Hello everyone, my name is Jing Yang. In this video, I will present our work on improved guess-and-determine and distinguishing attacks on SNOW-V. This work was finished when I was a PhD student at Lund University, and it was a joint work with Thomas Johansson from Lund University and Alexander Maximov from Ericsson Research. My presentation will follow this outline. I will first give a short introduction to the confidentiality and integrity protection in 5G and the stream cipher SNOW-V that we designed for it. Then I will present our two guess-and-determine attacks against SNOW-V and our linear cryptanalysis results on it, and finally I will give a short conclusion.

So let's start with the introduction. The confidentiality and integrity protection in cellular networks protects the data transmission between users and base stations by encrypting the data and adding authentication tags. This is like adding a secret tunnel over the wireless channel, as shown in the figure. Each user and base station share a secret key, and if they have some data to transmit, they use this secret key as one input to a 3GPP-standardized algorithm to encrypt and authenticate the data. In 4G there are three such ciphers: SNOW 3G, ZUC and AES. They all provide a 128-bit security level and are usually implemented in hardware, because that gives high speed. They work very well in 4G, but how about 5G? When we come to 5G, there are some new requirements on the confidentiality and integrity algorithms. The first requirement is about speed: they should be able to provide a speed of not less than 20 gigabits per second in software. The reason we consider software is that the confidentiality and integrity protection in 5G is being moved to the cloud and implemented in software. Besides, the 5G downlink peak data rate is 20 gigabits per second. The second requirement is about security.
They should provide a 256-bit security level to resist quantum computers. The 4G algorithms SNOW 3G and ZUC might not be the best candidates for 5G. The first reason is that there exist academic attacks against them that are faster than exhaustive key search. The second reason is that their speeds in software are mostly below 10 gigabits per second, while 5G requires 20 gigabits per second. Based on this motivation, in 2019 we designed a successor cipher of SNOW 3G called SNOW-V, intended for 5G use.

The picture shows the structure of SNOW-V, and we can see that it follows the design rationale of SNOW 3G, with a linear part and a nonlinear part. The linear part consists of two LFSRs, which we call LFSR-A and LFSR-B. They are both defined over the finite field of size 2^16. Each LFSR has 16 stages, which gives the LFSRs 512 bits in total. We can regard the LFSR state as four 128-bit registers: for example, the lower part of LFSR-A is regarded as A0, while the higher part of LFSR-A is denoted A1. The two LFSRs feed into each other: A0 is fed into B15, and B0 is fed into A15. We have carefully chosen the feedback polynomials such that this construction provides the maximum period, and we also considered the implementation efficiency and the cryptographic properties. Each time the LFSR part is updated, it is clocked 8 times, and after that two 128-bit taps, T1 and T2, are sent to the FSM.

The FSM takes T1 and T2 as inputs and outputs a keystream word, which is also 128 bits. It has three registers R1, R2 and R3, all 128 bits. We use two AES encryption rounds as large S-boxes to update the registers: R2 is updated from R1 through one AES encryption round, and R3 is updated from R2 through another AES encryption round, while R1 is updated from R2, R3 and T2 through XOR, modular addition and the byte permutation sigma.
Here is the expression of sigma. For example, the fourth byte is moved to the first position, while the first byte is moved to the fourth position, and so on.

When we use SNOW-V to encrypt data, we first need to perform the initialization phase. During this phase, the cipher loads the key and IV into the LFSRs, then runs the cipher for 16 rounds without giving any output. After that, the cipher starts to produce keystream words. In each iteration, it first outputs a 128-bit keystream word, then updates the FSM part, and then updates the LFSR part. After that, it enters the next iteration, until all the data is encrypted. We also proposed an AEAD mode to provide authentication of the data as well.

Since SNOW-V was published, several cryptanalysis results have appeared, including guess-and-determine attacks, linear cryptanalysis, integral attacks, differential attacks and so on. In our paper, we propose two guess-and-determine attacks with complexities 2^384 and 2^378, which are lower than the existing results. We also propose a distinguishing attack, but against a simplified version of SNOW-V, with complexity 2^303. One advantage of our distinguishing attack is that it does not need long keystreams, but only many short keystreams.

Next, I will present more details of the two guess-and-determine attacks. The basic idea of a guess-and-determine attack is to guess some variables and determine the others based on some publicly known relations. In an external evaluation report of SNOW-V, the authors proposed a guess-and-determine attack. They regard the internal state of SNOW-V as seven 128-bit variables. They first guess three variables R1, R2 and R3, and based on the guessed values they can determine the values of B0, B1 and A0; in the end they need to guess the final variable A1. The guess-and-determine process can be illustrated as a tree, in which each branch is a guess-and-determine path.
Since the guessing basis involves four variables, the complexity is 2^512. In our paper, we have one observation: if a variable appears twice in an equation with some nonlinear operations in between, then this variable may have zero solutions. For such a guess-and-determine path, we should just prune it instead of going to the end.

In our first guess-and-determine attack, in the first step we need to guess R1, R2 and R3 with complexity 2^384. This step is similar to the existing guess-and-determine attack. Then we can determine the values of B0 and B1, while A0 and A1 remain unknown. The second step is to determine the value of A0. We found a conflicting equation for A0, which is shown in the box. We can see that A0 appears twice in the equation, and there are some nonlinear operations in between, like modular additions. So the question becomes how to efficiently get the solutions of A0; we do not want to loop over all values, because that requires high complexity. In our paper, we propose a ten-step algorithm to get the solutions of A0. The basic idea is to divide A0 into bytes, categorize them into ten groups of equations, and get the solutions recursively while taking the carries into account. The figure shows how we compute the solutions of each group. We compute the solutions from right to left: when we get the solutions of the equations on the right, we automatically get the values of the carries, and these carry values are then used to solve the equations on the left. For each group of equations, we can use lookup tables to get the solutions quickly, and the maximum size of a table is 2 to the power of 68 to 256 times 20. We experimentally computed the probability that A0 has solutions, which is 2^(-3.91), and the average number of valid guess-and-determine paths is 1.
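The following is an added worked example, not code from the paper or the talk. It shows, on a constructed toy equation rather than the SNOW-V equation for A0, the two points the talk makes about a variable that appears twice with modular additions in between: the equation can be solved byte by byte from the right while carries are passed to the left, and although the average number of solutions per instance is 1, a large fraction of instances have no solution at all, which is what lets a guess-and-determine path be pruned. The function names and the sample constants are my own choices.

```python
# Added example (not from the paper): solve ((x + c1) ^ (x + c2)) mod 2^(8n) == d
# byte by byte with carry tracking, and measure how often no solution exists.
# The equation form and the constants are constructed for illustration only.
MASK8 = 0xFF


def solve_bytewise(c1, c2, d, nbytes):
    """All x with ((x + c1) ^ (x + c2)) mod 2^(8*nbytes) == d.

    Byte i of each sum depends only on byte i of x, byte i of the constant and
    the carry coming out of byte i-1, so we solve from the right (byte 0) to the
    left and pass the two carries along.  A branch whose current byte has no
    candidate dies immediately; that early death is the pruning.  The 256-way
    loop per byte is what a precomputed lookup table would replace.
    """
    sols = []

    def step(i, x, carry1, carry2):
        if i == nbytes:
            sols.append(x)
            return
        shift = 8 * i
        cb1 = (c1 >> shift) & MASK8
        cb2 = (c2 >> shift) & MASK8
        db = (d >> shift) & MASK8
        for xb in range(256):
            s1 = xb + cb1 + carry1
            s2 = xb + cb2 + carry2
            if ((s1 ^ s2) & MASK8) == db:
                step(i + 1, x | (xb << shift), s1 >> 8, s2 >> 8)

    step(0, 0, 0, 0)
    return sols


def solve_bruteforce(c1, c2, d, nbytes):
    """Reference solver: try every x (only feasible for small widths)."""
    mod = 1 << (8 * nbytes)
    return [x for x in range(mod) if ((x + c1) ^ (x + c2)) % mod == d]


def solution_stats(c1, c2, nbytes):
    """For fixed constants, over all right-hand sides d: (P[no solution], mean #solutions).

    Every x produces exactly one d, so the mean over d is exactly 1 even though
    many d have no solution at all.  A guess whose d has no solution is pruned.
    """
    mod = 1 << (8 * nbytes)
    counts = [0] * mod
    for x in range(mod):
        counts[((x + c1) ^ (x + c2)) % mod] += 1
    zero = sum(1 for c in counts if c == 0)
    return zero / mod, sum(counts) / mod


if __name__ == "__main__":
    c1, c2, x0 = 0x1234, 0xABCD, 0x5678          # constructed sample instance
    d = ((x0 + c1) ^ (x0 + c2)) & 0xFFFF
    print(sorted(solve_bytewise(c1, c2, d, 2)) == sorted(solve_bruteforce(c1, c2, d, 2)))
    print(solution_stats(c1, c2, 2))
```

For the toy constants above, bit 0 of the left-hand side is forced to c1_0 ^ c2_0, so every d with the wrong low bit has zero solutions; the byte-wise search notices this at byte 0 and never descends further, which is the behaviour the pruning strategy relies on.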
So until now, we have on average 2^384 solutions, and A1 still remains unknown. Our last step is to determine the value of A1. Luckily, we can find another conflicting equation for A1, as shown in the box, and we can see it has quite a similar form to the equation for A0, so we can use the same method to derive the solutions of A1. The results are the same: there is on average one valid guess-and-determine path. To summarize our first guess-and-determine attack: we guess the values of R1, R2 and R3, determine the values of B0 and B1, and solve for A0 and A1 using the ten-step algorithm with little complexity. So the total complexity is 2^384.

We were wondering whether we could exploit more keystream symbols to further reduce the complexity, and in our second guess-and-determine attack we also use the keystream word Z at clock t-2. We found another conflicting equation for another intermediate variable, B0 at clock t-1. We computed the probability of finding solutions for B0 at clock t-1, which is 2^(-5.84). Only when B0 at clock t-1 has solutions do we proceed with guessing the three variables R1, R2 and R3. So the complexity is computed as P times 2^384, which is 2^378. But this attack needs a table of size 2^128.

To summarize our guess-and-determine attacks: we found three conflicting equations, for A0, A1 and another intermediate variable. If we find that there are no solutions for these variables, we do not need to go deeper, but just backtrack and try other values. For example, on this guess-and-determine path we find that A0 does not have any solutions, so we do not need to go on to A1; we just backtrack and go to another guess-and-determine path. By doing this, we reduce the complexity from 2^512 to 2^378.

Next, I will show our linear cryptanalysis of SNOW-V.
Actually, we consider a simplified version of SNOW-V in which the 32-bit modular additions are replaced with XOR operations. Then the only nonlinear operation in this version is the S-box. We consider three consecutive keystream words, whose expressions are shown here. B0, B1 and A0 are the contributions from the LFSR, and we want to cancel them out. To cancel B0 and B1, we only need to apply two linear masks to z_{t-1} and z_t; specifically, we apply the masks L_beta and H_beta. When we add the three keystream words, the L_beta B0 and H_beta B1 terms are cancelled. Then we need to cancel A0. Remember the expression of sigma shown here. We can introduce ten bytes based on sigma. For example, the byte e_1 is computed as w_1 XOR w_4. This is because the fourth byte is moved to position 1, while the first byte is moved to position 4, so if we add these two bytes, sigma(A0) XOR A0 at these two positions is cancelled out. Through these ten bytes, the LFSR contribution is cancelled. Now each byte e_i only contains bytes from R1, R2, R3 and their S-boxes or inverse S-boxes, and it becomes possible to exploit all bytes locally. That means we only need very short keystreams.

We can introduce a noise N, which is a linear combination of the ten bytes, and the C_i are the linear masking matrices that we want to explore. We can expand the expression of N, where A and B are the coefficient matrices. Each row of the two vectors denotes one S-box approximation; for example, the first row, R1 at byte 0 and S(R1) at byte 0, denotes one S-box approximation, and the coefficients of the S-box approximation are determined by A, B and also C. In this case, there are in total up to 48 S-boxes. If the same column of CA and CB is zero, the corresponding S-box approximation is cancelled. So now our goal is to choose a linear masking matrix C to cancel as many S-boxes as possible.
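As an added example, not code from the paper or the talk, here is the byte permutation sigma of SNOW-V and the ten local bytes described above, written out so the cancellation can be checked on constructed values. In the XOR-only model, a linear combination of keystream words that contains sigma(a) XOR a for an LFSR word a also contains the FSM contribution, which I model here as an arbitrary 16-byte noise n; the function names, the noise n and the seeds are my own choices.

```python
# Added example (not from the paper): the SNOW-V byte permutation sigma and the
# ten bytes of w = sigma(a) ^ a ^ n that do not depend on the LFSR word a.
# The sample words a and n are constructed; the XOR-only model is the
# simplified SNOW-V discussed in the talk.
import random

# SIGMA[i] is the index of the input byte that lands at output position i.
# It is the transpose of the 4x4 byte matrix, hence an involution.
SIGMA = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]


def sigma(block):
    """Apply the SNOW-V byte permutation to a 16-byte block."""
    assert len(block) == 16
    return bytes(block[SIGMA[i]] for i in range(16))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def sigma_pairs():
    """Fixed points of sigma and the six (i, sigma(i)) pairs that swap, with i < sigma(i)."""
    fixed = [i for i in range(16) if SIGMA[i] == i]
    pairs = [(i, SIGMA[i]) for i in range(16) if SIGMA[i] > i]
    return fixed, pairs


def local_bytes(w):
    """The ten bytes e_j of w = sigma(a) ^ a ^ n that do not depend on a.

    At a fixed point i:            w_i = a_i ^ a_i ^ n_i = n_i.
    For a swapped pair (i, j):     w_i ^ w_j = (a_j ^ a_i ^ n_i) ^ (a_i ^ a_j ^ n_j) = n_i ^ n_j.
    Four fixed points plus six pairs give the ten bytes used in the talk.
    """
    fixed, pairs = sigma_pairs()
    return bytes([w[i] for i in fixed] + [w[i] ^ w[j] for i, j in pairs])


def demo(seed=1):
    """Check on random constructed words that a drops out of the ten bytes."""
    rng = random.Random(seed)
    a = bytes(rng.randrange(256) for _ in range(16))   # constructed LFSR word (plays A0)
    n = bytes(rng.randrange(256) for _ in range(16))   # constructed FSM-only contribution
    w = xor(xor(sigma(a), a), n)
    return local_bytes(w) == local_bytes(n), len(local_bytes(w))


if __name__ == "__main__":
    print(demo())   # (True, 10)
```

Because the ten bytes depend only on n, any bias in them is a bias in the FSM registers alone, which is why the distinguisher needs many short keystreams rather than one long one.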
Note that if k S-box approximations are to be cancelled, then CA and CB at those k columns should be zero. So we can choose k columns of CA and CB, construct a matrix K, and look for a nonzero matrix C such that C times K equals zero; that means those S-boxes are cancelled. What we need to do is perform Gaussian elimination on K and at the same time perform the same row operations on the identity matrix I. If the last W rows of K become zero, the last W rows of I become the desired masks, and the value of W is determined at the same time. In our attack, we can cancel nine S-boxes and W equals 16. We computed the bias to be 2^(-303), and then we have a distinguishing attack of complexity 2^303.

As I mentioned, our distinguishing attack does not need any long keystreams. This is because each LFSR contribution, A0, B0 and B1, appears twice in the expression of the three keystream words, so we can cancel them locally. Then it becomes possible to exploit a bias in the combination of the three registers in the FSM. On the other hand, the last LFSR variable A1 does not appear at all in the expression of the three keystream words. So in our proposed SNOW-V variant SNOW-Vi, based on this observation, we made one modification. The two figures show the modifications in the LFSR part of SNOW-V, and the modifications are coloured. The red one denotes the modification that is relevant to our distinguishing attack: specifically, we moved the tap position of T2 from the lower part of LFSR-A, that is A0, to the higher part, that is A1. In this case, the value of A1 is sent to the FSM quickly and then appears in the keystream word, and it appears only once in the expression. This means that the linear combination of the three keystream words becomes balanced, and we cannot exploit a bias anymore.

Finally, I would like to give a conclusion.
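Before the conclusion, an added worked example of the mask search just described; it is not code from the paper. It performs Gaussian elimination over GF(2) on a matrix K while replaying every row operation on the identity matrix, and returns the rows of the transformed identity that correspond to zero rows of the reduced K, i.e. the nonzero masks C with C times K equal to zero. The K here is a constructed random instance with 16 rows and 9 columns (nine approximations to cancel), not the paper's coefficient matrices; function names are my own.

```python
# Added example (not the paper's code): left null space of a binary matrix K by
# Gaussian elimination with the same row operations replayed on the identity.
# Rows of K that reduce to zero give, through the transformed identity, the masks
# that cancel every selected S-box approximation column.  K is constructed.
import random


def left_null_space(K, ncols):
    """Return (rank, masks) for K given as a list of row bitmasks of ncols bits.

    Each mask m is an integer over len(K) bits such that the XOR of the rows
    K[i] for all set bits i of m is zero.  The masks are linearly independent
    and span the whole left null space, so len(masks) == len(K) - rank.
    """
    rows = [[K[i], 1 << i] for i in range(len(K))]   # [row of K, row of I]
    rank = 0
    for col in range(ncols):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][0] >> col & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r][0] >> col & 1:
                rows[r][0] ^= rows[rank][0]
                rows[r][1] ^= rows[rank][1]   # same operation on the identity part
        rank += 1
    masks = [t for k, t in rows if k == 0]    # zero rows of K  ->  masks in I
    return rank, masks


def apply_mask(mask, K):
    """XOR of the rows of K selected by mask; zero iff the mask cancels every column."""
    acc = 0
    for i, row in enumerate(K):
        if mask >> i & 1:
            acc ^= row
    return acc


def random_instance(nrows=16, ncols=9, seed=3):
    """Constructed K: nrows mask coordinates, ncols approximations to cancel."""
    rng = random.Random(seed)
    return [rng.getrandbits(ncols) for _ in range(nrows)]


if __name__ == "__main__":
    K = random_instance()
    rank, masks = left_null_space(K, 9)
    print(rank, len(masks), all(apply_mask(m, K) == 0 for m in masks))
```

The number of masks found, len(K) minus the rank of K, is the quantity W in the talk: with more mask coordinates than columns to cancel, a nonzero C always exists, and each returned mask is one row of it.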
SNOW-V is a cipher designed for 5G, and it is currently under evaluation in the SAGE group. In our paper, we propose two guess-and-determine attacks against SNOW-V with complexities 2^384 and 2^378. We point out that the complexity of a guess-and-determine attack should be determined by the number of full guess-and-determine paths, and based on this we designed guess-and-determine strategies that exploit conflicts and prune some guess-and-determine paths. Our linear cryptanalysis results in a distinguishing attack on a variant of SNOW-V with complexity 2^303, and this attack led to one modification in SNOW-Vi.

In the end, I would like to mention the latest attack against SNOW-V. This work was published at the EUROCRYPT conference this year. It is a correlation attack, and the complexity is 2^240. This attack does not pose a direct threat to the practical use of SNOW-V, because the length of the keystream in SNOW-V is limited to 2^64, but it still indicates that SNOW-V can be improved. In the 3GPP draft document on SNOW 3G and SNOW-V, it is written: "SA3 kindly asks SAGE to assess the research paper mentioned above and determine any implications on SNOW-V", and "subject to the outcome of the previous action, SA3 kindly asks SAGE to proceed with the development of 256-bit encryption and integrity algorithm specifications based on SNOW-V". This indicates that SNOW-V might need some further modifications, but also that SNOW-V is still promising for 5G use. With that, I end my presentation. Thank you very much for listening.