Advances in Intelligent Systems Research (AISR), volume 142 2017 International Conference on Information Technology and Intelligent Manufacturing (ITIM 2017)

Security Evolution on the Non-linear Part of SNOW2.0 against Guess and Determine Attack

Hao Hu 1, Jianjun Lu 2 1 The 27th Research Institute of China Electronics Technology Group Corporation Zhengzhou, China 2 Air Force Engineering University Xinyang, China Email: [email protected]

267 shows the complexity of O 2 , while there is no Abstract. SNOW 2.0 was proposed by Ekdahl and () Johansson as a strengthened version of SNOW 1.0, which heuristic GD attack introduced on SNOW 2.0. In [5], it was submitted to the NESSIE project, with a variable-length has been shown that there is a linear key of 256 bits. The designers of SNOW2.0 improved the distinguisher on SNOW 2.0 which requires resistance against Guess and Determine (GD) attack by 177 172 introducing two inputs to the Finite State Machine (FSM). 2 bits of keystream and 2 operations. In 2008, In this paper, the results show that the introduction of those Jung-Keun Lee et al.[6] presented a correlation attack two inputs is not optimal. The suggestion on improving the on SNOW2.0 with a computational complexity of resistance against GD attack for SNOW2.0 is given. O (2212.38 ), a Memory complexity of O (2202.83 )bits, a

Keywords-SNOW2.0; Guess and Determine Attack; data complexity of O (2198.77 )bits. SNOW1.0; Finite State Machine The main changes from SNOW 1.0 to SNOW 2.0 1 Introduction were to modify the feedback polynomial and to ensure that the FSM takes two inputs from the shift register. The original version denoted SNOW1.0[1] was The introduction of two inputs to the FSM part makes a submitted to the NESSIE project. It has excellent guess-and-determine attack more difficult. But the performance, several faster than AES. However, a few designers of SNOW2.0 did not show the method of attacks have been reported. SNOW2.0 was proposed by introducing these two inputs in [2]. In this paper, we Ekdahl and Johansson in [2] as a strengthened version will show the optimal inputs introduced to the FSM of SNOW1.0. Currently, SNOW2.0 is considered part to improve the resistance against GD attacks. as one of the most efficient stream ciphers. In section 2 a short description of SNOW 2.0 is It is used for benchmarking the performance of stream given. In section 3 we show the optimal inputs ciphers by the eSTREAM project. SNOW2.0 has also introduced to the FSM part. We give an overall view on been taken as a starting point for the ETSI project on a the paper along with suggestions on improving the design of a new UMTS encryption algorithm [3]. resistance against GD attacks for SNOW 2.0 in section Because of efficient implementation both in hardware 4. and software, SNOW 2.0 is one out of two stream ciphers chosen for the forthcoming international 2 a short description of SNOW 2.0 standard ISO/IEC IS 18033-4[3]. Guess and Determine (GD) attack can be considered SNOW2.0 is a word-oriented stream cipher with as one of the general attacks on stream ciphers. Arising 16-word internal state. Each word consists of 32 bits. from the name, in GD attacks, the contents of some The keystream generation of SNOW2.0 can be grouped cells are to be guessed, based on which the contents of under roughly 3 parts: Linear Feedback Shift Register the other cells of the stream cipher can be determined. (LFSR), Finite State Machine (FSM), and output In [4] a systematic way of implementing some GD Transformation. The bitwise XOR of two 32-bit blocks attacks by solving systems of linear equations, called is denoted by Å and addition modulo 232 is denoted Advanced GD attacks, is introduced. The result of by □＋. implementing Advanced GD attacks on SNOW 2.0 Figure.1 is a schematic picture of SNOW2.0.

Copyright © 2017, the Authors. Published by Atlantis Press. 120 This is an open access article under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/). Advances in Intelligent Systems Research (AISR), volume 142

FSM, denoted ft , is calculated as □＋ ftt= (s +15 RR1)tÅ 2t (4)

Then the output zt of the keystream generator is given as

zfstt=Åt (5) The FSM is updated as follows. □＋ Rs1tt++15= R2t (6)

RSR2t+1 = (1t) (7) The S-box, denoted S , is a permutation on  based on the round function of Rijndael [7]. 232

Fig 1. A schematic picture of SNOW2.0 3 The analysis of optimal inputs introduced to the FSM part In SNOW2.0, we have two different elements involved in the feedback loop, a and a-1 , where a is In [2], the authors claim that the FSM taking two inputs making GD attacks more difficult. Because a root of primitive polynomial of degree 4 over F . 28 given the output of FSM, together with R1 and R2 is To be more precise, the LFSR consists of sixteen 32-bit no longer possible to deduce the next FSM state registers and is associated with the feedback directly. The update of R1 does not depend on the polynomial over GF( 232 ) as follows. output of the FSM, but on a word taken from the LFSR. paxxx=+++Î16 14 a- 1 x 5 1 Féùx (1) Hence, the introduction of s in relation (6) result in () 232 ëûêú t+5 Here, a is a root of XX4++bb 23 3 245 XX 2 ++ bb 48 239 improving the resistance against GD attack and correlation attack. But the authors do not show the Î F éùx ,and b is a root of XXXX8753++++1 Î F éxù . 28 ëû 2 ë û reason of introducing st+5 not other states of LFSR. Let the state of LFSR at time t ³ 0 be denoted In fact, the introduction of s in relation (6) is éù t+5 ()sssFxi,, ,Î32 ,³ 0. So the recursive ttti++15 2 ëûêú not optimal for improving the resistance against GD relationship between the LFSR and states is as follows. attack according to our research. Here, we will replace ss=+a-1 s +as (2) tt++16 2 t + 11 t st+5 in relation (6) with other states of LFSR, keeping Thus, by squaring (2) we have other parts of SNOW2.0 unchanged. Then we give GD -22 attacks on each kind of modified SNOW2.0. For sstt++32=+ 4a s t + 22 +ast (3) The FSM has two registers, denoted R1 and R2 , comparison we also give a GD attack on unmodified SNOW2.0. The results are depicted in Table 1. In this each holding 32 bits. The value of the registers at time table, the inputs denote the states of LFSR introduced t ³ 0 R1 R2 is denoted t and t , respectively. The to the FSM part. input to the FSM is (sst++15, t5 ) and the output of the

