Advances in Cryptology - ASIACRYPT 2008

Volume 5350 of the series Lecture Notes in Computer Science pp 524-538

Cryptanalysis of Sosemanuk and SNOW 2.0 Using Linear Masks

  • Jung-Keun LeeAffiliated withETRI Network & Communication Security Division
  • , Dong Hoon LeeAffiliated withETRI Network & Communication Security Division
  • , Sangwoo ParkAffiliated withETRI Network & Communication Security Division


In this paper, we present a correlation attack on Sosemanuk with complexity less than 2150. Sosemanuk is a software oriented stream cipher proposed by Berbain et al. to the eSTREAM call for stream cipher and has been selected in the final portfolio. Sosemanuk consists of a linear feedback shift register(LFSR) of ten 32-bit words and a finite state machine(FSM) of two 32-bit words. By combining linear approximation relations regarding the FSM update function, the FSM output function and the keystream output function, it is possible to derive linear approximation relations with correlation − 2− 21.41 involving only the keystream words and the LFSR initial state. Using such linear approximation relations, we mount a correlation attack with complexity 2147.88 and success probability 99% to recover the initial internal state of 384 bits. We also mount a correlation attack on SNOW 2.0 with complexity 2204.38.


stream cipher Sosemanuk SNOW 2.0 correlation attack linear mask