这是用户在 2025-1-2 1:00 为 https://app.immersivetranslate.com/pdf-pro/79229ec4-cb69-4524-871f-5dedb60d3592 保存的双语快照页面,由 沉浸式翻译 提供双语支持。了解如何保存?
distinguishing attack. In a recent paper by Coppersmith, Halevi and Jutla [1], they find such a correlation and for the resulting distinguishing attack they need about 2 95 2 95 2^(95)2^{95} words of output and the computational complexity is about 2 100 2 100 2^(100)2^{100}. By computer search we have also found other smaller correlations, often involving similar bit positions. The strong correlations seem to be caused by an interaction between the permutation in the S-box and the cyclic shift by 7 in the FSM.
区分攻击。在 Coppersmith、Halevi 和 Jutla 最近的一篇论文中,他们发现了这样的相关性,对于由此产生的区分攻击,他们需要大约 2 95 2 95 2^(95)2^{95} 个输出字,并且计算复杂度约为 2 100 2 100 2^(100)2^{100} 。通过计算机搜索,我们还发现了其他较小的相关性,通常涉及类似的位位置。强相关性似乎是由 S 盒中的置换与 FSM 中的 7 位循环移位之间的相互作用引起的。
Even if this indeed is a security flaw unpredicted by the authors, one could argue about the relevance of such a distinguishing attack. Using e.g. AES (or any other block cipher with block length 128 bits) in counter mode, there is an almost trivial distinguishing attack after seeing about 2 64 2 64 2^(64)2^{64} ciphertext blocks. However, as we regard security as the outmost important design criteria, we addressed all known weaknesses in SNOW 1.0 and propose a slightly modified design, SNOW 2.0.
即使这确实是作者未预见的安全漏洞,也可以对这种区分攻击的相关性进行辩论。使用例如 AES(或任何其他块长度为 128 位的块密码)在计数模式下,在看到大约 2 64 2 64 2^(64)2^{64} 个密文块后,几乎可以进行一个微不足道的区分攻击。然而,由于我们将安全性视为最重要的设计标准,我们解决了 SNOW 1.0 中所有已知的弱点,并提出了稍微修改的设计 SNOW 2.0。

