Journal of Cryptology, Volume 30, Issue 3, pp 920–959

Integral Cryptanalysis on Full MISTY1

  • Yosuke Todo


MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in EUROCRYPT 2015. We first improve the division property by optimizing the division property for a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with \(2^{63.58}\) chosen plaintexts and \(2^{121}\) time complexity. Moreover, if we use \(2^{63.994}\) chosen plaintexts, the time complexity for our attack is reduced to \(2^{108.3}\). Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack.


Keywords: MISTY1, Integral attack, Division property



Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. NTT Secure Platform Laboratories, Tokyo, Japan
  2. Kobe University, Hyogo, Japan
