A \(2^{70}\) Attack on the Full MISTY1

  • Achiya Bar-OnEmail author
  • Nathan Keller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9814)


MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan, and is recognized internationally as a European NESSIE-recommended cipher and an ISO standard. After almost 20 years of unsuccessful cryptanalytic attempts, a first attack on the full MISTY1 was presented at CRYPTO 2015 by Yosuke Todo. The attack, using a new technique called division property, requires almost the full codebook and has time complexity of \(2^{107.3}\) encryptions.

In this paper we present a new attack on the full MISTY1. It is based on Todo’s division property, along with a variety of refined key-recovery techniques. Our attack requires almost the full codebook (like Todo’s attack), but allows to retrieve 49 bits of the secret key in time complexity of only \(2^{64}\) encryptions, and the full key in time complexity of \(2^{69.5}\) encryptions.

While our attack is clearly impractical due to its large data complexity, it shows that MISTY1 provides security of only \(2^{70}\) — significantly less than what was considered before.


Time Complexity Block Cipher Affine Subspace Encryption Direction Linear Cryptanalysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    3rd Generation Partnership Project: Specification of the 3GPP. Confidentiality, Integrity Algorithms - Document 2: KASUMI Specification (Release 6). Technical report 3GPP. TS 35.202 V6.1.0 (2005–2009), September 2005Google Scholar
  2. 2.
    Bar-On, A.: Improved higher-order differential attacks on MISTY1. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 28–47. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  3. 3.
    Daemen, J., Knudsen, L.R., Rijmen, V.: The block cipher SQUARE. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 149–165. Springer, Heidelberg (1997)Google Scholar
  4. 4.
    Dinur, I., Dunkelman, O., Shamir, A.: Improved attacks on full GOST. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 9–28. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
    Dunkelman, O., Keller, N.: Practical-time attacks against reduced variants of MISTY1. Des. Codes Crypt. 76, 601–627 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  6. 6.
    Ferguson, N., Kelsey, J., Lucks, S., Schneier, B., Stay, M., Wagner, D., Whiting, D.L.: Improved cryptanalysis of Rijndael. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 213–230. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    Jia, K., Li, L.: Improved impossible differential attacks on reduced-round MISTY1. In: Lee, D.H., Yung, M. (eds.) WISA 2012. LNCS, vol. 7690, pp. 15–27. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. 8.
    Knudsen, L.R., Wagner, D.: Integral cryptanalysis. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 112–127. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Kühn, U.: Improved cryptanalysis of MISTY1. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 61–75. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Matsui, M.: New block encryption algorithm MISTY. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 54–68. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  11. 11.
    Todo, Y.: Integral cryptanalysis on full MISTY1. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 413–432. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  12. 12.
    Todo, Yosuke: Structural Evaluation by Generalized Integral Property. In: Oswald, Elisabeth, Fischlin, Marc (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 287–314. Springer, Heidelberg (2015)Google Scholar
  13. 13.
    Tsunoo, Y., Saito, T., Kawabata, T., Nakagawa, H.: Differentials, finding higher order of MISTY1. IEICE Trans. 95(A(6)), 1049–1055 (2012)CrossRefGoogle Scholar
  14. 14.
    Yi, W., Chen, S.: Multidimensional zero-correlation linear attacks on reduced-round MISTY1. In: CoRR (2014). arXiv:1410.4312

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Department of MathematicsBar Ilan UniversityRamat GanIsrael

Personalised recommendations