MISTY1

In cryptography, MISTY1 (or MISTY-1) is a block cipher designed in 1995 by Mitsuru Matsui and others for Mitsubishi Electric.[2][3]

MISTY1
General
Designers
  • Mitsuru Matsui,
  • Tetsuya Ichikawa,
  • Toru Sorimachi,
  • Toshio Tokita,
  • Atsuhiro Yamagishi
First published1995
SuccessorsCamellia, MISTY2, KASUMI
CertificationCRYPTREC (Candidate), NESSIE
Cipher detail
Key sizes128 bits
Block sizes64 bits
StructureNested Feistel network
Rounds4×n (8 recommended)
Best public cryptanalysis
Integral cryptanalysis leading to full key recovery with 263.9999 chosen ciphertexts and 279 time, or 264 chosen ciphertexts and 269.5 time.[1]

MISTY1 is one of the selected algorithms in the European NESSIE project, and has been among the cryptographic techniques recommended for Japanese government use by CRYPTREC in 2003; however, it was dropped to "candidate" by CRYPTREC revision in 2013. However, it was successfully broken in 2015 by Yosuke Todo using integral cryptanalysis; this attack was improved in the same year by Achiya Bar-On.[1]

"MISTY" can stand for "Mitsubishi Improved Security Technology"; it is also the initials of the researchers involved in its development: Matsui Mitsuru, Ichikawa Tetsuya, Sorimachi Toru, Tokita Toshio, and Yamagishi Atsuhiro.[4]

MISTY1 is covered by patents, although the algorithm is freely available for academic (non-profit) use in RFC 2994, and there's a GPLed implementation by Hironobu Suzuki (used by, e.g. Scramdisk).

Security

MISTY1 is a Feistel network with a variable number of rounds (any multiple of 4), though 8 are recommended. The cipher operates on 64-bit blocks and has a key size of 128 bits. MISTY1 has an innovative recursive structure; the round function itself uses a 3-round Feistel network. MISTY1 claims to be provably secure against linear and differential cryptanalysis.

KASUMI

KASUMI is a successor of the MISTY1 cipher which was supposed to be stronger than MISTY1 and has been adopted as the standard encryption algorithm for European mobile phones. In 2005, KASUMI was broken, and in 2010 a new paper was published (explained below) detailing a practical attack on the cipher; see the article for more details.

In the paper "Block Ciphers and Stream Ciphers" by Alex Biryukov, it is noted that KASUMI, also termed A5/3, is a strengthened version of block cipher MISTY1 running in a Counter mode.[5]

However, in 2010 Dunkelman, Keller, and Shamir showed that KASUMI is not as strong as MISTY1;[6] the KASUMI attack will not work against MISTY1.

gollark: Oh right, that.
gollark: Aren't there rather aging populations in most developed countries?
gollark: ++remind 20y check if China fails
gollark: Ironic purposes.
gollark: It imports `hashlib` repeatedly, for ironic purposes.

See also

  • MISTY2

References

  1. Achiya Bar-On (30 July 2015). "A 270 Attack on the Full MISTY1" (PDF). Cite journal requires |journal= (help)
  2. Mitsuru Matsui (1997). Block encryption algorithm MISTY. Fast Software Encryption, 4th International Workshop, FSE '97, LNCS 1267. pp. 64–74.
  3. Mitsuru Matsui (July 1996). "Block encryption algorithm MISTY". Technical report of IEICE ISEC96-11 (PDF). Archived from the original (PDF) on August 23, 2000.
  4. "Episodes in the development of MISTY". Archived from the original on 2005-03-22.
  5. Alex Biryukov (2004). "Block Ciphers and Stream Ciphers: The State of the Art".
  6. Orr Dunkelman and Nathan Keller and Adi Shamir (2010). "A Practical-Time Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony".
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.