Fast Correlation Attacks over Extension Fields, Large-Unit Linear Approximation and Cryptanalysis of SNOW 2.0

  • Bin Zhang
  • Chao Xu
  • Willi Meier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9215)


Several improvements of fast correlation attacks have been proposed during the past two decades, but they regrettably lack a good generalization and adaptation to the concrete primitives involved, especially to modern stream ciphers based on word-based LFSRs. In this paper, we develop some necessary cryptanalytic tools to bridge this gap. First, a formal framework for fast correlation attacks over extension fields is constructed, under which theoretical predictions of the computational complexities of both the offline and the online/decoding phases can be reliably derived. Our decoding algorithm uses the Fast Walsh Transform (FWT) to achieve better performance. Second, an efficient algorithm to compute the large-unit distribution of a broad class of functions is proposed, which makes it possible to find, with low complexity, better linear approximations than the bitwise ones in symmetric-key primitives. Last, we apply our methods to SNOW 2.0, an ISO/IEC 18033-4 standard stream cipher, resulting in significantly reduced complexities, all below \(2^{164.15}\). This attack is more than \(2^{49}\) times better than the best published result at Asiacrypt 2008. Our results have been verified by experiments on a small-scale version of SNOW 2.0.


Stream ciphers, Cryptanalysis, Large-unit, SNOW 2.0, Finite state machine (FSM), Linear feedback shift register (LFSR)



This work is supported by the National Grand Fundamental Research 973 Program of China (Grant No. 2013CB338002), and the programs of the National Natural Science Foundation of China (Grant No. 60833008, 60603018, 61173134, 91118006, 61272476). The third author was supported in part by the Research Council KU Leuven: a senior postdoctoral scholarship SF/14/010 linked to the GOA TENSE (GOA/11/007).


Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. TCA Laboratory, SKLCS, Institute of Software, Chinese Academy of Sciences, Beijing, China
  2. State Key Laboratory of Cryptology, Beijing, China
  3. FHNW, Windisch, Switzerland
