Practical-time attacks against reduced variants of MISTY1

Abstract

MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan where it is an e-government candidate recommended cipher, and is recognized internationally as a NESSIE-recommended cipher as well as an ISO/IEC standard and an RFC. Moreover, MISTY1 was selected to be the blueprint on top of which KASUMI, the GSM/3G block cipher, was based. Since its introduction, and especially in recent years, MISTY1 was subjected to extensive cryptanalytic efforts, which resulted in numerous attacks on its reduced variants. Most of these attacks aimed at maximizing the number of attacked rounds, and as a result, their complexities are highly impractical. In this paper we pursue another direction, by focusing on attacks of practical time complexity. We present the first practical-time attack on 5-round MISTY1 which exploits only the linear \(FL\) functions, and thus, remains valid even if the non-linear \(FO\) functions are replaced. On the other extreme, we show the importance of the \(FL\) layers, by presenting a devastating (and experimentally verified) related-key attack that can break MISTY1 with no \(FL\) layers, requiring only \(2^{18}\) data and time. While our attacks clearly do not compromise the security of the full MISTY1, they expose several weaknesses in the components used in MISTY1, and improve our understanding of its security. These insights are also applicable to future designs which rely on MISTY1 as their base, and should be taken into close consideration by designers.

1 Introduction

MISTY1 is a 64-bit block cipher with 128-bit keys designed in 1997 by Matsui [19]. In 2002, MISTY1 was selected by the Japanese government to be one of the CRYPTREC e-government ciphers (up until recently¹), and since then it became widely deployed in Japan. MISTY1 also gained recognition outside Japan, when it was selected to the portfolio of the NESSIE-recommended ciphers [21], and approved as an RFC in 2000 [20] and as an ISO/IEC standard in 2005 [13]. Furthermore, the block cipher KASUMI [1] designed as a slight modification of MISTY1 is used in the GSM/3G networks, which makes it one of the most widely used block ciphers today. This makes examination of the security of MISTY1 and its variants one of the central practical questions in block cipher cryptanalysis.

MISTY1 has an 8-round recursive Feistel structure, where the round function \(FO\) is in itself a modified 3-round Feistel construction, whose F-function \(FI\) is in turn a modified 3-round Feistel construction using 7-bit and 9-bit invertible S-boxes. The specific choice of S-boxes and the recursive structure suggest security against differential and linear cryptanalysis. In addition, to further thwart attacks, after every two rounds an \(FL\) function is applied to each of the two halves independently. The \(FL\) functions are key-dependent linear functions which play the role of whitening layers (even in the middle of the encryption).

Since its introduction, and especially in recent years, MISTY1 was subjected to extensive cryptanalytic efforts, which resulted in numerous attacks on its reduced variants. The best currently known attacks (in terms of number of rounds) are a higher-order differential attack on a 7-round variant with the last two \(FL\) functions removed [26] requiring \(2^{116.4}\) encryptions and an impossible differential attack on a 7-round variant with four \(FL\) functions removed [14] requiring \(2^{124.8}\) encryptions.

Most of the previous attacks on MISTY1 aimed at maximizing the number of attacked rounds, and as a result, their complexities were highly impractical. In this paper, we pursue a different research direction, by focusing on attacks with a practical time complexity and by examining the security of the components of MISTY1 separately. The best known practical-time attack on reduced-round MISTY1 is a higher-order differential attack on 5-round MISTY1 requiring \(2^{28}\) encryptions [12]. This attack exploits the exact structure of the MISTY1 S-boxes, and hence, can be easily thwarted by replacing any one of the S-boxes by an S-box with a higher algebraic degree. Among the attacks that do not exploit the exact structure of the S-box, the best are on 4-round MISTY1 requiring \(2^{45}\) encryptions [18] and on 5-round MISTY1 with the last two \(FL\) functions removed, requiring \(2^{27.32}\) encryptions [24].

In this paper we present three practical-time attacks on reduced variants of MISTY1. The first of them targets 5-round MISTY1 and uses only the overall structure of MISTY1 and its linear \(FL\) functions, so that it remains valid even if the non-linear \(FO\) functions are replaced by arbitrarily strong functions. The second attack targets the same 5-round variant and obtains improved efficiency by exploiting the structure of the \(FO\) functions, while remaining independent of the exact choice of the S-boxes (unlike the attack of [12]). The third attack is a related-key attack on 8-round MISTY1 without the \(FL\) functions, requiring only \(2^{18}\) plaintexts and time. We fully verified the related-key attack experimentally, finding the last round subkey in a negligible time on a PC. A comparison of our attacks with previous attacks on reduced-round MISTY1 is presented in Table 1.

Table 1 Summary of practical-time attacks on reduced variants of MISTY1 (with comparison to the best known attacks on MISTY1)

While our three attacks use very different techniques (impossible differentials [4], Square attack [7], and related-key attack [3]), their high efficiency results from exploiting the same weakness, which appears in all MISTY1 components. This weakness is the ability to divide the states into several sub-states whose influence on each other is limited. Hence, despite the recursive structure, and the large number of S-boxes (9 S-boxes) in each round, the adversary is still able to divide the 32-bit state of the \(FO\) function to four chunks of 7, 9, 7, and 9 bits, and divide the 32-bit state of the \(FL\) function to even smaller chunks of 2 bits each. This division allows significantly speeding up cryptanalytic attacks which now have to deal with a smaller state (and thus, less keying material). We note that variants of both divisions were used in previous works: A division of \(FO\) to two 16-bit chunks was used to attack 5-round MISTY1 without the last two \(FL\)-functions [24] and a division of \(FL\) to 2-bit chunks was used to attack 4-round MISTY1 [18]. In addition, a division of \(FO\) to four chunks was exploited implicitly in the attack of [12] on 5-round MISTY1, as it contributed to decrease the number of variables in the linear equation systems used in that attack.

Our attacks highlight several weaknesses in the design of MISTY1 components, which lead to the “division” properties described above. The first is the fact that both the \(FO\) function and the \(FI\) function have only 3 rounds, which allows for dividing the state of \(FO\) into four chunks. The second is the bit-sliced nature of the \(FL\) function, which allows to divide its state to sixteen 2-bit chunks. Interestingly, both weaknesses were partially addressed in the design of KASUMI: a fourth round was added to the \(FI\) function (but not to the \(FO\) function), and a rotation by a single bit was added into the \(FL\) function. However, these changes address the weaknesses only partially, as a variant of our second attack applies to a 5-round version of KASUMI (though with a higher complexity of \(2^{64}\)). Therefore, while our attacks clearly do not compromise the security of the full MISTY1, they point out weaknesses in its components that should be avoided in design of future MISTY1-based ciphers.

This paper is organized as follows: In Sect. 2 we give a brief description of the structure of MISTY1. In Sect. 3 we present an impossible differential attack on 5-round MISTY1 based on dividing the \(FL\) function state. In Sect. 4 we present a Square attack on 5-round MISTY1 based on dividing both the \(FO\) function and the \(FL\) function states simultaneously. In Sect. 5 we present a highly efficient related-key attack on 8-round MISTY1 without \(FL\) functions, and we conclude with a summary and discussion in Sect. 6.

2 A brief description of MISTY1

MISTY1 is an 8-round Feistel construction, where the round function, \(FO\), is in itself a variant of a 3-round Feistel construction, defined as follows. The input to \(FO\) is divided into two halves. The left one is XORed with a subkey, enters a keyed permutation \(FI\), and the output is XORed with the right half. After the XOR, the two halves are swapped, and the same process (including the swap) is repeated two more times. After that, an additional swap and an XOR of the left half with a subkey is performed (see Fig. 1).

Fig. 1

Outline of MISTY1

The \(FI\) function in itself also has a Feistel-like structure. Its 16-bit input is divided into two unequal parts—one of 9 bits, and the second of seven bits. The left part (which contains 9 bits) enters an S-box, \(S9\), and the output is XORed with the right 7-bit part (after padding the 7-bit value with two zeroes as the most significant bits). The two parts are swapped, the 7-bit part enters a different S-box, \(S7\), and the output is XORed with seven bits out of the nine of the right part. The two parts are then XORed with a subkey, and swapped again. The 9-bit value again enters \(S9\), and the output is XORed with the 7-bit part (after padding). The two parts are then swapped for the last time.

Every two rounds, starting before the first one, each of the two 32-bit halves enters an \(FL\) layer. The \(FL\) layer is a simple linear transformation. Its input is divided into two halves of 16 bits each, the AND of the left half with a subkey is XORed to the right half, and the OR of the updated right half with another subkey is XORed to the left half. We outline the structure of MISTY1 and its parts in Fig. 1.

The key schedule of MISTY1 takes the 128-bit key, and treats it as eight 16-bit words \(K_1, K_2, \ldots , K_8\). From this sequence of words, another sequence of eight 16-bit words is generated, according to the rule \(K_i^{\prime } = FI_{K_{i+1}}(K_i)\).²

In each round, seven words are used as the round subkey, and each of the \(FL\) functions accepts two subkey words. We give the exact key schedule of MISTY1 in Table 2.

Table 2 The key schedule algorithm of MISTY1

In [17], Kühn observed that the \(FO\) function has an equivalent description which uses only 107 equivalent subkey bits (rather than 112). We present this description and use it in Sect. 4.

