(Quantum) Time-Memory-Data Tradeoff Attacks on the SNOW-V Stream Cipher

Abstract

Symmetric cryptosystems (i.e., stream ciphers and block ciphers) have always played an important part in securing the various generations of 3GPP (3rd Generation Partnership Project) mobile telephony systems. The SNOW-V stream cipher, published in September 2019, is the most recent member of the well-known SNOW family of ciphers. It is designed to provide confidentiality and integrity for 5G communications. There have been no time-memory-data tradeoff (TMDTO) attacks on the cipher published so far. By combining with the BSW sampling technique, we propose TMDTO attacks on SNOW-V. The results show that the attacker can mount a TMDTO attack, where none of the online time complexity, the memory complexity and the offline time complexity are bigger than $2^{256}$, if the keystream sequences generated by the secret key, together with different IVs, are provided to the attacker. Furthermore, we analyze the security of SNOW-V against quantum TMDTO attacks, and the results show that a quantum TMDTO attack offers, strictly, better online time complexity than Grover’s algorithm, when the available memory space is bigger than $2^{170.67}$. These results are helpful in evaluating the security of SNOW-V against (quantum) TMDTO attacks.

1. Introduction

Starting with the GSM (Global System for Mobile Communication) system, which employs the A5-1 stream cipher [1], symmetric cryptosystems (i.e., stream ciphers and block ciphers) have always played an important role in securing the various generations of 3GPP (3rd Generation Partnership Project) mobile telephony systems. The block cipher KASUMI [2] is the heart of 3GPP confidentiality algorithm f8 and 3GPP integrity algorithm f9. SNOW 3G [3] is a stream cipher used by the 3GPP standards, as the core part of the confidentiality and integrity algorithms for the UMTS (Universal Moblle Telecommunications System) and LTE (Long Term Evolution) networks. The stream cipher ZUC [4] forms the core component in 3GPP confidentiality and integrity algorithms 128-EEA3 and 128-EIA3.

The SNOW-V stream cipher, proposed by Ekdahl, Johansson, Maximov and Yang [5], in November 2018, is the most recent member of the SNOW family of stream ciphers. The latest version of this stream cipher was published in September 2019 in [5], which is the focus of this analysis. The SNOW-V stream cipher follows the same design principles of its predecessors, SNOW [6], SNOW 2.0 [7] and the 3GPP-standard stream cipher SNOW 3G [3], but introduces changes that make the stream cipher more suitable for high-speed encryption in virtualized environments. The target application of the cipher is to provide confidentiality and integrity for 5G communications. In the specification of SNOW-V, the designers had given a comprehensive security analysis, including almost all known cryptanalytic techniques. The results show that SNOW-V is secure against these attacks and can provide a 256-bit security level, as claimed.

Related works. Up to now, some cryptanalytic results of SNOW-V have been published. In January 2020, Jiao, Li and Hao [8] proposed a byte-based guess-and-determine attack on SNOW-V, with complexity $2^{406}$, using seven keystream blocks. Later, it was improved by Yang, Johansson and Maximov [9], to have a time complexity of $2^{378}$. To make a better understanding of the design of SNOW-V, several attacks on the simplified variants of SNOW-V were published. In [9], a distinguishing attack on a simplified variant of SNOW-V, where 32-bit adders are replaced with exclusive or, was proposed with a time complexity of $2^{303}$. At FSE 2021, Gong and Zhang [10] gave a fast correlation attack on another simplified variant of SNOW-V, where some of the 32-bit adders are replaced with 8-bit adders, which recovers all 896 internal state bits with a time complexity of $2^{377.01}$, requiring a memory space of $2^{363}$ and $2^{253.73}$ keystream outputs. In [11,12], Hoki, Isobe, Ito, Liu and Sakamoto constructed a MILP model, to search for integral characteristics using the division property, and applied this search model to SNOW-V. They proposed distinguishing and key recovery attacks on the reduced-round versions of the SNOW-V stream cipher. Note that none of these attacks above threaten the security of full SNOW-V.

