Fast computation of linear approximation of general word-oriented composite function

IF 1 3区数学 Q3 MATHEMATICS, APPLIED

Discrete Applied Mathematics Pub Date : 2024-12-25 DOI:10.1016/j.dam.2024.12.022

Sudong Ma , Chenhui Jin , Jie Guan , Ziyu Guan , Shuai Liu

{"title":"Fast computation of linear approximation of general word-oriented composite function","authors":"Sudong Ma , Chenhui Jin , Jie Guan , Ziyu Guan , Shuai Liu","doi":"10.1016/j.dam.2024.12.022","DOIUrl":null,"url":null,"abstract":"<div><div>The nonlinear component of word-oriented stream ciphers usually contains a Finite State Machine (FSM). The establishment of linear approximations of word-oriented FSM with high correlations is the basis of linear attack on stream cipher, including linear distinguishing attack and fast correlation attack. However, the existing methods can only give efficient algorithms for several specific word-oriented composite functions. In order to solve this problem, we first define a wider class of composite functions, namely Pseudo-Linear S-box Function Modulo <span><math><msup><mrow><mn>2</mn></mrow><mrow><mi>n</mi></mrow></msup></math></span> (PLSFM). New PLSFM extends the definition of Pseudo-Linear Function Modulo <span><math><msup><mrow><mn>2</mn></mrow><mrow><mi>n</mi></mrow></msup></math></span> (PLFM) by introducing S-box functions into PLFM, and covers more composite functions. Secondly, an efficient algorithm for fast calculating the correlation of a given linear approximation of PLSFM is proposed, which allows us to fast search for linear approximations with high correlations. Thirdly, we study the properties of linear approximations of a class of composite functions containing S-box functions, addition modulo <span><math><msup><mrow><mn>2</mn></mrow><mrow><mi>n</mi></mrow></msup></math></span> and subtraction modulo <span><math><msup><mrow><mn>2</mn></mrow><mrow><mi>n</mi></mrow></msup></math></span>. Finally, we give the linear approximations of MASHA stream cipher with absolute correlations of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mo>−</mo><mn>23</mn><mo>.</mo><mn>38</mn></mrow></msup></math></span> for the first time. If the controlled nonlinear feedback shift register of MASHA degenerates into a linear feedback function, a fast correlation attack with time/data/memory complexity of <span><math><mrow><mi>O</mi><mrow><mo>(</mo><msup><mrow><mn>2</mn></mrow><mrow><mn>197</mn><mo>.</mo><mn>26</mn></mrow></msup><mo>)</mo></mrow><mo>/</mo><mi>O</mi><mrow><mo>(</mo><msup><mrow><mn>2</mn></mrow><mrow><mn>194</mn><mo>.</mo><mn>96</mn></mrow></msup><mo>)</mo></mrow><mo>/</mo><mi>O</mi><mrow><mo>(</mo><msup><mrow><mn>2</mn></mrow><mrow><mn>196</mn><mo>.</mo><mn>96</mn></mrow></msup><mo>)</mo></mrow></mrow></math></span> can be given. For SNOW 2.0 stream cipher, we find two other linear approximations with the current best correlation of <span><math><msup><mrow><mn>2</mn></mrow><mrow><mo>−</mo><mn>14</mn><mo>.</mo><mn>41</mn></mrow></msup></math></span>, then we can give an improved fast correlation attack with time/data/memory complexity of <span><math><mrow><mi>O</mi><mrow><mo>(</mo><msup><mrow><mn>2</mn></mrow><mrow><mn>162</mn><mo>.</mo><mn>91</mn></mrow></msup><mo>)</mo></mrow><mo>/</mo><mi>O</mi><mrow><mo>(</mo><msup><mrow><mn>2</mn></mrow><mrow><mn>161</mn><mo>.</mo><mn>47</mn></mrow></msup><mo>)</mo></mrow><mo>/</mo><mi>O</mi><mrow><mo>(</mo><msup><mrow><mn>2</mn></mrow><mrow><mn>162</mn><mo>.</mo><mn>47</mn></mrow></msup><mo>)</mo></mrow></mrow></math></span>, respectively. The data complexity of the current best fast correlation attack can be reduced by half if using multiple linear approximations.</div></div>","PeriodicalId":50573,"journal":{"name":"Discrete Applied Mathematics","volume":"364 ","pages":"Pages 157-172"},"PeriodicalIF":1.0000,"publicationDate":"2024-12-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Discrete Applied Mathematics","FirstCategoryId":"100","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0166218X24005389","RegionNum":3,"RegionCategory":"数学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"MATHEMATICS, APPLIED","Score":null,"Total":0}

引用次数: 0

Abstract

The nonlinear component of word-oriented stream ciphers usually contains a Finite State Machine (FSM). The establishment of linear approximations of word-oriented FSM with high correlations is the basis of linear attack on stream cipher, including linear distinguishing attack and fast correlation attack. However, the existing methods can only give efficient algorithms for several specific word-oriented composite functions. In order to solve this problem, we first define a wider class of composite functions, namely Pseudo-Linear S-box Function Modulo

2^{n}

(PLSFM). New PLSFM extends the definition of Pseudo-Linear Function Modulo

2^{n}

(PLFM) by introducing S-box functions into PLFM, and covers more composite functions. Secondly, an efficient algorithm for fast calculating the correlation of a given linear approximation of PLSFM is proposed, which allows us to fast search for linear approximations with high correlations. Thirdly, we study the properties of linear approximations of a class of composite functions containing S-box functions, addition modulo

2^{n}

and subtraction modulo

2^{n}

. Finally, we give the linear approximations of MASHA stream cipher with absolute correlations of

2^{- 23.38}

for the first time. If the controlled nonlinear feedback shift register of MASHA degenerates into a linear feedback function, a fast correlation attack with time/data/memory complexity of

O (2^{197.26}) / O (2^{194.96}) / O (2^{196.96})

can be given. For SNOW 2.0 stream cipher, we find two other linear approximations with the current best correlation of

2^{- 14.41}

, then we can give an improved fast correlation attack with time/data/memory complexity of

O (2^{162.91}) / O (2^{161.47}) / O (2^{162.47})

, respectively. The data complexity of the current best fast correlation attack can be reduced by half if using multiple linear approximations.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Discrete Applied Mathematics 数学-应用数学

CiteScore

2.30

自引率

9.10%

发文量

422

审稿时长

4.5 months

期刊介绍： The aim of Discrete Applied Mathematics is to bring together research papers in different areas of algorithmic and applicable discrete mathematics as well as applications of combinatorial mathematics to informatics and various areas of science and technology. Contributions presented to the journal can be research papers, short notes, surveys, and possibly research problems. The "Communications" section will be devoted to the fastest possible publication of recent research results that are checked and recommended for publication by a member of the Editorial Board. The journal will also publish a limited number of book announcements as well as proceedings of conferences. These proceedings will be fully refereed and adhere to the normal standards of the journal. Potential authors are advised to view the journal and the open calls-for-papers of special issues before submitting their manuscripts. Only high-quality, original work that is within the scope of the journal or the targeted special issue will be considered.