3 Impossible differential attack on 5-round MISTY1—exploiting only the \(FL\) function

Due to its general structure, 5-round MISTY1 without the \(FL\) functions is susceptible to the generic impossible differential attack against 5-round Feistel constructions with a bijective round function [4, 15]. In [18] it was claimed that the existence of the \(FL\) functions makes such an attack impossible against 5-round MISTY1 with all the \(FL\) functions present. In this section we show that rather than destroying the attack, the \(FL\) functions allow to make it much more effective, due to the possibility to attack the \(FL\) functions themselves, rather than the more complex round functions. We end up with attacking a cascade of four sequential applications of \(FL\), which can be performed very efficiently since \(FL\) can be treated as sixteen 2-bit functions applied in parallel. Using this division, we obtain an attack which requires \(2^{38}\) chosen plaintexts and \(2^{46}\) memory accesses and recovers slightly more than 41 bits of information on the \(96\) key bits used in the FL functions.³

The main advantage of this attack over the attack of Hatano et al. [12] on 5-round MISTY1 and over the Square attack presented in Sect. 4 is its generality. Since it exploits only the general structure of MISTY1 and its \(FL\) functions, the attack remains valid even if the \(FO\) function is replaced by an arbitrarily strong function, which would thwart the other attacks. Another advantage is that if only known plaintexts are available to the adversary, the attack can still be applied (with data and time complexities of \(2^{51}\)). Both the Square attack of Sect. 4 and the higher-order differential attack of [12] require almost the entire codebook in the known-plaintext model.

We note that the idea of attacking the \(FL\) functions and dividing them was first presented by Kühn [18], and used to attack 4-round MISTY1. We extend the idea and combine it with the generic 5-round impossible differential, which allows us to attack 5-round MISTY1 with roughly the same time complexity as [18].

The remainder of this section is organized as follows: In Sect. 3.1 we present the 5-round impossible differential used in the attack. We then show the main approach in using this impossible differential in Sect. 3.2. The resulting attack which recovers about 41 bits of the key is described in Sect. 3.3, and we discuss how to recover the rest of the key in Sect. 3.4.

3.1 The 5-round impossible differential used in the attack

The generic attack on 5-round Feistel constructions is based on the following impossible differential:

Observation 1

([4,  p. 136]) Let \(E:\{0,1\}^{2n} \rightarrow \{0,1\}^{2n}\) be a 5-round Feistel construction with a bijective round function \(f: \{0,1\}^{n} \rightarrow \{0,1\}^{n}\). Then for all \(\alpha \in \{0,1\}^n \backslash \{0^n\}\), the differential \((0,\alpha ) \rightarrow (0,\alpha )\) through \(E\) is impossible.

We observe that a similar impossible differential exists even if \(FL\) layers are added to the construction, as in MISTY1. Note that since for a given key, the \(FL\) layers are linear, we can define \(FL(\alpha )\) for a difference \(\alpha \) as the unique difference \(\beta \) such that \((x \oplus y = \alpha ) \Rightarrow (FL(x) \oplus FL(y) = \beta )\).

Proposition 1

Let \(E\) denote a 5-round variant of MISTY1, with all the \(FL\) functions present (including an \(FL\) layer after round 5). If for the given secret key we have \(FL7(FL6(FL4(FL2(\alpha ))))=\beta \), then the differential \((0,\alpha ) \rightarrow (0,\beta )\) through \(E\) is impossible as long as either \(\alpha \ne 0\) or \(\beta \ne 0\).

Proof

The impossible transition is demonstrated in Fig. 2. If the plaintext difference is \((0,\alpha )\), then after the first \(FL\) layer, the difference becomes \((0,FL2(\alpha ))\). This difference evolves after two rounds (including the second \(FL\) layer) to \((y,FL4(FL2(\alpha )))\), where \(y\ne 0\) due to the bijectiveness of the round function of MISTY1.

On the other hand, if the output difference is \((0,\beta )\) such that \(\beta = FL7(FL6(FL4( FL2(\alpha ))))\), then before the last \(FL\) layer, the difference is \((FL6(FL4(FL2(\alpha ))),0)\), and thus the input difference to round 5 (before the swap) is \((0,FL6(FL4(FL2(\alpha ))))\). Thus, the difference before the third \(FL\) layer is \((0,FL4(FL2(\alpha )))\).

However, if the input difference to round 3 is \((z\ne 0,FL4(FL2(\alpha )))\) and the output difference of round 4 (before the \(FL\) layer, including the swap) is \((0,FL4(FL2(\alpha )))\), then the output difference of the \(FO\) function in round 3 must be zero. This is impossible since the input difference to this \(FO\) function is \(y \ne 0\), and the \(FO\) function is bijective.

Hence, the differential \((0,\alpha ) \rightarrow (0,\beta )\) is indeed impossible. \(\square \)

Fig. 2

A 5-round impossible differential of MISTY1

z

We note that a similar approach is used in [18], using the generic 3-round impossible differential \((0,\alpha ) \rightarrow (0,\beta )\) for all non-zero \(\alpha ,\beta \) which holds for every 3-round Feistel construction with a bijective round function.

3.2 Dividing the \(FL\) functions

A straightforward way to use the impossible differential described above to attack 5-round MISTY1 is to encrypt many pairs with difference \((0,\alpha )\) for non-zero \(\alpha \)’s, consider the pairs whose ciphertext difference is of the form \((0,\beta )\), and discard subkeys of the \(FL\) layers for which \(FL7(FL6(FL4(FL2(\alpha ))))=\beta \). However, since the subkeys used in \(FL2,FL4,FL6\), and \(FL7\) are determined by \(96\) subkey bits, this approach is very time consuming.⁴ Instead, we show that the division of the \(FL\) function to sixteen 2-bit functions applied in parallel, allows to detect efficiently all the instances for which \(FL7(FL6(FL4(FL2(\alpha ))))=\beta \), for any given pair \((\alpha ,\beta )\).

We use a series of observations, most of which were first presented in [18]. In the following, the function \(FL7 \circ FL6 \circ FL4 \circ FL2\) is denoted by \(G\).

1. 1.

   For each \(0 \le i \le 15\), the \(i\)-th bits of both halves of the output of an \(FL\) function depend only on the \(i\)-th bits of both halves of the input and the \(i\)-th bits of both halves of the corresponding subkey \(KL_i\). As a result, each \(FL\) function can be represented as a parallel application of \(16\) functions \(f_i:\{0,1\}^2 \rightarrow \{0,1\}^2\) keyed by two different subkey bits each.

2. 2.

   Each such \(f_i\) is linear for a fixed key and invertible.

3. 3.

   The two observations above hold also for a series of \(FL\) functions applied sequentially. In particular, the function \(G=FL7 \circ FL6 \circ FL4 \circ FL2\) can be represented as a parallel application of 16 functions \(g_i:\{0,1\}^2 \rightarrow \{0,1\}^2\) keyed by eight subkey bits each. Each \(g_i\) is linear and invertible, and hence, can realize only one of six possible functions.⁵ Thus, there are only \(6^{16}=2^{41.36}\) possible \(G\) functions.

4. 4.

   Since each \(g_i\) is invertible, the differentials \(0 \rightarrow a\) and \(a \rightarrow 0\) through \(g_i\) are impossible, for each non-zero \(a \in \{0,1\}^2\). In other words, 6 of the 16 pairs of input and output differences are impossible (as depicted in Table 3), independent of the used keys. As a result, most of the differentials of the form \(\alpha \rightarrow \beta \) through \(G\) are impossible, regardless of the subkeys used in the \(FL\) functions. In each of the \(g_i\)-s, only \(10\) out of the \(16\) possible input/output pairs are possible. Hence, only \((10/16)^{16}=2^{-10.85}\) of the input/output pairs for \(G\) are possible.

5. 5.

   The impossible pairs can be detected efficiently by checking a simple Boolean expression. Formally, let the input difference to \(G\) be \((x_1,x_2)\) and the output difference be \((y_1,y_2)\). Also, let \(\overline{t}\) denote the bitwise not of \(t\), let & denote bitwise AND, and \(|\) denote bitwise OR. Then the transition is impossible for any key if

   $$\begin{aligned} \overline{x_1} \& \overline{x_2} \& (y_1 | y_2) \ne 0 \quad \text{ or } \quad \overline{y_1} \& \overline{y_2} \& (x_1 | x_2) \ne 0, \end{aligned}$$

   since this corresponds to a differential of the form \(0 \rightarrow a\) or \(a \rightarrow 0\) for \(a \ne 0\) in at least one of the sixteen \(g_i\) functions.

6. 6.

   Let \((\alpha ,\beta )\) be a pair such that the differential \(\alpha \rightarrow \beta \) through \(G\) is possible and was not discarded at the previous step. We want to find how many of the possible \(2^{41.36}\, G\) functions satisfy \(G(\alpha )=\beta \). For each \(g_i\), there are 10 possible input/output pairs (the other six pairs are impossible for any subkey). For the \(0 \rightarrow 0\) pair, all the six possible \(g_i\) functions satisfy this condition. For each of the other 9 input/output pairs, two of the six functions satisfy the condition. Since the \(g_i\) functions are independent, the expected number of functions satisfying \(G(\alpha )=\beta \) is:

   $$\begin{aligned} \sum _{j=0}^{16} {{16}\atopwithdelims (){j}} \cdot \left( \frac{9}{10}\right) ^j \cdot \left( \frac{1}{10}\right) ^{16-j}\cdot 2^j \cdot 6^{16-j} = 2^{20.3}. \end{aligned}$$
7. 7.

   Finally, since each \(g_i\) function can be treated independently, one can enumerate the \(2^{41.36}\) possible \(G\) functions in such a way that for each pair \((\alpha ,\beta )\), the functions \(G\) satisfying \(G(\alpha )=\beta \) can be found efficiently.

Table 3 Key-independent impossible transitions through the \(g_i\) functions

Using these observations on the structure of the \(FL\) functions, we are ready to present our attack.

3.3 Attack algorithm and analysis

The attack algorithm is the following:

1. 1.

   Ask for the encryption of 64 structures of \(2^{32}\) plaintexts each, such that in each structure, the left half of all the plaintexts is equal to some random value \(A\), while the right half obtains all possible values. (As a result, the difference between two plaintexts in the same structure is of the form \((0,\alpha )\) for varying values of \(\alpha \)).

