IACR News item: 09 July 2013
Orr Dunkelman, Nathan Keller
ePrint Reportan ISO standard and an RFC. Moreover, MISTY1 was selected to be the blueprint on top of which KASUMI, the GSM/3G block cipher, was based. Since its introduction, and especially in recent years, MISTY1 was subjected to extensive cryptanalytic efforts, which resulted in numerous attacks on its reduced variants. Most of these attacks aimed at maximizing the number of attacked rounds, and as a result, their complexities are highly impractical.
In this paper we pursue another direction, by focusing on attacks with a practical time complexity. The best previously-known attacks with practical complexity against MISTY1 could break either 4 rounds (out of 8), or 5 rounds in a modified variant in which some of the FL functions are removed. We present an attack on 5-round MISTY1 with all the FL functions present whose time complexity is 2^38 encryptions. When the FL functions are removed, we present a devastating (and experimentally verified) related-key attack on the full 8-round variant, requiring only 2^18 data and time.
While our attacks clearly do not compromise the security of the full
MISTY1, they expose several weaknesses in MISTY1\'s components, and
improve our understanding of its security. Moreover, future designs which rely on MISTY1 as their base, should take these issues into close consideration.
Additional news items may be found on the IACR news page.