4 SNOW 2.0

As we now turn to describe the new version SNOW 2.0, we want to emphasize that the notations from the previous sections are no longer valid and will be redefined in the following. The new version is schematically a small modification of the original construction, see Figure 2 The word size is unchanged (32 bits) and the LFSR length is again 16, but the feedback polynomial has been changed. The Finite State Machine (FSM) has two input words, taken from the LFSR, and the running key is formed as the XOR between the FSM output and the last element of the LFSR, as done in SNOW 1.0. The operation of the cipher is as follows. First, a key initialization is performed. This operation provides the LFSR with a starting state as well as giving the internal FSM registers R 1 R 1 R1R 1 and R 2 R 2 R2R 2 there initial values. Next the cipher is clocked once and the first keystream symbol is read out11. Then the cipher is clocked again and the second keystream symbol is read, etcetera.
当我们现在转向描述新版本 SNOW 2.0 时,我们想强调之前部分的符号不再有效,并将在以下内容中重新定义。新版本在结构上是对原始构造的小修改,见图 2。字长保持不变(32 位),LFSR 长度再次为 16,但反馈多项式已被更改。有限状态机(FSM)有两个输入字,来自 LFSR,运行密钥是 FSM 输出与 LFSR 最后一个元素之间的异或,和 SNOW 1.0 中的做法相同。密码的操作如下。首先,执行密钥初始化。此操作为 LFSR 提供了一个起始状态,并为内部 FSM 寄存器 R 1 R 1 R1R 1 R 2 R 2 R2R 2 提供了初始值。接下来,密码时钟一次,读取第一个密钥流符号。然后再次时钟密码,读取第二个密钥流符号,依此类推。
Let us give a detailed description of the cipher, starting with the LFSR. The main reason for the specific feedback polynomial chosen in SNOW 1.0, was to have a fast realization in software. By choosing a multiplication with the same primitive element as the base is constructed from, we can realize the multiplication with just one left shift and a possible XOR with a known pattern. However, this choice opens up possible weaknesses, as discussed in Section 3 In SNOW 2.0, we have two different elements involved in the feedback loop, α α alpha\alpha and α 1 α 1 alpha^(-1)\alpha^{-1}, where α α alpha\alpha now is a root of a primitive polynomial of degree 4 over F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}}. To be more precise, the feedback polynomial of SNOW 2.0 is given by
让我们详细描述这个密码,首先从 LFSR 开始。在 SNOW 1.0 中选择特定反馈多项式的主要原因是为了在软件中实现快速。通过选择与构造基础相同的原始元素进行乘法,我们可以仅通过一次左移和可能与已知模式的异或来实现乘法。然而,这一选择也带来了可能的弱点,如第 3 节所讨论的。在 SNOW 2.0 中,我们在反馈循环中涉及两个不同的元素, α α alpha\alpha α 1 α 1 alpha^(-1)\alpha^{-1} ,其中 α α alpha\alpha 现在是 F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}} 上 4 度原始多项式的根。更准确地说,SNOW 2.0 的反馈多项式为
π ( x ) = α x 16 + x 14 + α 1 x 5 + 1 F 2 32 [ x ] π ( x ) = α x 16 + x 14 + α 1 x 5 + 1 F 2 32 [ x ] pi(x)=alphax^(16)+x^(14)+alpha^(-1)x^(5)+1inF_(2^(32))[x]\pi(x)=\alpha x^{16}+x^{14}+\alpha^{-1} x^{5}+1 \in \mathbb{F}_{2^{32}}[x]
where α α alpha\alpha is a root of x 4 + β 23 x 3 + β 245 x 2 + β 48 x + β 239 F 2 8 [ x ] x 4 + β 23 x 3 + β 245 x 2 + β 48 x + β 239 F 2 8 [ x ] x^(4)+beta^(23)x^(3)+beta^(245)x^(2)+beta^(48)x+beta^(239)inF_(2^(8))[x]x^{4}+\beta^{23} x^{3}+\beta^{245} x^{2}+\beta^{48} x+\beta^{239} \in \mathbb{F}_{2^{8}}[x], and β β beta\beta is a root of x 8 + x 7 + x 5 + x 3 + 1 F 2 [ x ] x 8 + x 7 + x 5 + x 3 + 1 F 2 [ x ] x^(8)+x^(7)+x^(5)+x^(3)+1inF_(2)[x]x^{8}+x^{7}+x^{5}+x^{3}+1 \in \mathbb{F}_{2}[x].
其中 α α alpha\alpha x 4 + β 23 x 3 + β 245 x 2 + β 48 x + β 239 F 2 8 [ x ] x 4 + β 23 x 3 + β 245 x 2 + β 48 x + β 239 F 2 8 [ x ] x^(4)+beta^(23)x^(3)+beta^(245)x^(2)+beta^(48)x+beta^(239)inF_(2^(8))[x]x^{4}+\beta^{23} x^{3}+\beta^{245} x^{2}+\beta^{48} x+\beta^{239} \in \mathbb{F}_{2^{8}}[x] 的一个根,而 β β beta\beta x 8 + x 7 + x 5 + x 3 + 1 F 2 [ x ] x 8 + x 7 + x 5 + x 3 + 1 F 2 [ x ] x^(8)+x^(7)+x^(5)+x^(3)+1inF_(2)[x]x^{8}+x^{7}+x^{5}+x^{3}+1 \in \mathbb{F}_{2}[x] 的一个根。
Fig. 2. A schematic picture of SNOW 2.0
图 2. SNOW 2.0 的示意图
Let the state of the LFSR at time t 0 t 0 t >= 0t \geq 0 be denoted ( s t + 15 , s t + 14 , , s t ) , s t + i s t + 15 , s t + 14 , , s t , s t + i (s_(t+15),s_(t+14),dots,s_(t)),s_(t+i)in\left(s_{t+15}, s_{t+14}, \ldots, s_{t}\right), s_{t+i} \in F 2 32 , i 0 F 2 32 , i 0 F_(2^(32)),i >= 0\mathbb{F}_{2^{32}}, i \geq 0. The element s t s t s_(t)s_{t} is the rightmost element (or first element to exit) as indicated in Figure 2 and the sequence produced by the LFSR is ( s 0 , s 1 , s 2 , ) s 0 , s 1 , s 2 , (s_(0),s_(1),s_(2),dots)\left(s_{0}, s_{1}, s_{2}, \ldots\right). By time t = 0 t = 0 t=0t=0, we mean the time instance directly after the key initialization. Then the cipher is clocked once before producing the first keystream symbol, i.e., the first keystream symbol, denoted z 1 z 1 z_(1)z_{1}, is produced at time t = 1 t = 1 t=1t=1. The produced keystream sequence is denoted ( z 1 , z 2 , z 3 , ) z 1 , z 2 , z 3 , (z_(1),z_(2),z_(3),dots)\left(z_{1}, z_{2}, z_{3}, \ldots\right).
让 LFSR 在时间 t 0 t 0 t >= 0t \geq 0 的状态表示为 ( s t + 15 , s t + 14 , , s t ) , s t + i s t + 15 , s t + 14 , , s t , s t + i (s_(t+15),s_(t+14),dots,s_(t)),s_(t+i)in\left(s_{t+15}, s_{t+14}, \ldots, s_{t}\right), s_{t+i} \in F 2 32 , i 0 F 2 32 , i 0 F_(2^(32)),i >= 0\mathbb{F}_{2^{32}}, i \geq 0 。元素 s t s t s_(t)s_{t} 是最右边的元素(或第一个退出的元素),如图 2 所示,LFSR 产生的序列为 ( s 0 , s 1 , s 2 , ) s 0 , s 1 , s 2 , (s_(0),s_(1),s_(2),dots)\left(s_{0}, s_{1}, s_{2}, \ldots\right) 。我们所说的时间 t = 0 t = 0 t=0t=0 是指密钥初始化后直接的时间实例。然后在产生第一个密钥流符号之前,密码被时钟一次,即第一个密钥流符号,表示为 z 1 z 1 z_(1)z_{1} ,是在时间 t = 1 t = 1 t=1t=1 产生的。产生的密钥流序列表示为 ( z 1 , z 2 , z 3 , ) z 1 , z 2 , z 3 , (z_(1),z_(2),z_(3),dots)\left(z_{1}, z_{2}, z_{3}, \ldots\right)
The Finite State Machine (FSM) has two registers, denoted R 1 R 1 R1R 1 and R 2 R 2 R2R 2, each holding 32 bits. The value of the registers at time t 0 t 0 t >= 0t \geq 0 is denoted R 1 t R 1 t R1_(t)R 1_{t} and R 2 t R 2 t R2_(t)R 2_{t} respectively. The input to the FSM is ( s t + 15 , s t + 5 ) s t + 15 , s t + 5 (s_(t+15),s_(t+5))\left(s_{t+15}, s_{t+5}\right) and the output of the FSM, denoted F t F t F_(t)F_{t}, is calculated as
有限状态机(FSM)有两个寄存器,分别表示为 R 1 R 1 R1R 1 R 2 R 2 R2R 2 ,每个寄存器保存 32 位。时间 t 0 t 0 t >= 0t \geq 0 时寄存器的值分别表示为 R 1 t R 1 t R1_(t)R 1_{t} R 2 t R 2 t R2_(t)R 2_{t} 。FSM 的输入为 ( s t + 15 , s t + 5 ) s t + 15 , s t + 5 (s_(t+15),s_(t+5))\left(s_{t+15}, s_{t+5}\right) ,FSM 的输出,表示为 F t F t F_(t)F_{t} ,计算为
F t = ( s t + 15 R 1 t ) R 2 t , t 0 F t = s t + 15 R 1 t R 2 t , t 0 F_(t)=(s_(t+15)⊞R1_(t))o+R2_(t),quad t >= 0F_{t}=\left(s_{t+15} \boxplus R 1_{t}\right) \oplus R 2_{t}, \quad t \geq 0
and the keystream is given by
密钥流由以下给出
z t = F t s t , t 1 z t = F t s t , t 1 z_(t)=F_(t)o+s_(t),quad t >= 1z_{t}=F_{t} \oplus s_{t}, \quad t \geq 1
Here we use the notation \boxplus for integer addition modulo 2 32 2 32 2^(32)2^{32} and o+\oplus for bitwise addition (XOR). The registers R 1 R 1 R1R 1 and R 2 R 2 R2R 2 are updated with new values according to
在这里,我们使用符号 \boxplus 表示整数加法模 2 32 2 32 2^(32)2^{32} ,使用 o+\oplus 表示按位加法(异或)。寄存器 R 1 R 1 R1R 1 R 2 R 2 R2R 2 根据新值进行更新。
R 1 t + 1 = s t + 5 R 2 t and R 2 t + 1 = S ( R 1 t ) t 0 . R 1 t + 1 = s t + 5 R 2 t  and  R 2 t + 1 = S R 1 t t 0 . {:[R1_(t+1)=s_(t+5)⊞R2_(t)quad" and "],[R2_(t+1)=S(R1_(t))quad t >= 0.]:}\begin{aligned} & R 1_{t+1}=s_{t+5} \boxplus R 2_{t} \quad \text { and } \\ & R 2_{t+1}=S\left(R 1_{t}\right) \quad t \geq 0 . \end{aligned}