2. 2.

   In each structure, find the pairs whose output difference is of the form \((0,\beta )\) (for all possible values of \(\beta \)).

3. 3.

   For each pair with input difference \((0,\alpha )\) and output difference \((0,\beta )\) check whether \(\alpha \rightarrow \beta \) is an impossible differential for the function \(G\) (as described in Sect. 3.2). Discard pairs which fail this test.

4. 4.

   For each remaining pair, find all the functions \(G\) satisfying the condition \(G(\alpha )=\beta \) and discard them from the list of all possible \(G\) functions.

5. 5.

   After analyzing all the remaining pairs, output the list of remaining \(G\) functions.

Step 2 of the algorithm can be easily implemented by a hash table, resulting in about \(2^{31}\) pairs from each structure. Step 3 is performed by evaluating a simple Boolean function on the input and the output. It follows from Observation 4 in Sect. 3.2 that in each structure, out of the \(2^{31}\) pairs, about \(2^{20.15}\) pairs remain at this point. Each of these pairs discards about \(2^{20.3}\) possible values of \(G\) on average (as shown in Observation 6 in Sect. 3.2), and the identification of the discarded functions can be performed very efficiently. After analyzing about 64 structures, the expected number of remaining \(G\) functions (except for the right one) is

$$\begin{aligned} 2^{41.36} \cdot (1-2^{20.3-41.36})^{2^{20.15+6}} = 2^{-7.78} \end{aligned}$$

which means that we are left only with the right \(G\) function. The time complexity of the attack is about \(64 \cdot 2^{20.15} \cdot 2^{20.3} = 2^{46.45}\) memory accesses, and the information retrieved by the adversary is equivalent to \(41.36\) key bits.

We note that this attack can be easily modified into a known plaintext attacks. Our attack requires in total \(2^{37}\) pairs of input difference \((0,\alpha )\) and output difference \((0,\beta )\) (for random non-zero values of \(\alpha \) and \(\beta \)). we can obtain these pairs in a known plaintext scenario with about \(2^{51}\) known plaintexts (that compose \(2^{101}\) pairs, of which \(2^{37}\) satisfy the 64-bit condition on the input and output differences). The attack procedure is exactly the same. When taking into account the higher data complexity, the total time complexity of the known plaintext attack is \(2^{51}\) (which is the time needed to encrypt the \(2^{51}\) plaintexts used in the attack).

3.4 Retrieving the rest of the secret key

The most naive approach toward retrieval of the rest of the key is to try all possible \(2^{96}\) subkeys which affect the functions \(FL2,FL4,FL6,\) and \(FL7\), and check (for each subkey) whether it yields the correct function \(G\). A more efficient way is based on the fact that this \(G\) can be treated as an 8-round Feistel, where the following keys are used as subkeys: \(K'_2, K'_3, K'_4,K'_5\) and \(K_4,K_5,K_6,K_7\) (the order of the keys is such that \(K'_2\) and \(K_4\) are used last in \(FL7\)). This allows performing a meet in the middle attack on \(G\). Namely, by guessing \(K_3,K_4,K_5,\) and \(K_6\), it is possible to compute half of the output of \(FL6 \circ FL4 \circ FL2\), and by guessing \(K_2, K_3,\) and \(K_4\), we can compute the full output of \(FL7^{-1}\). By taking out the common part (\(K_3\) and \(K_4\)) to the outer loop, one can easily find all consistent keys in time \(2^{64}\) (using \(2^{32}\) memory). Recovering \(K_7\) is then a trivial operation. Hence, identifying the appropriate \(2^{96} \cdot 2^{-41.36} = 2^{54.64}\) 96-bit subkeys takes about \(2^{64}\) evaluations of \(FL6 \circ FL4 \circ FL2\), which are significantly faster than \(2^{64}\) evaluations of the 5-round MISTY1.

Retrieving the rest of the key by exhaustive search leads to a total time complexity of \(2^{86.64}\) encryptions. We note that this part of the attack can probably be performed much more efficiently using some different attack techniques and exploiting the key information obtained so far. For example, several such techniques applicable in special cases (e.g., if the adversary can use both chosen plaintext and chosen ciphertext queries) are presented in [18].

4 Square attack on 5-round MISTY1—exploiting both \(FO\) and \(FL\) functions

The Feistel structure of MISTY1 and its bijective round function allow to mount a generic Square attack [7] on 4-round MISTY1. The idea behind the generic attack is simple. Consider a set of \(2^{32}\) chosen plaintexts in which the left half is constant and the right half assumes each of the \(2^{32}\) possible values exactly once. It is easy to see that the XOR of the right halves of the \(2^{32}\) corresponding values after 4 Feistel rounds is equal to zero (see Proof below). As was observed in [16], this property holds even if the \(FL\) layers are inserted every two rounds, like in MISTY1.

In order to use this property to attack 5-round MISTY1, one has to consider several such Square structures, and examine the fifth round in order to check whether the right halves after the fourth round sum up to zero. As the round function of MISTY1 is very complex and depends on 176 subkey bits (including the last \(FL\) layer), one would expect such an analysis to be very time consuming. However, we show that the \(FO\) and \(FL\) functions can be divided simultaneously in such a way that the Square structures can be checked and the subkey can be found very efficiently. We obtain an attack on 5-round MISTY1 with all \(FL\) functions present, requiring only \(2^{35.6}\) data and \(2^{38}\) time.

We note that while this attack is inferior to the higher-order differential attack of Hatano et al. [12], it has the advantage that since it does not exploit specific properties of the S-boxes, it cannot be thwarted by merely replacing one of the S-boxes.

This section is organized as follows. In Sect. 4.1 we recall an equivalent description of the \(FO\) function and give the notations used in the attack. In Sect. 4.2 we present the basic Square attack, in Sect. 4.3 we present the division of \(FO\) and \(FL\), and in Sect. 4.4 we present a meet-in-the-middle approach which allows to combine the division with the Square attack efficiently. The attack algorithm is presented in Sect. 4.5, and analyzed in Sect. 4.6. In Sect. 4.7 we show how the adversary can retrieve the rest of the secret key efficiently. In Sect. 4.8 we show that our approach can be used to reduce the data complexity of the higher-order differential attack of [12] by a factor of \(2^{7.6}\), while retaining a completely practical time complexity. Finally, we consider application of the attack to other variants of MISTY1 in Sect. 4.9.

4.1 Notations

In our attack, we use an equivalent description of the \(FO\) function, presented by Kühn in [17]. Kühn observed that since the \(FI\) function has only 3 rounds, the 7-bit subkey \(KI_{i,j,1}\) affects its output in a linear way, and thus it can be absorbed in the subsequent \(KO\) subkeys. This leads to an equivalent description of the \(FO\) function which uses only 107 equivalent subkey bits, instead of 112 subkey bits in the original description. This equivalent description is presented in the middle part of Fig. 3. The equivalent subkeys are the following:

$$\begin{aligned} \begin{array}{l} AKO_{i,1} = KO_{i,1} \\ AKO_{i,2} = KO_{i,2} \\ AKO_{i,3}=KO_{i,2} \oplus KO_{i,3} \oplus KI'_{i,1}\\ AKO_{i,4}=KO_{i,2} \oplus KO_{i,4} \oplus KI'_{i,1} \oplus KI'_{i,2}\\ AKO_{i,5}=KO_{i,2} \oplus KI'_{i,1} \oplus KI'_{i,2} \oplus KI'_{i,3}\\ AKI_{i,j}=[KI_{i,j}]_{\{8,\ldots ,0\}}\\ \end{array} \end{aligned}$$

where we use \(X_{\{a,a-1,a-2,\ldots ,b\}}\) to denote bits \(a\) downto \(b\) of the word \(X\), where \(KI'_{i,j} = [KI_{i,j}]_{\{15,\ldots ,9\}}||00||[KI_{i,j}]_{\{15,\ldots ,9\}}\), \([KI_{i,j}]_{\{15,\ldots ,9\}}\) are the seven most significant bits of \(KI_{i,j}\) which are XORed with the 7-bit half in the \(FI\) function, and where \([KI_{i,j}]_{\{8,\ldots ,0\}}\) are the nine least significant bits of \(KI_{i,j}\).

Fig. 3

Notations used in our 5-round square attack on MISTY1. \(\mathcal {A}\) denotes an active word, \(\mathcal {B}\) denotes a balanced word, \(\mathcal {C}\) denotes a constant word, and ? denotes a word whose status is unknown

We use the following notations, demonstrated in Fig. 3, for intermediate states of the function \(FO5\) and of the \(FI_{5,i}\) functions included in it: The input to the function \(FO5\) is denoted by \(X\), and its left and right 16-bit halves are denoted by \(X^L\) and \(X^R\), respectively. The two halves of the intermediate state after the \(j\)th \(FI\) function are denoted by \(X^{jL}\) and \(X^{jR}\). The 9-bit left part and the 7-bit right part of the input to the \(j\)th \(FI\) function are denoted by \(J^{jL}\) and \(J^{jR}\). The 7-bit left part and the 9-bit right part of the output of the \(j\)th \(FI\) function are denoted by \(I^{jL}\) and \(I^{jR}\), respectively. The output of the entire function \(FO5\) is denoted by \(O\).

For each state \(Z\) (either a 32-bit state, 16-bit state, etc.), the value of the state in the intermediate encryption of the \(i\)th plaintext is denoted by \(Z_i\), the XOR difference between its values in two encryptions is denoted by \(\varDelta Z\), and the XOR of its values over the entire Square structure is denoted by \(\sum Z\).

