The stream cipher MICKEY-128 (version 1)

Algorithm specification issue 1.0

Steve Babbage
Vodafone Group R&D, Newbury, UK
steve.babbage@vodafone.com

Matthew Dodd
Independent consultant
matthew@mdodd.net
www.mdodd.net

29th April 2005

Abstract: The stream cipher MICKEY-128 (which stands for Mutual Irregular Clocking KEYstream generator with a 128-bit key) is aimed at resource-constrained hardware platforms, but where a key size of 128 bits is required. It is intended to have low complexity in hardware, while providing a high level of security. It uses irregular clocking of shift registers, with some novel techniques to balance the need for guarantees on period and pseudorandomness against the need to avoid certain cryptanalytic attacks.

Keywords: MICKEY, MICKEY-128, stream cipher, ECRYPT, irregular clocking.

1. Introduction

We present the stream cipher MICKEY-128 (which stands for Mutual Irregular Clocking KEYstream generator with a 128-bit key). MICKEY is aimed at resource-constrained hardware platforms, but where a key size of 128 bits is required. It is intended to have low complexity in hardware, while providing a high level of security.

2. Input and output parameters

MICKEY-128 takes two input parameters: a 128-bit secret key K, whose bits are labelled k … k; an initialisation variable IV, anywhere between 0 and 128 bits in length, whose bits are labelled v … v IVLENGTH 1.

The keystream bits output by MICKEY-128 are labelled z, z, 1 …. Ciphertext is produced from plaintext by bitwise XOR with keystream bits, as in most stream ciphers.

3. Acceptable use

The maximum length of keystream sequence that may be generated with a single (K, IV) pair is 2^64 bits. It is acceptable to generate 2^64 such sequences (time permitting!), all from the same K but with different values of IV. It is not acceptable to use two initialisation
variables of different lengths with the same K. And it is not, of course, acceptable to reuse the same value of IV with the same K.

4. Components of the keystream generator

4.1 The registers

The generator is built from two registers R and S. Each register is 128 stages long, each stage containing one bit. We label the bits in the registers r … r and s … s respectively. Broadly speaking, we think of R as the linear register and S as the non-linear register.

4.2 Clocking the register R

Define a set of feedback tap positions for R:

RTAPS = {0,1,2,3,6,7,9,11,12,13,14,15,23,26,27,28,31,32,35,37,40,43,47,48,52,54,55,61,62,63,
64,69,70,71,73,74,76,77,78,81,82,83,84,85,87,89,90,94,95,96,100,102,104,106,
107,108,110,114,115,120,121,124,125,126}

We define an operation CLOCK_R (R, INPUT_BIT_R, CONTROL_BIT_R) as follows:

Let r … r be the state of the register R before clocking, and let r … r be the state of the register R after clocking.

FEEDBACK_BIT = r INPUT_BIT_R
For 1, r = r 1 ; r =
For, if RTAPS, r = r FEEDBACK_BIT
If CONTROL_BIT = 1 :
For, r = r r

4.3 Clocking the register S

Define four sequences COMP 1 … COMP 126, COMP 1 1 … COMP 1 126, FB … FB, FB1 … FB1 as follows:

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
COMP 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
COMP 1 1 1 1 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53
COMP 1 1 1 1 1 1 1 1 1 1 1 1
COMP 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1 1 1 1

54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80
COMP 1 1 1 1 1 1 1 1 1 1 1
COMP 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1 1 1

81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107
COMP 1 1 1 1 1 1 1 1 1 1
COMP 1 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126
COMP 1 1 1 1 1 1 1 1 1 1 1 1 1 1
COMP 1 1 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1
FB 1 1 1 1 1 1 1 1 1 1 1 1

We define an operation CLOCK_S (S, INPUT_BIT_S, CONTROL_BIT_S) as follows:

Let s … s be the state of the register S before clocking, and let s … s be the state of the register after clocking. We will also use ŝ … ŝ as intermediate variables to simplify the specification.

FEEDBACK_BIT = s INPUT_BIT
For 1 126, ŝ s (( s COMP.( s COMP 1
If CONTROL_BIT = 0 :
For ŝ =. = 1 + 1 ; ŝ = ; s126, s = ŝ ( FB. FEEDBACK_BIT
If instead CONTROL_BIT = 1 :
For s = ŝ FB1. FEEDBACK_BIT, (

4.4 Clocking the overall generator

We define an operation CLOCK_KG (R, S, MIXING, INPUT_BIT) as follows:

CONTROL_BIT_R = s43 r85
CONTROL_BIT_S = s85 r42
If MIXING = TRUE,
CLOCK_R (R, INPUT_BIT_R = INPUT_BIT s64, CONTROL_BIT_R = CONTROL_BIT)
CLOCK_S (S, INPUT_BIT_S = INPUT_BIT, CONTROL_BIT_S = CONTROL_BIT)
If instead MIXING = FALSE,
CLOCK_R (R, INPUT_BIT_R = INPUT_BIT, CONTROL_BIT_R = CONTROL_BIT)
CLOCK_S (S, INPUT_BIT_S = INPUT_BIT, CONTROL_BIT_S = CONTROL_BIT)

5. Key loading and initialisation

The registers are initialised from the input variables as follows:

Initialise the registers R and S with all zeros.
(Load in IV.) For IVLENGTH 1: CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = v)
(Load in K.) For : CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = k)
(Preclock.) For : CLOCK_KG (R, S, MIXING = TRUE, INPUT_BIT = 0)

6. Generating keystream

Having loaded and initialised the registers, we generate keystream bits z … z L 1 as follows:

For L 1 :
z = r s
CLOCK_KG (R, S, MIXING = FALSE, INPUT_BIT = 0)

7. Design principles

The design principles of MICKEY-128 are exactly the same as those of MICKEY [3]. We will not repeat them here. We have treated MICKEY-128 as a separate algorithm purely to keep the specification of each version simpler.

In section 7.1 of the MICKEY specification [3], we mention a value J = 2 4 23 related to the clocking of register R. For MICKEY-128, the corresponding value of J is 2 64 55.

8. The intended strength of the algorithm

When used in accordance with the rules set out in section 3, MICKEY-128 is intended to resist any attack faster than exhaustive key search. The designers have not deliberately inserted any hidden weaknesses in the algorithm.

9. Performance of the algorithm

MICKEY-128 is not designed for notably high speeds in software, although it is straightforward to implement it reasonably efficiently. Our own reasonably efficient (but not turbo-charged) implementation generated 10^8 bits of keystream in 5.5 seconds, using a PC with a 3.4GHz Pentium 4 processor.
There may be scope for more efficient software implementations that produce several bits of keystream at a time, making use of look-up tables to implement the register clocking and keystream derivation.

10. IPR

The designers of the algorithm do not claim any IPR over it, and make it freely available for any purpose. To the best of our knowledge no one else has any relevant IPR either. We will update the ECRYPT stream cipher project coordinators if we ever discover any.

11. References

[1] C.J.A.Jansen, Streamcipher Design: Make your LFSRs jump!, presented at the ECRYPT SASC (State of the Art in Stream Ciphers) workshop, Bruges, October 2004, and in the workshop record at http://www.isg.rhul.ac.uk/research/projects/ecrypt/stvl/sasc-record.zip.

[2] E.Dawson, A.Clark, J.Golić, W.Millan, L.Penna, L.Simpson, The LILI-128 Keystream Generator, NESSIE submission, in the proceedings of the First Open NESSIE Workshop (Leuven, November 2000), and available at http://www.cryptonessie.org.

[3] S.H.Babbage, M.W.Dodd, The stream cipher MICKEY (version 1), Algorithm specification Issue 1.0, ECRYPT stream cipher submission, in the proceedings of the SKEW Workshop (Århus, May 2005), and expected to become available via the ECRYPT web site.
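
An added example, not the designers' code, of the register R clocking from section 4.2 on a 128-bit integer, checking the sense in which section 4.1 calls R the linear register. It assumes stages are numbered 0 to 127 and that the feedback, tap and control steps combine bits by XOR; `clock_r`, `run_r` and `superposition_holds` are names chosen here.

```python
N = 128  # number of stages in register R

# Tap positions for R as listed in section 4.2.
RTAPS = (
    0, 1, 2, 3, 6, 7, 9, 11, 12, 13, 14, 15, 23, 26, 27, 28,
    31, 32, 35, 37, 40, 43, 47, 48, 52, 54, 55, 61, 62, 63, 64, 69,
    70, 71, 73, 74, 76, 77, 78, 81, 82, 83, 84, 85, 87, 89, 90, 94,
    95, 96, 100, 102, 104, 106, 107, 108, 110, 114, 115, 120, 121, 124, 125, 126,
)
TAP_MASK = sum(1 << i for i in RTAPS)
STATE_MASK = (1 << N) - 1


def clock_r(state, input_bit, control_bit):
    """One CLOCK_R step. Bit i of the integer `state` holds stage i of R."""
    # Assumption: the feedback bit is the last stage XOR the input bit.
    feedback = ((state >> (N - 1)) & 1) ^ input_bit
    nxt = (state << 1) & STATE_MASK  # each stage takes its predecessor, stage 0 gets 0
    if feedback:
        nxt ^= TAP_MASK              # assumption: tapped stages are XORed with the feedback bit
    if control_bit:
        nxt ^= state                 # assumption: control bit 1 XORs in the old state
    return nxt


def run_r(state, input_bits, control_bit):
    """Clock R once per input bit, holding the control bit fixed."""
    for bit in input_bits:
        state = clock_r(state, bit, control_bit)
    return state


def superposition_holds(a, b, bits_a, bits_b, control_bit):
    """True if clocking a^b with XORed inputs equals the XOR of the separate runs."""
    mixed = [x ^ y for x, y in zip(bits_a, bits_b)]
    joint = run_r(a ^ b, mixed, control_bit)
    return joint == run_r(a, bits_a, control_bit) ^ run_r(b, bits_b, control_bit)


if __name__ == "__main__":
    a = 0x0123456789ABCDEFFEDCBA9876543210  # constructed sample states
    b = 0xDEADBEEF00000000000000000000C0DE
    print(hex(clock_r(0, 1, 0)))
    print(superposition_holds(a, b, [1, 0, 1, 1], [0, 1, 1, 0], 0),
          superposition_holds(a, b, [1, 0, 1, 1], [0, 1, 1, 0], 1))
```

For a fixed control bit each step is a GF(2)-linear map of the state and input bit, which is why the superposition check passes for both control values.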
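
The section 3 rules expressed as a bookkeeping check, as an added example that is not part of the specification. `UsageGuard`, `UsageError`, `begin` and `take` are hypothetical names, and the IV is passed as a string of '0'/'1' characters because its length is counted in bits.

```python
import hashlib

KEY_BYTES = 16                 # 128-bit key K
MAX_IV_BITS = 128              # IV may be 0 to 128 bits long
MAX_KEYSTREAM_BITS = 2 ** 64   # limit per (K, IV) pair
MAX_IVS_PER_KEY = 2 ** 64      # keystream sequences allowed per key


class UsageError(Exception):
    """Raised when a request would break the section 3 rules."""


class UsageGuard:
    """Hypothetical bookkeeping layer placed in front of a MICKEY-128 implementation."""

    def __init__(self):
        self.per_key = {}   # SHA-256(K) -> {"iv_len": int, "ivs": set of bit strings}
        self.remaining = 0  # keystream bits still allowed for the current (K, IV)

    def begin(self, key, iv_bits):
        """Register a new (K, IV) pair before the cipher is initialised with it."""
        self.remaining = 0  # a rejected request leaves the guard closed
        if len(key) != KEY_BYTES:
            raise UsageError("key must be 128 bits")
        if len(iv_bits) > MAX_IV_BITS or set(iv_bits) - {"0", "1"}:
            raise UsageError("IV must be a bit string of 0 to 128 bits")
        fingerprint = hashlib.sha256(key).digest()  # avoid storing K itself
        record = self.per_key.setdefault(
            fingerprint, {"iv_len": len(iv_bits), "ivs": set()})
        if record["iv_len"] != len(iv_bits):
            raise UsageError("a different IV length was already used with this key")
        if iv_bits in record["ivs"]:
            raise UsageError("this IV was already used with this key")
        if len(record["ivs"]) >= MAX_IVS_PER_KEY:
            raise UsageError("key has produced its 2^64 keystream sequences")
        record["ivs"].add(iv_bits)
        self.remaining = MAX_KEYSTREAM_BITS

    def take(self, nbits):
        """Account for nbits of keystream about to be generated under the current pair."""
        if nbits < 0 or nbits > self.remaining:
            raise UsageError("request exceeds the 2^64-bit limit for this (K, IV) pair")
        self.remaining -= nbits
        return self.remaining
```

The per-key records must persist across restarts for the IV-reuse check to mean anything in a deployed system.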