121 Advances in Intelligent Systems Research (AISR), volume 142

Table 1. The results of GD attacks on each kind of modified SNOW2.0

The input The elements guessed for GD attack Computational complexity

O 2256 st RRs1,tttttt 2,-+++1143 , sss , , , R 1 t , R 1 t+4 () O 2256 st+1 RRs1,ttttttt 2,-+++1124 , sss , , , s , R 1 t+3 () O 2256 st+2 RRs1,ttttttt 2,-+++1123 , sss , , , s , R 1 t+3 () O 2288 st+3 RRs1,2,ttttttt-++++12343 ,, sss , , s ,1 R t ,1 R t+6 () O 2288 st+4 RRs1,tttttttt 2,-++++13453 , sss , , , s , R 1 , R 1 t+6 () O 2288 st+5 RRsss1,2,,,,,,1,1t ttt++++1456 t s t s t R t + 3 R t +5 () O 2288 st+6 RRsss1,2,,,,,,1,1t ttt++++1567 t s t s t R t + 3 R t +5 () O 2320 st+7 RRs1,2,,,,,,,1,1tttttttt++++++145678 s s s s s R t + 3 R t +5 () O 2320 st+8 RRsss1,2,,tttttttt+++++12789 , , s , s , s ,1 R t + 3 ,1 R t +5 () O 2320 st+9 RRsssssss1,2,,,,,,,ttttttttt+++++++12348910 ,1 R t +3 () O 2288 st+10 RRs1,ttttttt 2,+++++23491011 , s , s , s , s , s t + , R 1 t +3 () O 2256 st+11 RRs1,ttttt 2,+++2 , s 3 , s 10 , s t + 11 , s t + 12 , R 1 t + 3 () O 2256 st+12 RRs1,ttttt 2,+++3 , s 4 , s 11 , s t + 12 , s t + 13 , R 1 t + 3 () O 2256 st+13 RRsssssR1,2,,,,,,1ttttttt+++++10 11 12 13 14 t + 3 () O 2256 st+14 RRs1,ttttt 2,+++2 , s 3 , s 13 , s t + 14 , s t + 15 , R 1 t + 3 () O 2256 st+15 RRs1,2,,,,1,1,1tttt+++14 s 15 s t 16 R t + 3 R t + 4 R t + 5 ()

According to table 1, we can see that the input 4. Conclusions st+5 introduced to the FSM part is not optimal for improving the resistance against GD attack as the The designers of SNOW2.0 improved the resistance designers claimed. The results in table 1 show that against Guess and Determine (GD) attack by introducing two inputs to the Finite State Machine replacing s with one of three states sss,, t+5 ttt+++789 (FSM). In this paper, the results show that the can improve the resistance against GD attack for introduction of those two inputs is not optimal. The SNOW 2.0. This is our suggestion on modifying suggestion on improving the resistance against GD SNOW2.0. As for Advanced GD attack on SNOW2.0 attack for SNOW2.0 is given. introduced in [4], which is through solving systems of linear equations, it is mainly based on the linear References relations (2) and (3). Here we keep these two relations [1] P.Ekdahl,T.Johansson.SNOW–a new stream cipher.Proce unchanged, only modifying the input s introduced t+5 edings of first NESSIE workshop,Heverlee,Belgium,2000. to the FSM part. Hence, we think that the complexity [2] P. Ekdahl and T. Johansson. “A New Version of the of Advanced GD attack on modified SNOW2.0 will Stream Cipher SNOW”, Selected Areas in Cryptography,

267 SAC 2002, LNCS 2295, pp.47-61, Springer Verlag, 2002. keep about O ()2 unchanged. [3] ETSI/SAGE.Specification of the 3GPP confidentiality and integrity algorithms UEA2&UIA2.Document 5:Design and evaluationreport,version:1.0,2006.http://www.3gpp.org/

122 Advances in Intelligent Systems Research (AISR), volume 142

ftp/tsg_sa/WG3_Security/TSGS3_42_Bangalore/Docs/S3060 [6] Jung-Keun Lee, Dong Hoon Lee, and Sangwoo Park. 180.zip “Cryptanalysis of Sosemanuk and SNOW2.0 Using Linear [4] H. Ahmadi and T. Eghlidos.“Advanced Guess and Masks”. ASIACRYPT 2008, LNCS 5350, pp.524–538, 2008. Determine Attacks on Stream Cipher”.IST 2005, pp.87-91, [7] Daemen J, Rijmen V. The design of Rilndael: AES-the 2005. Advanced Encryption Standard. Springer-Verlag, [5] Nyberg Kaisa and Wallen Johan.Improved Linear Berlin,2002. Distinguishers for SNOW2.0.International Association of [8] P. Hawkes,G. Rose. “Guess-and-determine attacks on Cryptologic Research,vol 4047,p144-162,springer-Verlag. SNOW”, Preproceedings of Selected Areas in Cryptography (SAC), August 2002, St John’s, Newfoun

123