Recently, an automatic-linear-trails search method, by solving the SMT/SAT model, was proposed for full SNOW-V, by Shi, Jin, Zhang, Cui, Ding and Jin [13], at EUROCRYPT 2022. The authors gave a correlation attack on full SNOW-V, which recovers all 896 internal state bits with a time complexity of $2^{246.53}$, requiring a memory space of $2^{238.77}$ and $2^{237.5}$ keystream outputs. Later, Zhou, Feng and Zhang [14] proposed an improved correlation attack on full SNOW-V, which recovers all 896 internal state bits with a time complexity of $2^{240.86}$, requiring a memory space of $2^{240.37}$ and $2^{236.87}$ keystream outputs. There two attacks show that SNOW-V is vulnerable against correlation attacks and cannot offer 256-bit security.

Our contributions. To the best of our knowledge, there have been no time-memory-data tradeoff (TMDTO) attacks on the cipher published so far. This paper presents the first TMDTO attacks and quantum TMDTO attacks on the stream cipher SNOW-V. We combine TMDTO attacks with the BSW sampling technique, to analyze the security of SNOW-V. The results show that SNOW-V is secure against BS-TMDTO attacks, while the attacker can mount a BG-TMDTO attack, where none of the online time complexity, the memory complexity and the offline time complexity is bigger than $2^{256}$, if the keystream sequences generated by the secret key, together with different IVs, are provided to the attacker. Furthermore, we analyze the security of SNOW-V against quantum TMDTO attacks, and the results show that a quantum TMDTO attack offers, strictly, better online time complexity than Grover’s algorithm, when the available memory space is bigger than $2^{170.67}$. These results are helpful in evaluating the security of SNOW-V against (quantum) TMDTO attacks.

The rest of the paper is organized as follows. In Section 2, a brief description of SNOW-V is given. In Section 3, we briefly introduce a TMDTO attack and a quantum TMDTO attack. The security of SNOW-V against TMDTO attacks with BSW sampling is analyzed in Section 4. In Section 5, we analyze the security of SNOW-V against quantum TMDTO attacks. Concluding remarks are given in Section 6.

2. Brief Description of SNOW-V

The SNOW-V stream cipher supports a 256-bit key and a 128-bit initialization vector (IV). It has a large internal state size of 896 bits and outputs 128 bits at each clock. It is built around two components, i.e., two linear feedback shift registers of length 16, over the field $GF\left(2^{16}\right)$, and a non-linear finite-state machine (FSM), with three 128-bit registers. Figure 1 gives a diagrammatic representation of the SNOW-V stream cipher. In Figure 1, the symbol ⊕ denotes a bitwise XOR operation, and the symbol ${⊞}_{32}$ denotes a parallel application of four additions modulo $2^{32}$ over each sub-word. It should be noted that, in the operation ${⊞}_{32}$, the four 32-bit parts of the 128-bit words are added with carry, but the carry from a lower 32-bit word to a higher is discarded.

The two LFSRs are named LFSR-A and LFSR-B, both of length 16 and with a cell size of 16 bits. They use different irreducible polynomials, each feeding into the other. Denote the states of the LFSR-A and LFSR-B as $\left(a_{15}^{\left(t\right)},\cdots ,a_0^{\left(t\right)}\right)$ and $\left(b_{15}^{\left(t\right)},\cdots ,b_0^{\left(t\right)}\right)$, respectively, at time $t\ge 0$. The update functions of LFSR-A and LFSR-B are given as follows.

