The stream cipher MICKEY

Transcription

1 The stream cpher MICKEY Steve Babbage Vodafone Group R&D, Newbury, UK Matthew Dodd Independent consultant 30 th June 2006 Abstract: We present a strengthened verson 2.0 of the stream cpher MICKEY-128. MICKEY-128 (whch stands for Mutual Irregular Clockng KEYstream generator wth a 128-bt key) s amed at resource-constraned hardware platforms, but where a key sze of 128 bts s requred. It s ntended to have low complexty n hardware, whle provdng a hgh level of securty. It uses rregular clockng of shft regsters, wth some novel technques to balance the need for guarantees on perod and pseudorandomness aganst the need to avod certan cryptanalytc attacks. Keywords: MICKEY, MICKEY-128, stream cpher, ECRYPT, rregular clockng. 1. Introducton We present the stream cpher MICKEY (whch stands for Mutual Irregular Clockng KEYstream generator wth a 128-bt key). MICKEY s amed at resource-constraned hardware platforms, but where a key sze of 128 bts s requred. It s ntended to have low complexty n hardware, whle provdng a hgh level of securty. 2. Input and output parameters MICKEY takes two nput parameters: a 128-bt secret key K, whose bts are labelled k0k k127 ; an ntalsaton varable IV, anywhere between 0 and 128 bts n length, whose bts are labelled v0k v IVLENGTH 1. The keystream bts output by MICKEY are labelled z, z, 0 1 K. Cphertext s produced from plantext by btwse XOR wth keystream bts, as n most stream cphers. 3. Acceptable use The maxmum length of keystream sequence that may be generated wth a sngle ( ) IV K, par s 2 64 bts. It s acceptable to generate 2 64 such sequences (tme permttng!), all from the same K but wth dfferent values of IV. It s not acceptable to use two ntalsaton varables of dfferent lengths wth the same K. And t s not, of course, acceptable to reuse the same value of IV wth the same K.

2 MICKEY specfcaton 2 4. Components of the keystream generator 4.1 The regsters The generator s bult from two regsters R and S. Each regster s 160 stages long, each stage contanng one bt. We label the bts n the regsters r0k r and s0k s respectvely. Broadly speakng, we thnk of R as the lnear regster and S as the non-lnear regster. 4.2 Clockng the regster R Defne a set of feedback tap postons for R : RTAPS = {0,4,5,8,10,11,14,16,20,25,30,32,35,36,38,42,43,46,50,51,53,54,55,56,57,60,61,62, 63,65,66,69,73,74,76,79,80,81,82,85,86,90,91,92,95,97,100,101,105,106,107,108, 109,111,112,113,115,116,117,127,128,129,130,131,133,135,136,137,140,142,145,148, 150,152,153,154,156,157} We defne an operaton CLOCK_R ( R, follows: INPUT _ BIT _ R, CONTROL _ BIT _ R ) as Let r0k r be the state of the regster R before clockng, and let r 0 K r be the state of the regster R after clockng. FEEDBACK _ BIT = r INPUT _ BIT For 1, r = r 1 ; r = 0 0 For 0, f RTAPS, r = r FEEDBACK _ BIT If CONTROL _ BIT = 1 : For 0, r = r r 4.3 Clockng the regster S Defne four sequences COMP 01K COMP 0158, COMP1 K COMP 1158, FB00K FB0, FB10 K FB1 as follows: COMP COMP FB FB COMP COMP FB FB

