Zero-Correlation Linear Cryptanalysis of Reduced-round MISTY1

Published 16 Oct 2014 in cs.CR | (1410.4312v3)

Abstract: The MISTY1 algorithm, proposed by Matsui in FSE 1997, is a block cipher with a 64-bit block size and a 128-bit key size. It was recommended by the European NESSIE project and the CRYPTREC project, and became one RFC in 2002 and an ISO standard in 2005, respectively. In this paper, we first investigate the properties of the FL linear function and identify 232 subkey- dependent zero-correlation linear approximations over 5-round MISTY1 with 3 FL layers. Fur- thermore, some observations on the FL, FO and FI functions are founded and based upon those observations, we select 27 subkey-dependent zero-correlation linear approximations and then, pro- pose the zero-correlation linear attacks on 7-round MISTY1 with 4 FL layers. Besides, for the case without FL layers, 27 zero-correlation linear approximations over 5-round MISTY1 are employed to the analysis of 7-round MISTY1. The zero-correlation linear attack on the 7-round with 4 FL layers needs about 2^{119:5} encryptions with 2^{62.9} known plaintexts and 2⁶¹ memory bytes. For the attack on 7-round without FL layers, the data complexity is about 2^{63.9} known plaintexts, the time complexity is about 2^{81} encryptions and the memory requirements are about 2^{93} bytes. Both have lower time complexity than previous attacks.