# New Block Encryption Algorithm MISTY

@inproceedings{Matsui1997NewBE, title={New Block Encryption Algorithm MISTY}, author={Mitsuru Matsui}, booktitle={FSE}, year={1997} }

We propose secret-key cryptosystems MISTY1 and MISTY2, which are block ciphers with a 128-bit key, a 64-bit block and a variable number of rounds. MISTY is a generic name for MISTY1 and MISTY2. They are designed on the basis of the theory of provable security against differential and linear cryptanalysis, and moreover they realize high speed encryption on hardware platforms as well as on software environments. Our software implementation shows that MISTY1 with eight rounds can encrypt a data…

## 364 Citations

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Differential Cryptanalysis

- Computer Science, Mathematics; CT-RSA
- 2013

For the first time, a cryptographic weakness is exhibited in the full MISTY1 cipher (when used with the recommended 8 rounds), and it is shown that the MISTY1 cipher is distinguishable from an ideal cipher and thus cannot be regarded to be an ideal cipher.

MISTY, KASUMI and Camellia Cipher Algorithm Development

- Computer Science, Mathematics
- 2002

In terms of security, MISTY has the major benefit of “provable security,” in which the security is proven mathematically against differential cryptanalysis and linear cryptanalysis, which are extremely powerful methods for cryptanalysis.

Improved Impossible Differential Attacks on Reduced-Round MISTY1

- Computer Science, Mathematics; WISA
- 2012

This paper improves the impossible differential attack on 6-round MISTY1 with 4 FL layers introduced by Dunkelman et al. with a factor of $2^{11}$ for the time complexity, and proposes an impossible differential attack on 7-round MISTY1 with 3 FL layers, which needs $2^{58}$ known plaintexts and $2^{124.4}$ 7-round encryptions.

Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2012

For the very first time, the results exhibit a cryptographic weakness in the full MISTY1 cipher (when used with the recommended 8 rounds), and show that the MISTY1 cipher is distinguishable from a random function and thus cannot be regarded to be an ideal cipher.

Integral Cryptanalysis on Full MISTY1

- Computer Science, Mathematics; CRYPTO
- 2015

This paper proposes a key recovery attack on the full MISTY1, i.e., it shows that 8-round MISTY1 with 5 FL layers does not have 128-bit security, and constructs a new integral characteristic by using the propagation characteristic of the division property, which was proposed in EUROCRYPT 2015.

Higher Order Differential Attacks on Reduced-Round MISTY1

- Computer Science, Mathematics; ICISC
- 2008

It is shown that higher order differential attacks can be successful against 6-round and 7-round versions of MISTY1 with FL functions, which signifies the first successful attack on 7-round MISTY1 without limiting conditions such as a weak key.

Security Analysis of 7-Round MISTY1 against Higher Order Differential Attacks

- Computer Science, Mathematics; IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
- 2010

Higher order differential attacks can be successful against 7-round versions of MISTY1 with FL functions and it is shown that resistance to the higher order differential attack is not substantially improved even in 7-round MISTY1 in which the key schedule is replaced by a pseudorandom function.

Weak-Key Classes of 7-Round MISTY 1 and 2 for Related-Key Amplified Boomerang Attacks

- Computer Science, Mathematics; IEICE Trans. Fundam. Electron. Commun. Comput. Sci.
- 2008

This paper presents large collections of weak-key classes encompassing $2^{73}$ and $2^{70}$ weak keys for 7-round MISTY 1 and 2 for which they are vulnerable to a related-key amplified boomerang attack.

A Practical-time Attack on Reduced-round MISTY1

- Computer Science, Mathematics; ICISSP
- 2016

6-round MISTY1 with 4 FL layers is shown to be attackable with $2^{43}$ blocks of chosen plaintexts and $2^{43.31}$ times of data encryption, the best practical-time attack on reduced-round MISTY1.

Security Analysis of MISTY1

- Computer Science, Mathematics; WISA
- 2007

This analysis consists of two algorithms based on the higher order differential property of the S-box that exceed the existing attack algorithms against MISTY1 and give new perspectives for the security of MISTY1.

## References

New Structure of Block Ciphers with Provable Security against Differential and Linear Cryptanalysis

- Computer Science, Mathematics; FSE
- 1996

We introduce a methodology for designing block ciphers with provable security against differential and linear cryptanalysis. It is based on three new principles: change of the location of round…

Linear Approximation of Block Ciphers

- Mathematics, Computer Science; EUROCRYPT
- 1994

The results of this paper give the theoretical fundaments on which Matsui's linear cryptanalysis of the DES is based and it is shown how to achieve proven resistance against linear cryptanalysis.

Provable Security Against Differential Cryptanalysis

- Mathematics, Computer Science; CRYPTO
- 1992

It is shown that there exist functions such that the probabilities of differentials are less than or equal to $2^{2-n}$ where n is the length of the plaintext block and a prototype of an iterated block cipher, which is compatible with DES and has proven security against differential attacks.

Stricter Evaluation for the Maximum Average of Differential Probability and the Maximum Average of Linear Probability (in Japanese)

- Proceedings of SCIS'96, SCIS96-4A
- 1996

Linear Approximation of Block Ciphers, Advances in Cryptology - Eurocrypt

- Lecture Notes in Computer Science
- 1994

Stricter Evaluation for the Maximum Average of Differential Probability and the Maximum Average of Linear Probability

- Proceedings of SCIS'96
- 1996