sign in sign up
<<
Home , MISTY1

A Practical-time Attack on Reduced-round MISTY1

Nobuyuki Sugio1, Yasutaka Igarashi2, Toshinobu Kaneko2 and Kenichi Higuchi2 1NTT DOCOMO, INC., 3-6 Hikarinooka, Yokosuka, Kanagawa, 239-8536, Japan 2Tokyo University of Science,2641 Yamazaki, Noda, Chiba, 278-8510, Japan

Keywords: MISTY1, Symmetric Algorithm, , Higher Order Differential Attack.

Abstract: MISTY1 is a symmetric key algorithm which has been standardized by ISO and that its modified version is used in GSM and 3G mobile networks. MISTY1 is a 64-bit block cipher supporting key length of 128 bits. In this paper, we focused on evaluating the security of MISTY1 against higher order differential attack. We show 6-round MISTY1 with 4 FL layers is attackable with 243 blocks of chosen plaintexts and 243.31 times of data . This is the best practical-time attack on reduced-round MISTY1.

1 INTRODUCTION MISTY1 with 4 FL layers, that requires 262.9 known plaintexts and 2118 (Yi and Chen, 2014). MISTY1 is one of the symmetric key algorithms. Todo introduced Integral attack by division property, and showed that the secret key of the full MISTY1 can MISTY1 is a 64-bit block cipher supporting key 63.58 121 length of 128 bits. MISTY1 was proposed by Mat- be recovered with 2 chosen plaintexts and 2 sui in 1997 (Matsui, 1997). The number of rounds is time complexity (Todo, 2015). Bar On improved the attack proposed by Todo, and presented full MISTY1 8. MISTY1 achieves a provable security against dif- 64 69.5 ferential and with was attackable with 2 chosen plaintexts and 2 round function FO. Designer adds on an auxiliary encryptions (Bar-On, 2015a). function FL in order to become secure against other Most of the previous attacks aimed at maximiz- attacks. MISTY1 was selected as one of the NESSIE- ing the number of attacked rounds, and as a result, recommended ciphers portfolio and was adopted as their complexities are highly impractical. In this pa- the international standard by ISO/IEC 18033-3 (ISO, per, we focused on evaluating the security of MISTY1 2010). CRYPTREC project has chosen MISTY1 as in terms of practical-time complexity. The previous one of the e-Government Recommended candidate ci- practical-time attack was proposed by Hatano et. al. phers in 2013 (CRYPTREC, 2013). Furthermore, the (Y. Hatano and Kaneko, 2004), and Dunkelman et. al. block cipher KASUMI designed as a slight modifica- (Dunkelman and Keller, 2013), respectively. The best tion of MISTY1 is used in the GSM/3G mobile net- practical-time attack was higher order differential at- works, which makes it one of the most widely used tack on 5-round MISTY1 with 4 FL layers.The neces- block ciphers today. sary computational complexity by using higher order Up to now, many cryptanalytic methods were used differential can be estimated as sum of the following to evaluate the security of MISTY1 such as higher or- 2-steps. der differential attack, impossible differential attack, 1. Preparation of data integral attack, and multi-dimensional zero correla- 2. Key recovery tion linear attack. The main previous attacks are as follows. Tsunoo et. al. proposed 46-th order differ- The order of differential affects both steps. Therefore, ential and showed 7-round MISTY1 with 4 FL lay- it is very important to discover the lower order differ- ers was attackable with 254.1 chosen plaintexts and ential characteristics to reduce the complexity for an 2120.7 encryptions (Y. Tsunoo and Kawabata, 2008). attack. The results we obtain are the following. Jia et. al. constructed a 7-round impossible differ- 1. We implemented the 46th-order differential for ential and mounted impossible differential attack on 4-round MISTY1 introduced in (Y. Tsunoo and 7-round MISTY1 with 3 FL layers (Jia and Li, 2012). Kawabata, 2008) on a computer which mounted Yi presented zero-correlation linear attack on 7-round Graphics Processing Unit (GPU) co-processors

235

Sugio, N., Igarashi, Y., Kaneko, T. and Higuchi, K. A Practical-time Attack on Reduced-round MISTY1. DOI: 10.5220/0005652202350242 In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 235-242 ISBN: 978-989-758-167-0 Copyright c 2016 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

