The second talk is entitled "Fast Correlation Attacks over Extension Fields, Large-Unit Linear Approximation and Cryptanalysis of SNOW 2.0", joint work between Bin Zhang, Chao Xu and Willi Meier, and Willi will give the talk.

So this is joint work with Bin Zhang and Chao Xu. First I would like to give a brief outline. I start with background and motivation. Then the first topic will be large-unit linear approximation and its distribution. The second topic is fast correlation attacks over extension fields. Then we apply these two concepts to a key recovery attack on the SNOW 2.0 stream cipher, and we will see that we can improve existing results. Then I come to conclusions.

If you look back, traditional stream ciphers before the European eSTREAM project were mostly of two forms, namely combiner generators or filter generators, where you have one or more LFSRs and some Boolean combining or output function. These two types of ciphers received very early cryptanalysis; in particular, Siegenthaler had a very early correlation attack on combiner generators already in 1985. In 1988, Othmar Staffelbach and myself came up with so-called fast correlation attacks, which sped up Siegenthaler's attack by using some iterated decoding techniques.

If you look at the history, the design and analysis of these stream ciphers have matched well with the computing technologies of the appropriate period. In those days, bitwise fast correlation attacks matched well with the hardware-oriented, bitwise LFSR-based designs of the 80s and 90s. But many more recent word-oriented stream ciphers are of a somewhat different type, although the global structure has remained the same, and it turns out that the previous fast correlation attacks are not well adapted to word-oriented designs. For example, if you translate a word-oriented design into a bit-oriented design,
you get very many feedback taps and a large number of state variables.

We have seen several improvements of fast correlation attacks, but one open problem remained: how can fast correlation attacks be extended to larger units, so that they adapt better to word-oriented primitives? Our aim is exactly to give a comprehensive answer to this problem. We have to develop the necessary cryptanalytic tools to bridge the gap between the widely used word-based primitives and the currently available bitwise fast correlation attacks. So we have to develop a new algorithm to look for large-unit linear approximations for a suitable class of functions, and to efficiently compute the corresponding noise distributions. Then we come up with fast correlation attacks over extension fields. As we know, fast correlation attacks have two steps: we first have to generate parity checks of as good quality as possible, and then we have to decode a kind of linear code. Then we apply this to SNOW 2.0, I guess successfully: it is not a break, but it is a considerable improvement over existing results.

So I come to large-unit linear approximations. Here a large unit means something like 2-bit, 4-bit or 8-bit; it could even be 16-bit. For example, if we have a 32-bit entity, then in the bitwise case we just have a 32-dimensional binary vector, but in the large-unit case the basic data unit is maybe 8-bit, and X can be regarded as a 4-dimensional vector. As is common in linear approximations, we look at binary masks. We take the inner product of the mask with X, which is divided into these units, and we get a value which lies in GF(2^m). So omega is called the n/m-dimensional binary linear mask of X over GF(2^m).

Just for notation, everybody knows what a distribution is. However, the squared Euclidean imbalance of a distribution D is defined as Delta(D) = 2^r times the sum of the squared biases, where 1/2^r is just the probability of the uniform distribution over 2^r values.

To give a very simple example, we have two inputs X1 and X2, which are two independent 32-bit random variables divided into byte units, and we assume a binary mask of the form 1 0 0 1. Then the true expression is the inner product of this mask with the integer sum of the two inputs, and the linear approximation is obtained by simply replacing the integer addition by XOR, which gives a linear expression. The efficiency of such an approximation is given by the squared Euclidean imbalance of the probability distribution of the difference between the two, the noise.
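To make this concrete, here is a minimal sketch (my own illustration, not code from the paper) that brute-forces the noise distribution of such a large-unit approximation of integer addition and computes its squared Euclidean imbalance. All names and parameters here are my own choices, and the sizes are reduced (8-bit words, 4-bit units, mask (1, 1)) so that full enumeration is instant; the talk's example uses 32-bit words, 8-bit units and the mask 1 0 0 1.

```python
import math
from collections import Counter

# Reduced, illustrative parameters (not the talk's 32-bit / byte-unit setting).
N_BITS, M_BITS = 8, 4
UNITS = N_BITS // M_BITS
MASK = (1, 1)                      # binary mask over the units, low unit first
U = 1 << M_BITS

def project(x, mask):
    """Inner product of the unit-decomposed word x with a binary mask -> GF(2^m)."""
    acc = 0
    for i in range(UNITS):
        if mask[i]:
            acc ^= (x >> (M_BITS * i)) & (U - 1)
    return acc

# Noise N = mask.((x1 + x2) mod 2^n)  XOR  mask.(x1 XOR x2), brute-forced over all pairs.
counts = Counter()
for x1 in range(1 << N_BITS):
    for x2 in range(1 << N_BITS):
        true_val = project((x1 + x2) & ((1 << N_BITS) - 1), MASK)
        lin_val = project(x1 ^ x2, MASK)
        counts[true_val ^ lin_val] += 1

total = 1 << (2 * N_BITS)
# Squared Euclidean imbalance: Delta = 2^m * sum_a (p_a - 2^-m)^2
sei = U * sum((counts[a] / total - 1.0 / U) ** 2 for a in range(U))
print("noise SEI = 2^%.2f" % math.log2(sei))
```

At the full 32-bit size this brute force would already cost 2^64 pairs of inputs, which is exactly why the unit-wise algorithms discussed next are needed.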
Now we come to generalized pseudo-linear functions modulo 2^n. Pseudo-linear functions modulo 2^n were introduced by Maximov and Johansson at Asiacrypt 2005; we generalize this concept to a slightly larger class of functions, called GPLFM. Here X is a set of k uniformly distributed n-bit random variables, with x_i in GF(2^n), C is a set of n-bit constants, and M is a set of n/m-dimensional binary masks for X and C. So for the definition we have the three sets X, C and M. A is an arithmetic term if it involves only arithmetic operations; for example, it can just be an integer sum of one or many terms. B is a Boolean term if it involves only the Boolean operations OR, AND and XOR; it might be of the form T1 XOR T2 AND T3. And S is a simple term if it is just a symbol or a constant. Then omega times X, where X is one of the terms A, B or S, is just the inner product of that term with a binary mask, and we call f a GPLFM if it can be recursively expressed as the inner product of a mask with one of these terms.

Again a simple example: we have three inputs to an integer addition, and in principle we might have a different mask for each term. N is the noise variable; it is just the XOR difference of the true expression with the linearized expression. If the modular sum is taken modulo 2^32, then the straightforward approach to compute the distribution of N needs a rather high complexity of 2^96, which is infeasible in practice.

So assume we have such a function f of our extended class, and assume the basic data unit we are interested in is m bits. If n is 32 or larger and the number of inputs k is at least 2, then the straightforward complexity of 2^(nk) is out of reach. Depending on the masks we are interested in, we split the inputs x_i accordingly, and we also split the function f into n/m sub-functions f_i. This is very easy, and the motivation for it is that we can then reduce the problem to the algorithms developed by Maximov and Johansson for their pseudo-linear functions. However, there is a problem: as soon as we have integer addition, we get carry propagation, as we know, and we have to deal with it in an algorithmic way. For this we use a connection matrix to characterize the connection between the sub-functions.

I think this can be illustrated in a picture. It is a little more complicated than one might think: we have not just a function mapping the inputs to the output b_i; we also have to take into account the image of the previous sub-function and a carry vector. This is a vector because we may have s different arithmetic terms. The algorithmic procedure starts with the lowest sub-function and goes up step by step, so there is a loop in the algorithm.

Again a very simple example: we have just an integer addition, and the mask is just a lower chunk and an upper chunk. Then the first sub-function f1 is just truncation to the lower half, but f2 now contains carry expressions. I won't go into detail on the algorithm here; we can just say that we obviously have a triple loop, and an important point is that we have to call another algorithm, Algorithm 2, within Algorithm 1. The aim of Algorithm 2 is, roughly, to embed the algorithm by Maximov and Johansson into our setting. One can compute the complexities of both algorithms; I won't go into detail, and we shall see some applications of them. Just to give an illustrative figure: the complexity drops from 2^96, which is what you would get with exhaustive search, to 2^24, a dramatic reduction.

Again the example I mentioned already: if we had three summands in an integer addition, and if the mask looked like 1 0 1 1, a 4-dimensional binary mask, then we would get this expression for the noise variable, and indeed we are able to compute the distribution of this noise variable in 2^24 operations. I won't go through how to compute this noise distribution in the example here.
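To show the flavour of this unit-wise processing, here is a reduced-size sketch (my own illustration of a straightforward carry-tracking recursion, not the paper's Algorithm 1 or 2). It computes the noise distribution for three summands by walking through the units from the least significant one upward, keeping the joint distribution of the carry and the partial noise value. The word and unit sizes are shrunk (16-bit words, 4-bit units) so it runs instantly; the point is that the cost grows only linearly in the number of units rather than exponentially in the full word size.

```python
import math
from collections import defaultdict

K = 3                       # number of summands
M = 4                       # unit size in bits (8 in the talk's example)
UNITS = 4                   # 16-bit words here, 32-bit in the talk
MASK = (1, 0, 1, 1)         # binary unit mask; ordering here is an illustrative choice
U = 1 << M

# Noise N = MASK.((x1 + x2 + x3) mod 2^(M*UNITS))  XOR  MASK.(x1 XOR x2 XOR x3).
# State: joint distribution of (carry into next unit, partial noise value), start (0, 0).
state = {(0, 0): 1.0}
for i in range(UNITS):
    nxt = defaultdict(float)
    for (carry, noise), p in state.items():
        # Enumerate the i-th unit of every summand (each uniform on U values).
        for combo in range(U ** K):
            units = [(combo >> (M * j)) & (U - 1) for j in range(K)]
            s = sum(units) + carry
            sum_unit, carry_out = s & (U - 1), s >> M
            xor_unit = 0
            for u in units:
                xor_unit ^= u
            noise_i = (sum_unit ^ xor_unit) if MASK[i] else 0
            nxt[(carry_out, noise ^ noise_i)] += p / U ** K
    state = nxt

# Marginalise out the final carry to get the distribution of N, then its imbalance.
dist = defaultdict(float)
for (carry, noise), p in state.items():
    dist[noise] += p

sei = U * sum((dist[a] - 1.0 / U) ** 2 for a in range(U))
print("squared Euclidean imbalance of N = 2^%.2f" % math.log2(sei))
```

With 32-bit words, 8-bit units and three summands, the same bookkeeping lands in the 2^24 range of operations mentioned above, instead of the 2^96 of naive enumeration.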
Instead, I skip to the model for fast correlation attacks over extension fields. You may have seen this picture already: in ordinary fast correlation attacks it is quite common to model the attack by a discrete memoryless channel. We have the output of an LFSR, which is perturbed by some noise, and what we observe is the keystream.

Our goal is to determine the contents of the LFSR despite the noise. Of course, one way would be to do exhaustive search over all states of the LFSR and look for the best agreement with the keystream, but this is far too expensive. Instead we model the whole scenario as an [N, L] linear code, where N is the number of keystream symbols and L is the length of the code, which is just the length of the LFSR. Here we need some further notions. The capacity of the discrete memoryless channel is defined as log2 of the alphabet size minus the entropy of the noise, and the code rate is just L times log2 of the alphabet size, divided by N. An important fact that we shall need for estimating the complexity and efficiency of our attack is the relation between the noise distribution and the capacity of the discrete memoryless channel: if the noise variable has some distribution, then C_DMC is approximately the squared Euclidean imbalance divided by 2 ln 2.

Now I come to an idea which is already known in principle for fast correlation attacks. We have too many information symbols, namely L of them, and we do not want to guess and determine all of them. We would like to transform this initial code into a new code with a smaller number of information symbols. The idea is just to linearly combine columns of the generator matrix given by the LFSR, to come up with a code with fewer information symbols. There is a trade-off, of course: we might end up with very few information symbols, but if we have to linearly combine many columns we introduce a lot of noise. So usually the number of columns to be combined is relatively small; a good choice for ordinary fast correlation attacks was 4, and interestingly it is much the same here. Expressed as a formula this idea looks a bit technical, but it is just the idea I have described in words. To find such good linear combinations, we use Wagner's generalized birthday algorithm to compute the parity checks.

We know that decoding a random linear code over an extension field is an NP-hard problem, but it lies at the core of many cryptosystems, both symmetric and asymmetric, for example also LWE. Here we use a decoding approach based on statistics. We have a distinguisher I, which can be derived from the LFSR and from the output, where e_t is now the convolved noise. In order to recover the right guess, we need to compute the squared Euclidean imbalance of this distinguisher. But this is a vectorial Boolean function, and we cannot directly apply the fast Walsh transform to accelerate the computation. We need a lemma to reduce this to a set of one-dimensional problems; I'll skip the lemma, but the idea is just to split the function I into linearly independent Boolean component functions I_1 up to I_m. We compute the correlation of each I_i by the established fast Walsh transform, and then we combine them via the lemma to obtain the squared Euclidean imbalance of I. With this we can again precisely estimate the computational complexity of decoding the improved code C2.
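Since the fast Walsh transform carries the load in this correlation computation, here is a textbook sketch of it (the standard transform, not the paper's decoding code; the function names and the toy truth table are my own). Given the truth table of one Boolean component function on n bits, it returns the correlation with every linear function in about n * 2^n operations instead of 2^(2n).

```python
def fwht(a):
    """In-place Walsh-Hadamard transform of a list whose length is a power of two."""
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                x, y = a[j], a[j + h]
                a[j], a[j + h] = x + y, x - y
        h *= 2
    return a

def correlations(truth_table):
    """truth_table[x] in {0,1}; returns cor(w) = Pr[f(x) = <w,x>] - Pr[f(x) != <w,x>]."""
    signs = [1 - 2 * b for b in truth_table]     # map 0 -> +1, 1 -> -1
    spectrum = fwht(signs)
    return [w / len(truth_table) for w in spectrum]

# Tiny usage example: an arbitrary toy function f(x0, x1, x2) = x0*x1 XOR x2 on 3 bits.
tt = [((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1) for x in range(8)]
print(correlations(tt))
```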
Now I come to the application to SNOW 2.0. We see here a word-based LFSR; the words are 32 bits long, and we have 16 of them. Here we have a finite state machine; we see the output of this machine, and here we have two memory words, which are updated by these formulas. S is derived from the AES block cipher; it is essentially SubBytes and MixColumns. SNOW 2.0 has served as a benchmark stream cipher in the eSTREAM project, and I think it still remains one of the strongest and fastest stream ciphers available, so it is an interesting target.

Here is a brief description of the function S: here we see MixColumns and here we see SubBytes. This is a bit technical; I just say that we have two expressions, an upper one and a lower one. Because we have two memory words, we need to consider two consecutive output words in order to reduce the influence of the memory, since in the end we would like to end up with relations between the output and the LFSR entities only, without the memory or other terms in them. Here we have two precise expressions derived from this picture, and they are heavily non-linear, so we have to linearize them. We use two linear approximations, one and two, and these are not quite simple. The second one actually fits into the concept of our previous approximations, whereas the first one is of a different kind because of these S-boxes. But fortunately, as we have seen, the S-boxes work in parallel, so it is possible to derive an algorithm to compute the distribution of this linear approximation as well. I won't go into detail here.

Finally we end up with what we would like to have: a masked expression, the XOR sum of consecutive output words, equal to a linear expression in LFSR words plus the noise. The nice thing is that we are able to compute the squared Euclidean imbalance of the noise: it is 2^-43.23.

Now we are in a position to apply the fast correlation attack over GF(2^8) to recover the initial state over GF(2^8)^64, which means the 512-bit state of SNOW 2.0. For the decoding algorithm, L is obviously 64, but a relevant quantity is the number of bytes we need to guess, and it turns out an optimal value is 17 bytes. Tau, the number of columns that we combine, is 4, as predicted. The complexity is then 2^186. That is still a huge number, because the key size is 128 bits, but it is already a drop in complexity by a factor of 2^25 compared to the best previous result, which goes back to Asiacrypt 2008.

There is one technical issue: we use the GNU GMP library to compute the squared imbalance. As we have seen, it is a relatively small number, and we have to evaluate it with good precision in order to come up with good complexity estimates. We also applied Algorithm 1 and the fast correlation attack over extension fields to a small-scale version of SNOW, because as we have seen there are many ingredients to be combined for this kind of attack, so it is essential to verify it on a downsized version. Fortunately, the simulations fully confirm the theoretical analysis.

Interestingly, if you look at non-binary masks, the results get even better. I won't go into detail here, but we see that the squared Euclidean imbalance increases a lot, and this gives a decrease in total complexity. The resulting complexity is 2^164, which is almost 2^50 times better than the previous result.
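As a back-of-envelope illustration (my own, using only the capacity approximation and the rate definition quoted earlier), one can plug the stated imbalance 2^-43.23 into C_DMC of roughly Delta / (2 ln 2) and the standard condition that the code rate must stay below the channel capacity. This deliberately ignores the much heavier folded noise introduced by combining tau = 4 columns when building parity checks, so the number it prints is only a crude information-theoretic floor; the attack's actual figures (2^186, or 2^164 with non-binary masks) come from the full analysis, not from this bound.

```python
import math

delta = 2 ** -43.23          # squared Euclidean imbalance of the noise (from the talk)
q = 2 ** 8                   # the attack works over GF(2^8)
L = 64                       # LFSR length in GF(2^8) symbols (512-bit state)

capacity = delta / (2 * math.log(2))            # C_DMC ~ Delta / (2 ln 2), in bits per symbol
n_floor = L * math.log2(q) / capacity           # keystream symbols needed for rate < capacity
print("capacity      ~ 2^%.2f bits per symbol" % math.log2(capacity))
print("crude floor N > 2^%.2f symbols" % math.log2(n_floor))
```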
So I come to conclusions. I think we have answered a well-known open problem in fast correlation attacks, and we have developed two new cryptanalytic tools to analyze word-oriented stream ciphers. As an application, we come up with an improved key recovery attack on SNOW 2.0.

There are some open problems. We know that there are iterative probabilistic decoding methods for fast correlation attacks in the bitwise case, and the question is whether we can come up with something similar over larger units. And of course it would be attractive to see whether other primitives could be cryptanalyzed using similar techniques. Thank you.

Thank you very much.