Distinguishing and Key Recovery Attacks on the Reduced-Round SNOW-V and SNOW-Vi

Abstract. This paper presents distinguishing and key recovery attacks on the reduced-round SNOW-V and SNOW-Vi, which are stream ciphers proposed for standard encryption schemes for the 5G mobile communication system. First, we construct a MILP model to search for integral characteristics using the division property, and find the best integral distinguishers for the 3-, 4-, and 5-round SNOW-V and the 5-round SNOW-Vi with time complexities of 2^8, 2^16, 2^48, and 2^16, respectively. Next, we construct a bit-level MILP model to efficiently search for differential characteristics, and find the best differential characteristics in the 3- and 4-round versions. These characteristics lead to 3-round differential distinguishers for SNOW-V and SNOW-Vi with time complexities of 2^17 and 2^12 and 4-round differential distinguishers for SNOW-V and SNOW-Vi with time complexities of 2^97 and 2^39, respectively. Then, we consider single-bit and dual-bit differential cryptanalysis, which is inspired by the existing study on Salsa and ChaCha. By carefully choosing the IV values and differences, we construct practical bit-wise differential distinguishers for the 4-round SNOW-V and the 4- and 5-round SNOW-Vi with time complexities of 2^{4.466}, 2^{1.000}, and 2^{14.670}, respectively. Finally, we improve the existing differential attack based on probabilistic neutral bits, which is also inspired by the existing study on Salsa and ChaCha. As a result, we present the best key recovery attack on the 4-round SNOW-V and SNOW-Vi with time complexities of 2^{153.97} and 2^{233.99} and data complexities of 2^{26.96} and 2^{19.19}, respectively. Consequently, we significantly improve the designers' existing best attacks on the initialization phase.


Introduction
Background

SNOW-V, which is a new variant of the SNOW family of stream ciphers, was proposed in 2019 by Ekdahl et al. [5] as a standard encryption scheme for the 5G mobile communication system. To meet the strong security requirements set by the 3GPP standardization organization for the 5G system, SNOW-V provides a 256-bit security level against key recovery attacks with a 256-bit key and a 128-bit IV, while the claimed security against distinguishing attacks is only 2^64, i.e., the length of a keystream is limited to at most 2^64 and, for a fixed key, the number of different keystreams must be less than 2^64. SNOW-V consists of a Linear Feedback Shift Register (LFSR) and a Finite State Machine (FSM). The overall structure of SNOW-V follows the design strategy of SNOW 2.0 and SNOW-3G. It takes advantage of AES-NI and some SIMD operations for efficient implementation in high-end software environments. Each round uses two AES round operations to update the states of the FSM. As a result, SNOW-V achieves very impressive software performance, e.g., 58 Gbps for a long message, which is almost six times faster than SNOW-3G.
A slightly modified version of the SNOW-V stream cipher, called SNOW-Vi, was proposed by the same designers in 2021 [6]. The structural differences between SNOW-V and SNOW-Vi are the LFSR update function and the location of the tap T2. The purpose of this change is to better accommodate a fast software implementation on lower-grade CPUs that support only 128-bit wide SIMD registers. As a result, the increase in software performance is approximately 50% on average, up to 92 Gbps for a long message.
The designers evaluated the security of both ciphers against division-property-based cube, time-memory tradeoff, linear/correlation distinguishing, algebraic, and guess-and-determine attacks [5,6]. Among them, they found a key recovery attack on the 3-round SNOW-V and SNOW-Vi by division-property-based cube attacks, and concluded that more than four rounds provides sufficient security against these attacks, since the division-property-based distinguisher reaches only four rounds of AES [17]. As a third-party evaluation, Jiao et al. proposed a byte-based guess-and-determine attack on the full-round SNOW-V with a time complexity of 2^406 [11]. After Jiao et al.'s study [11] was reported, the designers further improved Jiao et al.'s attack and proposed two guess-and-determine attacks on the full-round SNOW-V with time complexities of 2^384 and 2^378 [19]. These results improve the designers' original evaluation [5], but their cost is still much larger than exhaustive search of the 256-bit key. Thus, to the best of our knowledge, the best attack on each of SNOW-V and SNOW-Vi is the designers' 3-round division-property-based cube attack.

Our Contribution
In this study, we present a security analysis of SNOW-V and SNOW-Vi with three attack vectors: integral, differential, and bit-wise differential attacks. These attacks are well-known attacks on stream ciphers. Nevertheless, the designers did not perform security evaluations against these important attacks. To fill this gap, we thoroughly evaluate the security against these attacks with state-of-the-art search tools and techniques, and we show that these attacks substantially improve the previous best attacks with respect to the number of attacked rounds and the attack complexity, as shown in Table 1. The details of our attacks are given as follows.

Integral Attack

By using a MILP-aided search method for the division property, we show practical integral distinguishers for the 3- and 4-round SNOW-V and the 5-round SNOW-Vi with time complexities of 2^8, 2^16, and 2^16, respectively. Furthermore, we find a 5-round integral distinguisher with a time complexity of 2^48 for the initialization of SNOW-V.

Differential Attack
We perform a MILP-aided search for differential characteristics in the chosen-IV setting, where differences are inserted in the IV domain. Specifically, we build a bit-level model for each operation, such as the modular addition, S-box, and linear operations. Besides, we modify the objective function of our previous study [9] to obtain a more accurate differential probability. As a result, for SNOW-V we improve the time complexities of the 3- and 4-round differential distinguishers from 2^48 and 2^103 to 2^17 and 2^97, respectively. For SNOW-Vi, we find 3- and 4-round differential distinguishers with time complexities of 2^12 and 2^39, respectively. Although the distinguishing attack on the 4-round SNOW-V exceeds the data limitation of 2^64, it is important for improving the understanding of the security of SNOW-V.

Bit-wise Differential Attack
We conduct single-bit and dual-bit differential attacks based on the existing study on the reduced-round Salsa and ChaCha reported by Choudhuri and Maitra [3]. In addition, we analyze the source code of the LFSR update algorithm and suggest that choosing IVs from a limited domain suppresses the propagation of differences throughout the internal state of the target ciphers. As a result, we find practical bit-wise differential distinguishers for the 4-round SNOW-V and the 4- and 5-round SNOW-Vi with time complexities of 2^{4.466}, 2^{1.000}, and 2^{14.670}, respectively. No study has been reported on applying the bit-wise differential attack to LFSR-based stream ciphers; thus, we demonstrate the effectiveness of the bit-wise differential attack on LFSR-based stream ciphers.

Key Recovery Attack
We apply the bit-wise differential attack based on probabilistic neutral bits (PNB), proposed by Aumasson et al. [2], to a key recovery attack on the target ciphers. Applying the existing attack requires a backwards computation in the target cipher, which is difficult to perform in LFSR-based stream ciphers. To solve this problem, we replace all the backwards computations in the existing attack procedure with forwards computations. As a result, we present a key recovery attack on the 4-round SNOW-V and SNOW-Vi with time complexities of 2^{153.97} and 2^{233.99} and data complexities of 2^{26.96} and 2^{19.19}, respectively. To the best of our knowledge, our attack is the best key recovery attack on the reduced-round SNOW-V and SNOW-Vi.

Organization of the Paper
The rest of the paper is organized as follows. In Section 2, we briefly describe the specifications of SNOW-V and SNOW-Vi. In Section 3, we show the MILP model for searching for integral characteristics and provide integral distinguishers for the 3-, 4-, and 5-round SNOW-V and the 5-round SNOW-Vi. In Section 4, we show the MILP model for searching for differential characteristics and provide differential distinguishers for the 3- and 4-round versions. In Section 5, we introduce the existing cryptanalysis method for bit-wise differential cryptanalysis and present the efficient chosen-IV technique. We then provide bit-wise differential distinguishers for the 4- and 5-round SNOW-V and the 4-, 5-, and 6-round SNOW-Vi. In Section 6, we describe our improvements to the existing differential attack and present the best key recovery attack on the 4-round versions. Finally, Section 7 concludes the paper.

Structure of SNOW-V
The overall structure of SNOW-V is shown in Figure 1. It consists of a Linear Feedback Shift Register (LFSR) part and a Finite State Machine (FSM) part. The LFSR part takes a circular construction consisting of two shift registers called LFSR-A and LFSR-B, each with 16 cells of 16 bits, denoted by a_15, ..., a_0 and b_15, ..., b_0, respectively. Each cell represents an element in F_2^16, and the elements of LFSR-A and LFSR-B are generated by the following polynomials in F_2[x]: g_B(x) = x^16 + x^15 + x^14 + x^11 + x^8 + x^6 + x^5 + x + 1. Let α ∈ F^A_{2^16} be a root of g_A(x) and β ∈ F^B_{2^16} be a root of g_B(x). At time t ≥ 0, the LFSRs update the sequences (a for i = 0, ..., 14. The LFSRs update the internal state eight times in a single step, i.e., 16 of the 32 cells in the LFSR part are updated in a single step, and the two taps T1 and T2 take the following new values: T2^(t) = (a The FSM part takes the two taps T1 and T2 from the LFSR part as inputs and generates a 128-bit keystream block z^(t) at time t ≥ 0 as output. It consists of three 128-bit registers R1, R2, and R3. The symbol ⊕ denotes a bit-wise XOR operation, and the symbol ⊞_32 denotes the parallel application of four additions modulo 2^32: the four 32-bit parts of the 128-bit words are added with carry, but the carry does not propagate from a lower 32-bit word to a higher one. At time t ≥ 0, the FSM first outputs the keystream block z^(t) using the following expression: Then, registers R2 and R3 are updated through a full AES encryption round function consisting of SubBytes, ShiftRows, MixColumns, and AddRoundKey, denoted by AES^R(IN, KEY) with a 128-bit input block IN and a round key KEY. The three registers are updated by the following expressions: where σ is a byte-oriented permutation given by σ = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15].
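The three building blocks this section describes (multiplication by β in the field defined by g_B, the lane-wise ⊞_32 addition, and the byte permutation σ) are small enough to write out in full. The following is an added example written for this page, not code from the paper or from the SNOW-V designers. It assumes that 128-bit words are Python integers with lane 0 in the low 32 bits and that σ maps output byte i to input byte σ[i]; since σ is its own inverse (it transposes a 4 × 4 byte matrix), the direction does not affect the check. The constant 0xC963 is g_B(x) with the x^16 term dropped.

```python
# Added example (not the paper's or the designers' code): SNOW-V building blocks.
MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF

# g_B(x) = x^16 + x^15 + x^14 + x^11 + x^8 + x^6 + x^5 + x + 1; the terms
# below x^16 packed into 16 bits give 0xC963.
G_B_LOW = 0xC963


def mul_beta(b: int) -> int:
    """Multiply b in F_2[x]/(g_B) by beta, a root of g_B: shift by one, reduce if x^16 appears."""
    b &= MASK16
    out = (b << 1) & MASK16
    if b & 0x8000:            # the shifted-out x^16 term is replaced by g_B's lower terms
        out ^= G_B_LOW
    return out


def mul_beta_inv(b: int) -> int:
    """Multiply by beta^-1, i.e. undo mul_beta: a set low bit means the reduction was applied."""
    b &= MASK16
    if b & 1:
        return ((b ^ G_B_LOW) >> 1) | 0x8000
    return b >> 1


def add32x4(x: int, y: int) -> int:
    """The ⊞_32 operation: four independent additions modulo 2^32 on the lanes of 128-bit words."""
    out = 0
    for lane in range(4):
        shift = 32 * lane
        a = (x >> shift) & MASK32
        b = (y >> shift) & MASK32
        out |= ((a + b) & MASK32) << shift   # the carry out of a lane is discarded
    return out


SIGMA = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]


def sigma(block: bytes) -> bytes:
    """Byte-oriented permutation sigma: output byte i is input byte SIGMA[i] (assumed direction)."""
    if len(block) != 16:
        raise ValueError("sigma expects a 16-byte block")
    return bytes(block[SIGMA[i]] for i in range(16))


def beta_roundtrip_ok() -> bool:
    """Check over all of F_2^16 that mul_beta_inv undoes mul_beta."""
    return all(mul_beta_inv(mul_beta(b)) == b for b in range(1 << 16))


if __name__ == "__main__":
    print(hex(mul_beta(0x8000)))          # x^16 reduced by g_B
    print(hex(add32x4(0xFFFFFFFF, 1)))   # lane 0 wraps, lane 1 stays 0
    print(sigma(bytes(range(16))).hex())
    print(beta_roundtrip_ok())
```

The lane loop in `add32x4` is where the "carry does not propagate from a lower 32-bit word to a higher one" rule lives: a plain 128-bit addition would leak the carry of lane 0 into lane 1, which is exactly what a bit-level differential model of ⊞_32 must not assume.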

Structure of SNOW-Vi
The overall structure of SNOW-Vi is almost the same as that of SNOW-V; the only differences are the LFSR update function and the tap T2, which is moved to the upper half of LFSR-A. The LFSR structure of SNOW-Vi is shown in Figure 2. The elements of LFSR-A and LFSR-B are generated by the following polynomials in F_2[x]: = a for i = 0, ..., 14. After updating the LFSRs, the tap T2 takes the new value T2^(t) = (a 8).

Initialization
Let K = (k_15, ..., k_0) denote a 256-bit key and IV = (iv_7, ..., iv_0) denote a 128-bit initialization vector (IV), where each k_i and iv_j is a 16-bit vector for 0 ≤ i ≤ 15 and 0 ≤ j ≤ 7, respectively. The initialization begins with loading the key and IV into the LFSRs and setting the three registers to zero using the following expressions: (a_15, ..., a_0) = (k_7, ..., k_0, iv_7, ..., iv_0), The initialization consists of r steps (r = 16 in the original version), where the structure is updated in the same way as in keystream generation, except that the 128-bit keystream block z is not output but is XORed into LFSR-A at positions (a_15, ..., a_8) in every step. Additionally, in the last two steps of the initialization, the 256-bit key is loaded into the register R1 using the following expressions: where time t = r − 1 denotes the last step of the initialization. The designers limited the length of the keystream to a maximum of 2^64 bits for a single key-IV pair and the number of different IVs to a maximum of 2^64 for each key.

MILP-aided Integral Distinguisher
In this section, we explore the security of SNOW-V and SNOW-Vi against integral attacks. To efficiently search for integral distinguishers in the initialization phase of SNOW-V and SNOW-Vi, we exploit the division property proposed by Todo [16]. Specifically, we utilize the MILP-based method [18] to evaluate the propagation of the bit-based division property [17].

The MILP Model
In this part, we describe how to construct the linear inequalities that model the propagation of the division property for SNOW-V and SNOW-Vi. First, we show the constraints for the propagation of the bit-based division property through COPY, XOR, and AND operations based on the work by Xiang et al. [18]. Then, we elaborate the MILP model for SNOW-V and SNOW-Vi based on these constraints. Since SNOW-V and SNOW-Vi share the same structure except for the LFSR update function and the position of the tap T2, we mainly describe how to construct an MILP model for SNOW-V.
To find an integral distinguisher with the division property using MILP, we do not need to optimize the objective function. Instead, we only need to confirm whether the constructed MILP model is feasible or not, because we check bit by bit whether each output bit is balanced. If the model is infeasible, an integral distinguisher is obtained.
Xiang et al. first proposed the modeling method [18] for the propagation of the bit-based division property through COPY, XOR, and AND operations. Then, Sun et al. generalized these models [14] as specified below, which are the components of our MILP model for SNOW-V and SNOW-Vi. MILP Model of COPY [14]: MILP Model of XOR [14]: MILP Model of AND [18]: The pseudo code of our MILP model for SNOW-V is displayed in Algorithm 1, where R denotes the number of rounds in the initialization phase, and the explanations of load, funcADD, funcAES, sigma, and funcLFSR are given below.
load. K and IV are loaded into the internal state. funcADD. This function models the 32-bit modular addition. We use the modeling method proposed by Sun et al. [15] with COPY, XOR, and AND. funcAES. This function consists of SubBytes, ShiftRows, MixColumns, and AddRoundKey of AES. For the modeling of the S-box, we use the modeling method proposed in [18]. Logic Friday [4] is utilized to generate the constraints for the S-box. Thus, we obtain 241 linear inequalities to model the S-box of AES. For the modeling of MixColumns, we use the modeling method proposed in [14]. Specifically, the 4 × 4 MDS matrix over the field F_2^8 is converted to a 32 × 32 binary matrix over the field F_2 [13]. Then, we construct the model for MixColumns with COPY and XOR. Thus, 64 linear inequalities can be used to model the MDS matrix used in AES.
Our MILP model for SNOW-Vi is almost the same as Algorithm 1. To construct an MILP model for SNOW-Vi, we need to change line 6 in Algorithm 1 into "(M, T2^r, S^r_{0,...,127}) = COPY(M, S^r_{128,...,255})" and funcLFSR into that of SNOW-Vi.
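The decision rule of this subsection (an output bit is balanced when no division trail ends in the unit vector of that bit, i.e. the MILP model is infeasible) can be seen without a solver by propagating the COPY, XOR and AND rules over an explicit set of trails. The following is an added example written for this page, not the paper's Algorithm 1 or any SNOW-V model: it applies the rules to a toy 4-bit round function constructed here, y_i = x_i ⊕ (x_{i+1} ∧ x_{i+2}) with indices modulo 4, and checks the verdict against a brute-force zero-sum test. The rules used are the exact bit-based ones (COPY branches a 1 into each copy, AND outputs 1 when any input is 1, XOR adds inputs and drops trails whose sum exceeds 1); the MILP inequalities cited in the text encode the same sets.

```python
# Added example (not from the paper): bit-based division property on a toy map.
from itertools import product


def round_ops(r: int, last: bool):
    """Straight-line ops (kind, sources, destinations) for one round of the toy map."""
    x = [f"x{i}_{r}" for i in range(4)]
    out = [f"y{i}" if last else f"x{i}_{r + 1}" for i in range(4)]
    ops = []
    for i in range(4):                   # each input feeds one XOR and two ANDs
        ops.append(("copy", [x[i]], [x[i] + "a", x[i] + "b", x[i] + "c"]))
    for i in range(4):
        j, k = (i + 1) % 4, (i + 2) % 4
        ops.append(("and", [x[j] + "b", x[k] + "c"], [f"t{i}_{r}"]))
        ops.append(("xor", [x[i] + "a", f"t{i}_{r}"], [out[i]]))
    return ops


def build(rounds: int):
    ops = [op for r in range(rounds) for op in round_ops(r, r == rounds - 1)]
    return ops, [f"x{i}_0" for i in range(4)], [f"y{i}" for i in range(4)]


def evaluate(ops, env: dict) -> dict:
    """Run the program on concrete bits (used only by the brute-force check)."""
    env = dict(env)
    for kind, srcs, dsts in ops:
        if kind == "copy":
            for d in dsts:
                env[d] = env[srcs[0]]
        elif kind == "and":
            env[dsts[0]] = env[srcs[0]] & env[srcs[1]]
        else:
            env[dsts[0]] = env[srcs[0]] ^ env[srcs[1]]
    return env


def division_trails(ops, active) -> set:
    """Propagate the bit-based division property; a trail is the set of live variables with k = 1."""
    trails = {frozenset(active)}
    for kind, srcs, dsts in ops:
        nxt = set()
        for tr in trails:
            if kind == "copy":           # a 1 goes to exactly one of the copies
                s = srcs[0]
                if s in tr:
                    for d in dsts:
                        nxt.add((tr - {s}) | {d})
                else:
                    nxt.add(tr)
            elif kind == "and":          # output is 1 iff some input is 1
                rest = tr - set(srcs)
                nxt.add(rest | {dsts[0]} if tr & set(srcs) else rest)
            else:                        # XOR: sum of inputs; a sum of 2 is not a bit, so drop
                cnt = len(tr & set(srcs))
                rest = tr - set(srcs)
                if cnt == 0:
                    nxt.add(rest)
                elif cnt == 1:
                    nxt.add(rest | {dsts[0]})
        trails = nxt
    return trails


def integral_search(rounds: int, active_idx) -> list:
    """Output bits proven balanced: e_j is not among the final trails (the infeasible-model case)."""
    ops, inputs, outputs = build(rounds)
    trails = division_trails(ops, [inputs[i] for i in active_idx])
    return sorted(o for o in outputs if frozenset([o]) not in trails)


def brute_force_balanced(rounds: int, active_idx) -> list:
    """Ground truth: bits whose sum over the active set is 0 for every constant assignment."""
    ops, inputs, outputs = build(rounds)
    active = [inputs[i] for i in active_idx]
    const = [v for v in inputs if v not in active]
    balanced = set(outputs)
    for cvals in product([0, 1], repeat=len(const)):
        sums = dict.fromkeys(outputs, 0)
        for avals in product([0, 1], repeat=len(active)):
            env = dict(zip(const, cvals))
            env.update(zip(active, avals))
            out = evaluate(ops, env)
            for o in outputs:
                sums[o] ^= out[o]
        balanced -= {o for o in outputs if sums[o]}
    return sorted(balanced)


if __name__ == "__main__":
    for rounds, act in [(1, [1]), (1, [1, 2, 3]), (2, [0, 1, 2, 3])]:
        print(rounds, act, integral_search(rounds, act), brute_force_balanced(rounds, act))
```

With one active bit (x_1) and one round, only y_2 is reported balanced, which matches the brute force since y_2 does not depend on x_1. The division property is sound but not complete, so over more rounds every bit it reports balanced is a genuine zero-sum, while some zero-sums may go unreported; the paper's Steps 1-3 in the next subsection are a search over which IV bits to make active so that such a verdict survives as many rounds as possible.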

Our Search and Results
Since there are a total of 2^128 patterns of the IV for both SNOW-V and SNOW-Vi, it is computationally infeasible to take all of them into account when searching for integral distinguishers. Thus, we use a 3-step approach to efficiently find integral distinguishers for SNOW-V and SNOW-Vi. In the explanation of our method, a, c, b, and u represent an active bit, a constant bit, a balanced bit, and an unknown bit, respectively. In addition, A, C, B, and U denote an active byte, a constant byte, a balanced byte, and an unknown byte, respectively. Our search used Gurobi optimization 9.0 [10] as the solver on a 48-core Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz.
Step 1. We try to find the longest integral distinguisher by setting the 128-bit IV to all A.
Step 2. To reduce the data complexity, we consider the case where at least one byte of the IV is assigned C and at least one byte is assigned A. When the 16-byte input is all A, it is the same as Step 1. Also, when the 16-byte input is all C, the outputs become constants. Thus, these two patterns can be omitted. As a result, there are 2^16 − 2 such patterns in total.
Step 3. We utilize the method of [8] to reduce the data complexity. In [8], a is only assigned to the MSB of each byte. First, we consider the case where there is only one active bit; the total number of such patterns is ( ). Then, we increase the number of active bits a if we can find an integral distinguisher, i.e., we consider the cases where there are 2, 3, 4, ..., 16 active bits, because IV is a 16-byte value. Thus, a total of 2^16 − 1 patterns is taken into account in our search.

Results for SNOW-V

Our search found 3- and 4-round integral distinguishers with time complexities of 2^8 and 2^16, as shown in Tables 2 and 3. Moreover, we found a 5-round integral distinguisher for the initialization phase of SNOW-V, as shown in Table 4. Specifically, when iv_7, iv_6, iv_4, and iv_0 are constant, the least significant byte of each of iv_2 and iv_1 is constant, and the remaining bytes of the IV take all possible 2^48 values, we can compute the sum of the keystreams z generated by these 2^48 different IVs; the sum in each of the two least significant bits of z is always zero.

Results for SNOW-Vi

Our search found a 5-round integral distinguisher with a time complexity of 2^16, as shown in Table 5. This is the same result as that of SNOW-V in terms of the number of rounds; however, it should be mentioned that the time complexity is reduced from 2^48 to 2^16 compared to SNOW-V.

MILP-aided Differential Distinguisher
In this section, we describe our investigation of the resistance of SNOW-V and SNOW-Vi against differential attacks. Specifically, we focus on the initialization phase, and our aim is to find differential characteristics with a probability higher than 2^{−128} using a MILP-based method [1,7], since the IV, into which differences can be inserted, is 128 bits.
According to the specifications of SNOW-V and SNOW-Vi, it can be observed that there are 32 AES S-boxes and 8 modular additions (modulo 2^32) used for

The MILP Model
Here, we explain the details of our MILP modeling for searching for differential characteristics of SNOW-V and SNOW-Vi. As in the case of the integral attack, we mainly describe how to construct an MILP model for SNOW-V. Throughout this paper, M.var, M.con, and M.obj represent the variables, the constraints, and the objective function of the MILP model, respectively.
Because the operations used in SNOW-V and SNOW-Vi include XOR, SubBytes, ShiftRows, MixColumns, modular addition, α, α^{−1}, β, β^{−1}, and sigma (the byte-wise permutation), to construct an accurate model of bit-wise difference propagation through these components, it is necessary to construct the corresponding linear inequalities for each of them.
To search for the best differential characteristic, we minimize the objective function, as follows: However, we do not take probabilities of significant bit, respectively. We consider the differential probability of the modular addition according to [7], and we take the differential probability of the AES S-box to be 2^{−7} because we consider the worst case in the S-box. Algorithm 2 shows the MILP model of differential characteristics for SNOW-V.
As in the case of the integral attack, we can construct an MILP model for SNOW-Vi based on that of SNOW-V with small changes. To construct an MILP model for SNOW-Vi, we need to change line 8 in Algorithm 2 into "(M, V) = XOR(M, S^r_{0,...,127}, R3)" and funcLFSR into that of SNOW-Vi. For the same reason as in the case of SNOW-V, we do not take the probabilities of T1^{R−1} ⊞ R1^{R−1} and AES(R2^{R−1}) into account in the objective function.
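The non-linear component whose probability the objective function has to sum accurately is the modular addition. The following is an added example written for this page, not the paper's Algorithm 2 or the model of [7]: it computes the XOR-differential probability of addition modulo 2^n with the Lipmaa-Moriai formula, turns it into the −log2 weight an MILP objective would accumulate, and checks the formula against exhaustive enumeration on 8-bit words (chosen only so that enumeration is cheap; the formula itself does not depend on the width).

```python
# Added example (not from the paper): xdp+ of modular addition, Lipmaa-Moriai style.
import math


def eq(x: int, y: int, z: int, n: int) -> int:
    """Bit mask of the positions (below 2^n) where x, y and z all agree."""
    mask = (1 << n) - 1
    return (~(x ^ y) & ~(x ^ z)) & mask


def xdp_add(alpha: int, beta: int, gamma: int, n: int) -> float:
    """Pr over all x, y mod 2^n that ((x ^ alpha) + (y ^ beta)) ^ (x + y) == gamma."""
    mask = (1 << n) - 1
    # Wherever the three differences agree at bit i-1, bit i must satisfy the carry relation
    # alpha_i ^ beta_i ^ gamma_i == beta_{i-1}; otherwise the characteristic is impossible.
    shifted = eq(alpha << 1, beta << 1, gamma << 1, n)
    if shifted & (alpha ^ beta ^ gamma ^ (beta << 1)) & mask:
        return 0.0
    # One bit of probability is paid at each position below the MSB where the differences disagree.
    weight = bin((~eq(alpha, beta, gamma, n)) & (mask >> 1)).count("1")
    return 2.0 ** -weight


def xdp_add_bruteforce(alpha: int, beta: int, gamma: int, n: int) -> float:
    """Reference value by enumerating every (x, y) pair; only practical for small n."""
    mask = (1 << n) - 1
    hits = 0
    for x in range(1 << n):
        for y in range(1 << n):
            if ((((x ^ alpha) + (y ^ beta)) ^ (x + y)) & mask) == gamma:
                hits += 1
    return hits / (1 << (2 * n))


def milp_weight(alpha: int, beta: int, gamma: int, n: int) -> float:
    """-log2 of the probability: the per-addition term a minimizing objective sums over a trail."""
    p = xdp_add(alpha, beta, gamma, n)
    return math.inf if p == 0.0 else -math.log2(p)


if __name__ == "__main__":
    for a, b, c in [(0x01, 0x00, 0x01), (0x80, 0x00, 0x80), (0x01, 0x01, 0x01), (0x03, 0x05, 0x06)]:
        print(hex(a), hex(b), hex(c), xdp_add(a, b, c, 8), xdp_add_bruteforce(a, b, c, 8), milp_weight(a, b, c, 8))
```

A single-bit difference in the most significant position passes through the addition with probability 1, while the same difference in the least significant position costs one bit because the carry out of that position depends on the other operand; a bit-level model has to distinguish these cases, which a byte-level count of active additions cannot.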

Our Search and Results
We search under the assumption that the differential characteristics of each round are independent. In our search, a difference is only inserted in the IV, i.e., we do not consider related-key differential characteristics. We conduct this search on a

Results for SNOW-V

The search results for SNOW-V are displayed in Table 6. For 3 rounds, the best differential probability of a single trail is estimated as 2^{−17}, as shown in Table 7. This implies that a distinguishing attack on 3 rounds is feasible with 2^17 chosen IVs. Since we search the whole IV space, these differential probabilities are optimal for 1 to 3 rounds.
To search for more rounds, we constrain the Hamming weight of the IV difference to one, because the above optimal characteristics for 1 to 3 rounds start from an IV difference of Hamming weight one. In this way, we search for differential characteristics up to 4 initialization rounds. As a result, we found a differential characteristic with probability 2^{−97}, as shown in Table 8. Mounting an attack using this characteristic requires 2^97 chosen IVs, so it exceeds the data limitation of 2^64 for a fixed key. However, we believe that it is meaningful for a deeper understanding of the security of SNOW-V, e.g., it might be feasible in the weak-key setting.

Results for SNOW-Vi
The search results of SNOW-Vi are displayed in Table 9.
For SNOW-Vi, we can evaluate the best differential probability of a single trail over the whole IV space for 4 rounds. As a result, we found a differential characteristic with probability 2^{−39}. The detailed differential characteristic is shown in Table 10. This implies that a distinguishing attack on 4 rounds is feasible with 2^39 chosen IVs. It should be mentioned that this characteristic is optimal for 4 rounds of SNOW-Vi.

Bit-wise Differential Distinguisher
In this section, we first introduce single-bit and dual-bit differential cryptanalysis based on the study by Choudhuri and Maitra [3].  Then, we present an effective chosen-IV technique for our cryptanalysis of the 4-round SNOW-V and the 5-round SNOW-Vi. Finally, we provide the experimental results for bit-wise differential biases using the chosen-IV technique.

Single-bit and Dual-bit Differential Cryptanalysis
To search for bit-wise differential biases of the reduced-round SNOW-V and SNOW-Vi, we utilize single-bit and dual-bit differential cryptanalysis based on the study of the reduced-round Salsa and ChaCha reported by Choudhuri and Maitra [3]. Let iv_i[j] be the j-th bit of the i-th element of IV for 0 ≤ i ≤ 7 and 0 ≤ j ≤ 15, and let iv'_i[j] be the associated bit with the input difference , which is called the ID. Let z_p[q] be the q-th bit of the p-th word of the first output keystream block z for 0 ≤ p ≤ 15 and 0 ≤ q ≤ 7, and let z'_p[q] be the associated bit with the r-round output difference ∆^(r), which is called the OD. Note that iv_0[0] and iv_7[15] are the least significant bit (LSB) and most significant bit (MSB) of IV, and z_0[0] and z_15[7] are the LSB and MSB of z, respectively. For a fixed key and all possible choices of IVs, the single-bit and dual-bit differential probabilities are defined by where ε_d denotes the bias of the OD.
To distinguish the first keystream block z generated by the reduced-round SNOW-V from a truly random sequence, we utilize the following theorem proved by Mantin and Shamir [12].

Theorem 1 ([12, Theorem 2]). Let X and Y be two distributions, and suppose that the event e occurs in X with probability p and in Y with probability p·(1+q).
Then, for small p and q, O(1/(p·q^2)) samples suffice to distinguish X from Y with a constant probability of success.
Let X be the distribution of the OD of a truly random sequence, and Y be the distribution of the OD of the first keystream block z generated by the reduced-round SNOW-V. Based on the single-bit and dual-bit differential probabilities, the number of samples needed to distinguish X and Y is obtained by setting p = 1/2 and q = ε_d.

Chosen-IV Technique
We analyze the source code of the LFSR update algorithm in SNOW-V (refer to Listing 1 for details) and notice the following two properties.

Experimental Results
We conducted experiments to search for the bit-wise differential biases of the reduced-round SNOW-V and SNOW-Vi. Our experimental environment was as follows: five Linux machines, each with a 40-core Intel(R) Xeon(R) CPU E5-2660 v3 (2.60GHz) and 128.0 GB of main memory, the gcc 7.2.0 compiler, and the C programming language.

Bit-wise Differential Biases of SNOW-V
To search for single-bit (or dual-bit) differential biases of the reduced-round SNOW-V, our experiments were conducted with 2^8 (or 2^6) trials using 2^24 IDs for each key, excluding domain V_7. Since domain V_7 contains only 2^16 elements, we conducted experiments with 2^16 (or 2^14) trials using 2^16 IDs for each key to search for the single-bit (or dual-bit) differential biases.
Tables 11 and 12 show the best single-bit and dual-bit differential biases for the 4- and 5-round SNOW-V. As shown in Table 11, we obtain higher biases when the domain is restricted using the chosen-IV technique. For example, we obtain the best single-bit (or dual-bit) differential bias of |ε_d| = 2^{−4.268} (or 2^{−1.733}) for domain V_7, whereas we find |ε_d| = 2^{−10.299} (or 2^{−9.432}) for domain V_0. However, as shown in Table 12, all of the best single-bit and dual-bit differential biases are almost constant regardless of the domain in the 5-round SNOW-V. These results demonstrate that the chosen-IV technique is valid for the 4-round SNOW-V, but not for the 5-round SNOW-V.

Table 14 shows the best single- and dual-bit differential biases for the 5-round SNOW-Vi, and we obtain higher biases when the domain is restricted using the chosen-IV technique, e.g., the best single-bit (or dual-bit) differential bias of |ε_d| = 2^{−6.835} (or 2^{−7.216}) for domain V'_2, whereas |ε_d| = 2^{−10.910} (or 2^{−11.508}) for domain V'_0. For the 5-round SNOW-Vi, the best single-bit differential bias in domain V'_2, i.e., |ε_d| = 2^{−6.835}, also provides a practical bit-wise differential distinguisher. Thus, 2^{14.670} samples suffice to distinguish the 5-round SNOW-Vi from a truly random sequence with a constant probability of success.
Table 15 shows the best single- and dual-bit differential biases for the 6-round SNOW-Vi; all of the best single-bit and dual-bit differential biases are almost constant regardless of the domain in the 6-round SNOW-Vi. Thus, these results demonstrate that the chosen-IV technique is valid for the 5-round SNOW-Vi, but not for the 6-round SNOW-Vi. For the 6-round SNOW-Vi, the best dual-bit differential bias in domain V'_1, i.e., |ε_d| = 2^{−13.546}, provides the best bit-wise differential distinguisher with 2^{28.092} samples. However, the accuracy of these experimental results may be insufficient because we conducted the experiments with only 2^24 IDs to observe the differential biases. To search for more precise single- and dual-bit differential biases for the 6-round SNOW-Vi, we focused on the best ID-OD pair in each domain listed in Table 15 and conducted additional experiments with 2^8 trials using 2^32 IDs for each key. Consequently, we obtain the best single-bit differential bias in domain 2,6, and |ε_d| is approximately 2^{−18.597}; thus, our experiments reveal that at least 2^{38.194} samples suffice to distinguish the 6-round SNOW-Vi from a truly random sequence.

Key Recovery Attack
In this section, we describe a key recovery attack on the 4-round SNOW-V and SNOW-Vi. To the best of our knowledge, our attack is the best key recovery attack on the reduced-round SNOW-V and SNOW-Vi, improving on the cube attack on the 3-round SNOW-V and SNOW-Vi proposed by Ekdahl et al. [5,6], which was the best to date. Our proposed attack is an improvement of the differential attack based on a technique called probabilistic neutral bits (PNB) proposed by Aumasson et al. [2].

Differential Attack Based on Probabilistic Neutral Bits (PNB)
Aumasson et al. proposed a differential attack based on PNB and applied it to Salsa and ChaCha [2]. In this subsection, we introduce their attack to clarify the difference from our proposed attack, which is described in Section 6.2. Their attack consists of two phases: the precomputation and online phases. The precomputation phase is further divided into three phases: the differential characteristic search (as described in Section 5.1), PNB identification, and probabilistic backwards computation phases.
PNB Identification Phase. PNB is a concept that divides the secret key bits into two sets: m significant key bits and n non-significant key bits.
To identify these two sets, Aumasson et al. focused on the amount of influence that each secret key bit has on the output difference OD, and defined that amount as the neutral measure.

Definition 1 ([2, Definition 1]). The neutral measure of the key bit κ_i with respect to the output difference OD is defined as γ_i, where Pr = 1/2 (1 + γ_i) is the probability that complementing the key bit κ_i does not change the OD.
For example, according to Definition 1, we have the following special cases of the neutral measure:
γ_i = 1: OD does not depend on the i-th key bit, i.e., it is non-significant.
γ_i = 0: OD is statistically independent of the i-th key bit, i.e., it is significant.
To identify the PNB using the concept of the neutral measure, we perform the following procedure after the differential characteristic search phase:
Step 1. Compute the keystream pair Z, Z' corresponding to the input pair X^(0), X'^(0) with the input difference ∆^(0)_{i,j}. Note that the keystream Z is derived as X^(0) + X^(R) in the case of Salsa and ChaCha.
Step 2. Prepare a new input pair X^(0), X'^(0) with the key bit at position i of the original input pair X^(0), X'^(0) flipped.
Step 3. Compute the internal state pair Y^(r), Y'^(r) with Z − X^(0), Z' − X'^(0) for r < R as inputs to the inverse function of the initialization in the case of Salsa and ChaCha.
, where y_p[q] and y'_p[q] are the q-th bit of the p-th word of Y^(r) and Y'^(r), respectively.
Step 5. Repeatedly perform Steps 1-4 using different input pairs with the same ∆^(0)_{i,j}; compute the neutral measure as Pr(∆^(r)_{p,q} is the output difference derived during the differential characteristic search (as described in Section 5.1).
Step 6. Set a threshold γ, and put all key bits with γ_i < γ into the set of significant key bits (of size m) and those with γ_i ≥ γ into the set of non-significant key bits (of size n).
Probabilistic Backwards Computation Phase. In the differential characteristic search phase, we derive the r-th round differential biases from input pairs with the chosen input difference; i.e., we perform a forwards computation in the target cipher. However, in the case of Salsa and ChaCha, we can also derive the r-th round differential biases from the obtained keystream by performing a backwards computation, which is called the probabilistic backwards computation.
In the probabilistic backwards computation phase, we perform the following procedure after the PNB identification phase:
Step 1. Compute the keystream pair Z, Z' corresponding to the input pair X^(0), X'^(0) with the input difference ∆^(0)_{i,j}.
Step 2. Prepare a new input pair X̂^(0), X̂'^(0) with only the non-significant key bits reset to a fixed value (e.g., all zero) from the original input pair X^(0), X'^(0).
Step 3. Compute the internal state pair Ŷ^(r), Ŷ'^(r) with Z − X̂^(0), Z' − X̂'^(0) for r < R as inputs to the inverse function of the initialization in the case of Salsa and ChaCha.
Step 5. Repeatedly perform Steps 1-4 using different input pairs with the same ∆^(0)_{i,j}; compute the r-round bias ε_a as Pr(∆^(r)_{p,q} is the output difference derived during the differential characteristic search (as described in Section 5.1).
According to [2], the bias ε is approximated as ε_d · ε_a and is used to compute the overall complexity of the attack on the R-round target cipher.
PNB Identification Phase.
Step 1. Prepare a new input pair $\bar{X}^{(0)}, \bar{X}'^{(0)}$ by flipping the key bit at position $i$ of the original input pair $X^{(0)}, X'^{(0)}$. Note that, according to Section 2.3, an input $X^{(0)}$ of SNOW-V and SNOW-Vi is initialized from a secret key and an initialization vector.
Step 2. Compute the keystream pair $z, z'$ with $\bar{X}^{(0)}, \bar{X}'^{(0)}$ as inputs to the $r$-round initialization of SNOW-V and SNOW-Vi.
Step 3. Compute $\Gamma^{(r)}_{p,q} = z_p[q] \oplus z'_p[q]$, where $z_p[q]$ and $z'_p[q]$ are the $q$-th bit of the $p$-th word of $z$ and $z'$, respectively.
Step 4. Repeatedly perform Steps 1-3 using different input pairs with the same $\Delta^{(0)}_{i,j}$; compute the neutral measure $\gamma_i$ from the probability $\Pr(\Gamma^{(r)}_{p,q} = \Delta^{(r)}_{p,q})$, where $\Delta^{(r)}_{p,q}$ is the output difference derived during the differential characteristic search (as described in Section 5.1).
Step 5. Set a threshold $\gamma$, and put all key bits with $\gamma_i < \gamma$ into the set of significant key bits (of size $m$) and those with $\gamma_i \geq \gamma$ into the set of non-significant key bits (of size $n$).

Probabilistic Forwards Computation Phase. Similar to the proposed PNB identification phase, we improve the existing probabilistic backwards computation phase. In summary, for the application to SNOW-V and SNOW-Vi, we perform the following procedure after the PNB identification phase:

Step 1. Prepare a new input pair $\hat{X}^{(0)}, \hat{X}'^{(0)}$ from the original input pair $X^{(0)}, X'^{(0)}$ by resetting only the non-significant key bits to a fixed value (e.g., all zero).
Step 2. Compute the keystream pair $\hat{z}, \hat{z}'$ with $\hat{X}^{(0)}, \hat{X}'^{(0)}$ as inputs to the $r$-round initialization of SNOW-V and SNOW-Vi.
Step 3. Compute $\Gamma^{(r)}_{p,q} = \hat{z}_p[q] \oplus \hat{z}'_p[q]$, where $\hat{z}_p[q]$ and $\hat{z}'_p[q]$ are the $q$-th bit of the $p$-th word of $\hat{z}^{(r)}$ and $\hat{z}'^{(r)}$, respectively.
Step 4. Repeatedly perform Steps 1-3 using different input pairs with the same $\Delta^{(0)}_{i,j}$; compute the $r$-round bias $\epsilon_a$ from the probability $\Pr(\Gamma^{(r)}_{p,q} = \Delta^{(r)}_{p,q})$, where $\Delta^{(r)}_{p,q}$ is the output difference derived during the differential characteristic search (as described in Section 5.1).
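The two forwards-only procedures above (the PNB identification phase and the probabilistic forwards computation phase) are worked through below on a constructed toy, as an added illustration that is not part of the paper and has nothing to do with the real SNOW-V or SNOW-Vi state update. The 32-bit-key, 16-bit-IV ARX toy cipher, the neutral-measure convention $\gamma_i = 2\Pr[\Gamma_i = \Gamma] - 1$ and the bias convention $\epsilon_a = 2\Pr[\hat{\Gamma} = \Gamma] - 1$ are all assumptions of this example; $\Gamma^{(r)}_{p,q}$ is computed only from keystream words, as in the SNOW-V application, never from internal state:

```python
"""PNB identification and probabilistic forwards computation on a toy cipher.

The cipher below is a CONSTRUCTED 32-bit-key / 16-bit-IV ARX toy; it is not
SNOW-V or SNOW-Vi and only makes the bookkeeping of the procedure concrete.
"""
import random

MASK16 = 0xFFFF
KEY_BITS = 32
KEY_MASK = (1 << KEY_BITS) - 1


def rotl16(x: int, n: int) -> int:
    return ((x << n) | (x >> (16 - n))) & MASK16


def toy_keystream(key: int, iv: int, rounds: int) -> list:
    """Constructed toy initialization; returns four 16-bit keystream words.

    One round mixes the words with modular addition, XOR and rotation. As in the
    forwards-only setting for SNOW-V, the attacker only sees these output words.
    """
    s = [key & MASK16, key >> 16, iv & MASK16, 0x9E37]  # 0x9E37: fixed constant
    for _ in range(rounds):
        s[0] = (s[0] + s[2]) & MASK16
        s[1] ^= rotl16(s[0], 3)
        s[2] = (s[2] + s[1]) & MASK16
        s[3] ^= rotl16(s[2], 5)
        s = [s[1], s[2], s[3], s[0]]  # rotate word positions
    return s


def output_difference(key: int, iv: int, delta_iv: int, rounds: int, p: int, q: int) -> int:
    """Gamma^(r)_{p,q} = z_p[q] XOR z'_p[q] for the IV pair (iv, iv XOR delta_iv)."""
    z = toy_keystream(key, iv, rounds)
    z2 = toy_keystream(key, iv ^ delta_iv, rounds)
    return ((z[p] ^ z2[p]) >> q) & 1


def neutral_measures(delta_iv: int, rounds: int, p: int, q: int, samples: int, seed: int = 1) -> list:
    """Steps 1-4 of the forwards-only PNB identification for every key bit i.

    gamma_i = 2 * Pr[Gamma_i == Gamma] - 1 (assumed convention), where Gamma_i is
    the output difference after flipping key bit i of the same input pair.
    """
    rng = random.Random(seed)
    pairs = [(rng.getrandbits(KEY_BITS), rng.getrandbits(16)) for _ in range(samples)]
    base = [output_difference(k, v, delta_iv, rounds, p, q) for k, v in pairs]
    gammas = []
    for i in range(KEY_BITS):
        agree = sum(
            output_difference(k ^ (1 << i), v, delta_iv, rounds, p, q) == g
            for (k, v), g in zip(pairs, base)
        )
        gammas.append(2.0 * agree / samples - 1.0)
    return gammas


def split_key_bits(gammas: list, threshold: float) -> tuple:
    """Step 5: key bits with gamma_i < threshold are significant, the rest are PNBs."""
    significant = [i for i, g in enumerate(gammas) if g < threshold]
    non_significant = [i for i, g in enumerate(gammas) if g >= threshold]
    return significant, non_significant


def forwards_bias(non_significant: list, delta_iv: int, rounds: int, p: int, q: int,
                  samples: int, seed: int = 2) -> float:
    """Probabilistic forwards computation: eps_a = 2 * Pr[Gamma_hat == Gamma] - 1
    (assumed convention), Gamma_hat being computed with the PNBs reset to zero."""
    rng = random.Random(seed)
    reset_mask = KEY_MASK & ~sum(1 << i for i in non_significant)
    agree = 0
    for _ in range(samples):
        key, iv = rng.getrandbits(KEY_BITS), rng.getrandbits(16)
        g = output_difference(key, iv, delta_iv, rounds, p, q)
        g_hat = output_difference(key & reset_mask, iv, delta_iv, rounds, p, q)
        agree += g == g_hat
    return 2.0 * agree / samples - 1.0


if __name__ == "__main__":
    DELTA_IV, ROUNDS, P, Q = 1, 1, 0, 7  # ID: IV bit 0; OD: word 0, bit 7
    gam = neutral_measures(DELTA_IV, ROUNDS, P, Q, samples=2048)
    for thr in (1.00, 0.50):
        sig, non = split_key_bits(gam, thr)
        eps_a = forwards_bias(non, DELTA_IV, ROUNDS, P, Q, samples=2048)
        print(f"threshold {thr:.2f}: m={len(sig)} significant bits {sig}, eps_a={eps_a:.3f}")
```

With one round and the OD bit chosen above, the toy's output difference depends only on the carry chain through key bits 0 to 3, so bits 4 to 31 get $\gamma_i = 1$ exactly (the linearly XORed key word and the higher carry bits cannot change a difference), while bits 0 to 3 get $\gamma_i \approx 0.75$. Resetting only the exactly neutral bits (threshold $\gamma = 1.00$) keeps $\epsilon_a = 1$; resetting every bit (threshold $0.50$) drops $\epsilon_a$ to about $0.875$, which is the trade-off between $m$ and $\epsilon_a$ that the threshold controls, and $\epsilon \approx \epsilon_d \cdot \epsilon_a$ is what enters the complexity estimate of [2].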

Complexity Estimation. In our proposed attack, we can construct the following two independent distinguishers:
- A distinguisher based on the differential bias $\epsilon_d$.
- A distinguisher based on the bias $\epsilon_a$.
This is because, in the existing attacks, these biases are derived from the (secret) internal states, whereas in the application to SNOW-V and SNOW-Vi they are derived from the keystreams, which are obtained by an adversary under the known plaintext attack scenario. Thus, the number of samples $N$ for our attack is given by ) . Additionally, the time complexity of our attack is given in the same way as that of the existing attacks [2,3], as described in Section 6.1.

Experimental Results
We have conducted experiments to find the best parameters for our attack on the reduced-round SNOW-V and SNOW-Vi. Our experimental environment is as follows: five Linux machines with a 40-core Intel(R) Xeon(R) CPU E5-2660 v3 (2.60 GHz) and 128.0 GB of main memory, the gcc 7.2.0 compiler, and the C programming language.
Key Recovery Attack on SNOW-V. To find the best parameters for our attack on the reduced-round SNOW-V, our experiments have been conducted with $2^8$ trials using $2^{24}$ IDs for each key, excluding domain $V_7$. Since domain $V_7$ contains only $2^{16}$ elements, we have conducted experiments with $2^{16}$ trials using $2^{16}$ IDs for each key. In addition, we need to consider the possibility that our attack is not valid, because the application to SNOW-V, unlike the existing attacks on Salsa and ChaCha, only performs the forwards computation throughout all phases. To calculate the success probability of our attack, our experiments have been conducted with 1000 trials using the best parameters obtained from the experiments. In our experiments, we consider the attack to have failed if we can guess a subkey candidate with a higher bias $\epsilon^*_a$ than the bias $\epsilon_a$ obtained from the correctly guessed subkey.
Tables 16 and 17 show the best parameters for our attack in domains $V_0$ and $V_7$ on the 4-round SNOW-V for each threshold $\gamma$. Based on these tables, we appear to be able to perform our attack on the 4-round SNOW-V with the least time complexity of $2^{60.35}$ by using the parameter for the threshold $\gamma = 0.50$ in domain $V_7$, but it is not valid because its success probability is zero. However, as shown in these tables, we can perform our attack with a success probability of one by using the parameter for the threshold $\gamma = 1.00$ in both domains $V_0$ and $V_7$. This is because all key bits with a neutral measure $\gamma_i \geq \gamma = 1.00$ are put into the set of non-significant key bits, and these have no influence on the output difference, i.e., we can always guess all the $m$-bit subkeys in the online phase. As a result, we can perform our attack on the 4-round SNOW-V with a time complexity of $2^{153.97}$ and a data complexity of $2^{26.96}$ by using the parameter for the threshold $\gamma = 1.00$ in domain $V_0$; this is the best key recovery attack on the reduced-round SNOW-V.

Key Recovery Attack on SNOW-Vi
To find the best parameters for our attack on the reduced-round SNOW-Vi, our experiments have been conducted with $2^8$ trials using $2^{24}$ IDs for each key. As discussed in the previous paragraph, we can perform our attack on the 4-round SNOW-V with a success probability of one by using the parameter for the threshold $\gamma = 1.00$; thus, we should perform our attack on the reduced-round SNOW-Vi by focusing solely on the threshold $\gamma = 1.00$. As described in Section 5, we obtain the best single- and dual-bit differential biases of $|\epsilon_d| = 1$ for the 4-round SNOW-Vi. However, ID-OD pairs with these biases cannot be used in our attack because they do not work properly in the PNB identification phase (i.e., all key bits can be included in the set of non-significant key bits). Due to this, we randomly selected 40 ID-OD pairs with biases of $|\epsilon_d| < 1$ to properly perform our attack on the 4-round SNOW-Vi.
Table 18 shows the best parameters for our attack on the 4- and 5-round SNOW-Vi. We can perform our attack on the 4-round SNOW-Vi with a time complexity of $2^{233.99}$ and a data complexity of $2^{7.94}$ by using the best parameter, namely domain $V'_0$, ID $\Delta^{(0)}_{9,5}$, OD $\Delta^{(4)}_{0,7}$, and $\alpha = 27$. Similarly, we can perform our attack on the 5-round SNOW-Vi with a time complexity of $2^{258.34}$ and a data complexity of $2^{19.19}$ by using the best parameter, namely domain $V'_2$, ID $\Delta^{(0)}_{1,0}$, OD $\Delta^{(5)}_{0,0}$, and $\alpha = 1$; however, this is beyond the security level of SNOW-Vi. Consequently, we have presented the best key recovery attack on the 4-round SNOW-Vi. It should be noted that our attack still has room for improvement, since we have tried only 40 ID-OD pairs with biases of $|\epsilon_d| < 1$ to properly perform our attack on the 4-round SNOW-Vi.

Discussion
The distinguishing attack on the reduced-round SNOW-Vi can be slightly stronger than that on the reduced-round SNOW-V. This is because we can construct a 5-round practical distinguisher for SNOW-Vi, whereas we can only construct a 4-round practical distinguisher for SNOW-V. Conversely, the key recovery attack on the reduced-round SNOW-Vi may be slightly weaker than that on the reduced-round SNOW-V, as described in this section. Here, we discuss the factors that induce the difference between the distinguishing and key recovery attacks on the reduced-round SNOW-V and SNOW-Vi.
The structural differences between SNOW-V and SNOW-Vi are the LFSR update function and the location of the tap $T_2$. First, we focus on the difference in the LFSR update function. According to [6, Section 3.2], the new LFSR in SNOW-Vi has a maximum cycle length of $2^{512} - 1$; thus, it has the same property as the LFSR in SNOW-V. Next, we focus on the difference in the location of the tap $T_2$, whose values are loaded into the register R1 in the FSM part. The tap $T_2$ in SNOW-V is the location where the 128-bit IV is loaded during the initialization phase, while the tap $T_2$ in SNOW-Vi is the location where half of the 256-bit key is loaded during the initialization phase. Given that our distinguishing attacks use the IV difference, the cipher should be more resistant to our distinguishing attacks if the IV difference is easily propagated to the FSM part immediately after the initialization phase; thus, this factor leads to strong resistance to our distinguishing attacks on SNOW-V, due to the location of the tap $T_2$. On the other hand, we use the key difference in our key recovery attack, since non-significant key bits are reset to a fixed value (e.g., all zero) during the probabilistic forwards computation phase (see Section 6.2). The cipher should be more resistant to our key recovery attack if the key difference is easily propagated to the FSM part immediately after the initialization phase; thus, this factor leads to strong resistance to our key recovery attack on SNOW-Vi, due to the location of the tap $T_2$.

Conclusion
In this study, we have analyzed the security of SNOW-V and SNOW-Vi with three attacks: the MILP-aided integral attack, the MILP-aided differential attack, and the bit-wise differential attack.These attacks allow us to construct practical distinguishers of up to four rounds for SNOW-V and five rounds for SNOW-Vi.Furthermore, the differential biases obtained by the bit-wise differential attack can be integrated into our improved key recovery attack based on probabilistic neutral bits, which is inspired by the existing study on Salsa and
load. $K$ and $IV$ are loaded into the internal states.
funcAES. This function consists of the SubBytes, ShiftRows, MixColumns and AddRoundKey operations of AES. As proposed in [1], we utilize Logic Friday [4] to automatically generate the linear inequalities for the AES S-box. There are a total of 8302 linear inequalities needed to describe the difference distribution

Algorithm 2. MILP model of differential characteristics for SNOW-V
1: procedure SNOWVcore(round $R$)
2: Prepare an empty MILP model $\mathcal{M}$
3: $\alpha^r_m[n]$ and $\beta^r_m[n]$ denote the variables of the modular addition inputs, $\gamma^r_m[n]$ denotes the variables of the modular addition output, and $\alpha^r_m[0], \beta^r_m[0], \gamma^r_m[0]$ are the most

Table 1. Summary of our results.

Table 5. 5-Round Integral Distinguisher of SNOW-Vi.
the 1-round state update, which are the only components where the difference transitions are probabilistic.

Table 7. The differential characteristic for 3 initialization rounds of SNOW-V.

Table 8. The differential characteristic for 4 initialization rounds of SNOW-V.

Table 9. Differential characteristic probability (DCP) for the reduced initialization rounds of SNOW-Vi.

Table 10. The differential characteristic for 4 initialization rounds of SNOW-Vi.
Property 1. The mul_x function is executed 16 times in the LFSR update algorithm, and its output varies with the value of the MSB.

Table 16. The best parameters for our attack in domain $V_0$ for the 4-round SNOW-V for each threshold $\gamma$, where $m$ is the size of the set of significant key bits.

Table 17. The best parameters for our attack in domain $V_7$ for the 4-round SNOW-V for each threshold $\gamma$, where $m$ is the size of the set of significant key bits.

Table 18. The best parameters for our attack on the 4- and 5-round SNOW-Vi for the threshold $\gamma = 1.00$, where $m$ is the size of the set of significant key bits.