4.1 The S-box  4.1 S 盒

The S-box, denoted by S ( w ) S ( w ) S(w)S(w), is a permutation on Z 2 32 Z 2 32 Z_(2^(32))\mathbb{Z}_{2^{32}} based on the round function of Rijndael [4]. Let w = ( w 3 , w 2 , w 1 , w 0 ) w = w 3 , w 2 , w 1 , w 0 w=(w_(3),w_(2),w_(1),w_(0))w=\left(w_{3}, w_{2}, w_{1}, w_{0}\right) be the input to the S-box, where w i , i = 0 3 w i , i = 0 3 w_(i),i=0dots3w_{i}, i=0 \ldots 3 is the four bytes of w w ww. Assume w 3 w 3 w_(3)w_{3} to be the most significant byte. Let
S 盒,记作 S ( w ) S ( w ) S(w)S(w) ,是基于 Rijndael [4]的轮函数对 Z 2 32 Z 2 32 Z_(2^(32))\mathbb{Z}_{2^{32}} 的一个置换。设 w = ( w 3 , w 2 , w 1 , w 0 ) w = w 3 , w 2 , w 1 , w 0 w=(w_(3),w_(2),w_(1),w_(0))w=\left(w_{3}, w_{2}, w_{1}, w_{0}\right) 为 S 盒的输入,其中 w i , i = 0 3 w i , i = 0 3 w_(i),i=0dots3w_{i}, i=0 \ldots 3 w w ww 的四个字节。假设 w 3 w 3 w_(3)w_{3} 是最高有效字节。
w = ( w 0 w 1 w 2 w 3 ) w = w 0 w 1 w 2 w 3 w=([w_(0)],[w_(1)],[w_(2)],[w_(3)])w=\left(\begin{array}{l} w_{0} \\ w_{1} \\ w_{2} \\ w_{3} \end{array}\right)
be a vector representation of the input to the S-box. First we apply the Rijndael S-box, denoted S R S R S_(R)S_{R} to each byte, giving us the vector
成为输入到 S-box 的向量表示。首先,我们将 Rijndael S-box(记作 S R S R S_(R)S_{R} )应用于每个字节,从而得到向量。
( S R [ w 0 ] S R [ w 1 ] S R [ w 2 ] S R [ w 3 ] ) . S R w 0 S R w 1 S R w 2 S R w 3 . ([S_(R)[w_(0)]],[S_(R)[w_(1)]],[S_(R)[w_(2)]],[S_(R)[w_(3)]]).\left(\begin{array}{c} S_{R}\left[w_{0}\right] \\ S_{R}\left[w_{1}\right] \\ S_{R}\left[w_{2}\right] \\ S_{R}\left[w_{3}\right] \end{array}\right) .
In the MixColumn transformation of Rijndael’s round function, each 4 byte word is considered a polynomial in y y yy over F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}}, defined by the irreducible polynomial x 8 + x 4 + x 3 + x + 1 F 2 [ x ] x 8 + x 4 + x 3 + x + 1 F 2 [ x ] x^(8)+x^(4)+x^(3)+x+1inF_(2)[x]x^{8}+x^{4}+x^{3}+x+1 \in \mathbb{F}_{2}[x]. Each word can be represented by a polynomial of at most degree 3 . Next we consider the vector in (12) as representing a polynomial over F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}} and multiply with a fixed polynomial c ( y ) = ( x + 1 ) y 3 + y 2 + y + x F 2 8 [ y ] c ( y ) = ( x + 1 ) y 3 + y 2 + y + x F 2 8 [ y ] c(y)=(x+1)y^(3)+y^(2)+y+x inF_(2^(8))[y]c(y)=(x+1) y^{3}+y^{2}+y+x \in \mathbb{F}_{2^{8}}[y] modulo y 4 + 1 F 2 8 [ y ] y 4 + 1 F 2 8 [ y ] y^(4)+1inF_(2^(8))[y]y^{4}+1 \in \mathbb{F}_{2^{8}}[y]. This polynomial multiplication can (as done in Rijndael) be computed as a matrix multiplication,
在 Rijndael 的轮函数的 MixColumn 变换中,每个 4 字节的字被视为在 F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}} 上的 y y yy 中的多项式,由不可约多项式 x 8 + x 4 + x 3 + x + 1 F 2 [ x ] x 8 + x 4 + x 3 + x + 1 F 2 [ x ] x^(8)+x^(4)+x^(3)+x+1inF_(2)[x]x^{8}+x^{4}+x^{3}+x+1 \in \mathbb{F}_{2}[x] 定义。每个字最多可以表示为一个 3 度的多项式。接下来,我们考虑(12)中的向量作为在 F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}} 上的多项式,并与固定多项式 c ( y ) = ( x + 1 ) y 3 + y 2 + y + x F 2 8 [ y ] c ( y ) = ( x + 1 ) y 3 + y 2 + y + x F 2 8 [ y ] c(y)=(x+1)y^(3)+y^(2)+y+x inF_(2^(8))[y]c(y)=(x+1) y^{3}+y^{2}+y+x \in \mathbb{F}_{2^{8}}[y] 进行模 y 4 + 1 F 2 8 [ y ] y 4 + 1 F 2 8 [ y ] y^(4)+1inF_(2^(8))[y]y^{4}+1 \in \mathbb{F}_{2^{8}}[y] 的乘法。这个多项式乘法可以(如在 Rijndael 中所做)作为矩阵乘法来计算,
( r 0 r 1 r 2 r 3 ) = ( x x + 1 1 1 1 x x + 1 1 1 1 x x + 1 x + 1 1 1 x ) ( S R [ w 0 ] S R [ w 1 ] S R [ w 2 ] S R [ w 3 ] ) r 0 r 1 r 2 r 3 = x x + 1 1 1 1 x x + 1 1 1 1 x x + 1 x + 1 1 1 x S R w 0 S R w 1 S R w 2 S R w 3 ([r_(0)],[r_(1)],[r_(2)],[r_(3)])=([x,x+1,1,1],[1,x,x+1,1],[1,1,x,x+1],[x+1,1,1,x])([S_(R)[w_(0)]],[S_(R)[w_(1)]],[S_(R)[w_(2)]],[S_(R)[w_(3)]])\left(\begin{array}{l} r_{0} \\ r_{1} \\ r_{2} \\ r_{3} \end{array}\right)=\left(\begin{array}{cccc} x & x+1 & 1 & 1 \\ 1 & x & x+1 & 1 \\ 1 & 1 & x & x+1 \\ x+1 & 1 & 1 & x \end{array}\right)\left(\begin{array}{c} S_{R}\left[w_{0}\right] \\ S_{R}\left[w_{1}\right] \\ S_{R}\left[w_{2}\right] \\ S_{R}\left[w_{3}\right] \end{array}\right)
where ( r 3 , r 2 , r 1 , r 0 ) r 3 , r 2 , r 1 , r 0 (r_(3),r_(2),r_(1),r_(0))\left(r_{3}, r_{2}, r_{1}, r_{0}\right) are the output bytes from the S-box. These bytes are concatenated to form the word output from the S-box, r = S ( w ) r = S ( w ) r=S(w)r=S(w).
其中 ( r 3 , r 2 , r 1 , r 0 ) r 3 , r 2 , r 1 , r 0 (r_(3),r_(2),r_(1),r_(0))\left(r_{3}, r_{2}, r_{1}, r_{0}\right) 是来自 S-box 的输出字节。这些字节被连接在一起形成来自 S-box 的字输出 r = S ( w ) r = S ( w ) r=S(w)r=S(w)

