Weak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis

The MISTY1 block cipher has a 64-bit block length, a 128-bit user key and a recommended number of 8 rounds. It is a Japanese CRYPTREC-recommended e-government cipher, an European NESSIE selected cipher, and an ISO international standard. Despite of considerable cryptanalytic efforts during the past fifteen years, there has been no published cryptanalytic attack on the full MISTY1 cipher algorithm. In this paper, we present related-key differential and related-key amplified boomerang attacks on the full MISTY1 under certain weak key assumptions: We describe 2 weak keys and a related-key differential attack on the full MISTY1 with a data complexity of 2 chosen ciphertexts and a time complexity of 2 encryptions; and we also describe 2 weak keys and a related-key amplified boomerang attack on the full MISTY1 with a data complexity of 2 chosen plaintexts and a time complexity of 2 encryptions. For the very first time, our results exhibit a cryptographic weakness in the full MISTY1 cipher (when used with the recommended 8 rounds), and show that the MISTY1 cipher is distinguishable from a random function and thus cannot be regarded to be an ideal cipher.