From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
DesignersDai Watanabe,
Soichi Furuya,
Kazuo Takaragi,
Bart Preneel
First publishedFebruary 2002
Derived fromPanama
CertificationCRYPTREC (Candidate)
Cipher detail
Key sizes128 bits
State size1216 bits

In cryptography, MUGI is a pseudorandom number generator (PRNG) designed for use as a stream cipher. It was among the cryptographic techniques recommended for Japanese government use by CRYPTREC in 2003, however, has been dropped to "candidate" by CRYPTREC revision in 2013.

MUGI takes a 128-bit secret key and a 128-bit initial vector (IV). After a key- and IV- setup process, MUGI outputs 64-bit output strings based on the internal state, while updating the internal state after each output block. MUGI has a 1216-bit internal state; there are three 64-bit registers (the "state") and 16 64-bit registers (the "buffer").

MUGI uses the non-linear S-box that was originally defined in Advanced Encryption Standard (AES). A part of the linear transformation also reuses the MDS matrix of AES. The basic design is influenced by that of Panama.


As of September 2006, there are no known attacks against MUGI that are faster than serial brute-force of the key space or of the internal state.

In the paper, "A weakness of the linear part of stream cipher MUGI", by Golic Jovan Dj, Roy Bimal and Meier Willi, the abstract claims: "The linearly updated component of the stream cipher MUGI, called the buffer, is analyzed theoretically by using the generating function method. In particular, it is proven that the intrinsic response of the buffer, without the feedback from the nonlinearly updated component, consists of binary linear recurring sequences with small linear complexity 32 and with extremely small period 48. It is then shown how this weakness can in principle be used to facilitate the linear cryptanalysis of MUGI with two main objectives: to reconstruct the secret key and to find linear statistical distinguishers."

In the paper, "Analysis of the Non-linear Part of Mugi" by Alex Biryukov and Adi Shamir, the abstract claims: "This paper presents the results of a preliminary analysis of the stream cipher Mugi. We study the nonlinear component of this cipher and identify several potential weaknesses in its design. While we can not break the full Mugi design, we show that it is extremely sensitive to small variations. For example, it is possible to recover the full 1216-bit state of the cipher and the original 128-bit secret key using just 56 words of known stream and in 214 steps of analysis if the cipher outputs any state word which is different than the one used in the actual design. If the linear part is eliminated from the design, then the secret non-linear 192-bit state can be recovered given only three output words and in just 232 steps. If it is kept in the design but in a simplified form, then the scheme can be broken by an attack which is slightly faster than exhaustive search."


  • Dai Watanabe, Soichi Furuya, Kazuo Takaragi, Bart Preneel (February 2002). A New Keystream Generator MUGI (PDF). 9th International Workshop on Fast Software Encryption (FSE 2002). Leuven: Springer-Verlag. pp. 179–194. Retrieved 2007-08-07.CS1 maint: multiple names: authors list (link)[permanent dead link]
  • Jovan Dj. Golic (February 2004). A weakness of the Linear Part of Stream Cipher MUGI. 11th International Workshop on Fast Software Encryption (FSE 2004). Delhi: Springer-Verlag. pp. 178–192.
  • Alex Biryukov; Adi Shamir (February 2005). Analysis of the Non-linear Part of Mugi. 12th International Workshop on Fast Software Encryption (FSE 2005). Paris: Springer-Verlag. pp. 320–329. Archived from the original (PostScript) on 2006-05-15. Retrieved 2007-08-07.

External links[edit]