4.2 The square property

We now present in detail the Square property used in the attack: Consider a structure of \(2^{32}\) plaintexts of the form \(({\mathcal {C}}, {\mathcal {A}})\), where \({\mathcal {C}}\) denotes a constant word, and \({\mathcal {A}}\) denotes an active word.⁶ In other words, the structure is composed of \(2^{32}\) plaintexts of the form \((\alpha , \beta _i)\), where \(\alpha \) is a constant 32-bit word, and \(\beta _i\) assumes all \(2^{32}\) possible values. In the sequel, we denote such structures by “Square structures”. The propagation of the values of a Square structure through rounds 1–4 of MISTY1 is shown in the left part of Fig. 3.

As we can see in the figure, after the initial \(FL\) layer, the left half remains constant (though, possibly it may become a different constant), and the right half remains active (though, the order of the values may change). Since the input of the function \(FO1\) is constant, at the beginning of round 2, the right half is constant and the left half is active. Given that for a fixed key the \(FO2\) function is bijective, at the end of round 2, both halves are active. This situation remains also in the input of round 3, since the \(FL\) layer is also bijective.

Again, as the input \(FO3\) is active, then so is its output. However, this property is not preserved by the XOR with the right half of the input to round 3 (which is active as well), but the word is still balanced. Hence, the left half of the input to round 4 is balanced, which following the Feistel structure becomes the right half after round 4. Finally, since the \(FL\) function is linear, it follows that the XOR of the \(2^{32}\) outputs of \(FL6\) is also equal to zero. We have thus proved:

Proposition 2

([16]) Consider a structure of \(2^{32}\) plaintexts where the left 32 bits are held constant, and the right 32 bits take on all possible values. Then the XOR of the \(2^{32}\) outputs of the function \(FL6\) is zero.

The standard way to exploit the 4-round Square property to attack 5-round MISTY1 is to consider several Square structures, guess some key material in round 5, partially decrypt the ciphertexts and check whether the \(2^{32}\) corresponding outputs of \(FL6\) sum up to zero. Formally, the equation we check is:

$$\begin{aligned} \sum _{i=1}^{2^{32}} O_i \oplus FL7^{-1}(C^R_i) \mathop {=}\limits ^{?} 0, \end{aligned}$$

(1)

since \(O_i \oplus FL7^{-1}(C^R_i)\) equals the output of \(FL6\) in the encryption of the \(i\)th plaintext.

Due to the complex structure of the \(FO\) function and the final functions \(FL7,FL8\), a direct check of Eq. 1 is very time consuming. In the following we show how a division of the \(FO\) and \(FL\) functions, along with a meet-in-the-middle approach, allows to check whether Eq. 1 holds much more efficiently.

4.3 Dividing the \(FO\) and \(FL\) functions

In [22], Sakurai and Zheng observed that given two inputs of the function \(FO5\), seven bits of the difference between the two corresponding outputs can be represented as the XOR of two values, where one of them depends only on the subkey \(AKO_{5,1}\) and the other depends only on the subkey \(AKO_{5,2}\), and all other subkeys are not involved. Indeed, we have

$$\begin{aligned} \varDelta O^{L}_{\{15,14,\ldots ,9\}}&= \varDelta I^{2L} \oplus \varDelta X^{1R}_{\{15,14,\ldots ,9\}}\nonumber \\&= \varDelta I^{2L} \oplus \varDelta I^{1L} \oplus \varDelta X^{R}_{\{15,14,\ldots ,9\}}. \end{aligned}$$

(2)

By the structure of the function \(FI\), the values \(I^{1L}\) and \(I^{2L}\) depend only on the subkeys \(AKO_{5,1}\) and \(AKO_{5,2}\), respectively.

If the final \(FL\) layer is removed from 5-round MISTY1, this observation allows to check the validity of the Square property efficiently. Indeed, it is sufficient to guess 32 key bits and check whether the XOR of the \(2^{32}\) outputs of \(FL6\) equals to zero in its 7 leftmost bits. Checking this condition for four Square structures is sufficient for discarding most of the possible values of the subkeys \(KO_{5,1}\) and \(KO_{5,2}\). Such an attack, along with some enhancements, was used in [16] to break 5-round MISTY1 without the last \(FL\) layer, with time complexity of \(2^{48}\). Later on, Sun and Lai [24] refined the Sakurai–Zheng relation and used it to improve the complexity of [16]’s attack to \(2^{27.32}\) encryptions (without taking into account the time needed to encrypt \(2^{34}\) plaintexts).

In order to handle the final \(FL\) layer, we further refine the Sakurai–Zheng property, and show that the \(FO\) function state can be divided not only into two 16-bit chunks, but actually into four chunks of sizes 7, 9, 7, and 9 bits, respectively.

We observe that due to the structure of \(FI\), the value \(I^{1L}\) composed of bits \(\{15,14,\ldots ,9\}\) of \(I^1\) can be further divided into the XOR of two values, such that one of them depends only on the 9 leftmost bits of \(AKO_{5,1}\), and the second one depends only on the 7 rightmost bits of \(AKO_{5,1}\). Indeed, we have⁷

$$\begin{aligned} I^{1L} = S7(J^{1R}) \oplus \left( J^{1R} \oplus S9(J^{1L})\right) , \end{aligned}$$

where \(S7(J^{1R}) \oplus J^{1R}\) depends only on the 7 least significant bits of \(AKO_{5,1}\) and \(S9(J^{1L})\) depends only on 9 most significant bits of \(AKO_{5,1}\). The same holds also for \(I^2_{\{15,14,\ldots ,9\}}\). Substituting into Eq. 2, we obtain:

$$\begin{aligned} \varDelta O^{L}_{\{15,14,\ldots ,9\}}&= \varDelta \left( J^{2R} \oplus S7(J^{2R})\right) \oplus \varDelta S9(J^{2L}) \oplus \varDelta \left( J^{1R} \oplus S7(J^{1R})\right) \nonumber \\&\quad \oplus \varDelta S9(J^{1L}) \oplus \varDelta X^{R}_{\{15,14,\ldots ,9\}} \nonumber \\&= \underbrace{\varDelta \left( S9(J^{2L}) \oplus S9(J^{1L}) \right) }_{(\star )} \oplus \underbrace{\left( \varDelta (J^{2R} \oplus S7(J^{2R})) \oplus \varDelta (J^{1R} \oplus S7(J^{1R})) \right) }_{(\star \star )} \nonumber \\&\quad \oplus \varDelta X^{R}_{\{15,14,\ldots ,9\}}. \end{aligned}$$

(3)

In Eq. 3, the first part (\((\star )\)) depends only on the 9 leftmost bits of both halves of the input to \(FO5\) and on the 9 leftmost bits of the subkeys \(AKO_{5,1}\) and \(AKO_{5,2}\). Likewise, the second part (\((\star \star )\)) depends only on the 7 rightmost bits of both halves of the input to \(FO5\) and on the 7 rightmost bits of the subkeys \(AKO_{5,1}\) and \(AKO_{5,2}\).

Now we observe that in 5-round MISTY1, the 9 leftmost bits and the 9 rightmost bits of the input to \(FO5\), can be found given the ciphertext and 18 corresponding bits of the subkey \(KL_8\). Likewise, the 14 bits of input to \(FO\) required in the second parentheses can be found given the 14 remaining bits of \(KL_8\). Therefore, Eq. 3, along with a meet-in-the-middle technique, allow us to break into parts both the subkeys \(AKO_{5,1}\) and \(AKO_{5,2}\) and the subkeys used in \(FL8\).

4.4 Efficient method to check the square property using division and a meet-in-the-middle approach

Recall that we consider Square structures, and want to check whether Eq. 1 holds (in some of the bits). This will allow us to discard wrong suggestions of the subkey of round 5, and thus to retrieve subkey material. The condition we would like to check for a given key guess is whether

$$\begin{aligned} \left( \sum _i FL7^{-1}(C^R_i) \right) _{\{31,30,\ldots ,25\}} = \left( \sum _i O^{L}_i \right) _{\{15,14,\ldots ,9\}}. \end{aligned}$$

Indeed, this is exactly Eq. 1, restricted to the 7 leftmost bits. Using Eq. 3, which can be generalized to the sum of \(2^{32}\) values, we can reformulate the condition we have to check as follows:

$$\begin{aligned} \left( \sum _i FL7^{-1}(C^R_i) \right) _{\{31,30,\ldots ,25\}} =&\sum _i \left[ \left( S9(J^{2L}_i) \oplus S9(J^{1L}_i) \right) \oplus \left( (J^{2R}_i \oplus S7(J^{2R}_i)\right) \right] \\&\oplus \sum _i \left[ \left( J^{1R}_i \oplus S7(J^{1R}_i)) \right) \right] \oplus \sum _i X^{R}_{\{15,14,\ldots ,9\}}, \end{aligned}$$

or equivalently (by rearranging the terms),

$$\begin{aligned}&\underbrace{\left( \sum _i FL7^{-1}(C^R_i) \right) _{\{31,30,\ldots ,25\}} \oplus \sum _i \left( (J^{2R}_i \oplus S7(J^{2R}_i)) \oplus (J^{1R}_i \oplus S7(J^{1R}_i)) \right) }_{LHS} \nonumber \\&\quad =\underbrace{\sum _i \left[ \left( S9(J^{2L}_i) \oplus S9(J^{1L}_i) \right) \right] \oplus \sum _i X^{R}_{\{15,14,\ldots ,9\}}}_{RHS}. \end{aligned}$$

(4)

Note that by the structure of the \(FL\) function, the value \(\left( \sum _i FL7^{-1}(C^R_i) \right) _{\{31,30,\ldots ,25\}}\) can be computed from the ciphertext given only the 7 leftmost bits of the subkey \(KL_{7,2}\). Therefore, given the ciphertext, the left hand side of Eq. 4 depends on 35 subkey bits (seven bits of \(KL_7\), 14 bits of \(KL_8\), seven bits of \(AKO_{5,1}\) and 7 bits of \(AKO_{5,2}\)) while the right hand side depends on 36 subkey bits (18 bits of \(KL_8\), 9 bits of \(AKO_{5,1}\) and 9 bits of \(AKO_{5,2}\)). We can thus check the validity of Eq. 4 by a meet-in-the middle procedure between two evaluations that depend on 35 and 36 disjoint subkey bits, respectively.

