Practical-time attacks against reduced variants of MISTY1

Orr Dunkelman, Nathan Keller

Research output: Contribution to journalArticlepeer-review


MISTY1 is a block cipher designed by Matsui in 1997. It is widely deployed in Japan where it is an e-government candidate recommended cipher, and is recognized internationally as a NESSIE-recommended cipher as well as an ISO/IEC standard and an RFC. Moreover, MISTY1 was selected to be the blueprint on top of which KASUMI, the GSM/3G block cipher, was based. Since its introduction, and especially in recent years, MISTY1 was subjected to extensive cryptanalytic efforts, which resulted in numerous attacks on its reduced variants. Most of these attacks aimed at maximizing the number of attacked rounds, and as a result, their complexities are highly impractical. In this paper we pursue another direction, by focusing on attacks of practical time complexity. We present the first practical-time attack on 5-round MISTY1 which exploits only the linear $$FL$$FL functions, and thus, remains valid even if the non-linear $$FO$$FO functions are replaced. On the other extreme, we show the importance of the FL layers, by presenting a devastating (and experimentally verified) related-key attack that can break MISTY1 with no $$FL$$FL layers, requiring only 218 data and time. While our attacks clearly do not compromise the security of the full MISTY1, they expose several weaknesses in the components used in MISTY1, and improve our understanding of its security. These insights are also applicable to future designs which rely on MISTY1 as their base, and should be taken into close consideration by designers.

Original languageEnglish
Pages (from-to)601-627
Number of pages27
JournalDesigns, Codes, and Cryptography
Issue number3
StatePublished - 6 Sep 2015

Bibliographical note

Publisher Copyright:
© 2014, Springer Science+Business Media New York.


  • Cryptanalysis
  • MISTY1
  • Practical-time
  • Related-key attacks
  • Slide attacks

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science Applications
  • Discrete Mathematics and Combinatorics
  • Applied Mathematics


Dive into the research topics of 'Practical-time attacks against reduced variants of MISTY1'. Together they form a unique fingerprint.

Cite this