Fast computation of linear approximation over certain composition functions and applications to SNOW 2.0 and SNOW 3G | Designs, Codes and Cryptography Skip to main content
Springer Nature Link
Log in

Fast computation of linear approximation over certain composition functions and applications to SNOW 2.0 and SNOW 3G

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

In this paper, we study the linear approximation of certain composition functions, with applications to SNOW 2.0 and SNOW 3G. We first propose an efficient algorithm to compute the linear approximation of certain composition functions with parallel operations, which has a linear-time complexity for any given mask tuple, and thus allows for a wide range of search for linear approximations. Naturally, we apply this algorithm to compute the linear approximations of the FSM of both SNOW 2.0 and SNOW 3G. For SNOW 2.0, we compute the linear approximation of the FSM for a wide range of linear masks, and obtain some results which enable us to slightly improve the data complexity of the known fast correlation attacks, by using multiple linear approximations and combining a small technique when applying the k-tree algorithm. For SNOW 3G, we make a careful search for the linear approximations of the FSM and obtain many mask tuples which yield high correlations. Using these linear approximations, we mount a fast correlation attack on SNOW 3G and recover the initial state of the LFSR with the total time complexity \(2^{222.33}\) and memory complexity \(2^{221.74}\), given \(2^{220.74}\) keystream words. Our attack does not pose a threat to the claimed 128-bit security of SNOW 3G.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (Japan)

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3

Similar content being viewed by others

Notes

  1. Note that \(w_{H}(x)\) denote the Hamming weight of x, which is the number of non-zero components of x.

  2. The notation \((\cdot ,...,\cdot )^{\mathrm {T}}\) represents the transpose of a matrix.

References

  1. Berbain C., Billet O., Canteaut A., Courtois N., Gilbert H., Goubin L., Gouget A., Granboulan L., Lauradoux C., Minier M., Pornin T., Sibert H.: Sosemanuk, a fast software-oriented stream cipher. In: Robshaw M., Billet O. (eds.) New Stream Cipher Designs, vol. 4986, pp. 98–118. LNCSSpringer, Berlin (2008).

    Chapter  Google Scholar 

  2. Canteaut A., Trabbia M.: Improved fast correlation attacks using parity-check equations of weight 4 and 5. In: Preneel B. (ed.) Advances in Cryptology—EUROCRYPT 2000, vol. 1807, pp. 573–588. LNCSSpringer, Berlin (2000).

    Chapter  Google Scholar 

  3. Coppersmith D., Halevi S., Jutla C.: Cryptanalysis of stream ciphers with linear masking. In: Yung M. (ed.) Advances in Cryptology–CRYPTO 2002, vol. 2442, pp. 515–532. LNCSSpringer, Berlin (2002).

    Chapter  Google Scholar 

  4. Chepyzhov V.V., Smeets B.: On a fast correlation attack on certain stream ciphers. In: Davies D.W. (ed.) Advances in Cryptology–EUROCRYPT 1991, vol. 547, pp. 176–185. LNCSSpringer, Berlin (1991).

    Google Scholar 

  5. Chepyzhov V.V., Johansson T., Smeets B.: A simple algorithm for fast correlation attacks on stream ciphers. In: Goos G., Hartmanis J., Leeuwen J.V., Schneier B. (eds.) Fast Software Encryption—FSE 2001, vol. 1978, pp. 181–195. LNCSSpringer, Berlin (2001).

    MATH  Google Scholar 

  6. Chose P., Joux A., Mitton M.: Fast correlation attacks: an algorithmic point of view. In: Knudsen L.R. (ed.) Advances in Cryptology—EUROCRYPT 2002, vol. 2332, pp. 209–221. LNCSSpringer, Berlin (2002).