Table 1: Summary of single-key attacks on MISTY1. Rounds FL layers Data Time Attack algorithm Reference 5 4 222 CP 228 Higher Order Differential (Y. Hatano and Kaneko, 2004) 6 4 251 CP 2123.4 Impossible Differential (Dunkelman and Keller, 2008) 6 4 253.7 CP 253.7 Higher Order Differential (Y. Tsunoo and Kawabata, 2008) 6 4 243 CP 243.31 Higher Order Differential Section5 7 0 250.2 KP 2114.1 Impossible Differential (Dunkelman and Keller, 2008) 7 3 258 KP 2124.4 Impossible Differential (Jia and Li, 2012) 7 4 262.9 KP 2118 Multi-Zero Correlation (Yi and Chen, 2014) 7 4 254.1 CP 2120.7 Higher Order Differential (Y. Tsunoo and Kawabata, 2008) 7 5 251.45 CP 2121 Higher Order Differential (Bar-On, 2015b) 8 5 263.58 CP 2121 Integral by division property (Todo, 2015) 8 5 264 CP 269.5 Integral by division property (Bar-On, 2015a)

CP: Chosen Plaintexts, KP : Known Plaintexts.

Table 2: The Key Scheduling of MISTY1.

KOi1 KOi2 KOi3 KOi4 KIi1 KIi2 KIi3 KLi1 KLi2 Ki Ki+2 Ki+7 Ki+4 Ki0+5 Ki0+1 Ki0+3 K i+1 (odd i) K0i+1 (odd i) 2 2 +6 K0i (even i) K i +4 (even i) 2 +2 2

and found 16-bits of the above characteristic was 2 MISTY1 always 0. We gradually reduced the order of dif- ferentials for 4-round MISTY1 by computer ex- MISTY1 is a Feistel type 64-bit block cipher support- periment, and discovered new 38-th order differ- ing secret key length of 128 bits. MISTY1 was pro- ential characteristics for 4-round MISTY1 which posed by Matsui in 1997 (Matsui, 1997). The number 1 held 7-bits of those differential characteristics 0 . of rounds which designer recommends is 8. MISTY1 2. We can attack 6-round MISTY1 with 4 FL layers achieves a provable security against differential crypt- by using the 38-th order differential characteris- analysis and linear cryptanalysis with round function tic. The complexity for the attack needs 243 cho- FO. Designer adds on an auxiliary function FL in or- sen plaintexts and 243.31 encryptions. Our method der to become secure against other attacks. can reduce the necessary number of chosen plain- Figure 1 shows the main structure and components texts and the computational cost for the attack of of the cipher. The round function FOi (1 i 8) is ≤ ≤ 6-round MISTY1 with 4 FL layers illustrated in a variant of a 3-round Feistel construction which has (Y. Tsunoo and Kawabata, 2008) by a factor of 16-bit bijective function FIi j (1 j 3) and 16-bit 10 ≤ ≤ 2 . This is the best practical-time attack on 6- extended key KOi j (1 j 4), KIi j (1 j 3). FIi j ≤ ≤ ≤ ≤ round MISTY1. Summary of main attacks on is a variant of a 3-round Feistel construction and its in- MISTY1 are shown in Table 1. put is divided into left 9-bit data and right 7-bit data, which are transformed by bitwise XOR operations de- The remainder of this paper is organized as fol- noted by the symbol and substitution tables S7 and lows. Section 2 gives a brief introduction of MISTY1. S9. KI and KI are⊕ left 7-bit data and right 9-bit Section 3 explains higher order differentials and its i j1 i j2 data of KI , respectively. The key dependent linear application for an attack. Section 4 shows previous i j function FL are composed of bitwise AND operation higher order differentials and presents a new higher i denoted by the symbol , OR operation denoted by order differential for 4-round MISTY1. Section 5 the symbol , XOR operations∩ and KL (1 j 2). proposes higher order differential attack on 6-round ∪ i j ≤ ≤ The of MISTY1 takes the 128-bit se- MISTY1 with 4 FL layers. Section 6 summarizes this cret key K to generate extended keys. Let K (1 i paper. i 8) be the i-th (from left) 16-bit data of the secret≤ key≤ 1 K, and let KO (1 i 8) be the output of FI where The characteristic of 38-th order differential equals to i ≤ ≤ i j the characteristic of 46-th order differential for 4-round the input of FIi j is Ki and the key KIi j is Ki+1. Also, MISTY1 estimated in (Y. Tsunoo and Kawabata, 2008) identify K9 with K1. The correspondence between the

236 A Practical-time Attack on Reduced-round MISTY1

Figure 1: Outline of MISTY1. symbols KO , KI , KL and the actual key is shown The plaintext and are denoted by P and i j i j i j • in Table 2. Here, Ki0 is the output of FIi, j where the C. The left 32-bit value of P is denoted by PL and input is Ki and the key is Ki+1. the right 32-bit value of P is denoted by PR. The left 32-bit value of C is denoted by CL and the 2.1 Notations Used in This Paper right 32-bit value of C is denoted by CR, respec- tively. We use the following notations for intermediate val- The input of i-th round (1 i 8) are denoted by • ≤ ≤ during the MISTY1 encryptions process. Xi. We denote the intermediate value after appli-

237 ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

n cation of FL functions by Xi0. output and C(X) GF(2) be the ciphertext corre- sponding to the plaintext∈ X GF(2)n.H (X) is Let Z be a intermediate variable. Z[k] denotes k-th R 1 expressed as follows. ∈ − • bit of Z and Z[k l] denotes bits from k to l of Z − respectively. HR 1(X) = FR 1( F2((F1(X;K1);K2), ,KR 1) − − ··· ··· − (5) s where Ki GF(2) be the i-th round key and F( ) be a function∈ of GF(2)n GF(2)s GF(2)m. · 3 HIGHER ORDER × → If the degree of HR 1(X) with respect to X is d, DIFFERENTIAL ATTACK we have the following equation− from Property 1. (d+1) ∆ HR 1(X) = 0 (6) This section gives an overview of higher order differ- − ential attack. This equation holds with probability 1. Let F˜( ) be a decoding function that calculates · n 3.1 Higher Order Differential (Lai, HR 1(X) from a ciphertext C(X) GF(2) . − ∈ 1994) HR 1(X) = F˜(C(X);KR) (7) − where K GF(2)s denotes the R-th round key to de- Let E( ) be an encryption function as follows. R ∈ · code HR 1(X) from C(X). From equation (6), (7) and − Y = E(X;K) (1) (2), we can derive following equation. n s m F˜(C(X A);K ) = 0 (8) where X GF(2) , K GF(2) , Y GF(2) . For a ⊕ R ∈ ∈ ∈ A V (d+1) block cipher, X, K and Y denote plaintext, key and ∈M ciphertext respectively. Let a1,a2, ,ai be a set We can determine K by solving (8). In the following, { ··· } R of linearly independent vectors in GF(2)n and V (i) we refer to equation (8) as an attack equation for key be a sub-space spanned by these vectors. We define recovery. ( ) ∆ i E(X;K) as an i-th order differential of E(X;K) V (i) with respect to X as follows. 3.3 Algebraic Method

( ) ∆ i E(X;K) = E(X A;K) (2) Shimoyama et al. proposed an effective method V (i) ⊕ (i) of solving equation (8) (T. Shimoyama and Tsujii, AMV ∈ 1999). This method, called algebraic method in this ( ) In the following, we abbreviate ∆ i as ∆(i), when paper, expands equation (8) as boolean polynomials V (i) it is clearly understood. In this paper, we use the over GF(2), and linearizes by treating every higher or- following properties of the higher order differential. der variables like kik j with new independent variables like ki j. In the following, we use the term linearized Property 1. If the degree of E(X;K) with re- attack equation to refer to an attack equation that is spect to X equals to d, then regarded as a linear equation. Let L be the number of unknowns in the linearized ∆(d+1)E(X;K) = 0 attack equation (8). Since the equation (8) is derived deg E(X;K) = d X { } ⇔ ∆(d)E(X;K) = const by using an m-bit sub-block, we can rewrite equation  (3) (8) as follows. t Ak = b , k = (k1,k2,...,k1k2,...,k1k2k3, ) (9) Property 2. Higher order differential has a linear ··· property on XOR sum. That means d-th order differ- where A, b, and k are the m L coefficient matrix, the × ential of the sum of each function equals to the sum m-dimensional vector, and the L-dimensional vector of d-th order differential of each function. over GF(2). k denotes linearized unknowns that are expressed as monomials of the R-th round key KR. ∆(d) E(X ;K ) E(X ;K ) = { 1 1 ⊕ 2 2 } (4) We can obtain m linearized attack equations from ∆(d)E(X ;K ) ∆(d)E(X ;K ) 1 1 ⊕ 2 2 one (d + 1)-th order differential because equation (8) is an m-bit equation. Therefore we need L/m sets 3.2 Attack Equation of the (d + 1)-th order differential for thed uniquee so- lution. Consider an R-round iterative block cipher. Let Since one set of (d + 1)-th order differential re- m d+1 HR 1(X) GF(2) be a part of the (R 1)-th round quires 2 chosen plaintexts, the necessary number − ∈ −

238 A Practical-time Attack on Reduced-round MISTY1

of plaintexts D for the determination of a key is esti- Kaneko, 2004). mated as L P = P[i] α, P[ j] β i = j, 0 j 6, D = 2d+1 (10) { ∈ ∈ | 6 ≤ ≤ × m 16 j 22 (13) ( ) ≤ ≤ }   ∆ 14 X [63 57] = 0 If we use the same technique shown in (T. Shimoyama V (14) 4 − d+1 and Tsujii, 1999), equation (9) requires 2 (L+1) (14) times of F˜( ) calculations. Since we have to× prepare where V is the subspace based on variable sub- L/m sets· of (d + 1)-th order differentials to deter- block P[22 16,6 0]. d e − − mine k, the computational cost2 is estimated as Tsunoo et. al. proposed 46-th order differential which was a 1-round extension of the 14-th order L differential to the direction to plaintext. Due to the T = 2d+1 (L + 1) (11) × × m Feistel structure of MISTY1, the 3-round 14-th order   differential can be extended to a 4-round 46-th order Hatano et. al. proposed the optimization for al- differential by taking all the 232 possible values in the gebraic method by analyzing the number of indepen- previous round. Thus, the following theorem could dent unknowns l( L) in equation (8) (Y. Hatano be derived. and Kaneko, 2004).≤ If we can analyze the num- ber of independent unknowns l( L) in equation (8), ≤ Theorem. For four consecutive rounds of MISTY1 the l/m l coefficient matrix A and the l/m - d e × op d e with FL functions that starts at 1-st round, the dimensional vector bop is sufficient for solving the following equation independently holds under linearized attack equation. any fixed value of the key, constant value of the P[i](39 i 47, 55 i 63) and V (46) is the ≤ ≤ ≤ ≤ subspace based on variable sub-blockPR, P[ j] ( 32 j 38, 48 j 54). 4 HIGHER ORDER ≤ ≤ ≤ ≤ DIFFERENTIALS FOR P = P[i] α, P[ j],P β 39 i 47, REDUCED ROUND MISTY1 { ∈ R ∈ | ≤ ≤ 55 i 63, 32 j 38, 48 j 54 (14) ≤ ≤ (46) ≤ ≤ ≤ ≤ } This section explains the previous results of higher ∆ X [63 57] = 0 V (46) 5 − order differential characteristic of MISTY1 and il- lustrates new higher order differential characteris- 4.2 New Higher Order Differentials for tics which we discovered. Here, α and β denote fixed and variable sub-block respectively. For ex- MISTY1 ample, 64-bit variable Y consisting of a 3-bit vari- ables a-th, b-th, and c-th bit of sub-block β (0 In this subsection, we describe the new higher order a,b,c 63, a = b = c) can be denoted as Y ≤= differential characteristics for MISTY1 which were Y[i] ≤α, Y[ j] 6 β i6 = j, j = a,b,c, a = b = c .A discovered by computer experiment. {3-rd order∈ differential∈ | of6 intermediate variable6 6 Z[k} l] by using Y can be denoted as − 46-th Order Differential Characteristic. We implemented 46-th order differential described in Y = Y[i] α, Y[ j] β i = j, j = a,b,c,a =b =c equation (14) on a computer which mounts Graphics { ∈ ∈( ) | 6 6 6 } ∆ 3 Z[k l] Processing Unit (GPU) co-processors and found the V (3) − (12) following 46-th order differential characteristic. where 0 i, j,k,l 63 and V (3) is a subspace based ≤ ≤ (46) [ ] ∆ (46) X5[63 48] = 0 (15) on variable sub-block Y j . V − Although we verified equation (15) with 10 different 4.1 Previous Results keys and fixed sub-blocks, equation (15) always held. Since the provability of 10 sets 16-bit random Hatano et. al. proposed 14-th order differential of 160 variables incidentally becomes 0 is 2− , we don’t 3-round MISTY1 with FL functions (Y. Hatano and think equation (15) accidentally holds. 2This computational cost ignores the complexity of solving linearized attack equation, because the computa- 38-th Order Differential Characteristic. We tional cost is negligible as long as coefficient matrix size gradually reduced the order of differentials in is small. equation (15) and discovered the new higher order

239 ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

Table 3: The results of higher order differential characteris- tics on MISTY1. (i) We abbreviate ∆ X [63 57] = 0 (i = 7,14) as X [63 57] = 0 V (i) 4 − 4 − in the table. This abbreviation is same other characteristics. The symbol ’N/A’ means that we couldn’t find a higher order diffe- (i) rential characteristic which satisfied ∆ X [63 41] = 0 V (i) 4 − (1 i 31). (*1) is discovered by Hatano (Y. Hatano and ≤ ≤ Kaneko, 2004). (*2)is discovered by Tanaka (H. Tanaka and Kaneko, 1999). (*3)is discovered by Igarashi (Igarashi and Kaneko, 2008). Rounds i-th order diff. Output FL without FL 3 14( 1) 7( 2) X [63 57] = 0 ∗ ∗ 4 − 3 18 10 X4[63 48] = 0 3 N/A 26 X [63 − 41] = 0 4 − 3 32 31 X4[63 32] = 0 ( 3) − 4 38 32 ∗ X5[63 57] = 0 4 44 36 X [63 − 48] = 0 5 − 4 50 47 X5[63 41] = 0 4 - 48 X [63 − 32] = 0 5 − 5 - 53 Unknown ∼

We estimate the complexity for an attack by means of same procedure described in (Y. Tsunoo and Kawa- bata, 2008). Using the chosen plaintext denoted in equation (16), we have the following attack equation by assuming KL [15 9] = 0x7 f . (See figure 3.) 52 − β shown in 32-bit state (α, β, α, β) are 3-bits variables out of FO6(X6[63 32];KO61,KO62)[31 25] 7-bits sub-blocks, respectively. { − − ⊕ A MV (38) Figure 2: A new 38th order differential of MISTY1. ∈ 1 FL7− (CL(X A);KL72)[31 25] = 0, ⊕1 − } X [63 32] = FL− (C (X A);KL ,KL ) differential characteristics as follows. 6 − 8 R ⊕ 81 82 1 P = P[i] α,P[ j,k],PR β i = j,i = k where FL− means an inverse function of FL. We di- { 32∈ i 63, j =∈k +|166 , 6 vide the attack equation into seven kinds of 1-bit at- k = h ,h ,h≤ (32≤ h < h < h 38) (16) tack equations in order to increase the success prob- 1 2 3 ≤ 1 2 3 ≤ } (38) ability. Assuming KL52[15 9] = 0x7 f , the seven ∆ X5[63 57] = 0 V (38) − kinds of 1-bit attack equations− are written as where h1, h2 and h3 are bit patterns of variable sub-block. The variations of 38-th order differential FO6(X6[63 32];KO61,KO62)[i] 7 { − ⊕ illustrated in equation (16) exist =35 patterns. A MV (38) 3 ∈ 1 FL7− (CL(X A);KL72)[i] = 0,  1 ⊕ } Other Characteristics. We searched for the new X6[63 32] = FL8− (CR(X A);KL81,KL82) higher order differential characteristics on 3-round, 4- − ⊕ (17) round and 5-round MISTY1 respectively. The results where 25 i 31. Each 1-bit attack equation holds ≤ ≤ 1 are presented in Table 3. with probability 2− . Using those equations, we can 7 determine the key with probability 1 2− , which means KL [15 9] = 0x00. Otherwise− we can de- 52 − 6 5 38-TH ORDER DIFFERENTIAL termine KL52[15 9] = 0x00. After linearization− of the attack equation which ATTACK ON REDUCED ROUND consists of 7-bits width, we obtain the total number MISTY1 of unknown variables L = 1665 in a system of lin- ear equations. If any of the unknown variables have In this section we apply 38-th order differential char- linear sum relations, the complexity for attack can acteristic to attack 6-round MISTY1 with 4 FL layers. be reduced. In this paper, we chose independent un-

240 A Practical-time Attack on Reduced-round MISTY1

variable bit sub-blocks. When we regard one set of 43-rd order differential as some sets of 38-th order differential, the number of fixed bit sub-blocks in 43- rd order differential is five. 5-bits pattern includes 25 possible values. Thus, a 43-rd order differential illus- 5 5 trated in equation (18) generates 2 3 =320 > 199 sets of 38-th order differential. Therefore,× the neces- sary number of chosen plaintexts D for  key recovery is estimated as 243. Now, we consider the time complexity for this at- tack. The necessary computational cost for an attack can be estimated as sum of the following 2-steps. 1. Preparation of 2. Key recovery The time complexity for a preparation of ciphertexts 43 TC is estimated as 2 6-round MISTY1 encryptions. From equation (11), the complexity for key recovery is estimated as follows. 189 + 10 T = 238 (1665 + 1) M × × 1   We can reduce the complexity by using a modulo 2 frequency distribution table. This table counts cipher- text values appearing an odd number of times since Figure 3: An attack on 6-round MISTY1 by using 38-th performing an XOR operation on the same value an order differential. even number of times results in a value of 0. We pre- pare 2 kinds of tables whose size are 218 with respect 3 14 known variables l = 189 as worst-case. Because ev- to 18-bits CL[32 23,15 7] for 2 S9-boxes and 2 ery linearized attack equation was derived by 1-bit with respect to 14-bits− C−[22 16,6 0] for 2 S7- L − − key KL52[i] assumption, additional 10 linear equa- boxes respectively. The cost for generating these ta- tions are needed to remove all false keys. From equa- bles is tion (10), the necessary number of chosen plaintexts T = 238 2 199 t × × D is estimated as table look-ups. If the computational cost for one table 189 + 10 D = 238 look-up equals to the cost for a S7, S9 look-up, Tt is × m estimated as   38 where m = 1 since the attack solves equation (17) for 2 2 199 40.9 38 45.7 T = × × 2 each bit. Namely, D = 2 199 2 . Here, we t 6 9 ≈ × ≈ × can reduce the number of plaintexts D as follows. Let encryptions because 6-round MISTY1 has 6 9 S- us consider a 43-rd order differential denoted equa- boxes. The computational cost from equation (11)× by tion (18). using these tables is estimated as P = P[i] α,P[ j,k,l],PR β i = j,k,l, j =k+16 { ∈ ∈ | 6 } 18 14 189 + 10 k = h , ,h (32 h < h < h < h < h 38) T 0 = (2 2 + 2 2 ) (1665 + 1) 1 ∼ 5 ≤ 1 2 3 4 5 ≤ M × × × × 1 l = h6 (32 h6 38, or 48 h6 54)   ≤ ≤ ≤ ≤ (18) 237.5 A 43-rd order differential described in equation (18) ≈ 237.5 31.8 5 5 S-box look-ups. TM0 is estimated as 6 9 2 en- can be used to construct 2 3 =320 sets of 38-th or- × ≈ der differential. The explanation× is as follows. The cryptions. The complexity for solving a system of combination of choosing variable  bit sub-blocks of equations resulting from linearization is negligible. The overall time complexity T is estimated as 38-th order differential in equation (18) is 5 , be- 3 43 40.9 31.8 43.31 cause we have to choose 3-bits from (h1, ,h5) as T = TC + Tt + TM0 = 2 + 2 + 2 2 ∼  ≈ 3It should be noted that the number of independent un- times of 6-round MISTY1 encryptions. The time known variables depends on the exact bit in attack equation. complexity T is dominated by the encryption of plain- See (Y. Tsunoo and Kawabata, 2008) in detail. texts.

