[2814] in cryptography@c2.net mail archive
Re: a gaggle of new ciphers
daemon@ATHENA.MIT.EDU (Don Davis)
Fri Jun 19 18:40:07 1998
Date: Fri, 19 Jun 1998 17:36:21 -0400
In-Reply-To: <87wwadqjb3.fsf@jekyll.piermont.com>
To: cryptography@c2.net
From: Don Davis <ddavis@OpenMarket.com>
perry metzger wrote:
> I just came across an algorithm called "MISTY1" designed by Matsui &
Ohta...
here're my notes on misty, from a couple of years ago:
at the rsa labs cryptographers' colloquium last week,
a mitsubishi manager gave me a reprint of matsui's
recent paper on his new block algorithm MISTY. the
reprint is in japanese, but it has a 6 page appendix
in english that fully describes the cipher, complete
with c sources and a single test vector. you may recall
that matsui is the author of linear cryptanalysis, and
that he applied l.c. successfully to 16-round des in '94.
needless to say, he designed MISTY to resist his own
linear attack. MISTY is patented, but i figure sci.crypt
will be interested to see this brief summary.
MISTY's salient features are:
64-bit block size
128-bit symmetric key
variable number of rounds
very high speed:
400-800 Mbit/sec in hardware,
20-40 Mbit/sec in software
low memory demands
resistance to differential and linear cryptanalysis
provable security, in some sense of "proof"
in brief, MISTY has three recursive levels of feistel
flow. the 64-bit plaintext is split into two 32-bit halves
that undergo a feistel manipulation, but each half's
transformation is effected by a 32-bit wide feistel cipher.
the deepest layer is a 16-bit wide feistel cipher, which
breaks the 16 bits into a 7-bit part and a 9-bit part;
these asymmetric blocks pass through 1-1 sboxes s7 and s9,
as they are swapped and XOR-ed. MISTY has only these two
sboxes; their 2 bits of overlap and the feistel swapping
provide the cipher's only permutations. though the data
passes through these sboxes many times in each round, the
lack of bitwise permutations accounts for MISTY's speed.
matsui's paper describes two variants, MISTY1 and MISTY2,
but the english appendix gives less detail and no code for
MISTY2. i don't think it would be appropriate for me to
post matsui's code; if you want to see it, you should look
the paper up in the library, or else contact him by surface
mail to get the reprint. (e-mail me to get his postal
address in osaka).
the citation i have is:
mitsuru matsui, "block encryption algorithm MISTY,"
technical report of IEICE ISEC96-11 (1996-07)
(inst of elec, inf, & comm engineers).
i'm told matsui also presented it at the cambridge u.
fast software encryption workshop, probably this year.
if anyone can post a pointer to postscript of matsui's
cambridge presentation, i'm sure we'll all be grateful.
-don davis, boston
