A Practical-time Attack on Reduced-round MISTY1 Nobuyuki Sugio1, Yasutaka Igarashi2, Toshinobu Kaneko2 and Kenichi Higuchi2 1NTT DOCOMO, INC., 3-6 Hikarinooka, Yokosuka, Kanagawa, 239-8536, Japan 2Tokyo University of Science,2641 Yamazaki, Noda, Chiba, 278-8510, Japan Keywords: MISTY1, Symmetric Key Algorithm, Block Cipher, Higher Order Differential Attack. Abstract: MISTY1 is a symmetric key algorithm which has been standardized by ISO and that its modified version is used in GSM and 3G mobile networks. MISTY1 is a 64-bit block cipher supporting key length of 128 bits. In this paper, we focused on evaluating the security of MISTY1 against higher order differential attack. We show 6-round MISTY1 with 4 FL layers is attackable with 243 blocks of chosen plaintexts and 243.31 times of data encryption. This is the best practical-time attack on reduced-round MISTY1. 1 INTRODUCTION MISTY1 with 4 FL layers, that requires 262.9 known plaintexts and 2118 encryptions (Yi and Chen, 2014). MISTY1 is one of the symmetric key algorithms. Todo introduced Integral attack by division property, and showed that the secret key of the full MISTY1 can MISTY1 is a 64-bit block cipher supporting key 63.58 121 length of 128 bits. MISTY1 was proposed by Mat- be recovered with 2 chosen plaintexts and 2 sui in 1997 (Matsui, 1997). The number of rounds is time complexity (Todo, 2015). Bar On improved the attack proposed by Todo, and presented full MISTY1 8. MISTY1 achieves a provable security against dif- 64 69.5 ferential cryptanalysis and linear cryptanalysis with was attackable with 2 chosen plaintexts and 2 round function FO. Designer adds on an auxiliary encryptions (Bar-On, 2015a). function FL in order to become secure against other Most of the previous attacks aimed at maximiz- attacks. MISTY1 was selected as one of the NESSIE- ing the number of attacked rounds, and as a result, recommended ciphers portfolio and was adopted as their complexities are highly impractical. In this pa- the international standard by ISO/IEC 18033-3 (ISO, per, we focused on evaluating the security of MISTY1 2010). CRYPTREC project has chosen MISTY1 as in terms of practical-time complexity. The previous one of the e-Government Recommended candidate ci- practical-time attack was proposed by Hatano et. al. phers in 2013 (CRYPTREC, 2013). Furthermore, the (Y. Hatano and Kaneko, 2004), and Dunkelman et. al. block cipher KASUMI designed as a slight modifica- (Dunkelman and Keller, 2013), respectively. The best tion of MISTY1 is used in the GSM/3G mobile net- practical-time attack was higher order differential at- works, which makes it one of the most widely used tack on 5-round MISTY1 with 4 FL layers.The neces- block ciphers today. sary computational complexity by using higher order Up to now, many cryptanalytic methods were used differential can be estimated as sum of the following to evaluate the security of MISTY1 such as higher or- 2-steps. der differential attack, impossible differential attack, 1. Preparation of data integral attack, and multi-dimensional zero correla- 2. Key recovery tion linear attack. The main previous attacks are as follows. Tsunoo et. al. proposed 46-th order differ- The order of differential affects both steps. Therefore, ential and showed 7-round MISTY1 with 4 FL lay- it is very important to discover the lower order differ- ers was attackable with 254.1 chosen plaintexts and ential characteristics to reduce the complexity for an 2120.7 encryptions (Y. Tsunoo and Kawabata, 2008). attack. The results we obtain are the following. Jia et. al. constructed a 7-round impossible differ- 1. We implemented the 46th-order differential for ential and mounted impossible differential attack on 4-round MISTY1 introduced in (Y. Tsunoo and 7-round MISTY1 with 3 FL layers (Jia and Li, 2012). Kawabata, 2008) on a computer which mounted Yi presented zero-correlation linear attack on 7-round Graphics Processing Unit (GPU) co-processors 235 Sugio, N., Igarashi, Y., Kaneko, T. and Higuchi, K. A Practical-time Attack on Reduced-round MISTY1. DOI: 10.5220/0005652202350242 In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 235-242 ISBN: 978-989-758-167-0 Copyright c 2016 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy Table 1: Summary of single-key attacks on MISTY1. Rounds FL layers Data Time Attack algorithm Reference 5 4 222 CP 228 Higher Order Differential (Y. Hatano and Kaneko, 2004) 6 4 251 CP 2123.4 