Supporting Document of MISTY1 Version 1.10
Author
Abstract
We propose secret-key cryptosystems MISTY1 and MISTY2, which are block ciphers with a 128-bit key, a 64-bit block and a variable number of rounds. MISTY is a generic name for MISTY1 and MISTY2. They are designed on the basis of the theory of provable security against differential and linear cryptanalysis, and moreover they realize high speed encryption on hardware platforms as well as on software environments. Our software implementation shows that MISTY1 with eight rounds can encrypt a data stream in CBC mode at a speed of 20Mbps and 40Mbps on Pentium/100MHz and PA-7200/120MHz, respectively. For its hardware performance, we have produced a prototype LSI by a process of 0.5 CMOS gate-array and confirmed a speed of 450Mbps. In this paper, we describe the detailed specifications and design principles of MISTY1 and MISTY2.

1 Fundamental Design Policies of MISTY

Our purpose of designing MISTY is to offer secret-key cryptosystems that are applicable to various practical systems as widely as possible; for example, software stored in IC cards and hardware used in fast ATM networks. To realize this, we began its design with the following three fundamental policies:

1. MISTY should have a numerical basis for its security,
2. MISTY should be reasonably fast in software on any processor,
3. MISTY should be sufficiently fast in hardware implementation.

For the first policy, we have adopted the theory of provable security against differential and linear cryptanalysis [1][2][4], which was originally introduced by Kaisa Nyberg and Lars Knudsen. As far as we know, MISTY is the first block encryption algorithm designed for practical use with provable security against differential and linear cryptanalysis. Although this advantage does not mean information theoretic provable security, we believe that it is a good starting point for discussing secure block ciphers.

Secondly, we have noticed the fact that many recent block ciphers were designed so that they could be fastest and/or smallest on specific targets; for example, 32-bit microprocessors. This often results in slow and/or big implementation on other types of processors. Since we regarded seeking applicability to various systems as more important than pursuing maximum performance on
Similar resources
Generic Attacks on Misty Schemes
Misty schemes are classic cryptographic schemes used to construct pseudo-random permutations from 2n bits to 2n bits by using d pseudo-random permutations from n bits to n bits. These d permutations will be called the “internal” permutations, and d is the number of rounds of the Misty scheme. Misty schemes are important from a practical point of view since for example, the Kasumi algorithm base...
Security of the Misty Structure beyond the Birthday Bound
In this paper, we first prove beyond-birthday-bound security for the Misty structure. Specifically, we show that an r-round Misty structure is secure against CCA attacks up to $O(2^{rn/(r+7)})$ query complexity, where n is the size of each round permutation. So for any > 0, a sufficient number of rounds would guarantee the security of the Misty structure up to 2n(1− ) query complexity.
New Block Encryption Algorithm MISTY
We propose secret-key cryptosystems MISTY1 and MISTY2, which are block ciphers with a 128-bit key, a 64-bit block and a variable number of rounds. MISTY is a generic name for MISTY1 and MISTY2. They are designed on the basis of the theory of provable security against differential and linear cryptanalysis, and moreover they realize high speed encryption on hardware platforms as well as on software...
Mitsubishi Electric ADVANCE Vol100
MISTY and the Design Intent Behind it MISTY is the family name for two 64-bit blockcipher algorithms, MISTY1 and MISTY2, that have 128-bit keys, designed by the corporation with detailed specifications announced in academic conferences in 1996 and 1997.[1] [2] In terms of security, MISTY has the major benefit of “provable security,” in which the security is proven mathematically against differe...
A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony
The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich att...
Publication date: 2000