3 MICKEY specfcaton COMP COMP FB FB COMP COMP FB FB COMP COMP FB FB COMP COMP FB FB We defne an operaton CLOCK_S (S, follows: INPUT_BIT _ S, CONTROL _ BIT _ S ) as Let s0k s be the state of the regster S before clockng, and let s 0 K s be the state of the regster after clockng. We wll also use ˆ s ˆ 0K s as ntermedate varables to smplfy the specfcaton. FEEDBACK _ BIT = s INPUT _ BIT For 1 158, ˆ s s ( ( s COMP 0 )(. s COMP1 )) If CONTROL _ BIT = 0 : For 0 = ; ˆ0 = 0, s = ˆ s ( FB0. FEEDBACK _ BIT ) If nstead CONTROL _ BIT = 1 : For 0, s = ˆ s ( FB1. FEEDBACK _ BIT ) s ; ˆ s = s Clockng the overall generator We defne an operaton CLOCK_KG ( R, S, MIXING, INPUT _ BIT ) as follows: CONTROL _ BIT _ R = s54 r106 CONTROL _ BIT _ S = s106 r53

4 MICKEY specfcaton 4 If MIXING = TRUE, CLOCK_R (R, INPUT _ BIT _ R = INPUT _ BIT s80, CONTROL _ BIT _ R = CONTROL _ BIT ) CLOCK_S (S, INPUT _ BIT _ S = INPUT _ BIT, CONTROL _ BIT _ S = CONTROL _ BIT ) If nstead MIXING = FALSE, CLOCK_R (R, INPUT _ BIT _ R = INPUT _ BIT, CONTROL _ BIT _ R = CONTROL _ BIT ) CLOCK_S (S, INPUT _ BIT _ S = INPUT _ BIT, CONTROL _ BIT _ S = CONTROL _ BIT ) 5. Key loadng and ntalsaton The regsters are ntalsed from the nput varables as follows: Intalse the regsters R and S wth all zeros. (Load n IV.) For 0 IVLENGTH 1: CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = v ) (Load n K.) For : CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = k ) (Preclock.) For 0 : CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = 0 ) 6. Generatng keystream Havng loaded and ntalsed the regsters, we generate keystream bts z 0K 1 as follows: For 0 L 1 : z = r 0 s0 z L CLOCK_KG (R, S, MIXING = FALSE, INPUT_BIT = 0 ) 7. Desgn prncples The desgn prncples of MICKEY are exactly the same as those of MICKEY 2.0 [1]. We wll not repeat them here. We have treated MICKEY as a separate algorthm purely to keep the specfcaton of each verson smpler. In secton 7.1 of the MICKEY 2.0 specfcaton [1], we menton a value J = related to the clockng of regster R. For MICKEY , the correspondng value of J s

5 MICKEY specfcaton 5 8. Changes from MICKEY-128 verson 1 The changes are very smple: the two regsters have each been ncreased from 128 stages to 160 stages. Some detaled values, such as control bt tap locatons, have been scaled accordngly. There are no other changes. For an explanaton of the ratonale behnd these changes, see secton 8 of [1]. 9. The ntended strength of the algorthm When used n accordance wth the rules set out n secton 3, MICKEY s ntended to resst any attack faster than exhaustve key search. The desgners have not delberately nserted any hdden weaknesses n the algorthm. 10. Performance of the algorthm MICKEY s not desgned for notably hgh speeds n software, although t s straghtforward to mplement t reasonably effcently. Our own reasonably effcent (but not turbo-charged) mplementaton generated 10 8 bts of keystream n 4.81 seconds 1, usng a PC wth a 3.4GHz Pentum 4 processor. There may be scope for more effcent software mplementatons that produce several bts of keystream at a tme, makng use of look-up tables to mplement the regster clockng and keystream dervaton. 11. IPR The desgners of the algorthm do not clam any IPR over t, and make t freely avalable for any purpose. To the best of our knowledge no one else has any relevant IPR ether. We wll update the ECRYPT stream cpher project coordnators f we ever dscover any. 12. References [1] S.H.Babbage, M.W.Dodd, The stream cpher MICKEY 2.0, revsed ECRYPT stream cpher submsson, expected to become avalable va the ECRYPT web ste. 1 Ths s faster than the fgure we quoted n the MICKEY-128 v1 specfcaton, whch may surprse the reader. We found that a slght reorgansaton of our testng code allowed our compler to make nlnng optmsatons that t had faled to make before. The fgures we quote here are stll based on the MICKEY faster C code that we have submtted to estream.