    Chapter  Google Scholar 

  7. Ekdahl P., Johansson T.: SNOW—a new stream cipher. In: Proceedings of First Open NESSIE Workshop, pp. 167–168 (2000).

  8. Ekdahl P., Johansson T.: A new version of the stream cipher SNOW. In: Nyberg K., Heys H. (eds.) Selected Areas in Cryptography—SAC 2003, vol. 2595, pp. 47–61. LNCSSpringer, Berlin (2003).

    Google Scholar 

  9. Ekdahl P., Johansson T., Maximov A., Yang J.: A new SNOW stream cipher called SNOW-V. http://eprint.iacr.org/2018/1143.pdf.

  10. ETSI/SAGE: Specification of the 3gpp confidentiality and integrity algorithms UEA2 & UIA2. Document 2: SNOW 3G Specification, version 1.1. http://www.3gpp.org/ftp/, September 2006.

  11. Funabiki Y., Todo Y., Isobe T., Morii M.: Several MILP-aided attacks against SNOW 2.0. In: Camenisch J., Papadimitratos P. (eds.) Cryptology and Network Security—CANS 2018. LNCS, vol. 11124, pp. 394–413. Springer, Berlin (2018).

  12. Johansson T., Jönsson F.: Improved fast correlation attacks on stream ciphers via convolutional codes. In: Stern J. (ed.) Advances in Cryptology–EUROCRYPT 1999, vol. 1592, pp. 347–362. LNCSSpringer, Berlin (1999).

    Google Scholar 

  13. Johansson T., Jönsson F.: Fast correlation attacks through reconstruction of linear polynomials. In: Bellare M. (ed.) Advances in Cryptology—CRYPTO 2000, vol. 1880, pp. 300–315. LNCSSpringer, Berlin (2000).

    Chapter  Google Scholar 

  14. Lee J.K., Lee D.H., Park S.: Cryptanalysis of Sosemanuk and SNOW 2.0 using linear masks. In: Pieprzyk J. (ed.) Advances in Cryptology—ASIACRYPT 2008. LNCS, vol. 5350, pp. 524–538. Springer, Berlin (2008).

  15. Lu Y., Vaudenay S.: Faster correlation attack on bluetooth keystream generator E0. In: Franklin M. (ed.) Advances in Cryptology—CRYPTO 2004. LNCS, vol. 3152, pp. 407–425. Springer, Berlin (2004).

  16. Matsui M.: Linear Cryptanalysis Method for DES Cipher. In: Advances in Cryptology—EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Berlin (1993).

  17. Meier W., Staffelbach O.: Fast correlation attacks on certain stream ciphers. J. Cryptol. 1, 159–176 (1989).

    Article  MathSciNet  Google Scholar 

  18. Nyberg K.: Correlation theorems in cryptanalysis. Discret. Appl. Math. 111, 177–188 (2001).

    Article  MathSciNet  Google Scholar 

  19. Nyberg K., Wallén J.: Improved linear distinguishers for SNOW 2.0. In: Robshaw M. (ed.) Fast Software Encryption—FSE 2006. LNCS, vol. 4047, pp. 144–162. Springer, Berlin (2006).

  20. Wagner D.: A generalized birthday problem. In: Yung M. (ed.) Advances in Cryptology–CRYPTO 2002, vol. 2442, pp. 288–304. LNCSSpringer, Berlin (2002).

    Chapter  Google Scholar 

  21. Watanabe D., Biryukov A., De Cannière C.: A Distinguishing attack of SNOW 2.0 with linear masking method. In: Matsui M., Zuccherato R.J. (eds.) Selected Areas in Cryptography—SAC 2003. LNCS, vol. 3006, pp. 222–233. Springer, Berlin (2004).

  22. Zhang B., Xu C., Meier W.: Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of SNOW 2.0. In: Gennaro R., Robshaw M. (eds.) Advances in Cryptology—CRYPTO 2015. LNCS, vol. 9215, pp. 643–662. Springer, Berlin (2015).

  23. Zhang B., Gong X., Meier W.: Fast correlation attacks on Grain-like small state stream ciphers. IACR Trans. Symmetric Cryptol. 4, 58–81 (2017). https://doi.org/10.13154/tosc.v2017.i4.58-81.