$$a_{15}^{\left(t+1\right)}=b_0^{\left(t\right)}\oplus \alpha a_0^{\left(t\right)}\oplus a_1^{\left(t\right)}\oplus {\alpha }^{-1}{a}_8^{\left(t\right)}$$

$$a_i^{\left(t+1\right)}=a_{i+1}^{\left(t\right)},i=0,1,\cdots ,14$$

$$b_{15}^{\left(t+1\right)}=a_0^{\left(t\right)}\oplus \beta b_0^{\left(t\right)}\oplus b_3^{\left(t\right)}\oplus {\beta }^{-1}{b}_8^{\left(t\right)}$$

$$b_i^{\left(t+1\right)}=b_{i+1}^{\left(t\right)},i=0,1,\cdots ,14$$

where $\alpha$ and $\beta$ are roots of two different primitive polynomials over $GF\left(2^{16}\right)$, and the notations ${\alpha }^{-1}$ and ${\beta }^{-1}$ are the inverses in the respective implemented fields. At each time, SNOW-V updates the two LFSRs eight times, i.e., 256 bits of the total 512-bit state will be updated in a single step.

The FSM contains three 128-bit registers, denoted as $R{1}^{\left(t\right)},R{2}^{\left(t\right)},R{3}^{\left(t\right)}$, at time $t\ge 0$, which takes two blocks, $T1$ and $T2$, from the two LFSRs as inputs and produces a 128-bit keystream as output. The update expressions of FSM are defined as below.

$$R{1}^{\left(t+1\right)}=\sigma \left(R{2}^{\left(t\right)}{⊞}_{32}\left(R{3}^{\left(t\right)}\oplus T{2}^{\left(t\right)}\right)\right)$$

$$R{2}^{\left(t+1\right)}=AE{S}^R\left(R{1}^{\left(t\right)},C1\right)$$

$$R{3}^{\left(t+1\right)}=AE{S}^R\left(R{2}^{\left(t\right)},C2\right)$$

where the block $T{2}^{\left(t\right)}$ is a 128-bit word denoted as $T{2}^{\left(t\right)}=\left(a_7^{\left(8t\right)},\cdots ,a_0^{\left(8t\right)}\right)$, $\sigma$ is a byte-oriented permutation given by $\sigma$ = [ 0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]. $AE{S}^R\left(IN,key\right)$ denotes the AES encryption round function, and $C1$ and $C2$ are two round-key constants, with values that are both fixed to be zero.

The 128-bit keystream, $z^{\left(t\right)}$ at time $t\ge 0$, is outputted by the following expression

$$z^{\left(t\right)}=\left(R{1}^{\left(t\right)}{⊞}_{32}T{1}^{\left(t\right)}\right)\oplus R{2}^{\left(t\right)}$$

where the block $T{1}^{\left(t\right)}$ is a 128-bit word denoted as $T{1}^{\left(t\right)}=\left(b_{15}^{\left(8t\right)},\cdots ,b_8^{\left(8t\right)}\right)$.

The SNOW-V (Algorithm 1) stream cipher has a 256-bit key K and a 128-bit initialization vector $IV$ as inputs. Denote the key and IV as $K=\left(k_{15},\cdots ,k_0\right)$ and $IV=\left(i{v}_7,\cdots ,i{v}_0\right)$, and each $k_i\left(0\le i\le 15\right)$ and $i{v}_j\left(0\le j\le 7\right)$ is a 16-bit vector. The first step of the initialization is to load the key and IV into the two LFSRs, by assigning $\left(a_{15}^{\left(0\right)},\cdots ,a_0^{\left(0\right)}\right)=\left(k_7,\cdots ,k_0,i{v}_7,\cdots ,i{v}_0\right)$ and $\left(b_{15}^{\left(0\right)},\cdots ,b_0^{\left(0\right)}\right)=\left(k_{15},\cdots ,k_8,0,\cdots ,0\right)$. Then, the cipher is clocked 16 times in the same way as in the running-key mode, with the exception being that the 128-bit output $z^{\left(t\right)}$ is not outputted while XORed into LFSR-A at each clock. Note that at the two last clocks of initialization, the key is XORed into the $R1$ register, again. The procedure of initialization can be described in the pseudocode as follows.

Algorithm 1 Initialization of SNOW-V.

