Abstract

In this paper, a general model for evaluating the correlations of correlation attack distinguishers for an LFSR-based stream cipher is given by the Walsh spectrum theory of composite functions. We equivalently transform the linear approximations with k consecutive keystream words into that of a composite function consisting of several simple functions, which enables cryptanalysts to derive linear approximations of any LFSR-based stream cipher by this model and to search for linear trails with high absolute correlations. This model suits any LFSR-based stream cipher, does not need the implicit independence assumption widely used in previous cryptanalysis, and can theoretically ensure that the correlation obtained is the accurate correlation of a correlation attack distinguisher. In addition, we prove that it is enough to consider the distinguishers where the masks of all LFSR elements are zero except for those of a maximal linearly independent system of LFSR elements involved in the update function and output function. As applications, the approximation processes for the correlation attack distinguishers of SNOW-V, SNOW2.0, ZUC, and Grain-128 are exhibited respectively by this method. Moreover, by the proposed method we can perform a full coverage search for binary linear approximations of them. For SNOW-V, we prove that the approximation given by our model is equivalent to that by Shi et al. at EUROCRYPT 2022, and is simpler and more intuitive. For SNOW2.0, we find more linear approximations with the best correlation. For ZUC, for the first time we get the accurate correlations of a series of linear approximations including the known results, and give the supremum of the absolute correlations for a larger set of linear approximations.
For Grain-128, utilizing our method, we rediscover the best known correlation as well, which provides more support for the validity of our general model. Our work can give some evidence for the provable security of LFSR-based stream ciphers against correlation attacks to some extent, and may provide key clues in the analysis of complex stream ciphers.
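The abstract's central point, that the correlation of an approximation spanning k consecutive keystream words should be read off the Walsh spectrum of one composite function of the LFSR state rather than estimated by multiplying per-step correlations under an independence assumption, can be seen on a toy generator. The following is an added example and is not code from the paper or its authors: it uses a constructed 5-bit LFSR, constructed taps and a constructed 3-input filter function, and compares the exact correlation of the approximation "z_0 ^ ... ^ z_{k-1} ~ s_3 ^ ... ^ s_{k+2}" (computed over all initial states, which is exactly a Walsh coefficient of the composite function) with the piling-up estimate (1/2)^k obtained from the single-step correlation W_f(0,0,1)/8 = 1/2. Because consecutive filter inputs share state bits, the two disagree from k = 2 on, which is the kind of gap the paper's model is designed to remove when a designer evaluates a cipher's margin against correlation distinguishers.

```python
# Added example (not from the paper): exact correlation of a linear
# approximation over k consecutive keystream bits of a toy LFSR-based filter
# generator, obtained as a Walsh coefficient of the composite function
# (keystream bits expressed as a function of the initial LFSR state), versus
# the piling-up estimate that assumes the k per-bit approximations are
# independent.  The LFSR, taps and filter function below are constructed
# toy parameters chosen for this illustration.
from fractions import Fraction
from itertools import product

N = 5                 # LFSR length (constructed toy value)
FEEDBACK = [0, 2]     # s_{t+5} = s_t ^ s_{t+2}, i.e. x^5 + x^2 + 1 (primitive over GF(2))
TAPS = [0, 1, 3]      # filter inputs at step t: (s_t, s_{t+1}, s_{t+3})


def filt(x0, x1, x2):
    """Constructed filter function f(x0, x1, x2) = x0*x1 ^ x2."""
    return (x0 & x1) ^ x2


def walsh(f, n):
    """Walsh spectrum W_f(a) = sum_x (-1)^(f(x) ^ a.x) over all masks a.

    The correlation of the linear approximation f(x) ~ a.x is W_f(a) / 2^n."""
    spec = {}
    for a in product((0, 1), repeat=n):
        acc = 0
        for x in product((0, 1), repeat=n):
            dot = sum(ai & xi for ai, xi in zip(a, x)) & 1
            acc += -1 if (f(*x) ^ dot) else 1
        spec[a] = acc
    return spec


def lfsr_sequence(state, length):
    """Extend an initial state (s_0 .. s_{N-1}) to the first `length` LFSR bits."""
    s = list(state)
    while len(s) < length:
        s.append(sum(s[-N + i] for i in FEEDBACK) & 1)
    return s


def exact_correlation(k):
    """Correlation of  z_0 ^ ... ^ z_{k-1}  ~  s_3 ^ ... ^ s_{k+2}
    computed over all 2^N initial states.

    Each z_t is f(s_t, s_{t+1}, s_{t+3}) and every s_i is linear in the
    initial state, so the whole approximation is one Boolean function of
    the initial state and its correlation is that composite function's
    Walsh coefficient at mask 0, divided by 2^N.  No independence
    assumption between the k steps is made."""
    acc = 0
    for state in product((0, 1), repeat=N):
        s = lfsr_sequence(state, k + max(TAPS))      # bits s_0 .. s_{k+2}
        lhs = 0
        for t in range(k):
            z_t = filt(*(s[t + i] for i in TAPS))
            lhs ^= z_t ^ s[t + 3]                    # z_t approximated by s_{t+3}
        acc += -1 if lhs else 1
    return Fraction(acc, 2 ** N)


def piling_up_estimate(k):
    """Heuristic value under the independence assumption: the product of the
    k single-step correlations W_f(0,0,1) / 2^3 = 1/2."""
    single = Fraction(walsh(filt, 3)[(0, 0, 1)], 2 ** 3)
    return single ** k


if __name__ == "__main__":
    for k in range(1, 5):
        print(f"k={k}: exact {exact_correlation(k)}  piling-up {piling_up_estimate(k)}")
```

For this toy generator the exact correlations for k = 1..4 are 1/2, 1/2, 1/4, 1/4, while the piling-up estimate gives 1/2, 1/4, 1/8, 1/16; the heuristic underestimates the distinguisher's correlation because the quadratic terms of neighbouring steps cancel only partially. Exhaustive enumeration over the initial state is feasible only for a toy LFSR; the paper's contribution is precisely a way to obtain the composite-function correlation for real-sized ciphers without that enumeration.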