Impossible Differential (Dunkelman and Keller, 2008) 6 4 253.7 CP 253.7 Higher Order Differential (Y. Tsunoo and Kawabata, 2008) 6 4 243 CP 243.31 Higher Order Differential Section5 7 0 250.2 KP 2114.1 Impossible Differential (Dunkelman and Keller, 2008) 7 3 258 KP 2124.4 Impossible Differential (Jia and Li, 2012) 7 4 262.9 KP 2118 Multi-Zero Correlation (Yi and Chen, 2014) 7 4 254.1 CP 2120.7 Higher Order Differential (Y. Tsunoo and Kawabata, 2008) 7 5 251.45 CP 2121 Higher Order Differential (Bar-On, 2015b) 8 5 263.58 CP 2121 Integral by division property (Todo, 2015) 8 5 264 CP 269.5 Integral by division property (Bar-On, 2015a) CP: Chosen Plaintexts, KP : Known Plaintexts. Table 2: The Key Scheduling of MISTY1. KOi1 KOi2 KOi3 KOi4 KIi1 KIi2 KIi3 KLi1 KLi2 Ki Ki+2 Ki+7 Ki+4 Ki0+5 Ki0+1 Ki0+3 K i+1 (odd i) K0i+1 (odd i) 2 2 +6 K0i (even i) K i +4 (even i) 2 +2 2 and found 16-bits of the above characteristic was 2 MISTY1 always 0. We gradually reduced the order of dif- ferentials for 4-round MISTY1 by computer ex- MISTY1 is a Feistel type 64-bit block cipher support- periment, and discovered new 38-th order differ- ing secret key length of 128 bits. MISTY1 was pro- ential characteristics for 4-round MISTY1 which posed by Matsui in 1997 (Matsui, 1997). The number 1 held 7-bits of those differential characteristics 0 . of rounds which designer recommends is 8. MISTY1 2. We can attack 6-round MISTY1 with 4 FL layers achieves a provable security against differential crypt- by using the 38-th order differential characteris- analysis and linear cryptanalysis with round function tic. The complexity for the attack needs 243 cho- FO. Designer adds on an auxiliary function FL in or- sen plaintexts and 243.31 encryptions. Our method der to become secure against other attacks. can reduce the necessary number of chosen plain- Figure 1 shows the main structure and components texts and the computational cost for the attack of of the cipher. The round function FOi (1 i 8) is ≤ ≤ 6-round MISTY1 with 4 FL layers illustrated in a variant of a 3-round Feistel construction which has (Y. Tsunoo and Kawabata, 2008) by a factor of 16-bit bijective function FIi j (1 j 3) and 16-bit 10 ≤ ≤ 2 . This is the best practical-time attack on 6- extended key KOi j (1 j 4), KIi j (1 j 3). FIi j ≤ ≤ ≤ ≤ round MISTY1. Summary of main attacks on is a variant of a 3-round Feistel construction and its in- MISTY1 are shown in Table 1. put is divided into left 9-bit data and right 7-bit data, which are transformed by bitwise XOR operations de- The remainder of this paper is organized as fol- noted by the symbol and substitution tables S7 and lows. Section 2 gives a brief introduction of MISTY1. S9. KI and KI are⊕ left 7-bit data and right 9-bit Section 3 explains higher order differentials and its i j1 i j2 data of KI , respectively. The key dependent linear application for an attack. Section 4 shows previous i j function FL are composed of bitwise AND operation higher order differentials and presents a new higher i denoted by the symbol , OR operation denoted by order differential for 4-round MISTY1. Section 5 the symbol , XOR operations∩ and KL (1 j 2). proposes higher order differential attack on 6-round ∪ i j ≤ ≤ The key schedule of MISTY1 takes the 128-bit se- MISTY1 with 4 FL layers. Section 6 summarizes this cret key K to generate extended keys. Let K (1 i paper. i 8) be the i-th (from left) 16-bit data of the secret≤ key≤ 1 K, and let KO (1 i 8) be the output of FI where The characteristic of 38-th order differential equals to i ≤ ≤ i j the characteristic of 46-th order differential for 4-round the input of FIi j is Ki and the key KIi j is Ki+1. Also, MISTY1 estimated in (Y. Tsunoo and Kawabata, 2008) identify K9 with K1. The correspondence between the 236 A Practical-time Attack on Reduced-round MISTY1 Figure 1: Outline of MISTY1. symbols KO , KI , KL and the actual key is shown The plaintext and ciphertext are denoted by P and i j i j i j • in Table 2. Here, Ki0 is the output of FIi, j where the C. The left 32-bit value of P is denoted by PL and input is Ki and the key is Ki+1. the right 32-bit value of P is denoted by PR. The left 32-bit value of C is denoted by CL and the 2.1 Notations Used in This Paper right 32-bit value of C is denoted by CR, respec- tively. We use the following notations for intermediate val- The input of i-th round (1 i 8) are denoted by • ≤ ≤ ues during the MISTY1 encryptions process.