Procedure $INITIALIZATION\left(K,IV\right)$   $\left(a_{15},\cdots ,a_8\right)\leftarrow \left(k_7,\cdots ,k_0\right)$   $\left(a_7,\cdots ,a_0\right)\leftarrow \left(i{v}_7,\cdots ,i{v}_0\right)$   $\left(b_{15},\cdots ,b_8\right)\leftarrow \left(k_{15},\cdots ,k_8\right)$   $\left(b_7,\cdots ,b_0\right)\leftarrow \left(0,\cdots ,0\right)$   $R1,R2,R3\leftarrow 0,0,0$   For t from 1 to 16 do     $T1\leftarrow \left(b_{15},\cdots ,b_8\right)$     $FSMupdate\left(\right)$     $LFSRupdate\left(\right)$     $\left(a_{15},\cdots ,a_8\right)\leftarrow \left(a_{15},\cdots ,a_8\right)\oplus z$     If $t=15$ then $R1\leftarrow R1\oplus \left(k_7,\cdots ,k_0\right)$     If $t=16$ then $R1\leftarrow R1\oplus \left(k_{15},\cdots ,k_8\right)$

After the initialization, the SNOW-V stream cipher starts the keystream generation. The following Algorithm 2 gives a full description of SNOW-V in the pseudocode.

Algorithm 2 SNOW-V Algorithm.

$INITIALIZATION\left(K,IV\right)$   While more keystream blocks needed do     $T1\leftarrow \left(b_{15},\cdots ,b_8\right)$     $FSMupdate\left(\right)$     $LFSRupdate\left(\right)$     Output keystream block z

3. TMDTO Attack and Quantum TMDTO Attack

The problem of, efficiently, inverting a random-looking function f is a fundamental problem in cryptanalysis, where $f\left(x\right)$ is considered as the cipher-text obtained, by encrypting some fixed plain-text p under the secret key x. In 1980, Hellman [15] proposed the well-known time–memory tradeoff (TMTO) technique, to solve this problem. The complexities of Hellman’s TMTO attack can be evaluated by looking at three main parameters, i.e., the online time complexity T, the memory complexity M and the offline time complexity P. The obtained tradeoff curve is $T{M}^2=N^2,P=N$, where N is the number of possible internal states. A time-memory-data tradeoff (TMDTO) attack is a generalization of the time–memory tradeoff technique, which aims at obtaining a better tradeoff by increasing the number of required data. Generally, a TMDTO attack has two phases: an offline phase, where the mapping table from different inputs to keystreams is constructed and stored, and an online phase, where the attacker has intercepted some keystreams and searches for them in the table, expecting to get some matches and, further, recover the corresponding input. The complexities of a TMDTO attack can be evaluated by looking at four main parameters, i.e., the online time complexity T, the memory complexity M, the data complexity D and the offline time complexity P. TMDTO attacks on stream ciphers can be divided into two scenarios, according to the function the attacker tries to invert. In the first scenario, the attacker tries to invert the function mapping of the internal states of a stream cipher to a segment of the keystream output. The most classic attacks in this scenario are Babbage-Golić (BG) [16,17] and Biryukov-Shamir (BS) [18] tradeoffs, with curves $TM=N,P=M$ with $D=T$ and $T{M}^2{D}^2=N^2,P=N/\phantom{ND}D$ with $1\le D^2\le T$, respectively. A BS-TMDTO attack is an extension of the original attack by Hellman, by utilizing multiple data points. In the other scenario, TMDTO attacks can, also, be used to invert the function mapping of the initial inputs (e.g., Key and IV) of a stream cipher to a segment of the keystream output. The most classic attacks in this scenario are Hong-Sarkar (HS-TMDTO) [19] and Dunkelman-Keller (DK-TMDTO) tradeoffs [20], both of which have the same curve as a BS-TMDTO attack with $N=K\times V$. Here, K and V denote the number of possible keys and IVs, respectively.