4.5 Attack algorithm

After discussing all the required components, the description of the attack is simple and straightforward. For the sake of clarity, we introduce a notation for the subkey bits used in the attack.

Let \(K_{RHS}\) denote the 36 subkey bits required for the computation of the right hand side (RHS) of Eq. 4. These are bits \(\{15,14,\ldots ,7\}\) of the subkey words \(KL_{8,1}, KL_{8,2}, AKO_{5,1}\) and \(AKO_{5,2}\). Similarly, \(K_{LHS}\) (required for the LHS) is composed of bits \(\{6,5,\ldots ,0\}\) of \(KL_{8,1}, KL_{8,2}, AKO_{5,1}\) and \(AKO_{5,2}\) and of bits \(\{15,14,\ldots ,9\}\) of \(KL_{7,2}\).

The attack algorithm is the following:

1. 1.

   Ask for the encryption of 12 structures of \(2^{32}\) chosen plaintexts, such that in each structure, the left 32 bits are held constant, and the right 32 bits take on all possible values.

2. 2.

   For each guess of the 35 subkey bits denoted by \(K_{LHS}\), compute the LHS of Eq. 4 for each of the 12 structures, and store the 84-bit vector composed of the 12 values of the 7-bit LHS in a hash table.

3. 3.

   For each guess of the 36 subkey bits denoted by \(K_{RHS}\), compute the RHS of Eq. 4 for each of the 12 structures, check whether the 84-bit vector composed of the 12 values of the RHS is in the hash table.

Since the table provides an 84-bit filtering and we examine only \(2^{71}\) subkey suggestions, it is expected that only the right key guess suggests a collision in the table. Thus, the attack retrieves the value of 71 subkey bits (the full subkeys \(KL_{8,1},KL_{8,2},AKO_{5,1},\) and \(AKO_{5,2}\), and seven bits of \(KL_{7,2}\)).

4.6 Efficient implementation of the attack and its analysis

In a naive implementation, the time complexity of the attack is about \(12 \cdot 2^{36} \cdot 2^{32} = 2^{71.6}\) operations, since in Step 2, for each of the 12 structures, we have to compute the XOR of \(2^{32}\) values, under each of \(2^{36}\) subkey guesses. The time complexity can be dramatically reduced, using the partial sum technique, proposed by Ferguson et al. in their Square attack on reduced-round AES [10].

The partial sum technique suggests to use the fact that the Square structure can be replaced by a smaller structure which yields the same sum, after only a part of the subkey bits are guessed. For example, due to the linearity of the \(FL\) function, we have

$$\begin{aligned} \sum _i FL7^{-1}(C^R_i) = FL7^{-1}\left( \sum _i C^R_i\right) . \end{aligned}$$

Hence, instead of computing \(\sum _i FL7^{-1}(C^R_i)\) for each guess of the seven bits of \(KL_7\) separately (which would require \(2^7 \cdot 2^{32}=2^{39}\) operations), we can compute \(\sum _i C^R_i\) (which requires \(2^{32}\) XORs), and only then compute \(FL7^{-1}(\sum _i C^R_i)\) for each guess of \(KL_7\) (which requires only \(2^7\) operations).

As the application of the partial sum technique in computing the terms of Eq. (4) is quite cumbersome, and all terms are computed roughly in the same way, we exemplify this application for one of the terms, and leave the rest of the terms to the reader.

Consider the term \(\sum _i S9(J^{2L}_i)\) which depends on 27 subkey bits. We perform its computation in several stages.

1. 1.

   First, we proceed from \(C^L\) to \(FL8^{-1}(C^L)\) which is the input to \(FO5\). We observe that since the value of the 18 bits in \(FL8^{-1}(C^L)\) we are interested in, depends on only 18 bits of \(C^L\), then if two ciphertexts are equal in these 18 bits then their contributions to \(\sum _i S9(J^{2L}_i)\) cancel each other. Thus, before guessing \(KL_8\), we can go over the ciphertexts and replace the sequence of \(2^{32}\) ciphertexts with a sequence of length \(2^{18}\) that indicates the parity of the number of appearances of each 18-bit value amongst these ciphertexts. This computation requires \(2^{32}\) operations, but can be performed before any key material was guessed. The result of this step, is that the following operations are performed for “structures” of size \(2^{18}\) rather than \(2^{32}\).

2. 2.

   As a second step, we compute \(\sum _i S9(J^{2L}_i)\) for the reduced “structure”. Since \(S9(J^{2L})\) depends on only 9 of the 18 bits we computed in \(FL8^{-1}(C^R)\), we can replace the sequence of \(2^{18}\) parity bits with a shorter sequence of size \(2^9\) which corresponds to the 9 bits that influence \(S9(J^{2L})\). This shrinking cannot be performed before the guess of the 18 bits of \(KL_8\), but it can be performed before the guess of \(AKO_{5,2}\). Therefore, under the “heavier” guess of \(AKO_{5,2}\) we have to perform only \(2^9\) simple operations.

3. 3.

   As a third step, we compute \(\sum _i S9(J^{2L}_i)\) independently of the guess of \(AKO_{5,1}\) and store it in an auxiliary table corresponding to the guessed value of \(AKO_{5,2}\). Then, the combination of the guesses of \(AKO_{5,1}\) with the guesses of \(AKO_{5,2}\) requires only a few operations for each pair of guesses.

Using this procedure, the computation of \(\sum _i S9(J^{2L}_i)\) can be performed in \(2^{32} + 2^{18} \cdot 2^{18} + 2^{27} \cdot 2^9 + 2^{36} \cdot 2 = 2^{38}\) operations, instead of \(2^{32} \cdot 2^{27} = 2^{59}\) operations.

All the other terms of Eq. 4 can be also computed in time of at most \(2^{38}\) simple operations for each Square structure. In total, the number of operations performed by the attack is approximately \(2^{36}\) 1-round encryptions for each Square structure, which amount to less than \(2^{38}\) encryptions. Hence, the data complexity of the attack is \(2^{35.6}\) chosen plaintexts, and its time complexity is \(2^{38}\) encryptions. The memory complexity is dominated by the storage of the plaintext/ciphertext pairs, which requires \(2^{36.6}\) 64-bit blocks.

4.7 Retrieving the rest of the secret key

The adversary can use similar techniques to retrieve the rest of the subkey used in \(AKO_5\). First, she can perform a meet-in-the-middle procedure based on examining bits \(\{24,23,\ldots ,16\}\) of the output of \(FL6\), and retrieve the subkeys \(AKI_{5,1},AKI_{5,2},\) and the 9 remaining bits of \(KL_{7,2}\). Then, by checking the rest of the bits of \(FL6\)’s output, she can retrieve the subkeys \(AKO_{5,3}, AKI_{5,3},\) and \(KL_{7,1}\). By the key schedule, these subkeys supply the adversary with the key words \(K2,K3,K4,K5,K6,\) and \(K7\). The two remaining key words can be found by exhaustive key search over \(2^{32}\) possible values. Therefore, the entire secret key can be found in a total time of \(2^{38}\) encryptions.

4.8 Exploiting the low algebraic degree of the S-boxes

In this section we show that the meet-in-the-middle technique presented in Sect. 4.4 can be used to reduce the data complexity of the higher-order differential attack of Hatano et al. [12] on 5-round MISTY1 from \(2^{21.6}\) to \(2^{18}\), at the expense of increasing the time complexity from \(2^{28}\) to \(2^{34}\). We note that while this attack is faster than the other attacks presented in this paper, it can be easily thwarted by replacing the S-boxes of MISTY1 by S-boxes with a higher algebraic degree.

4.8.1 The attack of Hatano et al. [12]

The central observation used in [12] (which in itself is an enhancement of an observation of Babbage and Frisch [2]) is the following:

Proposition 3

([12]) Consider a structure of \(2^{14}\) plaintexts where the left 32 bits and bits 31–23 and 15–7 of the right half are held constant, and the remaining 14 bits take all possible values, and encrypt it through rounds 1–4 of MISTY1. Then the 7 leftmost bits of the XOR of the \(2^{14}\) inputs of the function \(FL6\) is zero.

The proof of the proposition is quite complex, and exploits the low algebraic degree of the S-boxes of MISTY1. Like in our Square attack above, we call a structure of \(2^{14}\) plaintexts satisfying the proposition a “Square structure”.

Note that while Proposition 2 uses the Square structure to predict the output of the function \(FL6\), Proposition 3 gives knowledge only on part of the input of \(FL6\), that cannot be reached from the ciphertext side. In order to overcome this problem, Hatano et al. observed that if for some \(i \le 7\), the \(i\)th leftmost bit of the subkey \(KL_{6,2}\) (i.e., \([KL_{6,2}]_{16-i}\)) equals 1, then the \(i\)th leftmost bit of the output of \(FL6\) equals to the complement of the \(i\)th leftmost bit of the input to \(FL6\). Therefore, an adversary can perform seven attacks, such that in the \(i\)th attack she assumes that \([KL_{6,2}]_{16-i}=1\) and uses the fact that in each Square structure, the \(i\)th leftmost bit of the XOR of the \(2^{14}\) outputs of \(FL6\) equals zero. The overall attack fails only if \([KL_{6,2}]_{\{15,14,\ldots ,9\}}=\{0,0,0,0,0,0,0\}\), which happens only for \(2^{-7}\) of the keys. When the attack fails, we obtain the knowledge of seven bits of the key.

