Several MILP-Aided Attacks Against SNOW 2.0

  • Yuki FunabikiEmail author
  • Yosuke Todo
  • Takanori Isobe
  • Masakatu Morii
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11124)


SNOW 2.0 is a software-oriented stream cipher and internationally standardized by ISO/IEC 18033-4. In this paper, we present three attacks on SNOW 2.0 by MILP-aided automatic search algorithms. First, we present an efficient algorithm to find linear masks with the high correlation. It enables us to improve time and data complexities of the known fast correlation attacks. Then we propose a 17-round integral distinguisher out of 32 rounds by evaluating the propagation of the division property. Moreover, we propose a cube attack on the 14-round SNOW 2.0. The time complexity is \(2^{61.59}\) where \(2^{39}\) chosen IVs are required. As far as we know, these are the first investigations about integral and cube attacks of SNOW 2.0, respectively.


Stream cipher SNOW 2.0 Fast correlation attack Division property Integral distinguisher Cube attack MILP 



This work was supported by JSPS KAKENHI Grant Numbers JP17K00184, JP17K12698.


  1. 1.
  2. 2.
    Biryukov, A., Priemuth-Schmid, D., Zhang, B.: Multiset collision attacks on reduced-round SNOW 3G and SNOW 3G(+). In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 139–153. Springer, Heidelberg (2010). Scholar
  3. 3.
    Chose, P., Joux, A., Mitton, M.: Fast correlation attacks: an algorithmic point of view. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 209–221. Springer, Heidelberg (2002). Scholar
  4. 4.
    Coppersmith, D., Halevi, S., Jutla, C.: Cryptanalysis of stream ciphers with linear masking. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 515–532. Springer, Heidelberg (2002). Scholar
  5. 5.
    Cui, T., Jia, K., Fu, K., Chen, S., Wang, M.: New automatic search tool for impossible differentials and zero-correlation linear approximations. IACR Cryptology ePrint Archive 2016, p. 689 (2016)Google Scholar
  6. 6.
    Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer, Heidelberg (2002). Scholar
  7. 7.
    Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009). Scholar
  8. 8.
    Ekdahl, P., Johansson, T.: SNOW-a new stream cipher. In: Proceedings of First Open NESSIE Workshop, pp. 167–168 (2000)Google Scholar
  9. 9.
    Ekdahl, P., Johansson, T.: A new version of the stream cipher SNOW. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 47–61. Springer, Heidelberg (2003). Scholar
  10. 10.
    Fu, K., Wang, M., Guo, Y., Sun, S., Hu, L.: MILP-based automatic search algorithms for differential and linear trails for speck. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 268–288. Springer, Heidelberg (2016). Scholar
  11. 11.
    Hawkes, P., Rose, G.G.: Guess-and-determine attacks on SNOW. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 37–46. Springer, Heidelberg (2003). Scholar
  12. 12.
    ISO/IEC: JTC1: ISO/IEC 18033–4: Information technology - security techniques - encryption algorithms - part 4: Stream ciphers (2011)Google Scholar
  13. 13.
    Lee, J.-K., Lee, D.H., Park, S.: Cryptanalysis of sosemanuk and SNOW 2.0 using linear masks. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 524–538. Springer, Heidelberg (2008). Scholar
  14. 14.
    Lu, Y., Vaudenay, S.: Faster correlation attack on bluetooth keystream generator E0. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 407–425. Springer, Heidelberg (2004). Scholar
  15. 15.
    Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994). Scholar
  16. 16.
    Meier, W., Staffelbach, O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1(3), 159–176 (1989)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Mouha, N., Wang, Q., Gu, D., Preneel, B.: Differential and linear cryptanalysis using mixed-integer linear programming. In: Wu, C.-K., Yung, M., Lin, D. (eds.) Inscrypt 2011. LNCS, vol. 7537, pp. 57–76. Springer, Heidelberg (2012). Scholar
  18. 18.
    Nyberg, K., Wallén, J.: Improved linear distinguishers for SNOW 2.0. In: Robshaw, M. (ed.) FSE 2006. LNCS, vol. 4047, pp. 144–162. Springer, Heidelberg (2006). Scholar
  19. 19.
    Sasaki, Y., Todo, Y.: New impossible differential search tool from design and cryptanalysis aspects. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 185–215. Springer, Cham (2017). Scholar
  20. 20.
    Stein, W., et al.: Sage: Open Source Mathematical Software (2008)Google Scholar
  21. 21.
    Sun, L., Wang, W., Wang, M.: Automatic search of bit-based division property for ARX ciphers and word-based division property. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 128–157. Springer, Cham (2017). Scholar
  22. 22.
    Sun, S., et al.: Towards finding the best characteristics of some bit-oriented block ciphers and automatic enumeration of (related-key) differential and linear characteristics with predefined properties. Technical report, Cryptology ePrint Archive, Report 2014/747 (2014)Google Scholar
  23. 23.
    Sun, S., Hu, L., Wang, P., Qiao, K., Ma, X., Song, L.: Automatic security evaluation and (related-key) differential characteristic search: application to SIMON, PRESENT, LBlock, DES(L) and other bit-oriented block ciphers. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 158–178. Springer, Heidelberg (2014). Scholar
  24. 24.
    Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015). Scholar
  25. 25.
    Todo, Y., Isobe, T., Hao, Y., Meier, W.: Cube attacks on non-blackbox polynomials based on division property. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 250–279. Springer, Cham (2017). Scholar
  26. 26.
    Todo, Y., Morii, M.: Bit-based division property and application to Simon family. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 357–377. Springer, Heidelberg (2016). Scholar
  27. 27.
    Wallén, J.: Linear approximations of addition modulo 2n. In: Johansson, T. (ed.) FSE 2003. LNCS, vol. 2887, pp. 261–273. Springer, Heidelberg (2003). Scholar
  28. 28.
    Wang, Q., Hao, Y., Todo, Y., Li, C., Isobe, T., Meier, W.: Improved division property based cube attacks exploiting algebraic properties of superpoly. IACR Cryptology ePrint Archive 2017, p. 1063 (2017)Google Scholar
  29. 29.
    Watanabe, D., Biryukov, A., De Cannière, C.: A distinguishing attack of SNOW 2.0 with linear masking method. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 222–233. Springer, Heidelberg (2004). Scholar
  30. 30.
    Xiang, Z., Zhang, W., Bao, Z., Lin, D.: Applying MILP method to searching integral distinguishers based on division property for 6 lightweight block ciphers. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 648–678. Springer, Heidelberg (2016). Scholar
  31. 31.
    Zhang, B., Xu, C., Meier, W.: Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of SNOW 2.0. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 643–662. Springer, Heidelberg (2015). Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Yuki Funabiki
    • 1
    Email author
  • Yosuke Todo
    • 2
  • Takanori Isobe
    • 3
  • Masakatu Morii
    • 1
  1. 1.Kobe UniversityNada-ku, KobeJapan
  2. 2.NTT Secure Platform LaboratoriesMusashino, TokyoJapan
  3. 3.University of HyogoChuo-ku, KobeJapan

Personalised recommendations