{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,5]],"date-time":"2026-05-05T07:00:05Z","timestamp":1777964405027,"version":"3.51.4"},"reference-count":15,"publisher":"Oxford University Press (OUP)","issue":"12","license":[{"start":{"date-parts":[[2020,3,6]],"date-time":"2020-03-06T00:00:00Z","timestamp":1583452800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/journals\/pages\/open_access\/funder_policies\/chorus\/standard_publication_model"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61902030"],"award-info":[{"award-number":["61902030"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61772517"],"award-info":[{"award-number":["61772517"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100004739","name":"Youth Innovation Promotion Association CAS","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004739","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2020,12,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>The 5G mobile communication system is coming with a main objective, known also as IMT-2020, that intends to increase the current data rates up to several gigabits per second. To meet an accompanying demand of the super high-speed encryption, EIA and EEA algorithms face some challenges. The 3GPP standardization organization expects to increase the security level to 256-bit key length, and the international cryptographic field responds actively in cipher designs and standard applications. SNOW-V is such a proposal offered by the SNOW family design team, with a revision of the SNOW 3G architecture in terms of linear feedback shift register (LFSR) and finite state machine (FSM), where the LFSR part is new and operates eight times the speed of the FSM, consisting of two shift registers and each feeding into the other, and the FSM increases to three 128-bit registers and employs two instances of full AES encryption round function for update. It takes a 128-bit IV, employs 896-bit internal state and produces 128-bit keystream blocks. The result is competitive in pure software environment, making use of both AES-NI and AVX acceleration instructions. Thus, the security evaluation of SNOW-V is essential and urgent, since there is scarcely any definite security bound for it. In this paper, we propose a byte-based guess-and-determine attack on SNOW-V with complexity $2^{406}$ using only seven keystream blocks. We first improve the heuristic guessing-path auto-searching algorithm based on dynamic programming by adding initial guessing set, which is iteratively modified by sieving out the unnecessary guessing variables, in order to correct the guessing path according to the cipher structure and finally launch smaller guessing basis. For the specific design, we split all the computing units into bytes and rewrite all the internal operations correspondingly. We establish a backward-clock linear equation system according to the circular construction of the LFSR part. Then we further simplify the equations to adapt to the input requirements of the heuristic guessing-path auto-searching algorithm. Finally, the derived guessing path needs modification for the pre-simplification and post-reduction. This is the first complete guess-and-determine attack on SNOW-V as well as the first specific security evaluation to the full cipher.<\/jats:p>","DOI":"10.1093\/comjnl\/bxaa003","type":"journal-article","created":{"date-parts":[[2020,1,6]],"date-time":"2020-01-06T12:06:57Z","timestamp":1578312417000},"page":"1789-1812","source":"Crossref","is-referenced-by-count":23,"title":["A Guess-And-Determine Attack On SNOW-V Stream Cipher"],"prefix":"10.1093","volume":"63","author":[{"given":"Lin","family":"Jiao","sequence":"first","affiliation":[{"name":"State Key Laboratory of Cryptology, PO Box 5159, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yongqiang","family":"Li","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences,100093, Beijing, China"},{"name":"School of Cyber Security, University of Chinese Academy of Sciences, 100049, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yonglin","family":"Hao","sequence":"additional","affiliation":[{"name":"State Key Laboratory of Cryptology, PO Box 5159, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2020,3,6]]},"reference":[{"key":"2020121207433419300_ref1","article-title":"Specification of the 3GPP confidentiality and integrity algorithms UEA2 & UIA2. Document 