The standard way to exploit the 4-round Square property to attack 5-round MISTY1 is to consider several Square structures, guess some keying material in round 5, partially decrypt the ciphertexts and check whether the \(2^{32}\) corresponding outputs of \(FL6\) sum up to zero in the \(i\)th leftmost bit. Formally, the equation one has to check is:

$$\begin{aligned} \sum _{j=1}^{2^{14}} [O_j \oplus FL7^{-1}(C^R_j)]_{32-i} \mathop {=}\limits ^{?} 0, \end{aligned}$$

(5)

since \(O_i \oplus FL7^{-1}(C^R_j)\) equals the output of \(FL6\) in the encryption of the \(j\)th plaintext.

In [12], the equation is checked by representing the left hand side as a non-linear function of the ciphertext and the last round subkey bits and solving it by linearization. Despite the large number of subkey bits involved, the number of variables after the linearization is not so big (i.e., only a few hundreds of variables), due to the low algebraic degree of the S-boxes and to the ability to divide the \(FO\) function into four chunks as described above. As a result, about 200 structures are sufficient to solve the equations, and the solution process is efficient. The resulting complexity is \(2^{21.6}\) chosen plaintexts and \(2^{28}\) encryptions.

4.8.2 Reducing the data complexity using our techniques

The data complexity of the attack of Hatano et al. can be reduced by using our meet-in-the-middle technique to check the validity of Eq. 5, instead of the linear equations used in [12]. In a basic implementation, the attack procedure is exactly the same as in our Square attack described above (including application of the partial sums technique). Since \(64+1=65\) subkey bits are to be recovered (compared to 71 in the attack above), and since each Square structure gives only a single bit of information (compared to seven bits in the attack above), the number of required structures is 65. Hence, the data complexity is about \(2^{20}\) chosen plaintexts, and the time complexity is about \(2^{41}\) encryptions. Note that the complexity is higher than the complexity of our Square attack, due to the need to repeat the attack seven times, and since there are six times more structures than in our Square attack.

The time complexity can be reduced significantly by switching to a chosen ciphertext attack. The Square structure exploited in the new attack is similar to the structure of Proposition 3, and the only difference is that the round whose subkey is to be recovered becomes round 1, instead of round 5. This allows to use the fact that the subkeys \(KO1\) and \(KL_{1,1}\) are equal, which reduces the amount of key material the adversary has to handle by 16 bits. As a result, the time complexity is reduced to about \(2^{33}\) encryptions, without increasing the data complexity.

Finally, since for 77 % of the keys, at least three of the bits \([KL_{6,2}]_{\{15,\ldots ,9\}}\) are equal to 1, the adversary can repeat the attack for all 35 choices of three indices \(i_1,i_2,i_3 \in \{1,2,\ldots ,7\}\), and work under the assumption that in each Square structure, bits \(32-i_1,32-i_2,\) and \(32-i_3\) of the XOR of the \(2^{14}\) outputs of \(FL6\) equals zero. As a result, each structure gives three bits of information, which reduces the number of required structures to less than 20. On the other hand, since the attack has to be repeated 35 times instead of seven times, the time complexity is increased. Overall, the data complexity is reduced to \(2^{18}\) chosen ciphertexts (which is 12 times less than in Hatano et al.’s attack), while the time complexity is increased to \(2^{34}\) encryptions.

4.8.3 Enhancing the attack using a recent observation of [26]

In a recent paper, Tsunoo et al. [26] used a finer analysis of the algebraic degree of components of MISTY1 to enhance Proposition 3. They showed that each of the plaintext structures considered in Proposition 3 (consisting of \(2^{14}\) plaintexts) can be further divided into 4 sub-structures of \(2^{12}\) plaintexts each, such that the 7 leftmost bits of the XOR of the \(2^{12}\) inputs of the function FL6 is zero for each sub-structure. Moreover, such division can be performed in 7 different ways, resulting in 28 different Square structures of size \(2^{12}\) that can be constructed from each Square structure of size \(2^{14}\). Tsunoo et al. used their enhancement to improve the attacks of [25] on 6-round and 7-round variants of MISTY1 by a factor of \(2^{4.4}\).

The improvements suggested by Tsunoo et al. can be applied without any change both to Hatano’s attack on 5-round MISTY1 described above, and to our reduced-data-complexity variant. As a result, we obtain an attack on 5-round MISTY1 with all FL functions requiring only \(2^{14}\) chosen ciphertexts (i.e., a single structure of size \(2^{14}\)), while retaining the practical time complexity of \(2^{34}\) encryptions.

4.9 Application to other variants of MISTY1

It is clear that the Square attack applies without change to a stronger variant of MISTY1 in which the \(FL\) layers are applied after every single round.

It is more interesting to note that a variant of the attack applies to 5-round KASUMI. Since in the design of KASUMI, the \(FI\) function was extended to four rounds, it becomes impossible to divide the state of \(FO\) to four chunks. However, since the \(FO\) function itself was not extended, division into two 16-bit chunks using the Sakurai–Zheng relation is still possible. This allows to check the Square condition by a meet-in-the-middle procedure, which uses an external guess of the 16-bit subkey \(KL_{5,1}\), the subkeys \((KL_{5,2},KO_{5,1},KI_{5,1,2})\) from the one side and \((KO_{5,2},KI_{5,2,2})\) from the other side. It appears that the partial sums technique also becomes less effective, and the total complexity of the attack becomes around \(2^{68}\) operations. We do not present the details in full, since this attack is less efficient than the higher-order differential attack of Sugio et al. [23].

5 A related-key slide attack on 8-round MISTY1 without \(FL\) layers

In a MISTY1 variant without the \(FL\) layers, each subsequent round subkey is a shift by one key word of the previous round subkey (see Table 2 and Fig. 4). This allows mounting a related-key slide attack [3],⁸ using the pair of related-keys \(K=(K_1,K_2,\ldots ,K_8)\), \(K^*=(K_2,K_3,\ldots ,K_8,K_1)\). As we show below, \(2^{18}\) appropriately chosen plaintexts are expected to contain about four slid pairs, and these pairs can be efficiently identified. Once detected, they can be used to attack a single round of MISTY1 with several plaintext/ciphertext pairs. We follow and show that given these pairs, using the division of the \(FO\) function, we can efficiently recover the key. This yields a related-key attack on 8-round MISTY1 without the \(FL\) layers requiring only \(2^{18}\) data and time. In the following, we present the detailed description of the attack and report its experimental verification.

Fig. 4

Two related-key MISTY1 encryptions

5.1 First phase—detecting the related-key slid pairs

Consider a pair of related-keys of the form \(K=(K_1,K_2,\ldots ,K_8)\) and \(K^*=(K_2,K_3,\ldots ,K_8,K_1)\) for 8-round MISTY1 without the \(FL\) layers. Note that due to the key schedule, for each \(2 \le i \le 8\), the \(i\)-th round key corresponding to \(K^*\) is equal to the \((i+1)\)-th round key corresponding to \(K\). That is, \(KO^*_{i,j}=KO_{i+1,j}\) and \(KI^*_{i,j}=KI_{i+1,j}\) for all \(i,j\). This implies that if for a pair of plaintexts \((P,P^*)\), \(P^*\) is equal to the 1-round MISTY encryption of \(P\) under the subkey \((KO_{1,1},KO_{1,2},KO_{1,3},KO_{1,4},KI_{1,1},KI_{1,2},KI_{1,3})\), then \(C^*\) is equal to the 1-round MISTY encryption of \(C\) under the 8th round subkey of \(K^*\) which happens to be:

$$\begin{aligned}&(KO^*_{8,1},KO^*_{8,2},KO^*_{8,3},KO^*_{8,4},KI^*_{8,1},KI^*_{8,2},KI^*_{8,3}) \\&\,= (KO_{1,1},KO_{1,2},KO_{1,3},KO_{1,4},KI_{1,1},KI_{1,2},KI_{1,3}) \end{aligned}$$

(see Fig. 4). We denote such pairs as slid pairs.⁹

Given the Feistel structure of MISTY1 (with no \(FL\) functions), it is easy to construct and detect slid pairs. This relies on the fact that if \((P,C)\) and \((P^*,C^*)\) compose a slid pair, then the following two relations must hold: \(P^L=P^{*R}\) and \(C^L=C^{*R}\). Since in the second phase of the attack we need at least three slid pairs, we construct them as follows:

1. 1.

   Detecting candidate slid pairs

   1. (a)

      Ask for the encryption, under the key \(K\), of a structure of \(2^{17}\) plaintexts of the form \(P_i=(A,X_i)\), where \(A\) is a random 32-bit fixed value and \(X_i\) assumes \(2^{17}\) different values. Denote the corresponding ciphertexts by \(C_i\) (\(1 \le i \le 2^{17}\)), and store the pairs \((P_i,C_i)\) in a hash table sorted according to the value of \(C_i^L\).

   2. (b)

      Ask for the encryption, under the key \(K^*\), of a structure of \(2^{17}\) plaintexts of the form \(P^*_i=(Y_i,A)\), where \(A\) is the same 32-bit fixed value as in the previous step, and \(Y_i\) assumes \(2^{17}\) different values. Denote the corresponding ciphertexts by \(C^*_j\) (\(1 \le j \le 2^{17}\)). For each pair \((P^*_j,C^*_j)\), access the hash table in the cell corresponding to \(C^{*R}\) to find all pairs \((P_i,C_i)\) such that \(C_i^L=C^{*R}_i\).

This algorithm is an efficient way to check the equality in 32 bits among all the \(2^{17} \cdot 2^{17} = 2^{34}\) pairs. Hence, we expect that about \(2^{34} \cdot 2^{-32} = 4\) pairs pass this step randomly. Given the equality in the 32 bits which were set in the plaintext, the probability of a pair to indeed be a slid pair is \(2^{-32}\), which means we expect 4 slid pairs (in addition to the few random ones).