    Article  Google Scholar 

Download references

Acknowledgements

This work is supported by the National Key R&D Research programm (Grant No. 2017YFB0802504), the program of the National Natural Science Foundation of China (Grant No. 61572482), National Cryptography Development Fund (Grant No. MMJJ20170107).

Author information

Authors and Affiliations

  1. State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China

    Xinxin Gong & Bin Zhang

  2. TCA Laboratory, SKLCS, Institute of Software, Chinese Academy of Sciences, Beijing, China

    Bin Zhang

  3. University of Chinese Academy of Sciences, Beijing, 100049, China

    Bin Zhang

Authors
  1. Xinxin Gong
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Bin Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Xinxin Gong or Bin Zhang.

Additional information

Communicated by T. Iwata.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendices

Appendix A: Computing the mask \({\varLambda }'\) from the given mask \({\varLambda }\) such that \({\varLambda }'\cdot x={\varLambda }\cdot (M_1x)\)

Let \(lin: \mathbf{F }_{2^{32}}\rightarrow \mathbf{F }_{2^{32}}\) be a linear transformation with \({\varLambda }'=lin({\varLambda })\) being the linear mask computed from \({\varLambda }\) by combining the MixColumn matrix \(M_1\), i.e., \({\varLambda }'\cdot x={\varLambda }\cdot (M_1x)\). Let us briefly describe how to compute \({\varLambda }'\) from \({\varLambda }\). For \(\lambda =(\lambda _0\parallel \lambda _1\parallel \lambda _2\parallel \lambda _3\parallel \lambda _4\parallel \lambda _5\parallel \lambda _6\parallel \lambda _7)\in \mathbf{F }_{2^8}\), define \(\lambda '=trans(\lambda )=(\lambda '_0\parallel \lambda '_1\parallel \lambda '_2\parallel \lambda '_3\parallel \lambda '_4\parallel \lambda '_5\parallel \lambda '_6\parallel \lambda '_7)\) as:

$$\begin{aligned} \left\{ \begin{array}{l} {\lambda '_i} = {\lambda _{i + 1}},\quad i = 0,1,...,6\\ {\lambda '_7} = \underline{{\lambda _0} \oplus {\lambda _1} \oplus {\lambda _3} \oplus {\lambda _4}}. \end{array} \right. \end{aligned}$$

Write \({\varLambda }=({\varLambda }_0\parallel {\varLambda }_1\parallel {\varLambda }_2\parallel {\varLambda }_3)\), \({\varLambda }'=({\varLambda }_0'\parallel {\varLambda }_1'\parallel {\varLambda }_2'\parallel {\varLambda }_3')\), where \({\varLambda }_j\in \mathbf{F }_{2^8}\), \({\varLambda }_j'\in \mathbf{F }_{2^8}\), we have \(({\varLambda }_0'\parallel {\varLambda }_1'\parallel {\varLambda }_2'\parallel {\varLambda }_3')=lin({\varLambda }_0\parallel {\varLambda }_1\parallel {\varLambda }_2\parallel {\varLambda }_3)\) such that

$$\begin{aligned} \begin{aligned}&{\varLambda }_0'=\textit{trans}({\varLambda }_0)\oplus {\varLambda }_1\oplus {\varLambda }_2\oplus {\varLambda }_3\oplus \textit{trans}({\varLambda }_3).\\&{\varLambda }_1'=\textit{trans}({\varLambda }_1)\oplus {\varLambda }_2\oplus {\varLambda }_3\oplus {\varLambda }_0\oplus \textit{trans}({\varLambda }_0),\\&{\varLambda }_2'=\textit{trans}({\varLambda }_2)\oplus {\varLambda }_3\oplus {\varLambda }_0\oplus {\varLambda }_1\oplus \textit{trans}({\varLambda }_1),\\&{\varLambda }_3'=\textit{trans}({\varLambda }_3)\oplus {\varLambda }_0\oplus {\varLambda }_1\oplus {\varLambda }_2\oplus \textit{trans}({\varLambda }_2).\\ \end{aligned} \end{aligned}$$
(11)

