MOSQUITO

In cryptography, MOSQUITO was a stream cipher algorithm designed by Joan Daemen and Paris Kitsos. They submitted it to the eSTREAM project, which was a part of eCRYPT. While presenting it in a document published in 2005, they explained some of their design intentions:

Self-synchronizing stream encryption can be performed by using a block cipher in CFB mode. However, for single-bit self-synchronizing stream encryption, this is very inefficient. Therefore we believe that it would be useful to design a dedicated self-synchronizing stream cipher that is efficient in hardware.^[1]

It was subsequently broken by Antoine Joux and Frédéric Muller in 2006, who had this to say in their conference paper:

All the dedicated Self-Synchronizing Stream Ciphers (SSSC) of the KNOT-MOSQUITO family are subject to differential chosen ciphertext attacks. Our results, combined with previous results on HBB, KNOT and SSS show that it is extremely difficult to design a SSSC resistant against chosen-ciphertext attacks.^[2]

A tweaked version named MOUSTIQUE was proposed^[3] which made it to Phase 3 of the eSTREAM evaluation process as the only self-synchronizing cipher remaining, where it was noted that "in reaching the third phase of eSTREAM all the algorithms in this book have made a significant advance in the development of stream ciphers.^[4]

However, MOUSTIQUE was subsequently broken by Käsper et al., leaving the design of a secure and efficient self-synchronizing stream cipher as an open research problem.^[5]

The MOSQUITO cipher has eight registers of varying lengths, let's call the register CCSR - $a^{{\mathcal {h}}0{\mathcal {i}}}$ , the first register - $a^{{\mathcal {h}}1{\mathcal {i}}}$ , second - $a^{{\mathcal {h}}2{\mathcal {i}}}$ and so on up to the seventh register - $a^{{\mathcal {h}}7{\mathcal {i}}}$ . We will designate the i-th position of register j as follows: $a_{i}^{{\mathcal {h}}j{\mathcal {i}}}$ . Register lengths:

CCSR — 128 bits;

a^{{\mathcal {h}}1{\mathcal {i}}}

—

a^{{\mathcal {h}}5{\mathcal {i}}}

53 bits;

a^{{\mathcal {h}}6{\mathcal {i}}}

— 12 bits;

a^{{\mathcal {h}}7{\mathcal {i}}}

— 3 bits.

The essence of the cipher operation is to calculate, for each clock cycle, the bits of any of the registers (except CCSR) based on some combination of bits of the previous register. The CCSR register works as a shift register: the register elements are shifted, and a bit of the encrypted text (from the cipher output) is written to the zero position of the CCSR register. Let us denote by $G_{i}^{j}$ the rule by which the bit in the i-th position in register j is calculated. Then:

G_{4i~mod~53}^{1}=a_{128-i}^{{\mathcal {h}}0{\mathcal {i}}}+a_{18+i}^{{\mathcal {h}}0{\mathcal {i}}}+a_{113-i}^{{\mathcal {h}}0{\mathcal {i}}}(a_{1+i}^{{\mathcal {h}}0{\mathcal {i}}}+1)+1

, где

0\leqslant i<53

;

G_{4i~mod~53}^{j}=a_{i}^{{\mathcal {h}}j-1{\mathcal {i}}}+a_{3+i}^{{\mathcal {h}}j-1{\mathcal {i}}}+a_{1+i}^{{\mathcal {h}}j-1{\mathcal {i}}}(a_{2+i}^{{\mathcal {h}}j-1{\mathcal {i}}}+1)+1

, где

0\leqslant i<53

и

2\leqslant j\leqslant 5

, if the subscript of any element on the right side of the equality becomes greater than 53, then this element is replaced by 0;

G_{i}^{6}=a_{4i}^{{\mathcal {h}}5{\mathcal {i}}}+a_{3+4i}^{{\mathcal {h}}5{\mathcal {i}}}+a_{1+4i}^{{\mathcal {h}}5{\mathcal {i}}}+a_{2+4i}^{{\mathcal {h}}5{\mathcal {i}}}

, где

0\leqslant i<12

;

G_{i}^{7}=a_{4i}^{{\mathcal {h}}6{\mathcal {i}}}+a_{3+4i}^{{\mathcal {h}}6{\mathcal {i}}}+a_{1+4i}^{{\mathcal {h}}6{\mathcal {i}}}(a_{2+4i}^{{\mathcal {h}}6{\mathcal {i}}}+1)+1

, где

0\leqslant i<3

;

and finally the keystream bit $z=a_{0}^{{\mathcal {h}}7{\mathcal {i}}}+a_{1}^{{\mathcal {h}}7{\mathcal {i}}}+a_{2}^{{\mathcal {h}}7{\mathcal {i}}}$ .

It is worth noting that the calculation of register bits is performed using combinational logic, and the shift, naturally, using register logic, which means that in order to prevent incorrect operation of the pipeline, when the bits from the register do not have time to be processed by combinational logic, it is necessary that the function $G_{i}^{j}$ , implementing the calculations was relatively simple.

References

Related Articles