4.2 Key Initialization  4.2 密钥初始化

SNOW 2.0 takes two parameters as input values; a secret key of either 128 or 256 bits and a publicly known 128 bit initialization variable I V I V IVI V. The I V I V IVI V value is considered as a four word input I V = ( I V 3 , I V 2 , I V 1 , I V 0 ) I V = I V 3 , I V 2 , I V 1 , I V 0 IV=(IV_(3),IV_(2),IV_(1),IV_(0))I V=\left(I V_{3}, I V_{2}, I V_{1}, I V_{0}\right), where I V 0 I V 0 IV_(0)I V_{0} is the least significant word. The possible range for I V I V IVI V is thus 0 2 128 1 0 2 128 1 0dots2^(128)-10 \ldots 2^{128}-1. This means that for a given secret key K K KK, SNOW 2.0 implements a pseudo-random length-increasing function from the set of I V I V IVI V values to the set of possible output
SNOW 2.0 接受两个参数作为输入值;一个 128 位或 256 位的秘密密钥和一个公开已知的 128 位初始化变量 I V I V IVI V I V I V IVI V 值被视为一个四字输入 I V = ( I V 3 , I V 2 , I V 1 , I V 0 ) I V = I V 3 , I V 2 , I V 1 , I V 0 IV=(IV_(3),IV_(2),IV_(1),IV_(0))I V=\left(I V_{3}, I V_{2}, I V_{1}, I V_{0}\right) ,其中 I V 0 I V 0 IV_(0)I V_{0} 是最低有效字。 I V I V IVI V 的可能范围因此是 0 2 128 1 0 2 128 1 0dots2^(128)-10 \ldots 2^{128}-1 。这意味着对于给定的秘密密钥 K K KK ,SNOW 2.0 实现了一个从 I V I V IVI V 值集合到可能输出集合的伪随机长度增加函数。

sequences. The use of a I V I V IVI V value is optional and applications requiring a I V I V IVI V value typically reinitialize the cipher frequently with a fixed key but the I V I V IVI V value is changed. This could be the case if two parties agreed on a common secret key but wish to communicate multiple messages, e.g. in a frame based setting. Frequent reinitialization could also be desirable from a resynchronization perspective in e.g. a radio based environment.
序列。使用 I V I V IVI V 值是可选的,通常需要 I V I V IVI V 值的应用程序会频繁地使用固定密钥重新初始化密码,但 I V I V IVI V 值会发生变化。如果两个方同意一个共同的秘密密钥,但希望传递多个消息,例如在基于帧的设置中,这可能是情况。频繁的重新初始化在例如基于无线电的环境中,从重新同步的角度来看,也可能是可取的。
The key initialization is done as follows. Denote the registers in the LFSR by ( s 15 , s 14 , , s 0 ) s 15 , s 14 , , s 0 (s_(15),s_(14),dots,s_(0))\left(s_{15}, s_{14}, \ldots, s_{0}\right) from left to right in Figure 2. Thus, s 15 s 15 s_(15)s_{15} corresponds to the element holding s t + 15 s t + 15 s_(t+15)s_{t+15} during normal operation of the cipher. Let the secret key be denoted by K = ( k 3 , k 2 , k 1 , k 0 ) K = k 3 , k 2 , k 1 , k 0 K=(k_(3),k_(2),k_(1),k_(0))K=\left(k_{3}, k_{2}, k_{1}, k_{0}\right) in the 128 bit case and by K = K = K=K= ( k 7 , k 6 , k 5 , k 4 , k 3 , k 2 , k 1 , k 0 ) k 7 , k 6 , k 5 , k 4 , k 3 , k 2 , k 1 , k 0 (k_(7),k_(6),k_(5),k_(4),k_(3),k_(2),k_(1),k_(0))\left(k_{7}, k_{6}, k_{5}, k_{4}, k_{3}, k_{2}, k_{1}, k_{0}\right) in the 256 bit case, where each k i k i k_(i)k_{i} is a word and k 0 k 0 k_(0)k_{0} is the least significant word. First, the shift register is initialized with K K KK and I V I V IVI V according to
密钥初始化如下进行。将 LFSR 中的寄存器从左到右表示为 ( s 15 , s 14 , , s 0 ) s 15 , s 14 , , s 0 (s_(15),s_(14),dots,s_(0))\left(s_{15}, s_{14}, \ldots, s_{0}\right) ,因此 s 15 s 15 s_(15)s_{15} 对应于在密码正常操作期间持有 s t + 15 s t + 15 s_(t+15)s_{t+15} 的元素。设秘密密钥在 128 位情况下表示为 K = ( k 3 , k 2 , k 1 , k 0 ) K = k 3 , k 2 , k 1 , k 0 K=(k_(3),k_(2),k_(1),k_(0))K=\left(k_{3}, k_{2}, k_{1}, k_{0}\right) ,在 256 位情况下表示为 K = K = K=K= ( k 7 , k 6 , k 5 , k 4 , k 3 , k 2 , k 1 , k 0 ) k 7 , k 6 , k 5 , k 4 , k 3 , k 2 , k 1 , k 0 (k_(7),k_(6),k_(5),k_(4),k_(3),k_(2),k_(1),k_(0))\left(k_{7}, k_{6}, k_{5}, k_{4}, k_{3}, k_{2}, k_{1}, k_{0}\right) ,其中每个 k i k i k_(i)k_{i} 是一个字, k 0 k 0 k_(0)k_{0} 是最低有效字。首先,移位寄存器根据 K K KK I V I V IVI V 进行初始化。
s 15 = k 3 I V 0 , s 14 = k 2 , s 13 = k 1 , s 12 = k 0 I V 1 , s 11 = k 3 1 , s 10 = k 2 1 I V 2 , s 9 = k 1 1 I V 3 , s 8 = k 0 1 , s 15 = k 3 I V 0 , s 14 = k 2 , s 13 = k 1 , s 12 = k 0 I V 1 , s 11 = k 3 1 , s 10 = k 2 1 I V 2 , s 9 = k 1 1 I V 3 , s 8 = k 0 1 , {:[s_(15)=k_(3)o+IV_(0)","quads_(14)=k_(2)","quads_(13)=k_(1)","quads_(12)=k_(0)o+IV_(1)","],[s_(11)=k_(3)o+1","quads_(10)=k_(2)o+1o+IV_(2)","s_(9)=k_(1)o+1o+IV_(3)","quads_(8)=k_(0)o+1","]:}\begin{aligned} & s_{15}=k_{3} \oplus I V_{0}, \quad s_{14}=k_{2}, \quad s_{13}=k_{1}, \quad s_{12}=k_{0} \oplus I V_{1}, \\ & s_{11}=k_{3} \oplus \mathbf{1}, \quad s_{10}=k_{2} \oplus \mathbf{1} \oplus I V_{2}, s_{9}=k_{1} \oplus \mathbf{1} \oplus I V_{3}, \quad s_{8}=k_{0} \oplus \mathbf{1}, \end{aligned}
and for the second half,
和下半场,

