Hello everyone, I'm Zhen Shi from PLA SSF Information Engineering University. Let me introduce our work on the two stream ciphers SNOW-V and SNOW-Vi. This is joint work with Chenhui Jin, Jiyan Zhang, Ting Cui, Lin Ding and Yu Jin.

I will present from the following five aspects: a brief description of SNOW-V and SNOW-Vi; the way we find linear approximations of SNOW-V; the automatic search tool we use; the class of binary linear approximations of SNOW-V; and the correlation attacks on full SNOW-V and SNOW-Vi.

SNOW-V is a new member of the SNOW family proposed in 2018, and it was announced to satisfy the 256-bit security level for 5G systems. In 2021, SNOW-Vi was proposed as an improved version of SNOW-V.

This is the framework of SNOW-V. Like most LFSR-based stream ciphers, it consists of an LFSR part and an FSM part. Each tap of the LFSR and each memory register is 128 bits wide, which makes it difficult to find distinguishers for correlation attacks. SNOW-Vi is the same as SNOW-V except that the tap T2 is moved to the left half of the LFSR.

The previous results are listed here. As we can see, there is no attack faster than exhaustive key search on SNOW-V or SNOW-Vi.

Now we introduce our way to construct the distinguisher for the correlation attack. Our motivation is to find a biased binary linear approximation of this form: a distinguisher that involves only the output words and the LFSR states. The method is to convert the linear approximation equation into the approximation of a composite function. Besides, there is a linear relationship among the four taps, which means we can use three of them to generate the remaining one.

For the approximation of a composite function, we can compute the correlation by the widely used Walsh spectrum theory. It is worth noting that the input variables x in this formula must be mutually independent and uniformly distributed. The core step is to compute the correlation of the distinguisher.
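As a concrete toy illustration of this Walsh-spectrum computation (using a made-up 4-bit S-box, not any actual SNOW-V component), the correlation of a linear approximation of a function can be evaluated as follows:

```python
# Toy illustration (hypothetical 4-bit S-box, not a SNOW-V component):
# the correlation of the linear approximation <a, x> XOR <b, f(x)> equals
# the normalized Walsh spectrum value of f at (a, b), provided the input
# x is uniformly distributed.

def dot(a, x):
    """Inner product over GF(2): parity of the bitwise AND."""
    return bin(a & x).count("1") & 1

def correlation(f, a, b, n):
    """cor(a, b) = 2^-n * sum over x of (-1)^(<a,x> XOR <b,f(x)>)."""
    s = sum((-1) ** (dot(a, x) ^ dot(b, f(x))) for x in range(1 << n))
    return s / (1 << n)

# A made-up 4-bit S-box, just for demonstration.
SBOX = [0x6, 0x4, 0xC, 0x5, 0x0, 0x7, 0x2, 0xE,
        0x1, 0xF, 0x3, 0xD, 0x8, 0xA, 0x9, 0xB]
cor = correlation(lambda x: SBOX[x], 0x1, 0x8, 4)
```

The uniformity assumption mentioned above is what makes this equality hold; the trivial approximation with a = b = 0 always has correlation 1.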
We expand it to get the equivalent linear approximation equation, and we observe that the black variables can be generated from the red ones, because there is a one-to-one mapping between the red variables and the memory registers R1, R2, R3 together with the three LFSR taps. So it is easy to obtain the function that generates the black variables from the red ones, and the correlation of the equation is exactly the Walsh spectrum of this function.

We construct six sub-functions and their composite function f. Thus we have Theorem 1: the correlation of this linear approximation of the function f is equal to that of the distinguisher. In this way, we equivalently convert the problem of finding distinguishers into searching for linear approximations of the function f, and we can evaluate the correlation of a linear approximation by measuring its linear trails directly.

If this equation holds, we get a linear approximation equation that contains only the output words, namely a distinguisher for a distinguishing attack. When the equation does not hold, we get a distinguisher for a correlation attack.

The linear approximation process is shown here, and we can search for linear trails on it. The correlation of a linear trail can be calculated by this formula, and the accurate correlation of an approximation is obtained by summing up the correlations of all the trails containing it. For SNOW-V, we can get the accurate correlation by exhausting the intermediate masks a, b, c, d and q.

We built a SAT-based automatic search model and used the STP solver to search for linear trails with high correlations. There are two nonlinear operations in the approximation process: modular addition and the S-box. For modular addition, characterizations based on both SAT and MILP have been given, and we can characterize it in this way: z is the dummy variable, and t is the parameter used to keep the modular addition at the same precision as the S-boxes. Here is the characterization of the S-box of AES.
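Before encoding modular addition in the SAT model, it helps to see what is being modeled. The following brute-force check (8-bit words, purely illustrative, not part of the actual search tool) computes the linear correlation of modular addition for a given mask triple:

```python
# Brute-force check (8-bit words, purely illustrative) of the linear
# correlation of modular addition z = (x + y) mod 2^n for input masks
# (u, v) and output mask w, the quantity that SAT and MILP models of
# modular addition characterize.
N = 8
MASK = (1 << N) - 1

def parity(x):
    return bin(x).count("1") & 1

def add_correlation(u, v, w):
    s = 0
    for x in range(1 << N):
        for y in range(1 << N):
            z = (x + y) & MASK
            s += (-1) ** (parity(u & x) ^ parity(v & y) ^ parity(w & z))
    return s / (1 << (2 * N))
```

For example, the masks u = v = w = 1 pick out the least significant bit, where addition is plain XOR, so the correlation is exactly 1; masks on bit 1 see the first carry and give correlation 1/2.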
We first adopt the idea of Abdelkhalek et al. to split the linear correlation table into eight Boolean functions. Then we obtain the product-of-sums representation of each Boolean function and convert it into a series of shorter constraints, which is fully handled by the software Logic Friday. Finally, we add the bijectivity constraint. We can see that f_k equals 1 if and only if the corresponding absolute correlation equals 4k/256. As the STP solver does not support the floating-point data type, we also use the parameter t to adjust the precision.

The absolute correlation of a trail can be evaluated by summing up the degrees of the modular additions and S-boxes. After the STP solver returns a linear trail, we verify it, recompute its correlation, and obtain its sign. We can keep searching for other solutions by adding constraints that exclude the solutions already found, and in this way we approach the accurate correlation step by step.

The best trail we have found is this one. We also focus on another trail with a smaller absolute correlation. In fact, the trails we have found share part of their masks, and we can get the accurate correlation of this type of approximation by exhausting the intermediate masks. By the property of modular addition, we can reduce the exhaustion of c to 255 values, and likewise for a, b and q. For d, we prove that 0 is the unique solution. Thus we only need to exhaust 4 bytes to obtain all the trails with non-zero correlations and reach the accurate correlation for fixed alpha, beta, gamma, l, m, n and h. We can also traverse 2 bytes of alpha and beta to find absolute correlations as large as possible.

Based on the two trails we searched out, we calculated their correlations; the second one is the best result we obtained.

The last part is to launch a correlation attack on SNOW-V using the distinguisher. Assume u and u-hat are the initial state and the guessed initial state respectively. The distinguisher will show the correlation only if u-hat equals u.
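The divisibility fact behind this indexing, namely that every absolute correlation of the AES S-box is a multiple of 4/256, can be checked with a short script. Here the S-box is rebuilt from the GF(2^8) inverse and the affine map rather than hard-coded, so the block is self-contained:

```python
# Check that every Walsh coefficient of the AES S-box is a multiple of 4,
# so each absolute correlation can be written as 4k/256 for an integer k.

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        hi = a & 0x80
        a = (a << 1) & 0xFF
        if hi:
            a ^= 0x1B
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 in GF(2^8); maps 0 to 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def aes_sbox(x):
    """Field inverse followed by the AES affine transform (constant 0x63)."""
    y = gf_inv(x)
    res, c = 0, 0x63
    for i in range(8):
        bit = ((y >> i) ^ (y >> ((i + 4) % 8)) ^ (y >> ((i + 5) % 8))
               ^ (y >> ((i + 6) % 8)) ^ (y >> ((i + 7) % 8)) ^ (c >> i)) & 1
        res |= bit << i
    return res

SBOX = [aes_sbox(x) for x in range(256)]

def parity(x):
    return bin(x).count("1") & 1

def walsh(a, b):
    """Unnormalized Walsh coefficient of the S-box at masks (a, b)."""
    return sum((-1) ** (parity(a & x) ^ parity(b & SBOX[x]))
               for x in range(256))
```

Dividing `walsh(a, b)` by 256 gives the signed correlation, so the index k in f_k is simply `abs(walsh(a, b)) // 4`.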
Otherwise, the distinguisher phi_t will be uniformly distributed. We cannot guess all the initial state bits at once, so in the preprocessing stage we find some effective collisions such that part of the masks on the initial state become zero. Through the collisions, we get parity-check equations of this form, which contain only part of the initial state bits. The number of check equations can be calculated from the collision probability.

In the processing stage, we set up the statistic t: we evaluate each parity-check equation by plugging in the output words and the guessed initial state, and we predict the u-hat that maximizes t as the correct one. The remaining bits can be recovered by repeating the same process. Thus we launch a correlation attack on SNOW-V. To the best of our knowledge, this is the first attack on full SNOW-V with time complexity less than exhaustive key search.

For SNOW-Vi, we can construct the sub-functions and the composite function in the same way. As the four LFSR taps are mutually independent in SNOW-Vi, we take all of them as input variables, which differs from the composite function of SNOW-V. Using the same method, we obtain its linear approximation process and the correlations of its linear trails.

Compared with the trails of SNOW-V, we observe that the linear approximation trails of SNOW-Vi correspond one-to-one to the trails of SNOW-V with d equal to zero. This observation indicates that the set of all linear trails of SNOW-Vi is a subset of that of SNOW-V, so the results on SNOW-V also apply to SNOW-Vi, and the correlation attack on SNOW-V is effective against SNOW-Vi as well. This is also the first attack better than exhaustive key search on full SNOW-Vi.

To summarize, we propose a carefully designed method to equivalently convert the linear approximation of the LFSR and FSM parts of SNOW-V into that of a composite function.
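The decision rule in the processing stage can be sketched with a toy simulation. Everything here is hypothetical (a 4-bit state, 2000 checks, correlation 0.2, chosen only to keep the example fast); the real attack uses the SNOW-V distinguisher and its actual correlation:

```python
# Toy simulation of the processing stage: count how many parity-check
# equations each guessed state satisfies and output the guess that
# maximizes the empirical correlation statistic t. All sizes and the
# correlation value are hypothetical.
import random

random.seed(1)
NUM_CHECKS = 2000
TRUE_U = 0b1011          # toy 4-bit "initial state"
COR = 0.2                # toy correlation of the distinguisher

def parity(x):
    return bin(x).count("1") & 1

# Each parity check has a random nonzero mask on u; its right-hand side
# agrees with <mask, TRUE_U> with probability (1 + COR) / 2.
checks = []
for _ in range(NUM_CHECKS):
    mask = random.randrange(1, 16)
    noise = 1 if random.random() > (1 + COR) / 2 else 0
    checks.append((mask, parity(mask & TRUE_U) ^ noise))

def statistic(u_hat):
    """Empirical correlation: (#satisfied - #violated) / #checks."""
    agree = sum(parity(m & u_hat) == r for m, r in checks)
    return (2 * agree - NUM_CHECKS) / NUM_CHECKS

best = max(range(16), key=statistic)
```

With these toy parameters the correct guess stands out clearly: its statistic concentrates near COR, while every wrong guess concentrates near zero, which is exactly the gap the attack exploits.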
Based on this method, we present a full-coverage automatic search for SNOW-V and find a valid binary distinguisher. Using this approximation, we mount the first correlation attack on full SNOW-V with time complexity less than exhaustive key search, and we prove that the correlation attack is effective against SNOW-Vi as well. That's all. Thanks for your attention.