The stream cipher MICKEY


The stream cipher MICKEY-128 2.0

Steve Babbage, Vodafone Group R&D, Newbury, UK, steve.babbage@vodafone.com
Matthew Dodd, Independent consultant, matthew@mdodd.net, www.mdodd.net

30th June 2006

Abstract: We present a strengthened version 2.0 of the stream cipher MICKEY-128. MICKEY-128 (which stands for Mutual Irregular Clocking KEYstream generator with a 128-bit key) is aimed at resource-constrained hardware platforms, but where a key size of 128 bits is required. It is intended to have low complexity in hardware, while providing a high level of security. It uses irregular clocking of shift registers, with some novel techniques to balance the need for guarantees on period and pseudorandomness against the need to avoid certain cryptanalytic attacks.

Keywords: MICKEY, MICKEY-128, stream cipher, ECRYPT, irregular clocking.

1. Introduction

We present the stream cipher MICKEY-128 2.0 (which stands for Mutual Irregular Clocking KEYstream generator with a 128-bit key). MICKEY-128 2.0 is aimed at resource-constrained hardware platforms, but where a key size of 128 bits is required. It is intended to have low complexity in hardware, while providing a high level of security.

2. Input and output parameters

MICKEY-128 2.0 takes two input parameters:
- a 128-bit secret key K, whose bits are labelled $k_0 \ldots k_{127}$;
- an initialisation variable IV, anywhere between 0 and 128 bits in length, whose bits are labelled $v_0 \ldots v_{IVLENGTH-1}$.

The keystream bits output by MICKEY-128 2.0 are labelled $z_0, z_1, \ldots$. Ciphertext is produced from plaintext by bitwise XOR with keystream bits, as in most stream ciphers.

3. Acceptable use

The maximum length of keystream sequence that may be generated with a single (K, IV) pair is $2^{64}$ bits. It is acceptable to generate $2^{64}$ such sequences (time permitting!), all from the same K but with different values of IV. It is not acceptable to use two initialisation variables of different lengths with the same K. And it is not, of course, acceptable to reuse the same value of IV with the same K.

MICKEY-128 2.0 specification

4. Components of the keystream generator

4.1 The registers

The generator is built from two registers R and S. Each register is 160 stages long, each stage containing one bit. We label the bits in the registers $r_0 \ldots r_{159}$ and $s_0 \ldots s_{159}$ respectively. Broadly speaking, we think of R as the linear register and S as the non-linear register.

4.2 Clocking the register R

Define a set of feedback tap positions for R:

RTAPS = {0,4,5,8,10,11,14,16,20,25,30,32,35,36,38,42,43,46,50,51,53,54,55,56,57,60,61,62,63,65,66,69,73,74,76,79,80,81,82,85,86,90,91,92,95,97,100,101,105,106,107,108,109,111,112,113,115,116,117,127,128,129,130,131,133,135,136,137,140,142,145,148,150,152,153,154,156,157}

We define an operation CLOCK_R (R, INPUT_BIT_R, CONTROL_BIT_R) as follows:
- Let $r_0 \ldots r_{159}$ be the state of the register R before clocking, and let $r'_0 \ldots r'_{159}$ be the state of the register R after clocking.
- $FEEDBACK\_BIT = r_{159} \oplus INPUT\_BIT\_R$
- For $1 \le i \le 159$, $r'_i = r_{i-1}$; $r'_0 = 0$
- For $0 \le i \le 159$, if $i \in RTAPS$, $r'_i = r'_i \oplus FEEDBACK\_BIT$
- If $CONTROL\_BIT\_R = 1$: For $0 \le i \le 159$, $r'_i = r'_i \oplus r_i$

4.3 Clocking the register S

Define four sequences $COMP0_1 \ldots COMP0_{158}$, $COMP1_1 \ldots COMP1_{158}$, $FB0_0 \ldots FB0_{159}$, $FB1_0 \ldots FB1_{159}$ as follows:

i        0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16  17  18  19  20  21  22  23  24  25  26
COMP0        1   1   1   1   0   1   0   0   1   0   0   1   1   1   1   0   1   1   0   1   0   1   1   1   0   1
COMP1        0   0   0   1   1   0   0   1   1   1   1   1   0   0   0   1   0   0   1   1   0   0   0   1   0   1
FB0      1   1   1   1   0   1   0   1   1   1   1   1   1   0   0   0   0   0   1   1   1   1   0   0   0   0   1
FB1      1   1   0   1   0   1   0   1   1   1   1   0   1   1   1   0   0   0   1   0   1   1   1   1   1   1   0

i       27  28  29  30  31  32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47  48  49  50  51  52  53
COMP0    1   1   0   1   0   1   0   1   0   1   0   1   0   1   0   0   1   0   0   0   0   0   1   1   0   0   1
COMP1    1   1   1   1   0   0   0   0   1   1   0   0   1   0   0   1   1   1   1   0   0   0   1   1   0   1   1
FB0      0   0   0   1   1   0   1   0   0   0   1   0   0   1   1   0   0   0   1   0   1   1   1   1   1   0   1
FB1      1   1   0   0   1   0   0   0   0   1   0   0   1   0   0   1   1   0   0   0   1   1   0   0   1   1   1

i       54  55  56  57  58  59  60  61  62  63  64  65  66  67  68  69  70  71  72  73  74  75  76  77  78  79  80
COMP0    0   0   1   0   0   1   1   1   1   0   0   1   0   0   0   1   1   0   0   0   0   0   1   1   1   0   0
COMP1    0   1   0   1   1   1   1   1   1   1   0   0   0   0   0   1   1   1   1   1   0   0   0   0   1   1   0
FB0      0   0   0   1   1   1   0   0   0   0   1   0   0   0   0   0   0   1   1   0   1   1   0   0   1   0   1
FB1      1   0   0   0   0   0   1   1   1   0   0   1   1   0   1   1   0   1   0   0   0   1   1   0   0   0   0

i       81  82  83  84  85  86  87  88  89  90  91  92  93  94  95  96  97  98  99 100 101 102 103 104 105 106 107
COMP0    0   0   0   0   0   0   0   1   0   0   1   1   1   1   0   1   0   0   0   1   1   0   0   1   0   0   1
COMP1    0   0   0   0   0   0   0   0   0   1   1   1   1   1   0   1   0   1   0   0   0   1   0   1   1   0   0
FB0      0   1   0   0   1   1   1   0   1   1   0   0   1   1   0   1   0   0   0   1   0   0   1   1   1   0   1
FB1      1   0   1   1   0   0   1   1   1   1   1   0   1   1   0   1   1   1   0   0   1   1   1   0   1   1   1

i      108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134
COMP0    1   0   1   1   1   1   1   1   0   1   0   1   1   1   1   0   1   1   0   0   0   1   1   1   1   1   0
COMP1    0   1   1   1   0   0   0   0   0   1   1   0   0   1   1   0   0   1   1   0   1   0   1   0   1   1   0
FB0      0   0   1   0   0   0   1   0   1   0   1   0   0   0   1   0   1   0   1   1   1   0   0   0   0   0   1
FB1      1   1   1   0   1   1   0   1   0   0   1   0   0   0   1   1   0   1   1   0   1   1   1   1   0   1   1

i      135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159
COMP0    1   0   1   1   0   0   0   0   0   0   1   1   1   1   1   0   1   1   1   1   1   0   0   0
COMP1    1   1   1   0   1   1   0   1   0   0   0   1   0   1   1   1   1   1   1   1   1   1   1   1
FB0      1   1   1   0   1   0   0   0   0   1   1   0   0   0   1   1   0   1   1   0   0   0   0   0   1
FB1      1   0   0   0   0   0   0   0   1   1   1   1   0   0   1   0   1   1   0   0   0   1   0   0   0

We define an operation CLOCK_S (S, INPUT_BIT_S, CONTROL_BIT_S) as follows:
- Let $s_0 \ldots s_{159}$ be the state of the register S before clocking, and let $s'_0 \ldots s'_{159}$ be the state of the register after clocking. We will also use $\hat{s}_0 \ldots \hat{s}_{159}$ as intermediate variables to simplify the specification.
- $FEEDBACK\_BIT = s_{159} \oplus INPUT\_BIT\_S$
- For $1 \le i \le 158$, $\hat{s}_i = s_{i-1} \oplus ((s_i \oplus COMP0_i) \cdot (s_{i+1} \oplus COMP1_i))$; $\hat{s}_0 = 0$; $\hat{s}_{159} = s_{158}$
- If $CONTROL\_BIT\_S = 0$: For $0 \le i \le 159$, $s'_i = \hat{s}_i \oplus (FB0_i \cdot FEEDBACK\_BIT)$
- If instead $CONTROL\_BIT\_S = 1$: For $0 \le i \le 159$, $s'_i = \hat{s}_i \oplus (FB1_i \cdot FEEDBACK\_BIT)$

4.4 Clocking the overall generator

We define an operation CLOCK_KG (R, S, MIXING, INPUT_BIT) as follows:
- $CONTROL\_BIT\_R = s_{54} \oplus r_{106}$
- $CONTROL\_BIT\_S = s_{106} \oplus r_{53}$

- If MIXING = TRUE,
  CLOCK_R (R, INPUT_BIT_R = INPUT_BIT $\oplus$ $s_{80}$, CONTROL_BIT_R = CONTROL_BIT_R)
  CLOCK_S (S, INPUT_BIT_S = INPUT_BIT, CONTROL_BIT_S = CONTROL_BIT_S)
- If instead MIXING = FALSE,
  CLOCK_R (R, INPUT_BIT_R = INPUT_BIT, CONTROL_BIT_R = CONTROL_BIT_R)
  CLOCK_S (S, INPUT_BIT_S = INPUT_BIT, CONTROL_BIT_S = CONTROL_BIT_S)

5. Key loading and initialisation

The registers are initialised from the input variables as follows:
- Initialise the registers R and S with all zeros.
- (Load in IV.) For $0 \le i \le IVLENGTH - 1$: CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = $v_i$)
- (Load in K.) For $0 \le i \le 127$: CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = $k_i$)
- (Preclock.) For $0 \le i \le 159$: CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = 0)

6. Generating keystream

Having loaded and initialised the registers, we generate keystream bits $z_0 \ldots z_{L-1}$ as follows:
- For $0 \le i \le L - 1$: $z_i = r_0 \oplus s_0$; CLOCK_KG (R, S, MIXING = FALSE, INPUT_BIT = 0)

7. Design principles

The design principles of MICKEY-128 2.0 are exactly the same as those of MICKEY 2.0 [1]. We will not repeat them here. We have treated MICKEY-128 2.0 as a separate algorithm purely to keep the specification of each version simpler. In section 7.1 of the MICKEY 2.0 specification [1], we mention a value $J = 2^{50} - 157$ related to the clocking of register R. For MICKEY-128 2.0, the corresponding value of J is $2^{80} - 255$.
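Sections 4 to 6 as a bit-level Python sketch, added here as an example: it is not the designers' reference code and has not been checked against official test vectors. The tables are transcribed from this page, bits are held as lists of 0/1 so no byte ordering is assumed, and `iv_reuse_leak` is a hypothetical helper showing why section 3 forbids reusing an IV with the same K.

```python
# Added example: MICKEY-128 2.0 per the spec text on this page (not the designers' code).
RTAPS = {0, 4, 5, 8, 10, 11, 14, 16, 20, 25, 30, 32, 35, 36, 38, 42, 43, 46, 50, 51, 53,
         54, 55, 56, 57, 60, 61, 62, 63, 65, 66, 69, 73, 74, 76, 79, 80, 81, 82, 85, 86,
         90, 91, 92, 95, 97, 100, 101, 105, 106, 107, 108, 109, 111, 112, 113, 115, 116,
         117, 127, 128, 129, 130, 131, 133, 135, 136, 137, 140, 142, 145, 148, 150, 152, 153, 154, 156, 157}

def _bits(*chunks):
    return [int(c) for c in "".join(chunks)]
# One literal per table chunk; COMP0/COMP1 exist for 1..158 only, so 0 and 159 are padded with 0.
COMP0 = _bits("011110100100111101101011101", "110101010101010010000011001", "001001111001000110000011100", "000000010011110100011001001", "101111110101111011000111110", "1011000000111110111110000")
COMP1 = _bits("000011001111100010011000101", "111100001100100111100011011", "010111111100000111110000110", "000000000111110101000101100", "011100000110011001101010110", "1110110100010111111111110")
FB0 = _bits("111101011111100000111100001", "000110100010011000101111101", "000111000010000001101100101", "010011101100110100010011101", "001000101010001010111000001", "1110100001100011011000001")
FB1 = _bits("110101011110111000101111110", "110010000100100110001100111", "100000111001101101000110000", "101100111110110111001110111", "111011010010001101101111011", "1000000011110010110001000")

def clock_r(r, input_bit, control_bit):
    fb = r[159] ^ input_bit
    new = [0] + r[:159]                                  # r'_i = r_{i-1}, r'_0 = 0
    new = [b ^ fb if i in RTAPS else b for i, b in enumerate(new)]
    return [a ^ b for a, b in zip(new, r)] if control_bit else new

def clock_s(s, input_bit, control_bit):
    fb = s[159] ^ input_bit
    hat = [0] + [s[i - 1] ^ ((s[i] ^ COMP0[i]) & (s[i + 1] ^ COMP1[i]))
                 for i in range(1, 159)] + [s[158]]
    taps = FB1 if control_bit else FB0
    return [h ^ (t & fb) for h, t in zip(hat, taps)]

def clock_kg(r, s, mixing, input_bit):
    ctrl_r, ctrl_s = s[54] ^ r[106], s[106] ^ r[53]      # taken before either register moves
    in_r = input_bit ^ s[80] if mixing else input_bit
    return clock_r(r, in_r, ctrl_r), clock_s(s, input_bit, ctrl_s)

def keystream(key_bits, iv_bits, n):
    if len(key_bits) != 128 or len(iv_bits) > 128:
        raise ValueError("key must be 128 bits, IV at most 128 bits")
    r, s = [0] * 160, [0] * 160
    for bit in list(iv_bits) + list(key_bits) + [0] * 160:   # load IV, load K, preclock
        r, s = clock_kg(r, s, True, bit)
    out = []
    for _ in range(n):
        out.append(r[0] ^ s[0])                          # z_i = r_0 xor s_0, then clock
        r, s = clock_kg(r, s, False, 0)
    return out

def iv_reuse_leak(key_bits, iv_bits, p1, p2):
    # Same (K, IV) for two messages: the keystream cancels, so C1 xor C2 == P1 xor P2.
    ks = keystream(key_bits, iv_bits, len(p1))
    c1, c2 = ([p ^ k for p, k in zip(m, ks)] for m in (p1, p2))
    return [a ^ b for a, b in zip(c1, c2)]
```

Clocking an all-zero R with input bit 1 and control bit 0 leaves ones exactly at the RTAPS positions, which is a quick check that the tap set was entered correctly.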

8. Changes from MICKEY-128 version 1

The changes are very simple: the two registers have each been increased from 128 stages to 160 stages. Some detailed values, such as control bit tap locations, have been scaled accordingly. There are no other changes. For an explanation of the rationale behind these changes, see section 8 of [1].

9. The intended strength of the algorithm

When used in accordance with the rules set out in section 3, MICKEY-128 2.0 is intended to resist any attack faster than exhaustive key search. The designers have not deliberately inserted any hidden weaknesses in the algorithm.

10. Performance of the algorithm

MICKEY-128 2.0 is not designed for notably high speeds in software, although it is straightforward to implement it reasonably efficiently. Our own reasonably efficient (but not turbo-charged) implementation generated $10^8$ bits of keystream in 4.81 seconds¹, using a PC with a 3.4GHz Pentium 4 processor. There may be scope for more efficient software implementations that produce several bits of keystream at a time, making use of look-up tables to implement the register clocking and keystream derivation.

11. IPR

The designers of the algorithm do not claim any IPR over it, and make it freely available for any purpose. To the best of our knowledge no one else has any relevant IPR either. We will update the ECRYPT stream cipher project coordinators if we ever discover any.

12. References

[1] S.H.Babbage, M.W.Dodd, The stream cipher MICKEY 2.0, revised ECRYPT stream cipher submission, expected to become available via the ECRYPT web site.

¹ This is faster than the figure we quoted in the MICKEY-128 v1 specification, which may surprise the reader. We found that a slight reorganisation of our testing code allowed our compiler to make inlining optimisations that it had failed to make before. The figures we quote here are still based on the MICKEY-128 2 faster C code that we have submitted to eSTREAM.