In 2015, Nayebi, Aaronson, Belovs and Trevisan [21] first analyzed the time–memory tradeoff attacks in the quantum setting, when f is a permutation, taking into consideration the power offered by quantum algorithms and, particularly, Grover’s algorithm [22]. The attack was extended to the case of random functions in [23,24]. At FOCS 2020, it was proven, by Chung, Guo, Liu and Qian [25], that no quantum algorithms with quantum advice and memory less than $\sqrt{N}$ are better, compared with a simple application of Grover’s algorithm to this problem. Recently, Dunkelman, Keller, Ronen and Shamir [26] proposed the quantum version of time-memory-data tradeoff attacks, and improved Hellman’s tradeoff curve to $T^{\frac{4}{3}}{M}^2=N^2$ and the time-memory-data curve to $T^{\frac{4}{3}}{M}^2{D}^2=N^2$, respectively. A typical point on this curve is $T=M=D=N^{\frac{3}{8}}$.

4. TMDTO Attacks on SNOW-V with BSW Sampling

In this section, we will analyze the sampling resistances of SNOW-V, and imply a BS-TMDTO attack and a BG-TMDTO attack with BSW sampling to the cipher, respectively. The key of implying TMDTO attacks with BSW sampling is to compute the sampling resistance of the cipher.

4.1. BSW Sampling

The BSW sampling technique was first introduced by Biryukov, Shamir and Wagner [27] at FSE 2000, which helps the TMDTO attacks acquire a wider choice of parameters, by relaxing the restriction. Generally, the BSW sampling technique works if the following assumption [28] is satisfied for a given stream cipher.

Assumption A1

([28]). For a given stream cipher with the internal state size $n={log}_{2}N$, given the value of its $n-l$ particular state bits and the first l keystream bits produced from that state, the remaining l internal state bits may be deduced, directly.

By setting the first output segment of the keystream bits of the cipher to be fixed string, such as a run of consecutive zeros, the BSW sampling helps the attacker find an efficient way to generate and enumerate special cipher states. If the assumption above is satisfied, the cipher has a sampling resistance of $R=2^{-l}$. The TMDTO attack, combined with BSW sampling, has the same tradeoff curve as the BS-TMDTO attack, i.e., $T{M}^2{D}^2=N^2$ and $P=N/\phantom{ND}D$. However, a new restriction $1\le D^2\le T$ is obtained, which leads to a wider choice of parameters, compared with the restriction $1\le R^2{D}^2\le T$, in a BS-TMDTO attack. This probably enables a BS-TMDTO attack to achieve a better complexity level, by relaxing the restriction. After the introduction of the BSW sampling technique, it had been successfully applied to MICKEY and Grain stream ciphers, see [29,30] for more details. Besides, Ding, Jin, Guan and Qi [28] proposed a generalization of a BG-TMDTO attack at AFRICACRYPT 2014, based on the BSW sampling technique.

4.2. Sampling Resistances of SNOW-V

Recalling the description of SNOW-V, we can rewrite the update functions of two LFSRs to facilitate the calculation of sampling resistances.

$$LFSR-A:T{1}^{\left(t-1\right)},T{1}^{\left(t\right)},T{2}^{\left(t+1\right)}\Rightarrow T{2}^{\left(t+2\right)}$$

$$LFSR-B:T{2}^{\left(t\right)},T{1}^{\left(t-1\right)},T{1}^{\left(t\right)}\Rightarrow T{1}^{\left(t+1\right)}$$

where

$$T{1}^{\left(t-1\right)}=\left(b_{15}^{\left(8t-8\right)},\cdots ,b_8^{\left(8t-8\right)}\right)=\left(b_7^{\left(8t\right)},\cdots ,b_0^{\left(8t\right)}\right)$$

$$T{1}^{\left(t\right)}=\left(b_{15}^{\left(8t\right)},\cdots ,b_8^{\left(8t\right)}\right)$$

$$T{1}^{\left(t+1\right)}=\left(b_{15}^{\left(8t+8\right)},\cdots ,b_8^{\left(8t+8\right)}\right)$$