s 7 = k 3 , s 6 = k 2 , s 5 = k 1 , s 4 = k 0 s 7 = k 3 , s 6 = k 2 , s 5 = k 1 , s 4 = k 0 s_(7)=k_(3),quads_(6)=k_(2),quads_(5)=k_(1),quads_(4)=k_(0)s_{7}=k_{3}, \quad s_{6}=k_{2}, \quad s_{5}=k_{1}, \quad s_{4}=k_{0},
s 3 = k 3 1 , s 2 = k 2 1 , s 1 = k 1 1 , s 0 = k 0 1 s 3 = k 3 1 , s 2 = k 2 1 , s 1 = k 1 1 , s 0 = k 0 1 s_(3)=k_(3)o+1,quads_(2)=k_(2)o+1,quads_(1)=k_(1)o+1,quads_(0)=k_(0)o+1s_{3}=k_{3} \oplus \mathbf{1}, \quad s_{2}=k_{2} \oplus \mathbf{1}, \quad s_{1}=k_{1} \oplus \mathbf{1}, \quad s_{0}=k_{0} \oplus \mathbf{1},
where 1 denotes the all one vector ( 32 bits).
其中 1 表示全一向量(32 位)。

In the 256 bit case, the LFSR initialization is correspondingly,
在 256 位的情况下,LFSR 初始化相应地,
s 15 = k 7 I V 0 , s 14 = k 6 , s 13 = k 5 , s 12 = k 4 I V 1 , s 11 = k 3 , s 10 = k 2 I V 2 , s 9 = k 1 I V 3 , s 8 = k 0 , s 7 = k 7 1 , s 6 = k 6 1 , s 0 = k 0 1 . s 15 = k 7 I V 0 ,      s 14 = k 6 ,      s 13 = k 5 ,      s 12 = k 4 I V 1 , s 11 = k 3 ,      s 10 = k 2 I V 2 ,      s 9 = k 1 I V 3 ,      s 8 = k 0 , s 7 = k 7 1 ,      s 6 = k 6 1      ,      s 0 = k 0 1 . {:[s_(15)=k_(7)o+IV_(0)",",s_(14)=k_(6)",",s_(13)=k_(5)",",s_(12)=k_(4)o+IV_(1)","],[s_(11)=k_(3)",",s_(10)=k_(2)o+IV_(2)",",s_(9)=k_(1)o+IV_(3)",",s_(8)=k_(0)","],[s_(7)=k_(7)o+1",",s_(6)=k_(6)o+1,dots",",s_(0)=k_(0)o+1.]:}\begin{array}{llll} s_{15}=k_{7} \oplus I V_{0}, & s_{14}=k_{6}, & s_{13}=k_{5}, & s_{12}=k_{4} \oplus I V_{1}, \\ s_{11}=k_{3}, & s_{10}=k_{2} \oplus I V_{2}, & s_{9}=k_{1} \oplus I V_{3}, & s_{8}=k_{0}, \\ s_{7}=k_{7} \oplus \mathbf{1}, & s_{6}=k_{6} \oplus \mathbf{1} & \ldots, & s_{0}=k_{0} \oplus \mathbf{1} . \end{array}
After the LFSR has been initialized, R1 and R2 are both set to zero. Now, the cipher is clocked 32 times without producing any output symbols. Instead, the output of the FSM is incorporated in the feedback loop, see Figure 3. Thus, during the 32 clocks in the key initialization, the next element to be inserted into the LFSR is given by
在 LFSR 初始化后,R1 和 R2 都被设置为零。现在,密码被时钟驱动 32 次而没有产生任何输出符号。相反,FSM 的输出被纳入反馈环路,见图 3。因此,在密钥初始化的 32 个时钟周期中,插入 LFSR 的下一个元素由
s t + 16 = α 1 s t + 11 s t + 2 α s t F t s t + 16 = α 1 s t + 11 s t + 2 α s t F t s_(t+16)=alpha^(-1)s_(t+11)o+s_(t+2)o+alphas_(t)o+F_(t)s_{t+16}=\alpha^{-1} s_{t+11} \oplus s_{t+2} \oplus \alpha s_{t} \oplus F_{t}
After the 32 clockings the cipher is shifted back to normal operation (Figure 2) and clocked once before the first keystream symbol is produced. The maximum number of keystream words allowed is set to 2 50 2 50 2^(50)2^{50}, then the cipher must be rekeyed. This limit provides a bound for cryptanalysis and implies no practical limits to the operation of the cipher. The need for producing more than 2 50 2 50 2^(50)2^{50} words using the same key, is quite unlikely.
在 32 次时钟后,密码恢复到正常操作(图 2),并在生成第一个密钥流符号之前时钟一次。允许的最大密钥流字数设置为 2 50 2 50 2^(50)2^{50} ,然后密码必须重新密钥。这一限制为密码分析提供了界限,并暗示密码操作没有实际限制。使用相同密钥生成超过 2 50 2 50 2^(50)2^{50} 个字的需求是相当不可能的。

5 Design Differences from SNOW 1.0
5 个与 SNOW 1.0 的设计差异

In this section we highlight the differences between SNOW 2.0 and SNOW 1.0 and their expected security improvements. We start with the choice of feedback
在本节中,我们强调 SNOW 2.0 和 SNOW 1.0 之间的差异及其预期的安全改进。我们从反馈的选择开始。

