Integral Cryptanalysis on Full MISTY1

MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in 2015. We first improve the division property by optimizing a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with \(2^{63.58}\) chosen plaintexts and \(2^{121}\) time complexity. Moreover, if we can use \(2^{63.994}\) chosen plaintexts, the time complexity for our attack is reduced to \(2^{107.9}\). Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack.

[1]  Achiya Bar-On Improved Higher-Order Differential Attacks on MISTY1 , 2015, FSE.

[2]  Lars R. Knudsen,et al.  Provable security against a differential attack , 1994, Journal of Cryptology.

[3]  Yosuke Todo,et al.  Structural Evaluation by Generalized Integral Property , 2015, EUROCRYPT.

[4]  Bruce Schneier,et al.  Improved Cryptanalysis of Rijndael , 2000, FSE.

[5]  Xuejia Lai Higher Order Derivatives and Differential Cryptanalysis , 1994 .

[6]  Mitsuru Matsui,et al.  New Block Encryption Algorithm MISTY , 1997, FSE.

[7]  Lars R. Knudsen,et al.  Truncated and Higher Order Differentials , 1994, FSE.

[8]  Zhichao Yang,et al.  New observation on division property , 2016, Science China Information Sciences.

[9]  Anne Canteaut,et al.  On the Influence of the Algebraic Degree of $F^{-1}$ on the Algebraic Degree of $G \circ F$ , 2013, IEEE Transactions on Information Theory.

[10]  Mitsuru Matsui,et al.  New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis , 1996, FSE.

[11]  Yasuo Hatano,et al.  Optimization for the Algebraic Method and Its Application to an Attack of MISTY1 , 2004, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[12]  Mitsuru Matsui,et al.  A Description of the MISTY1 Encryption Algorithm , 2000, RFC.

[13]  Steve Babbage,et al.  On MISTY1 Higher Order Differential Cryptanalysis , 2000, ICISC.

[14]  Takeshi Kawabata,et al.  Higher Order Differential Attacks on Reduced-Round MISTY1 , 2008, ICISC.

[15]  Yu Sasaki,et al.  Meet-in-the-Middle Technique for Integral Attacks against Feistel Ciphers , 2012, Selected Areas in Cryptography.

[16]  Achiya Bar-On,et al.  A 2^70 Attack on the Full MISTY1 , 2016, CRYPTO.

[17]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[18]  Vincent Rijmen,et al.  The Block Cipher Square , 1997, FSE.

[19]  Mitsuru Matsui,et al.  Linear Cryptanalysis Method for DES Cipher , 1994, EUROCRYPT.

[20]  Yosuke Todo,et al.  Integral Cryptanalysis on Full MISTY1 , 2015, Journal of Cryptology.

[21]  Orr Dunkelman,et al.  An Improved Impossible Differential Attack on MISTY1 , 2008, ASIACRYPT.

[22]  Anne Canteaut,et al.  Degree of Composition of Highly Nonlinear Functions and Applications to Higher Order Differential Cryptanalysis , 2002, EUROCRYPT.

[23]  Kaisa Nyberg,et al.  Linear Approximation of Block Ciphers , 1994, EUROCRYPT.

[24]  Wenling Wu,et al.  Structural Evaluation for Generalized Feistel Structures and Applications to LBlock and TWINE , 2015, INDOCRYPT.

[25]  David A. Wagner,et al.  Integral Cryptanalysis , 2002, FSE.

[26]  Toshinobu Kaneko,et al.  Strenght of MISTY1 without FL Function for Higher Order Differential Attack , 1999, AAECC.

[27]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.