$$T{2}^{\left(t\right)}=\left(a_7^{\left(8t\right)},\cdots ,a_0^{\left(8t\right)}\right)$$

$$T{2}^{\left(t+1\right)}=\left(a_7^{\left(8t+8\right)},\cdots ,a_0^{\left(8t+8\right)}\right)=\left(a_{15}^{\left(8t\right)},\cdots ,a_8^{\left(8t\right)}\right)$$

$$T{2}^{\left(t+2\right)}=\left(a_7^{\left(8t+16\right)},\cdots ,a_0^{\left(8t+16\right)}\right)=\left(a_{15}^{\left(8t+8\right)},\cdots ,a_8^{\left(8t+8\right)}\right)$$

Recalling Assumption 1 above, it is easy to verify that $l=128$ and $R=2^{-128}$ satisfy for SNOW-V. The attacker can guess $R{1}^{\left(t\right)},R{3}^{\left(t\right)},T{1}^{\left(t\right)},T{1}^{\left(t-1\right)},T{2}^{\left(t\right)},T{2}^{\left(t+1\right)}$ and, then, recover $R{2}^{\left(t\right)}$ by $z^{\left(t\right)}=\left(R{1}^{\left(t\right)}{⊞}_{32}T{1}^{\left(t\right)}\right)\oplus R{2}^{\left(t\right)}$. This means that the attacker can determine 128 unknown internal state bits (i.e., $R{2}^{\left(t\right)}$) using 128 keystream bits (i.e., $z^{\left(t\right)}$), after guessing $896-128=768$ internal state bits (i.e., $R{1}^{\left(t\right)},R{3}^{\left(t\right)},T{1}^{\left(t\right)},T{1}^{\left(t-1\right)},T{2}^{\left(t\right)},T{2}^{\left(t+1\right)}$). Hence, $l=128$ and $R=2^{-128}$ satisfy for SNOW-V.

Similarly, the attacker can guess $R{1}^{\left(t\right)},T{1}^{\left(t\right)},T{1}^{\left(t-1\right)},T{2}^{\left(t\right)},T{2}^{\left(t+1\right)}$ and, then, execute the following process to recover $R{2}^{\left(t\right)}$ and $R{3}^{\left(t\right)}$.

• Determine $R{2}^{\left(t\right)}$ by $z^{\left(t\right)}=\left(R{1}^{\left(t\right)}{⊞}_{32}T{1}^{\left(t\right)}\right)\oplus R{2}^{\left(t\right)}$.
• Determine $R{1}^{\left(t-1\right)}$ by $R{2}^{\left(t\right)}=AE{S}^R\left(R{1}^{\left(t-1\right)},C1\right)$.
• Determine $R{2}^{\left(t-1\right)}$ by $z^{\left(t-1\right)}=\left(R{1}^{\left(t-1\right)}{⊞}_{32}T{1}^{\left(t-1\right)}\right)\oplus R{2}^{\left(t-1\right)}$.
• Determine $R{3}^{\left(t\right)}$ by $R{3}^{\left(t\right)}=AE{S}^R\left(R{2}^{\left(t-1\right)},C2\right)$.

The process above shows that the attacker can determine 256 unknown internal state bits (i.e., $R{2}^{\left(t\right)},R{3}^{\left(t\right)}$) using 256 keystream bits (i.e., $z^{\left(t\right)},z^{\left(t-1\right)}$), after guessing $896-256=640$ internal state bits (i.e., $R{1}^{\left(t\right)},T{1}^{\left(t\right)},T{1}^{\left(t-1\right)},T{2}^{\left(t\right)},T{2}^{\left(t+1\right)}$). Hence, $l=256$ and $R=2^{-256}$ satisfy for SNOW-V.