2: SNOW 3G specification","author":"SAGE","year":"2006"},{"key":"2020121207433419300_ref2","volume-title":"The Design of Rijndael: AES\u2014The Advanced Encryption Standard","author":"Daemen","year":"2013"},{"key":"2020121207433419300_ref3","article-title":"Specification of the 3GPP confidentiality and integrity algorithms 128-EEA3 & 128-EIA3. Document 2: ZUC specification","author":"SAGE","year":"2011"},{"key":"2020121207433419300_ref4","article-title":"The ZUC-256 stream cipher","year":"2018"},{"key":"2020121207433419300_ref5","first-page":"1143","article-title":"A new SNOW stream cipher called SNOW-V","volume":"2018","author":"Ekdahl","year":"2018","journal-title":"IACR Trans. Symmetric Cryptol."},{"key":"2020121207433419300_ref6","article-title":"Snow\u2014A New Stream Cipher","volume-title":"Proc. First Open NESSIE Workshop","author":"Ekdahl","year":"2001"},{"key":"2020121207433419300_ref7","doi-asserted-by":"crossref","first-page":"515","DOI":"10.1007\/3-540-45708-9_33","article-title":"Cryptanalysis of Stream Ciphers with Linear Masking","volume-title":"Advances in Cryptology\u2014CRYPTO 2002, 22nd Annual Int. Cryptology Conf.","author":"Coppersmith","year":"2002"},{"key":"2020121207433419300_ref8","first-page":"37","article-title":"Guess-And-Determine Attacks on SNOW","volume-title":"Selected Areas in Cryptography, 9th Annual Int. Workshop, SAC 2002","author":"Hawkes","year":"2002"},{"key":"2020121207433419300_ref9","first-page":"47","article-title":"A New Version of the Stream Cipher SNOW","volume-title":"Selected Areas in Cryptography, 9th Annual Int. Workshop, SAC 2002","author":"Ekdahl","year":"2002"},{"key":"2020121207433419300_ref10","first-page":"144","article-title":"Improved Linear Distinguishers for SNOW 2.0","volume-title":"Fast Software Encryption, 13th Int. Workshop, FSE 2006","author":"Nyberg","year":"2006"},{"key":"2020121207433419300_ref11","doi-asserted-by":"crossref","first-page":"643","DOI":"10.1007\/978-3-662-47989-6_31","article-title":"Fast Correlation Attacks over Extension Fields, Large-Unit Linear Approximation and Cryptanalysis of Snow 2.0","volume-title":"Advances in Cryptology\u2014CRYPTO 2015","author":"Zhang","year":"2015"},{"key":"2020121207433419300_ref12","doi-asserted-by":"crossref","first-page":"239","DOI":"10.1007\/3-540-69053-0_17","article-title":"Cryptanalysis of Alleged A5 Stream Cipher","volume-title":"Advances in Cryptology\u2014EUROCRYPT \u201997, Int. Conf. Theory and Application of Cryptographic Techniques","author":"Golic","year":"1997"},{"key":"2020121207433419300_ref13","doi-asserted-by":"crossref","first-page":"146","DOI":"10.1007\/978-3-642-17373-8_9","article-title":"A Byte-Based Guess and Determine Attack on SOSEMANUK","volume-title":"Advances in Cryptology\u2014ASIACRYPT 2010\u201416th Int. Conf. Theory and Application of Cryptology and Information Security","author":"Feng","year":"2010"},{"key":"2020121207433419300_ref14","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1049\/iet-ifs.2008.0013","article-title":"Heuristic guess-and-determine attacks on stream ciphers","volume":"3","author":"Ahmadi","year":"2009","journal-title":"IET Inf. Secur."},{"key":"2020121207433419300_ref15","first-page":"1324","article-title":"Guess and determine attack on SNOW3G and ZUC","volume":"6","author":"Guan","year":"2013","journal-title":"J. Softw."}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/comjnl\/article-pdf\/63\/12\/1789\/34867812\/bxaa003.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/comjnl\/article-pdf\/63\/12\/1789\/34867812\/bxaa003.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,12,12]],"date-time":"2020-12-12T12:43:49Z","timestamp":1607777029000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/63\/12\/1789\/5739948"}},"subtitle":[],"editor":[{"given":"Chris","family":"Mitchell","sequence":"additional","affiliation":[],"role":[{"role":"editor","vocabulary":"crossref"}]}],"short-title":[],"issued":{"date-parts":[[2020,3,6]]},"references-count":15,"journal-issue":{"issue":"12","published-online":{"date-parts":[[2020,3,6]]},"published-print":{"date-parts":[[2020,12,17]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxaa003","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"value":"0010-4620","type":"print"},{"value":"1460-2067","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2020,12]]},"published":{"date-parts":[[2020,3,6]]}}}