Fast computation of linear approximation over certain composition functions and applications to SNOW 2.0 and SNOW 3G

Abstract

In this paper, we study the linear approximation of certain composition functions, with applications to SNOW 2.0 and SNOW 3G. We first propose an efficient algorithm to compute the linear approximation of certain composition functions with parallel operations, which has a linear-time complexity for any given mask tuple, and thus allows for a wide range of search for linear approximations. Naturally, we apply this algorithm to compute the linear approximations of the FSM of both SNOW 2.0 and SNOW 3G. For SNOW 2.0, we compute the linear approximation of the FSM for a wide range of linear masks, and obtain some results which enable us to slightly improve the data complexity of the known fast correlation attacks, by using multiple linear approximations and combining a small technique when applying the k-tree algorithm. For SNOW 3G, we make a careful search for the linear approximations of the FSM and obtain many mask tuples which yield high correlations. Using these linear approximations, we mount a fast correlation attack on SNOW 3G and recover the initial state of the LFSR with the total time complexity $$2^{222.33}$$ and memory complexity $$2^{221.74}$$ , given $$2^{220.74}$$ keystream words. Our attack does not pose a threat to the claimed 128-bit security of SNOW 3G.