Login | Register

On the sliding property of SNOW 3G and SNOW 2.0


On the sliding property of SNOW 3G and SNOW 2.0

Kircanski, A. and Youssef, Amr M. (2011) On the sliding property of SNOW 3G and SNOW 2.0. IET Information Security, 5 (4). p. 199. ISSN 17518709

Text (application/pdf)
amr2011b.pdf - Accepted Version

Official URL: http://dx.doi.org/10.1049/iet-ifs.2011.0033


SNOW 3G is a stream cipher chosen by the 3rd Generation Partnership Project (3GPP) as a crypto-primitive to substitute KASUMI in case its security is compromised. SNOW 2.0 is one of the stream ciphers chosen for the ISO/IEC standard IS 18033-4. In this study, the authors show that the initialisation procedure of the two ciphers admits a sliding property, resulting in several sets of related-key pairs. In case of SNOW 3G, a set of 232 related-key pairs is presented, whereas in the case of SNOW 2.0, several such sets are found, out of which the largest are of size 264 and 2192 for the 128-bit and 256-bit variant of the cipher, respectively. In addition to allowing related-key recovery attacks against SNOW 2.0 with 256-bit keys, the presented properties reveal non-random behaviour that yields related-key distinguishers and also questions the validity of the security proofs of protocols that are based on the assumption that SNOW 3G and SNOW 2.0 behave like perfect random functions of the key-IV.

Divisions:Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type:Article
Authors:Kircanski, A. and Youssef, Amr M.
Journal or Publication:IET Information Security
Digital Object Identifier (DOI):10.1049/iet-ifs.2011.0033
Keywords:3G mobile communication , cryptography , mobile computing
ID Code:976804
Deposited On:28 Jan 2013 13:41
Last Modified:18 Jan 2018 17:43


[1] 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects, 3G security, V3.1.1: ‘Specification of the 3GPP Confidentiality and Integrity Algorithms: Document 2: KASUMI Specification’, 2001

[2] Biham, E., Dunkelman, O., and Keller, N.: ‘A Related-Key Rectangle Attack on the Full KASUMI’. Proc. ASIACRYPT, Chennai, India, 2005, LNCS-3788, Springer, pp. 443-461

[3] Dunkelman, O., Keller, N., and Shamir, A.: ‘A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony’. Proc. CRYPTO 2010, Santa Barbara, California, 2010, LNCS-6223, pp. 393-410

[4] ETSI/SAGE: ‘Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2&UIA2. Document 2: SNOW 3G Specification, version 1.1’ (September 2006) http://www.3gpp.org/ftp

[5] Ekdahl, P., and Johansson, T.: ‘A New Version of the Stream Cipher SNOW’. Proc. SAC, St. Johns, Canada, 2002, LNCS-2595, Springer-Verlag, pp. 47-61

[6] Berbain, C., Billet, O., Canteaut, A., Courtois, N., Debraize, B., Gilbert, H., Goubin, L., Gouget, A., Granboulan, L., Lauradoux, C., Minier, M., Pornin, T. and Siber H.: ‘Decimv2, The eSTREAM Finalists’. (2008), LNCS-4986, Springer, pp. 140-151

[7] Watanabe, D., Furuya, S., Takaragi, K. and Preneel, B: ‘A New Keystream Generator MUGI’, Proc. FSE 2002, LNCS-2259, Springer-Verlag, pp. 179-194

[8] Boesgaard, M., Vesterager, M., Pedersen, T., Christiansen, J. and Scavenius, O.: ‘Rabbit: A High-Performance Stream Cipher’, Proc. FSE 2003, LNCS-2887, Springer, pp. 307-329

[9] ETSI/SAGE: ‘Specification of the 3GPP Confidentiality and Integrity Algorithms UEA2&UIA2. Document 5: Design and Evaluation Report, version 1.1’ (September 2006), http://www.3gpp.org/ftp

[10] Biryukov, A., Priemuth-Schmid D. and Zhang B.: ‘Multiset Collision Attacks on Reduced-Round SNOW 3G and SNOW 3G©’, ACNS 2010, LNCS, Vol. 6123, pp. 139-153, Springer-Verlag, 2010

[11] Iwata, T., and Kohno, T.: ‘New Security Proofs for the 3GPP Confidentiality and Integrity Algorithms’, Proc. FSE, New Delhi, India, 2004, LNCS-3017, Springer-Verlag, pp. 427-445

[12] De Cannie`re C., O¨ zgu¨l Ku¨c¸u¨k and Preneel B.: ‘Analysis of Grain’s Initialization Algorithm’, Proc. AFRICACRYPT, Casablanca, Marocco, 2008, LNCS-4047, Springer-Verlag, pp. 276-289

[13] Priemuth-Schmid, D., and Biryukov, A.: ‘Slid Pairs in Salsa20 and Trivium’, Proc. INDOCRYPT, Khargpur, India, 2008, Springer-Verlag, LNCS-5365, pp. 1-14

[14] Wu, H. and Preneel, B.: ‘Resynchronization Attacks on WG and LEX’, Proc. FSE, Graz, Austria, 2006, LNCS-4047, Springer, pp.422-432

[15] Daemen, J., and Rijmen, V.: ‘The Design of Rijndael: AES - The Advanced Encryption Standard (Information Security and Cryptography’, (Springer, 2002, 1st edition)

[16] Knudsen, L., and Rijmen, V.: ‘Known-Key Distinguishers for Some Block Ciphers’, Proc. ASIACRYPT, Kuching, Sarawak, Malasia,2007, LNCS-4833, pp. 315-324

[17] Biryukov, A., Khovratovich, D., and Nikolic, I.: ‘Distinguisher and related-key attack on the full AES-256’, Proc. CRYPTO, Santa Barbara, California, 2009, LNCS-5677, pp. 231-249

[18] ETSI/SAGE: ‘Document 2: Specification of the 3GPP Confidentiality and Integrity Algorthithms 128-EEA3 & 128-EUA3: ZUC specification’, Version 1.4, 2010. Available at: http://gsmworld.com/our-work/programmes-and-initiatives/fraud-and-security/gsm_security_algorithms.htm

[19] Wu, H., Nguyen, P., Wang, H., Ling, S.: Cryptanalysis of Stream Cipher ZUC in the 3GPP Confidentiality & Integrity Algorithms 128-EEA3 & 128-EIA3’, Asiacrypt 2010 Rump Session talk. Available at: http://www.spms.ntu.edu.sg/Asiacrypt2010/Common/rumpsession.html
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.

Repository Staff Only: item control page

Downloads per month over past year

Back to top Back to top