Differential attacks on reduced‐round SNOW 3G and SNOW 3G ⊕

The stream cipher SNOW 3G is the core of the 3G Partnership Project (3GPP) for implementing a confidentiality algorithm and data integrity algorithm. In this study, the authors analyse the initialisation stage based on the chosen IV differential attacks on the reduced‐round SNOW 3G and SNOW 3 G ⊕ . Firstly, they show a distinguisher for 12‐round SNOW 3G and 255 distinguishers for 13‐round SNOW 3 G ⊕ , respectively. Secondly, they use the input differences and the output differences of the S‐box to recover the input of S‐box, which can recover full keys in real‐time for 12‐round SNOW 3 G ⊕ . The data complexity is 36 and the time complexity is small. Finally, they use the impossible differences of the S‐box as a filter to extend the initialisation rounds of the attack to 16‐round SNOW 3 G ⊕ . The data complexity is 28 and the time complexity is O ( 2 115.75 ) . So far, the authors’ attack results are the best in terms of chosen IV differential attacks. At the same time, their attack results are superior to multiset collision attacks in terms of data complexity, and their attack method can recover full keys, while multiset collision attacks can only partially recover the internal states in 15‐round SNOW 3 G ⊕ .