In this paper, we study the linear approximation of certain composition functions, with applications to SNOW 2.0 and SNOW 3G. We first propose an efficient algorithm to compute the linear approximation of certain composition functions with parallel operations, which has a linear-time complexity for any given mask tuple, and thus allows for a wide range of search for linear approximations. Naturally, we apply this algorithm to compute the linear approximations of the FSM of both SNOW 2.0 and SNOW 3G. For SNOW 2.0, we compute the linear approximation of the FSM for a wide range of linear masks, and obtain some results which enable us to slightly improve the data complexity of the known fast correlation attacks, by using multiple linear approximations and combining a small technique when applying the k-tree algorithm. For SNOW 3G, we make a careful search for the linear approximations of the FSM and obtain many mask tuples which yield high correlations. Using these linear approximations, we mount a fast correlation attack on SNOW 3G and recover the initial state of the LFSR with the total time complexity $$2^{222.33}$$ and memory complexity $$2^{221.74}$$ , given $$2^{220.74}$$ keystream words. Our attack does not pose a threat to the claimed 128-bit security of SNOW 3G.

中文翻译：

---

对某些组合函数的线性近似的快速计算以及对 SNOW 2.0 和 SNOW 3G 的应用

在本文中，我们研究了某些组合函数的线性近似，并将其应用于 SNOW 2.0 和 SNOW 3G。我们首先提出了一种有效的算法来计算具有并行操作的某些组合函数的线性逼近，该算法对任何给定的掩码元组都具有线性时间复杂度，因此允许对线性逼近进行广泛的搜索。自然地，我们应用此算法来计算 SNOW 2.0 和 SNOW 3G 的 FSM 的线性近似值。对于 SNOW 2.0，我们计算了大范围线性掩码的 FSM 线性逼近，并获得了一些结果，通过使用多个线性逼近并结合一个小技术，我们可以稍微提高已知快速相关攻击的数据复杂度在应用 k 树算法时。对于 SNOW 3G，我们仔细搜索 FSM 的线性近似，并获得许多产生高相关性的掩码元组。使用这些线性近似值，我们对 SNOW 3G 进行快速相关攻击，并以总时间复杂度 $$2^{222.33}$$ 和内存复杂度 $$2^{221.74}$$ 恢复 LFSR 的初始状态，给定 $$2 ^{220.74}$$ 关键字流。我们的攻击不会对 SNOW 3G 声称的 128 位安全性构成威胁。