241 ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy

6 CONCLUSIONS Matsui, M. (1997). New block encryption algorithm misty. In Fast Software Encryption 4th International Work- In this paper, we focused on evaluating the security of shop. Springer. MISTY1 in terms of practical-time complexity. We T. Shimoyama, Siho Moriai, T. K. and Tsujii, S. (1999). Im- implemented the 46th-order differential characteris- proving higher order differential attack and its appli- cation to nyberg-knudesen’s designed block cipher. In tic for 4-round MISTY1 introduced in (Y. Tsunoo IEIEC Transactions, Fundamentals, Vol.E82-A, No.9, and Kawabata, 2008) on a computer which mounts pages 1971-1980. IEICE. GPU co-processors. We found 16-bits of 46-th order Todo, Y. (2015). on full misty1. In differential characteristic was 0. We discovered the CRYPTO 2015 volume 9215 of LNCS, pages 413-432. new 38-th order differential characteristic for 4-round Springer. MISTY1 whose characteristic is equal to the charac- Y. Hatano, H. T. and Kaneko, T. (2004). Optimization teristic estimated in (Y. Tsunoo and Kawabata, 2008). for the algebraic method and its application to an at- We applied the 38-th order differential character- tack of misty1. In IEIEC Transactions, Fundamentals, istic to attack 6-round MISTY1 with 4 FL layers. The Vol.E87-A, No.1, pages 18-27. IEICE. complexity for attack needs 243 chosen plaintexts and Y. Tsunoo, Teruo Saito, M. S. and Kawabata, T. (2008). 243.31 encryptions. By using 38-th order differential, Higher order differential attacks on reduced-round misty1. In ICISC, volume 5461 of LNCS, pages 415- we can reduce the necessary number of data and time 431. Springer. complexity for an attack on 6-round MISTY1 with 4 10 Yi, W. and Chen, S. (2014). Multidimensional zero- FL layers by a factor of 2 . This is the best practical- correlation linear attacks on reduced-round misty1. In time attack on 6-round MISTY1. CoRR, abs/1410.4312.

REFERENCES

Bar-On, A. (2015a). A 270 attack on the full misty1. In IACR ePrint Archive, 2015/746. IACR. Bar-On, A. (2015b). Improved higher-order dierential at- tacks on misty1. In Fast Software Encryption 22nd International Workshop. Springer. CRYPTREC (2013). CRYPTREC ciphers list, http://www.cryptrec.go.jp/english/method.html. Dunkelman, O. and Keller, N. (2008). An improved im- possible differential attack on misty1. In ASIACRYPT, volume 5350 of LNCS, pages 441-454. Springer. Dunkelman, O. and Keller, N. (2013). Practical-time attacks against reduced variants of misty1. In IACR ePrint Archive, 2013/431. IACR. H. Tanaka, K. H. and Kaneko, T. (1999). Strength of misty1 without fl function for higher order differential attack. In Applied Algebra, Algebraic Algorithms and Error- Correcting Codes, volume 1719 of LNCS, pp 221-230. Springer. Igarashi, Y. and Kaneko, T. (2008). The 32nd-order differ- ential attack on misty1 without fl functions. In 2008 International Symposium on Information Theory and its Applications, No.W-TI-4-4, pages 1503-1508. IE- ICE. ISO (2010). ISO/IEC 18033-3 information technology - security techniques - encryption algorithms - part 3: Block ciphers. Jia, K. and Li, L. (2012). Impossible differential at- tacks on reduced-round misty1. In 13th International Workshop, WISA, volume 7690 of LNCS pages 1527. Springer. Lai, X. (1994). Higher order derivatives and differential cryptanalysis. In Communications and , pages 227-233.

242