A 270 attack on the full MISTY1

Achiya Bar-On; Nathan Keller

doi:10.1007/978-3-662-53018-4_16

A 2⁷⁰ attack on the full MISTY1

Achiya Bar-On, Nathan Keller

Department of Mathematics

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Scopus citations

Abstract

MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan, and is recognized internationally as a European NESSIE-recommended cipher and an ISO standard. After almost 20 years of unsuccessful cryptanalytic attempts, a first attack on the full MISTY1 was presented at CRYPTO 2015 by Yosuke Todo. The attack, using a new technique called division property, requires almost the full codebook and has time complexity of 2^107.3 encryptions. In this paper we present a new attack on the full MISTY1. It is based on Todo’s division property, along with a variety of refined key-recovery techniques. Our attack requires almost the full codebook (like Todo’s attack), but allows to retrieve 49 bits of the secret key in time complexity of only 2⁶⁴ encryptions, and the full key in time complexity of 2^69.5 encryptions. While our attack is clearly impractical due to its large data complexity, it shows that MISTY1 provides security of only 2⁷⁰ — significantly less than what was considered before.

Original language	English
Title of host publication	Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings
Editors	Matthew Robshaw, Jonathan Katz
Publisher	Springer Verlag
Pages	435-456
Number of pages	22
ISBN (Print)	9783662530177
DOIs	https://doi.org/10.1007/978-3-662-53018-4_16
State	Published - 2016
Event	36th Annual International Cryptology Conference, CRYPTO 2016 - Santa Barbara, United States Duration: 14 Aug 2016 → 18 Aug 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9814
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	36th Annual International Cryptology Conference, CRYPTO 2016
Country/Territory	United States
City	Santa Barbara
Period	14/08/16 → 18/08/16

Bibliographical note

Publisher Copyright:
© International Association for Cryptologic Research 2016.

Funding

A. Bar-On – This research was partially supported by the Israeli Ministry of Science, Technology and Space, and by the Check Point Institute for Information Security.

Funders	Funder number
Check Point Institute for Information Security
Ministry of Science, Technology and Space

Access to Document

10.1007/978-3-662-53018-4_16

Cite this

Bar-On, A., & Keller, N. (2016). A 2⁷⁰ attack on the full MISTY1. In M. Robshaw, & J. Katz (Eds.), Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings (pp. 435-456). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9814). Springer Verlag. https://doi.org/10.1007/978-3-662-53018-4_16

Bar-On, Achiya ; Keller, Nathan. / A 2⁷⁰ attack on the full MISTY1. Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. editor / Matthew Robshaw ; Jonathan Katz. Springer Verlag, 2016. pp. 435-456 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{c381e225a17f4932bbdb845fd8f0379d,

title = "A 270 attack on the full MISTY1",

abstract = "MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan, and is recognized internationally as a European NESSIE-recommended cipher and an ISO standard. After almost 20 years of unsuccessful cryptanalytic attempts, a first attack on the full MISTY1 was presented at CRYPTO 2015 by Yosuke Todo. The attack, using a new technique called division property, requires almost the full codebook and has time complexity of 2107.3 encryptions. In this paper we present a new attack on the full MISTY1. It is based on Todo{\textquoteright}s division property, along with a variety of refined key-recovery techniques. Our attack requires almost the full codebook (like Todo{\textquoteright}s attack), but allows to retrieve 49 bits of the secret key in time complexity of only 264 encryptions, and the full key in time complexity of 269.5 encryptions. While our attack is clearly impractical due to its large data complexity, it shows that MISTY1 provides security of only 270 — significantly less than what was considered before.",

author = "Achiya Bar-On and Nathan Keller",

note = "Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2016.; 36th Annual International Cryptology Conference, CRYPTO 2016 ; Conference date: 14-08-2016 Through 18-08-2016",

year = "2016",

doi = "10.1007/978-3-662-53018-4_16",

language = "אנגלית",

isbn = "9783662530177",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "435--456",

editor = "Matthew Robshaw and Jonathan Katz",

booktitle = "Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings",

address = "גרמניה",

}

Bar-On, A & Keller, N 2016, A 2⁷⁰ attack on the full MISTY1. in M Robshaw & J Katz (eds), Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9814, Springer Verlag, pp. 435-456, 36th Annual International Cryptology Conference, CRYPTO 2016, Santa Barbara, United States, 14/08/16. https://doi.org/10.1007/978-3-662-53018-4_16

A 2⁷⁰ attack on the full MISTY1. / Bar-On, Achiya; Keller, Nathan.
Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. ed. / Matthew Robshaw; Jonathan Katz. Springer Verlag, 2016. p. 435-456 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9814).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A 270 attack on the full MISTY1

AU - Bar-On, Achiya

AU - Keller, Nathan

PY - 2016

Y1 - 2016

N2 - MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan, and is recognized internationally as a European NESSIE-recommended cipher and an ISO standard. After almost 20 years of unsuccessful cryptanalytic attempts, a first attack on the full MISTY1 was presented at CRYPTO 2015 by Yosuke Todo. The attack, using a new technique called division property, requires almost the full codebook and has time complexity of 2107.3 encryptions. In this paper we present a new attack on the full MISTY1. It is based on Todo’s division property, along with a variety of refined key-recovery techniques. Our attack requires almost the full codebook (like Todo’s attack), but allows to retrieve 49 bits of the secret key in time complexity of only 264 encryptions, and the full key in time complexity of 269.5 encryptions. While our attack is clearly impractical due to its large data complexity, it shows that MISTY1 provides security of only 270 — significantly less than what was considered before.

AB - MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan, and is recognized internationally as a European NESSIE-recommended cipher and an ISO standard. After almost 20 years of unsuccessful cryptanalytic attempts, a first attack on the full MISTY1 was presented at CRYPTO 2015 by Yosuke Todo. The attack, using a new technique called division property, requires almost the full codebook and has time complexity of 2107.3 encryptions. In this paper we present a new attack on the full MISTY1. It is based on Todo’s division property, along with a variety of refined key-recovery techniques. Our attack requires almost the full codebook (like Todo’s attack), but allows to retrieve 49 bits of the secret key in time complexity of only 264 encryptions, and the full key in time complexity of 269.5 encryptions. While our attack is clearly impractical due to its large data complexity, it shows that MISTY1 provides security of only 270 — significantly less than what was considered before.

UR - http://www.scopus.com/inward/record.url?scp=84979599341&partnerID=8YFLogxK

U2 - 10.1007/978-3-662-53018-4_16

DO - 10.1007/978-3-662-53018-4_16

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:84979599341

SN - 9783662530177

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 435

EP - 456

BT - Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings

A2 - Robshaw, Matthew

A2 - Katz, Jonathan

PB - Springer Verlag

T2 - 36th Annual International Cryptology Conference, CRYPTO 2016

Y2 - 14 August 2016 through 18 August 2016

ER -

Bar-On A, Keller N. A 2⁷⁰ attack on the full MISTY1. In Robshaw M, Katz J, editors, Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. Springer Verlag. 2016. p. 435-456. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-662-53018-4_16