Topics

On the Security of 64-bit Block Cipher MISTY1 (Another new result)

August 12, 2015
CRYPTREC Cryptographic Technology Evaluation Committee

We provided comments^[1] on a new cryptanalytic result^[2] on MISTY1, which is a 64-bit block cipher on the CRYPTREC Candidate Recommended Ciphers List^[3], on July 16th. After that another new cryptanalytic result on MISTY1 with reduced time complexity^[4] was published by the International Association for Cryptologic Research (IACR) ePrint Archive on July 30th.

The published paper shows that a 128-bit secret key of full-round MISTY1 can be recovered with a practical time complexity which is equivalent to approximately 2^69.5 encryption operations, although all (2⁶⁴) pairs of plaintexts and corresponding ciphertexts are required for the attack. Since the required data is huge, this attack is not considered practical. We will continue further evaluation on the security of MISTY1 and report them on the CRYPTREC web site.

Table: Complexities of Integral Cryptanalysis on MISTY1
	Required data^[5]	Time complexity^[6]
Todo^[2]	2^63.58	2¹²¹
Todo^[2]	2^63.994	2^107.9
Bar-On^[4]	2⁶⁴	2^69.5

http://www.cryptrec.go.jp/en/topics/cryptrec-er-0001-2015.html
Yosuke Todo, “Integral Cryptanalysis on Full MISTY1”, Advances in Cryptology - CRYPTO 2015, Lecture Notes in Computer Science, Volume 9215, pages 413-432.
https://eprint.iacr.org/2015/682
https://www.cryptrec.go.jp/en/method.html
Achiya Bar-On, “A ²70 Attack on the Full MISTY1”. https://eprint.iacr.org/2015/746
Unit of the required data is a pair of plaintext block and ciphertext block. Both blocks are 64-bit length. The attacks require chosen plaintexts and their corresponding ciphertexts.
Unit of the time complexity is the computational cost for one block encryption. The time complexity for the key exhaustive search attack for a 128-bit key is 2¹²⁸.

If you have any opinions, comments, or inquiries about this topic, please contact us at the following address.
CRYPTREC Secretariat
E-mail: