Cryptanalysis of the ISDB Scrambling Algorithm (MULTI2)

  • Jean-Philippe Aumasson
  • Jorge Nakahara Jr.
  • Pouyan Sepehrdad
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5665)


MULTI2 is the block cipher used in the ISDB standard for scrambling digital multimedia content. MULTI2 is used in Japan to secure multimedia broadcasting, including recent applications like HDTV and mobile TV. It is the only cipher specified in the 2007 Japanese ARIB standard for conditional access systems. This paper presents a theoretical break of MULTI2 (not relevant in practice), with shortcut key recovery attacks for any number of rounds. We also describe equivalent keys and linear attacks on reduced versions with up to 20 rounds (out of 32), improving on the previous 12-round attack by Matsui and Yamagishi. Practical attacks are presented on up to 16 rounds.


Keywords: ISDB, ARIB, MULTI2, block cipher, linear cryptanalysis, conditional access


  1. Aoki, K., Kurokawa, K.: A study on linear cryptanalysis of Multi2 (in Japanese). In: The 1995 Symposium on Cryptography and Information Security, SCIS 1995 (1995)
  2. ARIB. STD B25 v. 5.0 (2007),
  3. Biham, E.: New types of cryptanalytic attacks using related keys. Journal of Cryptology 7(4), 229–246 (1994)
  4. Biryukov, A., Wagner, D.: Slide attacks. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 245–259. Springer, Heidelberg (1999)
  5. Biryukov, A., Wagner, D.: Advanced slide attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)
  6. BS Conditional Access Systems Co., Ltd.,
  7. Hitachi: Japanese laid-open patent application no. H1-276189 (1998)
  8. ISO. Algorithm registry entry 9979/0009 (1994)
  9. Katagi, T., Inoue, T., Shimoyama, T., Tsujii, S.: A correlation attack on block ciphers with arithmetic operations (in Japanese). In: SCIS (2003), reference no. SCIS2003 5D-2
  10. Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1993)
  11. Matsui, M., Yamagishi, A.: On a statistical attack of secret key cryptosystems. Electronics and Communications in Japan, Part III: Fundamental Electronic Science (English translation of Denshi Tsushin Gakkai Ronbunshi) 77(9), 61–72 (1994)
  12. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997)
  13. Takaragi, K., Nakagawa, F., Sasaki, R.: U.S. patent no. 4982429 (1989)
  14. Takaragi, K., Nakagawa, F., Sasaki, R.: U.S. patent no. 5103479 (1990)
  15. Weinmann, R.-P., Wirt, K.: Analysis of the DVB common scrambling algorithm. In: 8th IFIP TC-6 TC-11 Conference on Communications and Multimedia Security (CMS). Springer, Heidelberg (2004)
  16. Wikipedia. Mobaho! (accessed February 5, 2009)
  17. Wirt, K.: Fault attack on the DVB common scrambling algorithm. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganá, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3481, pp. 577–584. Springer, Heidelberg (2005)
  18. Yoshimura, T.: Conditional access system for digital broadcasting in Japan. Proceedings of the IEEE 94(1), 318–322 (2006)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Jean-Philippe Aumasson (1)
  • Jorge Nakahara Jr. (2)
  • Pouyan Sepehrdad (2)

  1. FHNW, Windisch, Switzerland
  2. EPFL, Lausanne, Switzerland