In [8], Jiao et al. had given a specific Guess and Determine attack on SNOW-V, which confirms that $l=384$ and $R=2^{-384}$ satisfy for SNOW-V. In their work, the attacker can guess $R{1}^{\left(t\right)},R{1}^{\left(2\right)},T{1}^{\left(t-1\right)},T{2}^{\left(t\right)}$ and, then, execute a specific process to recover $R{2}^{\left(t\right)},R{3}^{\left(t\right)},T{1}^{\left(t\right)},T{2}^{\left(t+1\right)}$ with 384 keystream bits $z^{\left(t\right)},z^{\left(t+1\right)},z^{\left(t+2\right)}$. Hence, $l=384$ and $R=2^{-384}$ satisfy for SNOW-V.

4.3. TMDTO Attacks on SNOW-V with BSW Sampling

After calculating the sampling resistances of SNOW-V, we will imply a BS-TMDTO attack and a BG-TMDTO attack with BSW sampling to the cipher, respectively.

The tradeoff curve of BS-TMDTO attack with BSW sampling is the same as the BS-TMDTO attack, i.e., $T{M}^2{D}^2=N^2$ and $P=N/\phantom{ND}D$, while the choice of parameters is widened by relaxing the restriction $1\le D^2\le T$ to $1\le R^2{D}^2\le T$. A reasonable choice is $T=M=\sqrt{RN}$, $D=R^{-1}\sqrt{T}$ and $P=N/\phantom{N\left(R^{-1}\sqrt{T}\right)}\left(R^{-1}\sqrt{T}\right)$, by setting $R^2{D}^2=T$ to reduce the online time complexity and memory complexity. As for SNOW-V, it has $N=2^{896}$, which indicates the internal state space of SNOW-V. The complexities of BS-TMDTO attacks on SNOW-V with BSW sampling are summarized in

Table 1. BS-TMDTO attacks on SNOW-V with BSW sampling.

Sampling Resistance	T	M	D	P
$R=2^{-128}$	$2^{384}$	$2^{384}$	$2^{320}$	$2^{576}$
$R=2^{-256}$	$2^{320}$	$2^{320}$	$2^{416}$	$2^{480}$
$R=2^{-384}$	$2^{256}$	$2^{256}$	$2^{512}$	$2^{384}$

. The results show that SNOW-V is secure against BS-TMDTO attacks.

The tradeoff curve of a BG-TMDTO attack with BSW sampling is given in [28], i.e., $MT=rRN$, $MD=N$, $P=M$ and $D=d·d^{\prime }$, where r is an integer parameter satisfying the restriction $1\le r\le R^{-1}$, d denotes the number of keystream sequences generated by the given stream cipher for different IVs and $d^{\prime }$ denotes the length of each keystream sequence. As for SNOW-V, we have $N=2^{896}$, which indicates the internal state space of SNOW-V. The complexities of BG-TMDTO attacks with BSW sampling on SNOW-V are summarized in

Table 2. BG-TMDTO attacks on SNOW-V with BSW sampling.

Sampling Resistance	Integer Parameter	T	M	$\mathit{D}\left(\mathit{d},{\mathit{d}}^{\prime }\right)$	P
$R=2^{-128}$	$r=1$	$2^{384}$	$2^{384}$	$2^{384}\left(2^{192},2^{192}\right)$	$2^{384}$
$R=2^{-256}$	$r=1$	$2^{320}$	$2^{320}$	$2^{576}\left(2^{288},2^{288}\right)$	$2^{320}$
$R=2^{-384}$	$r=1$	$2^{256}$	$2^{256}$	$2^{640}\left(2^{320},2^{320}\right)$	$2^{256}$

. The results show that the attacker can mount a TMDTO attack, where none of the online time complexity, the memory complexity and the offline time complexity are bigger than $2^{256}$, if the keystream sequences generated by the secret key, together with the different IVs, are provided to the attacker.

5. Quantum TMDTO Attacks on SNOW-V

Grover’s algorithm is a quantum computing algorithm invented to search from an unstructured database, which can be mathematically modeled as follows.

