Provable Security Evaluations of XOR-Versions of SNOW Family Stream Ciphers Against Fast Correlation Attacks
Authors: Sudong Ma; Chenhui Jin; Xinxin Gong; Senpeng Wang; Ting Cui; Lin Ding; Jie Guan
Journal: IEEE Transactions on Information Theory, vol. 71 (6), pp. 4035-4054
Publication date: 2025-04-29
Publication type: Journal Article
DOI: 10.1109/TIT.2025.3565463
URL: https://ieeexplore.ieee.org/document/10980226/
Impact factor: 2.2; JCR: Q3 (Computer Science, Information Systems)
The fast correlation attack is one of the most powerful attack methods against LFSR-based stream ciphers, and the primary problem of the attack is to construct linear approximations with large absolute correlations. For some stream ciphers whose linear approximations have complex structures, the search for the maximum absolute correlation of linear approximations has always been a difficult problem because of the extremely large number of masks that need to be searched. In this paper, an analysis method for searching for the maximum absolute correlation based on the linear mask structure is developed, including a filtering technique based on mask propagation trails, a structural characteristic of linear approximations of linear transformations with fewer active bytes, and a linear approximation equivalence theorem for composite functions composed of parallel identical S-boxes and a linear transformation. These methods efficiently reduce the time complexity of exhausting the masks. As applications, this paper proves that the suprema of absolute correlations of all the linear approximations for the five XOR-versions of SNOW family stream ciphers (i.e., SNOW $2.0_{\oplus}$, SNOW $\text{3G}_{\oplus}$, SNOW-$\text{V}_{\oplus}$, SNOW-$\text{Vi}_{\oplus}$, SNOW $\text{5G}_{\oplus}$) are $2^{-9}/2^{-15.893}/2^{-37.964}/2^{-37.964}/2^{-37.964}$. The time complexity of exhausting the masks can be reduced from $O(2^{32})/O(2^{96})/O(2^{384})/O(2^{384})/O(2^{384})$ to $O(2^{24})/O(2^{31.98})/O(2^{39.98})/O(2^{39.98})/O(2^{39.98})$, respectively. Furthermore, we give provable security evaluations of the five ciphers against fast correlation attacks under a success probability of 0.99 for the known fast correlation attack method.
For SNOW-$\text{V}_{\oplus}$/SNOW-$\text{Vi}_{\oplus}$/SNOW $\text{5G}_{\oplus}$, the time/data/memory complexities of the optimal fast correlation attacks are all $O(2^{227.54})/O(2^{227.72})/O(2^{227.72})$. The results show that SNOW-$\text{V}_{\oplus}$/SNOW-$\text{Vi}_{\oplus}$/SNOW $\text{5G}_{\oplus}$ cannot guarantee the claimed 256-bit key security against the known fast correlation attack methods if we ignore the design constraint that the maximum length of keystream for a single pair of key and IV is $2^{64}$. For SNOW $2.0_{\oplus}$ and SNOW $\text{3G}_{\oplus}$, the time/data/memory complexities of the optimal fast correlation attacks are $O(2^{151.94})/O(2^{151.35})/O(2^{151.35})$ and $O(2^{165.91})/O(2^{165.43})/O(2^{165.43})$, respectively. The results show that both SNOW $2.0_{\oplus}$ and SNOW $\text{3G}_{\oplus}$ can guarantee the claimed 128-bit key security against the known fast correlation attack methods. In addition, this paper also discusses the invalidity of the existing fast correlation attacks based on multiple linear approximations for these five ciphers.
About the journal:
The IEEE Transactions on Information Theory is a journal that publishes theoretical and experimental papers concerned with the transmission, processing, and utilization of information. The boundaries of acceptable subject matter are intentionally not sharply delimited. Rather, it is hoped that as the focus of research activity changes, a flexible policy will permit this Transactions to follow suit. Current appropriate topics are best reflected by recent Tables of Contents; they are summarized in the titles of editorial areas that appear on the inside front cover.