## Abstract

MISTY1 is a block cipher designed by Matsui in 1997. It was well evaluated and standardized by projects, such as CRYPTREC, ISO/IEC, and NESSIE. In this paper, we propose a key recovery attack on the full MISTY1, i.e., we show that 8-round MISTY1 with 5 FL layers does not have 128-bit security. Many attacks against MISTY1 have been proposed, but there is no attack against the full MISTY1. Therefore, our attack is the first cryptanalysis against the full MISTY1. We construct a new integral characteristic by using the propagation characteristic of the division property, which was proposed in EUROCRYPT 2015. We first improve the division property by optimizing the division property for a public S-box and then construct a 6-round integral characteristic on MISTY1. Finally, we recover the secret key of the full MISTY1 with \(2^{63.58}\) chosen plaintexts and \(2^{121}\) time complexity. Moreover, if we use \(2^{63.994}\) chosen plaintexts, the time complexity for our attack is reduced to \(2^{108.3}\). Note that our cryptanalysis is a theoretical attack. Therefore, the practical use of MISTY1 will not be affected by our attack.

## Keywords

MISTY1 Integral attack Division property## References

- 1.S. Babbage, L. Frisch, On MISTY1 higher order differential cryptanalysis, in
*ICISC*. LNCS, vol. 2015, ed. by D. Won (Springer, 2000), pp. 22–36Google Scholar - 2.A. Bar-On, A 2\({}^{\text{70}}\) attack on the full MISTY1. IACR Cryptology ePrint Archive 2015, 746 (2015). http://eprint.iacr.org/2015/746
- 3.A. Bar-On, Improved higher-order differential attacks on MISTY1, in
*FSE*(2015)Google Scholar - 4.E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems, in
*CRYPTO*. LNCS, vol. 537, ed. by A. Menezes, S.A. Vanstone (Springer, 1990), pp. 2–21Google Scholar - 5.C. Boura, A. Canteaut, On the influence of the algebraic degree of f\({}^{\text{-1 }}\) on the algebraic degree of G \(\circ \) F.
*IEEE Trans. Inf. Theory***59**(1), 691–702 (2013)Google Scholar - 6.A. Canteaut, M. Videau, Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis, in
*EUROCRYPT*. LNCS, vol. 2332, ed. by L.R. Knudsen (Springer, 2002), pp. 518–533Google Scholar - 7.CRYPTREC, Specifications of e-government recommended ciphers (2013). http://www.cryptrec.go.jp/english/method.html
- 8.J. Daemen, L.R. Knudsen, V. Rijmen, The block cipher square, in
*FSE*. LNCS, vol. 1267, ed. by E. Biham (Springer, 1997), pp. 149–165Google Scholar - 9.O. Dunkelman, N. Keller, An improved impossible differential attack on MISTY1, in
*ASIACRYPT*. LNCS, vol. 5350, ed. by J. Pieprzyk (Springer, 2008), pp. 441–454Google Scholar - 10.N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, D. Whiting, Improved cryptanalysis of Rijndael, in
*FSE*. LNCS, vol. 1978, ed. by B. Schneier (Springer, 2000), pp. 213–230Google Scholar - 11.Y. Hatano, H. Tanaka, T. Kaneko, Optimization for the algebraic method and its application to an attack of MISTY1.
*IEICE Trans.***87-A**(1), 18–27 (2004)Google Scholar - 12.ISO/IEC: JTC1: ISO/IEC 18033, Security techniques—encryption algorithms—part 3: block ciphers (2005)Google Scholar
- 13.L.R. Knudsen, Truncated and higher order differentials, in
*FSE*. LNCS, vol. 1008, ed. by B. Preneel (Springer, 1994), pp. 196–211Google Scholar - 14.L.R. Knudsen, D. Wagner, Integral cryptanalysis, in
*FSE*. LNCS, vol. 2365, ed. by J. Daemen, V. Rijmen (Springer, 2002), pp. 112–127Google Scholar - 15.X. Lai, Higher order derivatives and differential cryptanalysis, in
*Communications and Cryptography. The Springer International Series in Engineering and Computer Science*, vol. 276 (1994), pp. 227–233Google Scholar - 16.M. Matsui, Linear cryptanalysis method for DES cipher, in
*EUROCRYPT*. LNCS, vol. 765, ed. by T. Helleseth (Springer, 1993), pp. 386–397Google Scholar - 17.M. Matsui, New structure of block ciphers with provable security against differential and linear cryptanalysis, in
*FSE*. LNCS, vol. 1039, ed. by D. Gollmann (Springer, 1996), pp. 205–218Google Scholar - 18.M. Matsui, New block encryption algorithm MISTY, in
*FSE*. LNCS, vol. 1267, ed. by E. Biham (Springer, 1997), pp. 54–68Google Scholar - 19.NESSIE: New European schemes for signatures, integrity, and encryption (2004). https://www.cosic.esat.kuleuven.be/nessie/
- 20.K. Nyberg, Linear approximation of block ciphers, in
*EUROCRYPT*. LNCS, vol. 950, ed. by A.D. Santis (Springer, 1994), pp. 439–444Google Scholar - 21.K. Nyberg, L.R. Knudsen, Provable security against a differential attack.
*J. Cryptol*.**8**(1), 27–37 (1995)Google Scholar - 22.H. Ohta, M. Matsui, A description of the MISTY1 encryption algorithm (2000). https://tools.ietf.org/html/rfc2994
- 23.Y. Sasaki, L. Wang, Meet-in-the-middle technique for integral attacks against Feistel ciphers, in
*SAC*. vol. 7707, ed. by L.R. Knudsen, H. Wu (Springer, 2012), pp. 234–251Google Scholar - 24.B. Sun, X. Hai, W. Zhang, L. Cheng, Z. Yang, New observation on division property. IACR Cryptology ePrint Archive, 459 (2015). http://eprint.iacr.org/2015/459
- 25.H. Tanaka, K. Hisamatsu, T. Kaneko, Strength of MISTY1 without FL function for higher order differential attack, in
*AAECC-13*. LNCS, vol. 1719, ed. by M.P.C. Fossorier, H. Imai, S. Lin, A. Poli (Springer, 1999), pp. 221–230Google Scholar - 26.Y. Todo, Integral cryptanalysis on full MISTY1, in
*CRYPTO Part I*. LNCS, vol. 9215, ed. by R. Gennaro, M. Robshaw (Springer, 2015), pp. 413–432Google Scholar - 27.Y. Todo, Structural evaluation by generalized integral property, in
*EUROCRYPT Part I*. LNCS, vol. 9056, ed. by E. Oswald, M. Fischlin (Springer, 2015b), pp. 287–314Google Scholar - 28.Y. Tsunoo, T. Saito, M. Shigeri, T. Kawabata, Higher order differential attacks on reduced-round MISTY1, in
*ICISC*. LNCS, vol. 5461, ed. by P.J. Lee, J.H. Cheon (Springer, 2008), pp. 415–431Google Scholar - 29.H. Zhang, W. Wu, Structural evaluation for generalized Feistel structures and applications to LBlock and TWINE, in
*INDOCRYPT*. LNCS, vol. 9462, ed. by A. Biryukov, V. Goyal (Springer, 2015), pp. 218–237Google Scholar