Fig. 3. Cipher operation during key initialization.
图 3. 密钥初始化期间的密码操作。

polynomial. In SNOW 1.0 the multiplication could be implemented by a single left shift of the word followed by a possible XOR with a known pattern of weight 6 . This means that the resulting word was in many positions only a shift of the original word. In SNOW 2.0 we define F 2 32 F 2 32 F_(2^(32))\mathbb{F}_{2^{32}} as an extension field over F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}} and each of the two multiplications can be implemented as a byte shift together with a unconditional XOR with one of 256 possible patterns. This results in a better spreading of the bits in the feedback loop, and improves the resistance against certain correlation attack, as discussed in [6]. The use of two constants in the feedback loop also improves the resistance against bitwise linear approximation attacks, as discussed in Section 3. To the authors, there is no known method to manipulate the feedback polynomial such that the resulting linear recurrence hold for each bit position and have reasonably low weight. The unconditional XOR also seems to improve speed, by removing the possible branch prediction error in a pipelined processor.
多项式。在 SNOW 1.0 中,乘法可以通过对字进行一次左移,然后可能与已知的权重为 6 的模式进行异或来实现。这意味着结果字在许多位置上仅是原始字的一个移位。在 SNOW 2.0 中,我们将 F 2 32 F 2 32 F_(2^(32))\mathbb{F}_{2^{32}} 定义为 F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}} 上的扩展域,并且这两个乘法都可以实现为字节移位,并与 256 种可能模式之一进行无条件异或。这导致反馈环路中比特的更好扩散,并提高了对某些相关攻击的抵抗力,如[6]中所讨论的。在反馈环路中使用两个常量也提高了对按位线性近似攻击的抵抗力,如第 3 节中所讨论的。对作者而言,尚无已知方法可以操纵反馈多项式,使得结果线性递归在每个位位置上都成立并具有合理的低权重。无条件异或似乎也通过消除流水线处理器中的可能分支预测错误来提高速度。
The FSM in SNOW 2.0 now takes two inputs. This makes a guess-anddetermine type of attack more difficult. Given the output of the FSM, together with R 1 R 1 R1R 1 and R 2 R 2 R2R 2 it is no longer possible to deduce the next FSM state directly. The update of R 1 R 1 R1R 1 does not depend on the output of the FSM, but on a word taken from the LFSR. This also suggests that similar correlations as those found in (1) would be much weaker.
SNOW 2.0 中的 FSM 现在接受两个输入。这使得猜测和确定类型的攻击变得更加困难。考虑到 FSM 的输出,以及 R 1 R 1 R1R 1 R 2 R 2 R2R 2 ,现在无法直接推断下一个 FSM 状态。 R 1 R 1 R1R 1 的更新不依赖于 FSM 的输出,而是依赖于从 LFSR 中提取的一个字。这也表明,类似于(1)中发现的相关性将会弱得多。
The S-box in SNOW 1.0 was also byte oriented but the final bit permutation did not diffuse as much as the new design. In SNOW 1.0, each input byte to the S-box affected only 8 bits of the output word. The choice of the new S-box, based on the round function of Rijndael, provides a much stronger diffusion. Each output bit now depends on each input bit.
SNOW 1.0 中的 S 盒也是字节导向的,但最终的位置换没有像新设计那样扩散。在 SNOW 1.0 中,输入到 S 盒的每个字节仅影响输出字的 8 位。基于 Rijndael 的轮函数的新 S 盒的选择提供了更强的扩散。现在每个输出位都依赖于每个输入位。

