MOSQUITO


In cryptography, MOSQUITO is a stream cipher algorithm designed by Joan Daemen and Paris Kitsos. They submitted it to the eSTREAM project, which was a part of eCRYPT. In the document presenting it, published in 2005, they explained some of their design intentions:

Self-synchronizing stream encryption can be performed by using a block cipher in CFB mode. However, for single-bit self-synchronizing stream encryption, this is very inefficient. Therefore we believe that it would be useful to design a dedicated self-synchronizing stream cipher that is efficient in hardware.[1]

It was subsequently broken by Antoine Joux and Frédéric Muller in 2006, who had this to say in their conference paper:

All the dedicated Self-Synchronizing Stream Ciphers (SSSC) of the KNOT-MOSQUITO family are subject to differential chosen ciphertext attacks. Our results, combined with previous results on HBB, KNOT and SSS show that it is extremely difficult to design a SSSC resistant against chosen-ciphertext attacks.[2]

A tweaked version named MOUSTIQUE was proposed[3] which made it to Phase 3 of the eSTREAM evaluation process as the only self-synchronizing cipher remaining, where it was noted that "in reaching the third phase of eSTREAM all the algorithms in this book have made a significant advance in the development of stream ciphers."[4]

However, MOUSTIQUE was subsequently broken by Käsper et al., leaving the design of a secure and efficient self-synchronizing stream cipher as an open research problem.[5]

Specifications

The MOSQUITO cipher has eight registers of varying lengths. Call the CCSR $a^{(0)}$, the first pipeline register $a^{(1)}$, the second $a^{(2)}$, and so on up to the seventh register $a^{(7)}$. The $i$-th position of register $j$ is written $a_i^{(j)}$. Register lengths:

CCSR ($a^{(0)}$): 128 bits;
$a^{(1)}$ to $a^{(5)}$: 53 bits each;
$a^{(6)}$: 12 bits;
$a^{(7)}$: 3 bits.

The essence of the cipher operation is that on each clock cycle the bits of every register except the CCSR are computed from some combination of bits of the previous register. The CCSR works as a shift register: its elements are shifted along, and one bit of ciphertext (taken from the cipher output) is written into position zero. Let $G_i^j$ denote the rule by which the bit in position $i$ of register $j$ is computed. Then:

$G^1_{4i \bmod 53} = a^{(0)}_{128-i} + a^{(0)}_{18+i} + a^{(0)}_{113-i}\,(a^{(0)}_{1+i} + 1) + 1$, where $0 \le i < 53$;
$G^j_{4i \bmod 53} = a^{(j-1)}_{i} + a^{(j-1)}_{3+i} + a^{(j-1)}_{1+i}\,(a^{(j-1)}_{2+i} + 1) + 1$, where $0 \le i < 53$ and $2 \le j \le 5$; if the subscript of any element on the right-hand side becomes greater than 53, that element is replaced by 0;
$G^6_i = a^{(5)}_{4i} + a^{(5)}_{3+4i} + a^{(5)}_{1+4i} + a^{(5)}_{2+4i}$, where $0 \le i < 12$;
$G^7_i = a^{(6)}_{4i} + a^{(6)}_{3+4i} + a^{(6)}_{1+4i}\,(a^{(6)}_{2+4i} + 1) + 1$, where $0 \le i < 3$;

and finally the keystream bit $z = a^{(7)}_0 + a^{(7)}_1 + a^{(7)}_2$.

It is worth noting that the register bits are computed by combinational logic, while the shift is performed by register logic. To keep the pipeline from malfunctioning (bits arriving from a register before the combinational logic has finished processing them), the functions $G_i^j$ that implement the computations must be relatively simple.
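The following is an added example, not code from the page or from the cipher's designers. It is a bit-level model of the eight-register pipeline exactly as the Specifications section states it, and it uses that model to show the self-synchronizing property that the ciphertext feedback gives: a receiver that starts from the wrong internal state still recovers the plaintext correctly once enough ciphertext has been shifted through. Assumptions: "+" in the formulas is addition modulo 2 (XOR), juxtaposition is AND, and "+1" is complement; the page's rule that an over-large subscript reads as 0 is applied to every register (it is also needed for $a^{(0)}_{128-i}$ at $i = 0$ with 0-based indexing); and because the page does not describe how the key enters the cipher, keying is not modelled at all and each register starts from a constructed seed that stands in for a shared secret fill. The resynchronization delay of 128 + 7 clocks is derived from the structure on the page (CCSR depth plus seven pipeline stages), not quoted from it.

```python
import random

# Register lengths from the page: index 0 is the CCSR, 1..7 the pipeline stages.
LENGTHS = [128, 53, 53, 53, 53, 53, 12, 3]
SYNC_DELAY = 128 + 7  # CCSR depth plus seven pipeline stages (derived, see lead-in)

def rd(reg, idx):
    """Read one bit; an out-of-range index reads as 0 (assumption: the page's
    'subscript beyond 53 is replaced by 0' rule, applied to every register)."""
    return reg[idx] if 0 <= idx < len(reg) else 0

def stage1(a0):
    """G^1_{4i mod 53}: '+' is XOR, juxtaposition is AND, '+1' is complement."""
    out = [0] * 53
    for i in range(53):
        out[(4 * i) % 53] = (rd(a0, 128 - i) ^ rd(a0, 18 + i)
                             ^ (rd(a0, 113 - i) & (rd(a0, 1 + i) ^ 1)) ^ 1)
    return out

def stage_2_to_5(prev):
    """G^j_{4i mod 53} for 2 <= j <= 5, computed from register j-1."""
    out = [0] * 53
    for i in range(53):
        out[(4 * i) % 53] = (rd(prev, i) ^ rd(prev, 3 + i)
                             ^ (rd(prev, 1 + i) & (rd(prev, 2 + i) ^ 1)) ^ 1)
    return out

def stage6(a5):
    """G^6_i: the only purely linear stage."""
    return [rd(a5, 4 * i) ^ rd(a5, 3 + 4 * i) ^ rd(a5, 1 + 4 * i) ^ rd(a5, 2 + 4 * i)
            for i in range(12)]

def stage7(a6):
    """G^7_i."""
    return [rd(a6, 4 * i) ^ rd(a6, 3 + 4 * i)
            ^ (rd(a6, 1 + 4 * i) & (rd(a6, 2 + 4 * i) ^ 1)) ^ 1
            for i in range(3)]

def keystream_bit(state):
    """z = a^(7)_0 + a^(7)_1 + a^(7)_2."""
    return state[7][0] ^ state[7][1] ^ state[7][2]

def clock(state, c_bit):
    """One clock cycle. Every stage reads the OLD contents of the previous
    register (parallel combinational logic); the CCSR shifts the ciphertext
    bit into position 0 and drops its oldest bit."""
    a0, a1, a2, a3, a4, a5, a6, _a7 = state
    return [[c_bit] + a0[:-1], stage1(a0),
            stage_2_to_5(a1), stage_2_to_5(a2), stage_2_to_5(a3), stage_2_to_5(a4),
            stage6(a5), stage7(a6)]

def seeded_state(seed):
    """Constructed initial fill: the page does not describe keying, so a
    seeded random fill stands in for whatever a real key set-up would produce."""
    rng = random.Random(seed)
    return [[rng.getrandbits(1) for _ in range(n)] for n in LENGTHS]

def encrypt(state, plaintext_bits):
    out = []
    for p in plaintext_bits:
        c = p ^ keystream_bit(state)
        out.append(c)
        state = clock(state, c)  # the ciphertext bit, not the plaintext, is fed back
    return out

def decrypt(state, ciphertext_bits):
    out = []
    for c in ciphertext_bits:
        out.append(c ^ keystream_bit(state))
        state = clock(state, c)  # same feedback, so the receiver tracks the sender
    return out

def roundtrip_ok(n_bits=200):
    """Sender and receiver share the same start state: plaintext comes back exactly."""
    rng = random.Random(3)
    pt = [rng.getrandbits(1) for _ in range(n_bits)]
    return decrypt(seeded_state(7), encrypt(seeded_state(7), pt)) == pt

def resync_demo(n_bits=400):
    """Decrypt with the WRONG start state and return the index of the last wrongly
    recovered bit. After SYNC_DELAY clocks every register on both sides is a
    function of the last 135 ciphertext bits alone, so bits from 135 on are correct."""
    rng = random.Random(1)
    pt = [rng.getrandbits(1) for _ in range(n_bits)]
    ct = encrypt(seeded_state(1), pt)
    rec = decrypt(seeded_state(2), ct)
    wrong = [i for i in range(n_bits) if pt[i] != rec[i]]
    return wrong[-1] if wrong else -1

if __name__ == "__main__":
    print("round trip with shared state ok:", roundtrip_ok())
    print("last wrongly recovered bit with a wrong start state:", resync_demo())
```

The delay follows from the pipeline: after 128 clocks the CCSR holds only ciphertext, register $a^{(1)}$ is a function of the CCSR one clock earlier, and $a^{(7)}$ of the CCSR seven clocks earlier, so after 135 clocks the whole state is determined by the last 135 ciphertext bits and two receivers that saw the same ciphertext agree from then on. The same property is what a chosen-ciphertext attacker exploits: because the keystream is a function of a short window of ciphertext the attacker controls, the combinational functions carry the whole security burden, which is the point of the quoted Joux and Muller result.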

References
