A Practical-time Attack on Reduced-round MISTY1
Nobuyuki Sugio
1
, Yasutaka Igarashi
2
, Toshinobu Kaneko
2
and Kenichi Higuchi
2
1
NTT DOCOMO, INC., 3-6 Hikarinooka, Yokosuka, Kanagawa, 239-8536, Japan
2
Tokyo University of Science,2641 Yamazaki, Noda, Chiba, 278-8510, Japan
Keywords:
MISTY1, Symmetric Key Algorithm, Block Cipher, Higher Order Differential Attack.
Abstract:
MISTY1 is a symmetric key algorithm which has been standardized by ISO and that its modiﬁed version is
used in GSM and 3G mobile networks. MISTY1 is a 64-bit block cipher supporting key length of 128 bits. In
this paper, we focused on evaluating the security of MISTY1 against higher order differential attack. We show
6-round MISTY1 with 4 FL layers is attackable with 2
43
blocks of chosen plaintexts and 2
43.31
times of data
encryption. This is the best practical-time attack on reduced-round MISTY1.
1 INTRODUCTION
MISTY1 is one of the symmetric key algorithms.
MISTY1 is a 64-bit block cipher supporting key
length of 128 bits. MISTY1 was proposed by Mat-
sui in 1997 (Matsui, 1997). The number of rounds is
8. MISTY1 achieves a provable security against dif-
ferential cryptanalysis and linear cryptanalysis with
round function FO. Designer adds on an auxiliary
function FL in order to become secure against other
attacks. MISTY1 was selected as one of the NESSIE-
recommended ciphers portfolio and was adopted as
the international standard by ISO/IEC 18033-3 (ISO,
2010). CRYPTREC project has chosen MISTY1 as
one of the e-Government Recommended candidate ci-
phers in 2013 (CRYPTREC, 2013). Furthermore, the
block cipher KASUMI designed as a slight modiﬁca-
tion of MISTY1 is used in the GSM/3G mobile net-
works, which makes it one of the most widely used
block ciphers today.
Up to now, many cryptanalytic methods were used
to evaluate the security of MISTY1 such as higher or-
der differential attack, impossible differential attack,
integral attack, and multi-dimensional zero correla-
tion linear attack. The main previous attacks are as
follows. Tsunoo et. al. proposed 46-th order differ-
ential and showed 7-round MISTY1 with 4 FL lay-
ers was attackable with 2
54.1
chosen plaintexts and
2
120.7
encryptions (Y. Tsunoo and Kawabata, 2008).
Jia et. al. constructed a 7-round impossible differ-
ential and mounted impossible differential attack on
7-round MISTY1 with 3 FL layers (Jia and Li, 2012).
Yi presented zero-correlation linear attack on 7-round
MISTY1 with 4 FL layers, that requires 2
62.9
known
plaintexts and 2
118
encryptions (Yi and Chen, 2014).
Todo introduced Integral attack by division property,
and showed that the secret key of the full MISTY1 can
be recovered with 2
63.58
chosen plaintexts and 2
121
time complexity (Todo, 2015). Bar On improved the
attack proposed by Todo, and presented full MISTY1
was attackable with 2
64
chosen plaintexts and 2
69.5
encryptions (Bar-On, 2015a).
Most of the previous attacks aimed at maximiz-
ing the number of attacked rounds, and as a result,
their complexities are highly impractical. In this pa-
per, we focused on evaluating the security of MISTY1
in terms of practical-time complexity. The previous
practical-time attack was proposed by Hatano et. al.
(Y. Hatano and Kaneko, 2004), and Dunkelman et. al.
(Dunkelman and Keller, 2013), respectively. The best
practical-time attack was higher order differential at-
tack on 5-round MISTY1 with 4 FL layers.The neces-
sary computational complexity by using higher order
differential can be estimated as sum of the following
2-steps.
1. Preparation of data
2. Key recovery
The order of differential affects both steps. Therefore,
it is very important to discover the lower order differ-
ential characteristics to reduce the complexity for an
attack. The results we obtain are the following.
1. We implemented the 46th-order differential for
4-round MISTY1 introduced in (Y. Tsunoo and
Kawabata, 2008) on a computer which mounted
Graphics Processing Unit (GPU) co-processors
Sugio, N., Igarashi, Y., Kaneko, T. and Higuchi, K.
A Practical-time Attack on Reduced-round MISTY1.
DOI: 10.5220/0005652202350242
In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 235-242
ISBN: 978-989-758-167-0
Copyright
c
2016 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
235