Problem 1

([31]). Let $f:{\{0,1\}}^n\to 0,1$ be a binary function on the set of n-bit strings. The problem is to find an element $x\in {\{0,1\}}^n$, such that $f\left(x\right)=1$.

Let f be a quantum circuit or a quantum oracle with the promise $|f^{-1}\left(1\right)|=1$; Grover’s algorithm can solve this problem above with $O\left(2^{\frac{n}{2}}\right)$ evaluations of f. Comparing to $O\left(2^n\right)$, which is the best asymptotical complexity that a classical search algorithm could achieve for an unstructured database, Grover’s algorithm obtains a quadratic speedup and is significantly better. Thus, it is widely recognized that doubling the key size of the symmetric ciphers will be enough to maintain the same security level against quantum adversaries.

In [25], Chung et al. proved that even with quantum advice, $TM+T^2=N$ is required for an algorithm to invert random functions. In [26], Dunkelman, Keller, Ronen and Shamir improved the Hellman’s tradeoff curve to $T^{\frac{4}{3}}{M}^2=N^2$ and generalized the time-memory-data tradeoff curve to $T^{\frac{4}{3}}{M}^2{D}^2=N^2$, respectively. The quantum TMDTO attack has a circuit size of about $O\left(f\right)$ qubits. A typical point on this curve is $T=M=D=N^{\frac{3}{8}}$. As we know, the tradeoff curve for a DK-TMDTO attack is the same as a BS-TMDTO attack with $N=K\times V$ and $1\le D\le V$. Here, denote K and V as the numbers of possible keys and IVs, respectively. Now, we combine a quantum time-memory-data tradeoff attack with a DK-TMDTO attack, to analyze the stream cipher SNOW-V.

As for the stream cipher SNOW-V, we have $N=K\times V=2^{256}\times 2^{128}=2^{384}$. That is, we obtain a tradeoff curve for SNOW-V, as $T^{\frac{4}{3}}{M}^2{D}^2=2^{768}$ and $1\le D\le 2^{128}$. It is easy to see that a typical point on this curve is $T=M=D=2^{144}$. However, it does not satisfy the restriction $1\le D\le 2^{128}$.

Table 3. Quantum time-memory-data tradeoff attacks on SNOW-V.

N	K	V	T	M	D
			$2^{158.4}$	$2^{158.4}$	$2^{120}$
$2^{384}$	$2^{256}$	$2^{128}$	$2^{153.6}$	$2^{153.6}$	$2^{128}$
			$2^{128}$	$2^{170.67}$	$2^{128}$

lists the complexities of quantum time-memory-data tradeoff attacks on SNOW-V. The results show that in the quantum setting, a TMDTO attack needs memory space of at least $O\left(2^{170.67}\right)$, in order to offer an attack on SNOW-V that is faster than Grover’s algorithm. In other words, a quantum TMDTO attack on SNOW-V offers, strictly, better online time complexity than Grover’s algorithm for any $M>2^{170.67}$.

6. Conclusions

SNOW-V is a new stream cipher, designed for high-speed encryption in virtualized environments, to provide confidentiality and integrity for 5G communications. Up to now, there have been no TMDTO attacks published on this stream cipher. This paper analyzes the security of SNOW-V against TMDTO attacks and quantum TMDTO attacks. The results show that SNOW-V is secure against BS-TMDTO attacks, while the attacker can mount a BG-TMDTO attack, where none of the online time complexity, the memory complexity and the offline time complexity is bigger than $2^{256}$, if the keystream sequences generated by the secret key, together with different IVs, are provided to the attacker. Furthermore, we analyze the security of SNOW-V against quantum TMDTO attacks, and the results show that a quantum TMDTO attack offers, strictly, better online time complexity than Grover’s algorithm, when the available memory space is bigger than $2^{170.67}$. The results of this paper are helpful in evaluating the security of SNOW-V against (quantum) TMDTO attacks, and we look forward to further work in evaluating SNOW-V against other kinds of cryptanalytic attacks.