Appendix B: Computing the mask \({\varLambda }''\) from the given mask \({\varLambda }\) such that \({\varLambda }''\cdot x={\varLambda }\cdot (M_2x)\)

Let \(lin': \mathbf{F }_{2^{32}}\rightarrow \mathbf{F }_{2^{32}}\) be another linear transformation with \({\varLambda }''=lin'({\varLambda })\) being the linear mask computed from \({\varLambda }\) by combining the MixColumn matrix \(M_2\), i.e., \({\varLambda }''\cdot x={\varLambda }\cdot (M_2 x)\). We now describe how to compute \({\varLambda }''\) from \({\varLambda }\). For \(\lambda =(\lambda _0\parallel \lambda _1\parallel \lambda _2\parallel \lambda _3\parallel \lambda _4\parallel \lambda _5\parallel \lambda _6\parallel \lambda _7)\in \mathbf{F }_{2^8}\), define \(\lambda ''=trans'(\lambda )=(\lambda ''_0\parallel \lambda ''_1\parallel \lambda ''_2\parallel \lambda ''_3\parallel \lambda ''_4\parallel \lambda ''_5\parallel \lambda ''_6\parallel \lambda ''_7)\) as:

$$\begin{aligned} \left\{ \begin{array}{l} {\lambda ''_i} = {\lambda _{i + 1}},\quad i = 0,1,...,6\\ {\lambda ''_7} = \underline{{\lambda _0} \oplus {\lambda _3} \oplus {\lambda _5} \oplus {\lambda _6}}. \end{array} \right. \end{aligned}$$

Writing \({\varLambda }=({\varLambda }_0\parallel {\varLambda }_1\parallel {\varLambda }_2\parallel {\varLambda }_3)\), \({\varLambda }''=({\varLambda }_0''\parallel {\varLambda }_1''\parallel {\varLambda }_2''\parallel {\varLambda }_3'')\), where \({\varLambda }_j\in \mathbf{F }_{2^8}\), \({\varLambda }_j''\in \mathbf{F }_{2^8}\), we have \(({\varLambda }_0''\parallel {\varLambda }_1''\parallel {\varLambda }_2''\parallel {\varLambda }_3'')=lin'({\varLambda }_0\parallel {\varLambda }_1\parallel {\varLambda }_2\parallel {\varLambda }_3)\) such that

$$\begin{aligned} \begin{aligned}&{\varLambda }_0''=\textit{trans}'({\varLambda }_0)\oplus {\varLambda }_1\oplus {\varLambda }_2\oplus {\varLambda }_3\oplus trans'({\varLambda }_3),\\&{\varLambda }_1''=\textit{trans}'({\varLambda }_1)\oplus {\varLambda }_2\oplus {\varLambda }_3\oplus {\varLambda }_0\oplus trans'({\varLambda }_0),\\&{\varLambda }_2''=\textit{trans}'({\varLambda }_2)\oplus {\varLambda }_3\oplus {\varLambda }_0\oplus {\varLambda }_1\oplus trans'({\varLambda }_1),\\&{\varLambda }_3''=\textit{trans}'({\varLambda }_3)\oplus {\varLambda }_0\oplus {\varLambda }_1\oplus {\varLambda }_2\oplus \textit{trans}'({\varLambda }_2). \end{aligned} \end{aligned}$$

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Gong, X., Zhang, B. Fast computation of linear approximation over certain composition functions and applications to SNOW 2.0 and SNOW 3G. Des. Codes Cryptogr. 88, 2407–2431 (2020). https://doi.org/10.1007/s10623-020-00790-3

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-020-00790-3

Keywords

Mathematics Subject Classification

Search

Navigation