Improved Fast Correlation Attack Using Multiple Linear Approximations and Its Application on SOSEMANUK

At CRYPTO 2018, Todo et al. proposed an effective fast correlation attack using multiple linear approximations, and gave effective attacks on the Grain-like stream ciphers with the same size of LFSR and key. However, many stream ciphers require that the size of LFSR must be at least twice the key size. For this type of stream ciphers, we propose an improved fast correlation attack using multiple linear approximations. The main idea is to reduce the number of attacked bits of parity-check equations by XORing the same linear approximation at different clocks, and then further bypass some unknown variables of parity-check equations by multiple linear approximations with an expected probability. Finally, full unknown variables are recovered by solving systems of linear equations. SOSEMANUK is one of the finalists in the eSTREAM project. The best absolute correlation of linear approximations of SOSEMANUK we found is 2-20.84, which improves the linear approximations with current best absolute correlation of 2-21.41. Finally, the improved fast correlation attack method is applied to SOSEMANUK, and a fast correlation attack with time/data/memory complexity of O(2(139.75))/O(2(139.37)/O(2(139.37)) is given, and the success probability is 0.99. It improves the current best fast correlation attack with time/data/memory complexity of O(2(147.88))/O(2(145.5))/O(2(147.1)) (ASIACRYPT 2008). For the optional key size ranging from 128-bit to 256-bit of SOSEMANUK, our attack result shows that SOSEMANUK can only guarantee the security of 139-bit key. In addition, we declare that our new fast correlation attack method can be applied to the linear analysis of other LFSR-based stream ciphers.