Fortunately, we can easily discard the false hits by examining the first round. For a slid pair \((P_i,C_i),(P^*_j,C^*_j)\), we know that \(P^*_j\) is equal to the 1-round encryption of \(P_i\). In particular, this implies \(FO1(A) \oplus X^R_i = Y^L_j\). Since \(A\) is constant for all plaintexts in the structures, we get that for all slid pairs, \(X^R_i \oplus Y^L_j = B\), for some constant \(B\)(\(=FO1(A)\)). One can safely assume (as supported by our experiments), that the values of \(X^R_i \oplus Y^L_j\) for wrong pairs which passed the filtering, are distributed randomly, thus we can identify the slid pairs as follows:

1. 2.

   Discarding the false hits For each pair that passed the first step, compute the value of \(X^R_i \oplus Y^L_j\). Discard all pairs whose result is unique.

With an overwhelming probability, only the slid pairs remain after this stage. Since the number of slid pairs follows the \(Poisson(4)\) distribution, the probability that the data contains at least three slid pairs is \(1-e^{-4}(1+4+16/2) = 0.76\). We assume that this is the case, and denote these pairs (w.l.o.g.) by \(((P_i,C_i),(P^*_i,C^*_i))\), for \(i=1,2,3\). Each of these slid pairs yields two input/output pairs for the \(FO\) function under the subkey \((KO_{1,1},KO_{1,2},KO_{1,3},KO_{1,4},KI_{1,1},KI_{1,2},KI_{1,3})\): the pair \((A, X^R_i \oplus Y^L_i)\) obtained from the first round of the encryption under \(K\), and the pairs \((C_i^L,C^R_i \oplus C^{*L}_i)\) (for \(i=1,2,3\)) obtained from the last round encryption under \(K^*\). As all three pairs share the same input to the first round of encryption under \(K\) (i.e., the value of \(A\)), and the output of that round (i.e., the value of \(X^R_i \oplus Y^L_i\)), we obtain four pairs of input/output to this round function (or more, if more than three slid pairs exist), denoted by \(({\mathcal {I}}_j,{\mathcal {O}}_j)\) for \(j=1,\ldots ,4\), which can then be used in the analysis. We emphasize the fact that due to the key schedule of MISTY1, the first round of encryption under \(K\), uses the same subkeys as the last round of encryption under \(K^*\), i.e., they share the round function itself.

5.2 Second phase—dividing \(FO\) yet another time

In order to retrieve the subkey of the \(FO\) function efficiently, we divide its state once again. Similarly to Sect. 4, we consider the seven leftmost bits of \(FO\)’s output and use a meet-in-the-middle technique to find the subkeys \(AKO_{1,1}\) and \(AKO_{1,2}\). In the following, we use the notations introduced in Sect. 4 (with \(FO1\) replacing \(FO5\)), including the equivalent description of the \(FO\) function.

The first step of this phase of the attack is as follows:

1. 1.

   Retrieving the subkeys \(AKO_{1,1}\) and \(AKO_{1,2}\):

   1. (a)

      For each value of the subkey \(AKO_{1,1}\), partially encrypt the four inputs \(({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_4)\) through the function \(FI_{1,1}\) to obtain the four intermediate values at the state \(I_1^{1L}\). Denote the four obtained values by \(Z_1,Z_2,Z_3,Z_4\). Store in a hash table the 21-bit vector

      $$\begin{aligned}&(Z_1 \oplus Z_2, Z_1 \oplus Z_3, Z_1 \oplus Z_4) \oplus ({\mathcal {I}}^R_1 \oplus {\mathcal {I}}^R_2, {\mathcal {I}}^R_1 \oplus {\mathcal {I}}^R_3, {\mathcal {I}}^R_1 \oplus {\mathcal {I}}^R_4)_{\{15,14,\ldots ,9\}} \\&\quad \oplus ({\mathcal {O}}^L_1 \oplus {\mathcal {O}}^L_2, {\mathcal {O}}^L_1 \oplus {\mathcal {O}}^L_3, {\mathcal {O}}^L_1 \oplus {\mathcal {O}}^L_4)_{\{15,14,\ldots ,9\}}. \end{aligned}$$
   2. (b)

      For each value of the subkey \(AKO_{1,2}\), partially encrypt the four inputs \(({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_4)\) through the function \(FI_{1,2}\) to obtain the four intermediate values at the state \(I_1^{2L}\). Denote the four obtained values by \(W_1,W_2,W_3,W_4\). Access the hash table with the 21-bit vector \((W_1 \oplus W_2, W_1 \oplus W_3, W_1 \oplus W_4)\) and search for collisions.

From the structure of the \(FO\) function, a collision in the table is equivalent to satisfying

$$\begin{aligned} ({\mathcal {O}}_1^L \oplus {\mathcal {O}}_j^L)_{\{15,\ldots ,9\}} \oplus (C^{*L}_1 \oplus C^{*L}_j)_{\{15,\ldots ,9\}} = (C^R_1 \oplus C^R_j)_{\{15,\ldots ,9\}}, \end{aligned}$$

for \(j=2,3,4\). Obviously, this happens when the right keys are used, which means that of the \(2^{16}\cdot 2^{16}=2^{32}\) candidates for \(AKO_{1,1}\) and \(AKO_{1,2}\), about \(2^{32} \cdot 2^{-21}=2^{11}\) satisfy the relation for \(j=2,3,4\), including the right subkey guess.

In the next step of the attack, we try all these \(2^{11}\) possible values and recover the values of the subkeys \(AKI_{1,1}\) and \(AKI_{1,2}\), while discarding some wrong key guesses. This step of the attack completes the evaluation of the Sakurai–Zheng relation in the 9 bits which were not earlier checked, as follows:

1. 2.

   Retrieving the subkeys \(AKI_{1,1}\) and \(AKI_{1,2}\) For each remaining suggestion for \(AKO_{1,1}\) and \(AKO_{1,2}\) from Step 1, perform the following:

   1. (a)

      For each value of the subkey \(AKI_{1,1}\), partially encrypt the four plaintexts \(({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_4)\) through the function \(FI_{1,1}\) to obtain the four intermediate values at the state \(I_1^{1R}\). Denote the four obtained values by \(Z'_1,Z'_2,Z'_3,Z'_4\). Store in a hash table the 27-bit vector

      $$\begin{aligned}&(Z'_1 \oplus Z'_2, Z'_1 \oplus Z'_3, Z'_1 \oplus Z'_4) \oplus ({\mathcal {I}}_1 \oplus {\mathcal {I}}_2, {\mathcal {I}}_1 \oplus {\mathcal {I}}_3, {\mathcal {I}}_1 \oplus {\mathcal {I}}_4)_{\{8,7,\ldots ,0\}} \\&\quad \oplus ({\mathcal {O}}^L_1 \oplus {\mathcal {O}}^L_2, {\mathcal {O}}^L_1 \oplus {\mathcal {O}}^L_3, {\mathcal {O}}^L_1 \oplus {\mathcal {O}}^L_4)_{\{8,7,\ldots ,0\}}. \end{aligned}$$
   2. (b)

      For each value of the subkey \(AKI_{1,2}\), partially encrypt the four plaintexts \(({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_4)\) through the function \(FI_{1,2}\) to obtain the four intermediate values at the state \(I_1^{2R}\). Denote the four obtained values by \(W'_1,W'_2,W'_3,W'_4\). Access the hash table with the 27-bit vector \((W'_1 \oplus W'_2, W'_1 \oplus W'_3, W'_1 \oplus W'_4)\) and search for collisions.

From the structure of the \(FO\) function, a collision in the table is equivalent to having

$$\begin{aligned} ({\mathcal {O}}_1^L \oplus {\mathcal {O}}_j^L)_{\{8,\ldots ,0\}} \oplus (C^{*L}_1 \oplus C^{*L}_j)_{\{8,\ldots ,0\}} = (C^R_1 \oplus C^R_j)_{\{8,\ldots ,0\}}, \end{aligned}$$

for \(j=2,3,4\). As for the right key guess, these three equations are necessarily satisfied, the correct value of the subkeys \(AKI_{1,1}\) and \(AKI_{1,2}\) is suggested by one of the collisions. At the same time, the number of suggested subkeys is \(2^{11} \cdot 2^9 \cdot 2^9 \cdot 2^{-27} = 4\). Hence, we remain with only about 4 suggestions for the 50 subkey bits \(AKO_{1,1}, AKO_{1,2}, AKI_{1,1}, AKI_{1,2}\).

The rest of the round subkey can be now found easily, as follows:

1. 3.

   Retrieving the rest of the round subkey For each remaining suggestion for \(AKO_{1,1}, AKO_{1,2}, AKI_{1,1}, AKI_{1,2}\), perform the following:

   1. (a)

      For each value of the subkey \(AKO_{1,3}\), partially encrypt the four plaintexts \(({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_4)\) through the function \(FI_{1,3}\) to obtain the four intermediate values at the state \(I_1^{3L}\). Denote the four obtained values by \(Z''_1,Z''_2,Z''_3,Z''_4\). Use the values \(Z''_1 \oplus Z''_2, Z''_1 \oplus Z''_3, Z''_1 \oplus Z''_4\) to compute the 21-bit vector \(({\mathcal {O}}_1^R \oplus {\mathcal {O}}_2^R, {\mathcal {O}}_1^R \oplus {\mathcal {O}}_3^R, {\mathcal {O}}_1^R \oplus {\mathcal {O}}_4^R)_{\{15,14,\ldots ,9\}}\) and compare it with the known values.