6 Implementation Aspects
6 个实施方面

The design of SNOW 2.0 was done with a fast software implementation in mind. We have chosen a minimum number of different operations; XOR, integer addition, byte shift of a word, and table lookups, all available on modern processors. Even though there are many possible tradeoffs in a software implementation, we will discuss some of the design aspects which have high impact in software.
SNOW 2.0 的设计是考虑到快速软件实现的。我们选择了最少的不同操作;异或、整数加法、字节移位和表查找,这些在现代处理器上都可用。尽管在软件实现中有许多可能的权衡,我们将讨论一些在软件中影响较大的设计方面。
We start with the LFSR. The field F 2 32 F 2 32 F_(2^(32))\mathbb{F}_{2^{32}} is defined as an extension field over F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}}, with α F 2 32 α F 2 32 alpha inF_(2^(32))\alpha \in \mathbb{F}_{2^{32}} being the root of the degree 4 polynomial
我们从 LFSR 开始。域 F 2 32 F 2 32 F_(2^(32))\mathbb{F}_{2^{32}} 被定义为在 F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}} 上的扩展域, α F 2 32 α F 2 32 alpha inF_(2^(32))\alpha \in \mathbb{F}_{2^{32}} 是 4 次多项式的根。
x 4 + β 23 x 3 + β 245 x 2 + β 48 x + β 239 F 2 8 [ x ] x 4 + β 23 x 3 + β 245 x 2 + β 48 x + β 239 F 2 8 [ x ] x^(4)+beta^(23)x^(3)+beta^(245)x^(2)+beta^(48)x+beta^(239)inF_(2^(8))[x]x^{4}+\beta^{23} x^{3}+\beta^{245} x^{2}+\beta^{48} x+\beta^{239} \in \mathbb{F}_{2^{8}}[x]
Hence, we have the degree reduction of α α alpha\alpha given by
因此,我们有由 α α alpha\alpha 给出的度数减少
α 4 = β 23 α 3 + β 245 α 2 + β 48 α + β 239 α 4 = β 23 α 3 + β 245 α 2 + β 48 α + β 239 alpha^(4)=beta^(23)alpha^(3)+beta^(245)alpha^(2)+beta^(48)alpha+beta^(239)\alpha^{4}=\beta^{23} \alpha^{3}+\beta^{245} \alpha^{2}+\beta^{48} \alpha+\beta^{239}
In the feedback loop, multiplication with α α alpha\alpha and α 1 α 1 alpha^(-1)\alpha^{-1} can be implemented as a simple byte shift plus an additional XOR with one of 256 possible patterns. This can be seen from the representation of a word as a polynomial in F 2 8 [ x ] F 2 8 [ x ] F_(2^(8))[x]\mathbb{F}_{2^{8}}[x] using ( α 3 , α 2 , α , 1 ) α 3 , α 2 , α , 1 (alpha^(3),alpha^(2),alpha,1)\left(\alpha^{3}, \alpha^{2}, \alpha, 1\right) as base. Thus, any element w w ww in F 2 32 F 2 32 F_(2^(32))\mathbb{F}_{2^{32}} can be written as
在反馈循环中,与 α α alpha\alpha α 1 α 1 alpha^(-1)\alpha^{-1} 的乘法可以通过简单的字节移位加上与 256 种可能模式之一的额外异或实现。这可以从将一个字表示为以 ( α 3 , α 2 , α , 1 ) α 3 , α 2 , α , 1 (alpha^(3),alpha^(2),alpha,1)\left(\alpha^{3}, \alpha^{2}, \alpha, 1\right) 为基数的 F 2 8 [ x ] F 2 8 [ x ] F_(2^(8))[x]\mathbb{F}_{2^{8}}[x] 中的多项式的表示中看出。因此, F 2 32 F 2 32 F_(2^(32))\mathbb{F}_{2^{32}} 中的任何元素 w w ww 都可以写成
w = c 3 α 3 + c 2 α 2 + c 1 α + c 0 w = c 3 α 3 + c 2 α 2 + c 1 α + c 0 w=c_(3)alpha^(3)+c_(2)alpha^(2)+c_(1)alpha+c_(0)w=c_{3} \alpha^{3}+c_{2} \alpha^{2}+c_{1} \alpha+c_{0}
where ( c 3 , c 2 , c 1 , c 0 ) c 3 , c 2 , c 1 , c 0 (c_(3),c_(2),c_(1),c_(0))\left(c_{3}, c_{2}, c_{1}, c_{0}\right) are the bytes of w , c 0 w , c 0 w,c_(0)w, c_{0} being the least significant byte. Multiplying w w ww with α α alpha\alpha, will yield a reduction according to (16) as follows
其中 ( c 3 , c 2 , c 1 , c 0 ) c 3 , c 2 , c 1 , c 0 (c_(3),c_(2),c_(1),c_(0))\left(c_{3}, c_{2}, c_{1}, c_{0}\right) w , c 0 w , c 0 w,c_(0)w, c_{0} 的字节, w , c 0 w , c 0 w,c_(0)w, c_{0} 是最低有效字节。将 w w ww α α alpha\alpha 相乘,将根据 (16) 产生如下减少。
α w = c 3 α 4 + c 2 α 3 + c 1 α 2 + c 0 α = ( c 3 β 23 + c 2 ) α 3 + ( c 3 β 245 + c 1 ) α 2 + ( c 3 β 48 + c 0 ) α + c 3 β 239 α w = c 3 α 4 + c 2 α 3 + c 1 α 2 + c 0 α = c 3 β 23 + c 2 α 3 + c 3 β 245 + c 1 α 2 + c 3 β 48 + c 0 α + c 3 β 239 {:[alpha w=c_(3)alpha^(4)+c_(2)alpha^(3)+c_(1)alpha^(2)+c_(0)alpha],[=(c_(3)beta^(23)+c_(2))alpha^(3)+(c_(3)beta^(245)+c_(1))alpha^(2)+(c_(3)beta^(48)+c_(0))alpha+c_(3)beta^(239)]:}\begin{aligned} \alpha w & =c_{3} \alpha^{4}+c_{2} \alpha^{3}+c_{1} \alpha^{2}+c_{0} \alpha \\ & =\left(c_{3} \beta^{23}+c_{2}\right) \alpha^{3}+\left(c_{3} \beta^{245}+c_{1}\right) \alpha^{2}+\left(c_{3} \beta^{48}+c_{0}\right) \alpha+c_{3} \beta^{239} \end{aligned}
Similar calculations can be done for the multiplication with α 1 α 1 alpha^(-1)\alpha^{-1}. Thus, to get a fast implementation of the LFSR feedback, one can use precomputed tables
可以对与 α 1 α 1 alpha^(-1)\alpha^{-1} 的乘法进行类似的计算。因此,为了快速实现 LFSR 反馈,可以使用预计算的表。
M U L α [ c ] = ( c β 23 , c β 245 , c β 48 , c β 239 ) M U L α 1 [ c ] = ( c β 16 , c β 39 , c β 6 , c β 64 ) M U L α [ c ] = c β 23 , c β 245 , c β 48 , c β 239 M U L α 1 [ c ] = c β 16 , c β 39 , c β 6 , c β 64 {:[MUL_(alpha)[c]=(cbeta^(23),cbeta^(245),cbeta^(48),cbeta^(239))],[MUL_(alpha^(-1))[c]=(cbeta^(16),cbeta^(39),cbeta^(6),cbeta^(64))]:}\begin{aligned} M U L_{\alpha}[c] & =\left(c \beta^{23}, c \beta^{245}, c \beta^{48}, c \beta^{239}\right) \\ M U L_{\alpha^{-1}}[c] & =\left(c \beta^{16}, c \beta^{39}, c \beta^{6}, c \beta^{64}\right) \end{aligned}
where c c cc runs through all elements in F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}}. The pseudo-code for the multiplication would be
其中 c c cc 遍历 F 2 8 F 2 8 F_(2^(8))\mathbb{F}_{2^{8}} 中的所有元素。乘法的伪代码将是
// Multiplication w*alpha ("<<" is left shift,">>" is right shift)
result=(w<<8) XOR MUL_a[w>>24];
// Multiplication w*alpha^-1
result=(w>>8) XOR MUL_ainverse[w and 0xff];
The S-box are implemented using the same techniques as done in Rijndael [4] and SCREAM [2]. Recall the expression for the S-box, r = S ( w ) r = S ( w ) r=S(w)r=S(w)
S 盒的实现采用与 Rijndael [4] 和 SCREAM [2] 相同的技术。回忆一下 S 盒的表达式, r = S ( w ) r = S ( w ) r=S(w)r=S(w)
( r 0 r 1 r 2 r 3 ) = ( x x + 1 1 1 1 x x + 1 1 1 1 x x + 1 x + 1 1 1 x ) ( S R [ w 0 ] S R [ w 1 ] S R [ w 2 ] S R [ w 3 ] ) . r 0 r 1 r 2 r 3 = x x + 1 1 1 1 x x + 1 1 1 1 x x + 1 x + 1 1 1 x S R w 0 S R w 1 S R w 2 S R w 3 . ([r_(0)],[r_(1)],[r_(2)],[r_(3)])=([x,x+1,1,1],[1,x,x+1,1],[1,1,x,x+1],[x+1,1,1,x])([S_(R)[w_(0)]],[S_(R)[w_(1)]],[S_(R)[w_(2)]],[S_(R)[w_(3)]]).\left(\begin{array}{l} r_{0} \\ r_{1} \\ r_{2} \\ r_{3} \end{array}\right)=\left(\begin{array}{cccc} x & x+1 & 1 & 1 \\ 1 & x & x+1 & 1 \\ 1 & 1 & x & x+1 \\ x+1 & 1 & 1 & x \end{array}\right)\left(\begin{array}{c} S_{R}\left[w_{0}\right] \\ S_{R}\left[w_{1}\right] \\ S_{R}\left[w_{2}\right] \\ S_{R}\left[w_{3}\right] \end{array}\right) .
The matrix multiplication can be split up into a linear combinations of the columns
矩阵乘法可以分解为列的线性组合
( r 0 r 1 r 2 r 3 ) = S R [ w 0 ] ( x 1 1 x + 1 ) + S R [ w 1 ] ( x + 1 x 1 1 ) + S R [ w 2 ] ( 1 x + 1 x 1 ) + S R [ w 3 ] ( 1 1 x + 1 x ) r 0 r 1 r 2 r 3 = S R w 0 x 1 1 x + 1 + S R w 1 x + 1 x 1 1 + S R w 2 1 x + 1 x 1 + S R w 3 1 1 x + 1 x {:[([r_(0)],[r_(1)],[r_(2)],[r_(3)])=S_(R)[w_(0)]([x],[1],[1],[x+1])+S_(R)[w_(1)]([x+1],[x],[1],[1])+],[S_(R)[w_(2)]([1],[x+1],[x],[1])+S_(R)[w_(3)]([1],[1],[x+1],[x])]:}\begin{array}{r} \left(\begin{array}{l} r_{0} \\ r_{1} \\ r_{2} \\ r_{3} \end{array}\right)=S_{R}\left[w_{0}\right]\left(\begin{array}{c} x \\ 1 \\ 1 \\ x+1 \end{array}\right)+S_{R}\left[w_{1}\right]\left(\begin{array}{c} x+1 \\ x \\ 1 \\ 1 \end{array}\right)+ \\ S_{R}\left[w_{2}\right]\left(\begin{array}{c} 1 \\ x+1 \\ x \\ 1 \end{array}\right)+S_{R}\left[w_{3}\right]\left(\begin{array}{c} 1 \\ 1 \\ x+1 \\ x \end{array}\right) \end{array}
By using four tables of words, each of size 256, defined by
通过使用四个大小为 256 的单词表定义的
T 0 [ a ] = ( x S R [ a ] S R [ a ] S R [ a ] ( x + 1 ) S R [ a ] ) , T 1 [ a ] = ( ( x + 1 ) S R [ a ] x S R [ a ] S R [ a ] S R [ a ] ) , T 2 [ a ] = ( S R [ a ] ( x + 1 ) S R [ a ] x S R [ a ] S R [ a ] ) , T 3 [ a ] = ( S R [ a ] S R [ a ] ( x + 1 ) S R [ a ] x S R [ a ] ) , T 0 [ a ] = x S R [ a ] S R [ a ] S R [ a ] ( x + 1 ) S R [ a ] , T 1 [ a ] = ( x + 1 ) S R [ a ] x S R [ a ] S R [ a ] S R [ a ] , T 2 [ a ] = S R [ a ] ( x + 1 ) S R [ a ] x S R [ a ] S R [ a ] , T 3 [ a ] = S R [ a ] S R [ a ] ( x + 1 ) S R [ a ] x S R [ a ] , {:[T_(0)[a]=([xS_(R)[a]],[S_(R)[a]],[S_(R)[a]],[(x+1)S_(R)[a]])","T_(1)[a]=([(x+1)S_(R)[a]],[xS_(R)[a]],[S_(R)[a]],[S_(R)[a]])","],[T_(2)[a]=([S_(R)[a]],[(x+1)S_(R)[a]],[xS_(R)[a]],[S_(R)[a]])","T_(3)[a]=([S_(R)[a]],[S_(R)[a]],[(x+1)S_(R)[a]],[xS_(R)[a]])","]:}\begin{aligned} & T_{0}[a]=\left(\begin{array}{c} x S_{R}[a] \\ S_{R}[a] \\ S_{R}[a] \\ (x+1) S_{R}[a] \end{array}\right), T_{1}[a]=\left(\begin{array}{c} (x+1) S_{R}[a] \\ x S_{R}[a] \\ S_{R}[a] \\ S_{R}[a] \end{array}\right), \\ & T_{2}[a]=\left(\begin{array}{c} S_{R}[a] \\ (x+1) S_{R}[a] \\ x S_{R}[a] \\ S_{R}[a] \end{array}\right), T_{3}[a]=\left(\begin{array}{c} S_{R}[a] \\ S_{R}[a] \\ (x+1) S_{R}[a] \\ x S_{R}[a] \end{array}\right), \end{aligned}
we can easily implement the S-box by addressing the tables with the bytes ( w 3 , w 2 , w 1 , w 0 ) w 3 , w 2 , w 1 , w 0 (w_(3),w_(2),w_(1),w_(0))\left(w_{3}, w_{2}, w_{1}, w_{0}\right) of the input word w w ww. In pseudo-code we can write
我们可以通过使用输入字 w w ww 的字节 ( w 3 , w 2 , w 1 , w 0 ) w 3 , w 2 , w 1 , w 0 (w_(3),w_(2),w_(1),w_(0))\left(w_{3}, w_{2}, w_{1}, w_{0}\right) 来轻松实现 S-box。在伪代码中,我们可以写道

