Efficient and extensive search for precise linear approximations with high correlations of full SNOW-V

Abstract

SNOW-V is a stream cipher recently designed for the 5G communication systems. This paper proposes two efficient algorithms to evaluate precise correlations of SNOW-V’s two main nonlinear components, fully considering the linear hull effects. Based on these algorithms, we can efficiently find more high-correlation linear approximations than before. The ideas of these algorithms can be generalized to other similar nonlinear components in symmetric cipher. We apply our algorithms to the full SNOW-V stream cipher to search for different types of high-correlation linear approximations. Our results depict more linear approximations with higher correlations than those recently proposed for full SNOW-V and SNOW-\(\text {V}_{\boxplus _{32},\boxplus _8}\). The best linear approximation we found has an absolute correlation \(2^{-47.567}\). There are at least 8, 135 and 1092 linear approximations, whose absolute correlations are greater than \(2^{-47.851}\), \(2^{-49}\) and \(2^{-50}\), respectively. These linear approximations can derive a fast correlation attack with time/memory/data complexities \(2^{240.86}\), \(2^{240.37}\) and \(2^{236.87}\), which is better than previously known fast correlation attacks on full SNOW-V. Moreover, we propose some properties for linear trails with three active S-boxes, which give a theoretical explanation of what the automatic search method lacks of. Our work provides more detailed linear approximation properties for the full SNOW-V.

Appendices

Appendix A: Search for binary linear approximations of \(e2_t\)

The technique of searching for linear approximations of \(e2_t\) is similar to that of \(e1_t\). The pruning strategy of Algorithm 1 is also applicable. A major difference is that the correlation of linear approximation of another S-box layer must be considered at the same time. Let \(c(u_k^b,h_k^b)\) denote the correlation of linear approximation for the S-box with the input mask \(u_k^b\) and the output mask \(h_k^b\). Algorithm 5 explains these differences in more detail.

Appendix B: A small-scale experiment to check the independency

Let the extension finite field \({\mathbb {F}}_{2^4}\cong {\mathbb {F}}_2[x]/(x^4+x+1)\), variables \(x,y,z\in {\mathbb {F}}_{2^4}^{3}\), and \(S^3\) denote three parallel S-boxes of the block cipher PRESENT. Suppose two linear approximations are as follows

$$\begin{aligned} \begin{aligned}&\Gamma ^{(1)}\cdot (S^3(x)\boxplus _{16} y)\oplus \Gamma ^{(2)}\cdot x \oplus \Gamma ^{(3)}\cdot y,\\&\Lambda ^{(1)}\cdot (x\boxplus _{16} z)\oplus \Lambda ^{(2)}\cdot x \oplus \Lambda ^{(3)}\cdot z, \end{aligned} \end{aligned}$$

(B1)

where \(\Lambda ^{(1)}\xrightarrow {B}\Gamma ^{(1)}\). B is an MDS matrix, whose three rows are (1, 1, 2), (1, 2, 1) and (2, 1, 1), respectively.

To simplify the experiment, we require that \(\Lambda ^{(1)}=\Lambda ^{(2)}=\Lambda ^{(3)}\), \(\Gamma ^{(1)}=\Gamma ^{(3)}\) and \(\Lambda ^{(1)}\) is sparse. After computing their individual and joint probability distributions, we evaluate the relative entropy between the joint distribution and the multiplication of two individual distributions. The simulation results show that their differences are very tiny. For example, when \(\Gamma ^{(1)}=\Gamma ^{(3)}=(1,0,0,0)\), the relative entropy is 0.007913. The reason may be that the word weight of \(\Lambda ^{(1)}\) and \(\Gamma ^{(1)}\) are not equal.

Appendix C: Experiments for Algorithm 2

Table 3 A group of test values for Algorithm 2

Table 3 indicates a group of test values for Algorithm 2. Furthermore, to verify Algorithm 2, some random sample experiments were performed. For example, let mask \(U=(\text {0x800081c1,0x80000081,0x00000000,0x80008080})\) and \(U=V=\sigma (W)=\sigma (T)\) holds. The theoretical correlation is \(2^{-13.68}\), calculated by Algorithm 2. As more than \(2^{-13.68\times 2}\) of samples are expected to verify the theoretical correlation, we computed empirical correlations through random sample experiments with sample size \(2^{30}\). Moreover, we performed 256 random experiments over several hours, each with a sample size of \(2^{30}\). The sample average and sample variance of the empirical correlation are \(2^{-13.70}\) and \(2^{-30.05}\), respectively, which means that the empirical and theoretical correlation is very close. This result more clearly confirms the theoretical correlation derived by Algorithm 1.

Appendix D: Some good masks of \(\sigma \) modular addition

Table 4 Some good masks for \(\sigma \) modular addition

Table 4 lists several groups of masks with high correlations when there are three active S-boxes. According to Sect. 5.1, we choose \(\Lambda ^{(3)} = \Lambda ^* \oplus \Lambda \). Each cell in the column of \(\Theta _{12}\) has one, two or three values, which are optimal choices for \(\Theta _{12}\). The last column illustrates the correlation \(|c(\sigma (\Theta ),\Lambda ^{(3)},\Lambda ^*)|\) corresponding to these different \(\Theta _{12}\). For example, \(|c(\sigma (\Theta ),\Lambda ^{(3)},\Lambda ^*)|=2^{-18}\) in the first row, when \(\Theta _{12}=\text {0x}c1\). The absolute correlation \(|c(\sigma (\Theta ),\Lambda ^{(3)},\Lambda ^*)|=2^{-19}\), when \(\Theta _{12}=\text {0x}a1\).

Appendix E: Linear approximations with high correlations for full SNOW-V

Table 5 Some good linear approximations with three active S-boxes

Table 6 A binary linear approximation with \(|c_{FSM}|=2^{-87.24}\) with 12 active S-boxes

We list all the eight linear approximations with absolute correlation \(> 2^{-48}\) in Table 5, which corresponds to the work in Sect. 5.1. The last column shows the total correlations. We also list one linear approximation with absolute correlation \(2^{-87.24}\) in Table 6, which corresponds to the work in Sect. 5.2.