   2. (b)

      For each value of the subkey \(AKI_{1,3}\), partially encrypt the four plaintexts \(({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_4)\) through the function \(FI_{1,3}\) to obtain the four intermediate values at the state \(I_1^{3R}\). Denote the four obtained values by \(W''_1,W''_2,W''_3,W''_4\). Use the values \(W''_1 \oplus W''_2, W''_1 \oplus W''_3, W''_1 \oplus W''_4\) to compute the 27-bit vector \(({\mathcal {O}}_1^R \oplus {\mathcal {O}}_2^R, {\mathcal {O}}_1^R \oplus {\mathcal {O}}_3^R, {\mathcal {O}}_1^R \oplus {\mathcal {O}}_4^R)_{\{8,\ldots ,0\}}\) and compare it with the known values.

   3. (c)

      For each remaining value of the subkeys \(AKO_{1,3}, AKI_{1,3}\), encrypt \({\mathcal {I}}_1\) through the entire \(FO\) except for the last subkey addition to obtain the value of the state \(X_1^{3}\), and compute the subkeys \(AKO_{1,4},AKO_{1,5}\) using the formula

      $$\begin{aligned} (X_1^{3L},X_1^{3R}) \oplus (AKO_{1,4},AKO_{1,5}) = ({\mathcal {O}}^L,{\mathcal {O}}^R). \end{aligned}$$

The condition in Step 3(a) offers a 21-bit filtering on the key value. Thus, only the correct suggestion of the subkey \(AKO_{1,1}, AKO_{1,2}, AKI_{1,1}, AKI_{1,2}, AKO_{1,3}\) is expected to remain after that step. Steps 3(b) and 3(c) each yield single values of the subkeys \(AKI_{i,3},AKO_{1,4},\) and \(AKO_{1,5}\), thus yielding a single suggestion for the 107-bit equivalent round subkey.

The most time-consuming step in the second phase of the attack is Step 2, which is composed of \(2^{10}\) simple operations performed for each of \(2^{11}\) suggestions of \(AKO_{1,1}, AKO_{1,2}\). As this step is much faster than \(2^{18}\) encryptions, the overall complexity of the attack is dominated by the encryption of \(2^{18}\) chosen plaintexts performed at the beginning of the attack. Therefore, the data, memory and time complexities of the attack are as low as \(2^{18}\).

5.3 Retrieving the rest of the secret key

By guessing the 7 leftmost bits of the subkeys \(K'_2\) and \(K'_6\) and using the retrieved subkey of \(KO_1\), the adversary obtains \(2^{14}\) suggestions for the key words \(K_1,K_3,K_5,K_8\) and the subkey words \(K'_2, K'_4,K'_6\). By the construction of the subkeys, this yields also the key words \(K_2,K_4\), and with an additional 16-bit guess of \(K_6\) this yields \(2^{30}\) suggestions for the full secret key (\(K_7\) can be derived from \(K_6\) and \(K'_6\)). Hence, the secret key can be found by an exhaustive search over \(2^{30}\) possible values. In order to further improve this complexity, the adversary must analyze also other rounds, which can be obtained, e.g., by peeling off the first round and applying a related-key slide attack on a 7-round variant. However, this would require an increase in the data complexity and in the number of related-keys.

5.4 Experimental verification

To verify this attack, we have executed two experiments. The first experiment took 1,000,000 random keys, and generated \(2^{18}\) pairs as suggested in Sect. 5.1. We verified that the amount of slid pairs indeed follows the expected distribution, and that on very rare occasions (about 130), one can expect an additional wrong value to be suggest by two pairs which are not slid pairs (as expected from a random process). Table 4 reports the number of slid pairs found in each experiment compared with the expected outcome.

Table 4 The results of 1,000,000 experiments to generate (and locate) the slid pairs

The second experiment we conducted was running the full attack algorithm for 10,000 different keys. Out of these 10,000 experiments, 7,643 ended with success (i.e., the full 107-bit key was recovered), whereas the remaining experiments failed (all but one due to lack of sufficient slid pairs). This part of the experiment was timed using the basic clock_gettime call. The running times of the failed cases and the successful cases varied—as the key recovery phase was not invoked unless 3 slid pairs were found. For failed attempts, the average running time was 0.05216 s, whereas the average running time for successful attacks was 0.14949 s for both data generation and the key recovery phase. The experiment was carried on an Intel i7-3520 machine running at 2.9 GHz, running Linux 3.2.0-23, compiled with gcc 4.6.3 (with a single optimization flag “-O2”). All relevant parts of the code were taken from the Misty1’s submission to the NESSIE project. We report in Table 5 the statistical data concerning this experiment.

Table 5 The results of 10,000 full runs of our related-key attack

Hence, we conclude that our attack on MISTY1 with no FL layers is valid and of practical complexities.

5.5 Applicability to other variants of MISTY1

The same attack can be applied to cases with any number of rounds of MISTY1 without the \(FL\) functions. In these cases, slightly more data is needed to ensure that there are indeed four input/output pairs to the analyzed round function (as the first and last rounds may not share the exact subkeys). In exchange, one can easily retrieve the full key by applying the analysis to the first round (in addition to the last round).

An interesting observation is that a small modification of the attack applies to the stronger MISTY1 variant in which \(FL\) functions are applied after every round, discussed in Sect. 4.9. Indeed, in such a variant, the \(FL\) keys also satisfy the cyclic property satisfied by the \(FO\) keys (see Table 2), and hence, the basic related-key slide attack can be applied. However, as a single round in this modified construction contains not only a Feistel round but also an \(FL\) function, the detection of the slid pairs becomes more complicated, which requires guessing the subkeys of the last rounds right hand side \(FL\) function (the one in \(K^*\)), and repeating the attack of Sect. 4.5 for each such guess. This results in an attack with data complexity of roughly \(2^{18}\) chosen plaintexts, and time complexity of about \(2^{68}\) encryptions.

When the adversary has access to encryption (without the \(FL\) layers) under 8 related-keys which compose all the word-wise cyclic shifts of a single key, one can run a significantly more efficient attack by attacking the \(FL\) functions (like in Sect. 3). This is done by using the fact that when a related-key slid pair is encrypted (under the respective keys), it maintains the slid pair property [5, 11]. The adversary considers the above pair of structures of size \(2^{17}\) each, and generates from each plaintext, a sequence of a few adaptively chosen plaintexts, by sequential encryption. Then, in order to check whether a given pair of values is a slid pair, the adversary looks at the subsequent plaintext pairs, and checks a sequence of conditions of the form \(FL1(P^{iL})=P^{*iR}\), which must hold simultaneously (where \(FL1\) is the \(FL\) function applied to the left half of the state in the first round). Using the procedure of Sect. 3, one can identify the correct \(FL2\) key in time of a few operations for each candidate slid pair, and use a few additional pairs from the encrypted sequence as a filtering check. This allows to retrieve the right slid pairs, along with the two subkey words \(KL_{1,1},KL_{1,2}\) in time of about \(2^{34}\) (since \(2^{34}\) candidate pairs are checked). Depending on the exact number of rounds in the MISTY1 variant, one can either perform the same attack on other \(FL\) functions (taking into consideration slid pairs with other offsets), or apply the attack of Sect. 4.5. Hence, with data complexity of about \(2^{24}\) adaptively chosen plaintexts encrypted under 8 related-keys (where \(2^{21}\) plaintexts are encrypted under each key), one can recover the full key in time of about \(2^{36}\) encryptions (or even less).

It should be mentioned that unlike the Square attack presented in Sect. 4, this attack was completely thwarted by the designers of KASUMI [1]. In KASUMI, though the key schedule is simpler than that of MISTY1, it contains distinct round constants which are added to every round subkey. These constants seem to prevent any related-key slide attack.

6 Summary and conclusions

In this paper, we considered attacks with a practical time complexity against reduced variants of MISTY1. We presented the first attack on 5-round MISTY1 with all the \(FL\) layers present which applies even if the \(FO\) function is replaced by an arbitrarily strong function, and an extremely efficient related-key attack on 8-round MISTY1 without the \(FL\) layers requiring \(2^{18}\) encryptions. The related-key attack was fully verified experimentally.

Our attacks point out three weaknesses in the components of MISTY1:

1. 1.

   The 3-round Feistel structure of the \(FO\) and \(FI\) functions allows to divide the state of \(FO\) into four smaller parts of 7, 9, 7, 9 bits each, whose interaction is limited.

2. 2.

   The \(FL\) function can be divided into sixteen 2-bit functions applied in parallel, and the same holds for a sequential application of several \(FL\) functions.

3. 3.

   The key schedule of \(MISTY1\) without the \(FL\) functions lacks round constants, and hence, makes this variant susceptible to related-key slide attacks. We note that this seems to be the first case of a “reasonable” cipher variant whose security completely collapses (up to the point of a practical time complexity attack) against this sort of related-key attacks.

As we showed, combinations of these weaknesses can be deployed by an adversary to mount practical-time attacks on 5-round MISTY1 with all \(FL\) layers, and on the full MISTY1 without the \(FL\) layers (the latter in the related-key model).

In comparison, it is interesting to see how these weakness were handled by ETSI’s SAGE task force working for the GSM association in the design of KASUMI (based on MISTY1):

1. 1.

   The \(FI\) function was strengthened by adding a fourth round to the Feistel structure, while the \(FO\) function remained with a 3-round structure. As we showed in Sect. 4.9, this thwarts the Square attack only partially, still allowing to divide the state into two 16-bit parts. As a result, a Square attack with complexity of \(2^{68}\) operations is applicable to 5-round KASUMI.

2. 2.

   A rotation by one bit was added to the \(FL\) function, thus making it impossible to divide it into 16 independent functions.

3. 3.

   Round constants were inserted into the round subkeys, thwarting the related-key slide attack completely. On the other hand, the key schedule was simplified, which led to a practical-time related-key attack on the full KASUMI [9], which does not apply to MISTY1.¹⁰

Our conclusion is that while our results clearly do not pose any threat to the security of the full MISTY1 block cipher, they point out weaknesses of its components, which should be avoided in future designs based on MISTY1.