// Calculate r=S-box(w)  // 计算 r=S-box(w)
r=T0[byte0(w)] XOR T1[byte1(w)] XOR T2[byte2(w)] XOR T3[byte3(w)];
where byte 0 ( w ) 0 ( w ) 0(w)0(\mathrm{w}) means the least significant byte of w w ww, etcetera.
其中字节 0 ( w ) 0 ( w ) 0(w)0(\mathrm{w}) 表示 w w ww 的最低有效字节,等等。

We have two different C implementations, both using tables for feedback multiplication and S-box operations. The first version (version 1) implements the LFSR with an array using the sliding window technique, see e.g. 10. This version is considered an “easy to read” standard reference version. The second version (version 2) implements the cipher with “hard coded” variables for the LFSR. This version produces 16 32 = 512 16 32 = 512 16*32=51216 \cdot 32=512 bits of keystream in each procedure call, corresponding to 16 consecutive clockings. Table 1 indicates the speed of the two implementations versions. For the key setup in SNOW 1.0, the IV mode is used as reference, since it also uses 32 clockings in the initialization phase. This accounts for a more reasonable comparison. The tests where run on an PC with Intel 4 processor running at 1.8 GHz , 512 Mb 1.8 GHz , 512 Mb 1.8GHz,512Mb1.8 \mathrm{GHz}, 512 \mathrm{Mb} of memory. Each program was compiled using gcc with optimization parameter “-O3” and inline directives in the code.
我们有两个不同的 C 实现,均使用表格进行反馈乘法和 S 盒操作。第一个版本(版本 1)使用滑动窗口技术实现了带有数组的 LFSR,参见例如 10。这个版本被认为是“易于阅读”的标准参考版本。第二个版本(版本 2)使用“硬编码”变量实现了密码算法的 LFSR。这个版本在每次过程调用中产生 16 32 = 512 16 32 = 512 16*32=51216 \cdot 32=512 位密钥流,对应于 16 次连续时钟。表 1 显示了两个实现版本的速度。对于 SNOW 1.0 中的密钥设置,IV 模式被用作参考,因为它在初始化阶段也使用了 32 次时钟。这使得比较更加合理。测试在一台配备 Intel 4 处理器和 1.8 GHz , 512 Mb 1.8 GHz , 512 Mb 1.8GHz,512Mb1.8 \mathrm{GHz}, 512 \mathrm{Mb} 内存的 PC 上进行。每个程序都使用 gcc 编译,并带有优化参数“-O3”和代码中的内联指令。

7 Conclusions  7 结论

We have proposed a new stream cipher SNOW 2.0. The design is based on the NESSIE proposal SNOW 1.0 and addresses all weaknesses found in the original
我们提出了一种新的流密码 SNOW 2.0。该设计基于 NESSIE 提案 SNOW 1.0,并解决了原始版本中发现的所有弱点。

  1. 1 1 ^(1){ }^{1} Observe the change from the original version where the first symbol was read out before the cipher was clocked.
    1 1 ^(1){ }^{1} 观察与原始版本的变化,其中第一个符号在密码被记录之前被读出。