chapter
