MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan where it is an e-government candidate recommended cipher, and is recognized internationally as a NESSIE-recommended cipher as well as an ISO/IEC standard and an RFC. Moreover, MISTY1 was selected to be the blueprint on top of which KASUMI, the GSM/3G block cipher, was based. Since its introduction, and especially in recent years, MISTY1 was subjected to extensive cryptanalytic efforts, which resulted in numerous attacks on its reduced variants. Most of these attacks aimed at maximizing the number of attacked rounds, and as a result, their complexities are highly impractical. In this paper we pursue another direction, by focusing on attacks of practical time complexity. We present the first practical-time attack on 5-round MISTY1 which exploits only the linear $$FL$$FL functions, and thus, remains valid even if the non-linear $$FO$$FO functions are replaced. On the other extreme, we show the importance of the FL layers, by presenting a devastating (and experimentally verified) related-key attack that can break MISTY1 with no $$FL$$FL layers, requiring only 218 data and time. While our attacks clearly do not compromise the security of the full MISTY1, they expose several weaknesses in the components used in MISTY1, and improve our understanding of its security. These insights are also applicable to future designs which rely on MISTY1 as their base, and should be taken into close consideration by designers.
Bibliographical noteFunding Information:
The authors thank the anonymous reviewers for their useful and insightful comments. The first author was supported in part by the German-Israeli Foundation for Scientific Research and Development through Grant No. 2282-2222.6/2011. The second author was supported by the Alon Fellowship.
© 2014, Springer Science+Business Media New York.
- Related-key attacks
- Slide attacks