Specfcatons n 200 MISTY (updated : May 3, 2002) September 27, 200 Mtsubsh Electrc Corporaton
Block Cpher Algorthm MISTY Ths document shows a complete descrpton of encrypton algorthm MISTY, whch are secret-key cpher wth 64-bt data block and 28-bt secret key. The number of rounds n of MISTY s varable under the condton that n s a multple of four. Recommendaton value s n = 8. In the followng descrpton, t s defned that the most left bt s Most Sgnfcant Bt (MSB), the most rght bt s Least Sgnfcant Bt (LSB). Data Randomzng Part Fgure a and b show the data randomzng part of MISTY for encrypton and decrypton, respectvely. The plantext/cphertext s dvded nto two 32-bt data, whch are transformed by btwse XOR operatons denoted by the symbol and sub-functons FO ( n), FL ( n + 2) and FL ( n + 2). FO uses a 64-bt subkey O and a 48-bt subkey I. FL and FL are used n encrypton and decrypton, respectvely, both of whch use a 32-bt subkey L. Fgure 2 shows the structure of FO. The nput s dvded nto two -bt data, whch are transformed by btwse XOR operatons denoted by the symbol and sub-functons j ( j 3), where O j ( j 4) and I j ( j 3) are the j-th (from left) -bt data of O and I, respectvely. Fgure 3 shows the structure of. The nput s dvded nto left 9-bt data and rght 7-bt data, whch are transformed by btwse XOR operatons denoted by the symbol and substtuton tables S 7 and S 9. In the frst and thrd XORs, the 7-bt data s zero-extended to 9 bts, and on the second XOR, the 9-bt data s truncated to 7 bts by dscardng ts hghest two bts. I j and I j 2 are left 7-bt data and rght 9-bt data of I j, respectvely. Fgure 4a and 4b show the structure of FL and FL, respectvely. The nput s dvded nto two -bt data, whch are transformed by btwse XOR operatons denoted by the symbol, a btwse AND operaton denoted by the symbol and a btwse OR operaton denoted by the symbol, where ( j 2) L. L j s the j-th (from left) -bt data of Tables and 2 show decmal representaton of the substtuton tables S 7 and S 9, respectvely. ey Schedulng Part Fgure 5 shows the ey Schedulng part of MISTY. Let ( 8) be the -th (from left) -bt data of the secret key, and let ( 8) be the output of j where the nput of j s and the key I j s +. Also, dentfy 9 wth. The correspondence between the symbols O j, I j, L j and the actual key s as follows: Symbol O O 2 O 3 O 4 I I 2 I 3 L L 2 ey + 2 + 7 + 4 +5 + +3 + 2 + 2 2 ( odd ) ( even ) Where and are dentfed wth 8 and Test Data The followng s sample data for MISTY wth eght rounds n hexadecmal form: Secret ey L ) 00 22 33 44 55 66 77 88 99 aa bb cc dd ee ff ( 8 Plantext Extended ey ( ) 8 0 23 45 67 89 ab cd ef + + 6 2 + 4 2 8, respectvely, when exceeds 8. L cf 5 8e 7f 5e 29 67 3a cd bc 07 d6 bf 35 5e ( odd ) ( even ) Cphertext 8b d a5 f5 6a b3 d0 7c
P 64 32 32 L FL I,O FL2 L2 FO I2,O2 FO2 L3 FL3 I3,O3 FL4 L4 FO3 I4,O4 FO4 L5 FL5 I5,O5 FL6 L6 FO5 I6,O6 FO6 L7 FL7 I7,O7 FL8 L8 FO7 I8,O8 FO8 Ln+ FLn+ FLn+2 Ln+2 C Fgure a. MISTY (Encrypton)
Fgure b. MISTY (Decrypton) FLn+2 FLn+ Ln+ Ln+2 P C 64 32 32 FL5 FL6 FO5 FO6 I5,O5 I6,O6 L5 L6 FL7 FL8 FO7 FO8 I7,O7 I8,O8 L7 L8 FL FL2 FO FO2 I,O I2,O2 L L2 FL3 FL4 FO3 FO4 I3,O3 I4,O4 L3 L4
32 9 7 32 O L I S9 zero-extend L2 O2 I2 2 S7 Fgure 4a. FL truncate Ij Ij2 O3 32 I3 3 S9 L2 zero-extend L O4 Fgure 2. FO Fgure 3. j Fgure 4b. Fl 2 3 4 5 6 7 8 2 3 4 5 6 7 8 Fgure 5. ey Schedulng
27, 50, 5, 90, 59,, 23, 84, 9, 26,4,5,07, 44,02, 73, 3, 36, 9,08, 55, 46, 63, 74, 93, 5, 64, 86, 37, 8, 28, 4,, 70, 32, 3,23, 53, 68, 66, 43, 30, 65, 20, 75,2, 2,, 4, 85, 9, 54,, 2,03, 83, 40, 0,26, 56, 2, 7, 96, 4, 25, 8,0, 47, 48, 57, 8,04, 95,20, 42, 76,00, 69,7, 6, 89, 72, 3, 87,24, 79, 98, 60, 29, 33, 94, 39,06,2, 77, 58,,09,0, 99, 24,9, 35, 5, 38,8, 0, 49, 45,22,27, 97, 80, 34, 7, 6, 7, 22, 82, 78,3, 62,05, 67, 52, 92, 88,25 Table. The table of S 7 45,203,339,45,483,233,25, 53,385,85,279,49,307, 9, 45,2, 99,330, 55,26,235,356,403,472,3,286, 85, 44, 29,48,355,280, 33,338,466, 5, 43, 48,34,229,273,32,398, 99,227,200,500, 27,,57,248,4,365,499, 28,326,25,209,30,490,387,30,244,44, 467,22,482,296,480,236, 89,45, 7,303, 38,220,76,396,27,503, 23,364,82,249,2,337,257,332,259,84,340,299,430, 23,3, 2, 7, 88,27,420,308,297,32,349,43,434,49, 72,24, 8,458, 35, 37,423,357, 59, 66,28,402,206,93,07,59,497,300,388,250,406, 48,36,38, 49,384,266,48,474,390,38,284, 96,373,463,03,28, 0,04,53,336, 8, 7,380,83, 36, 25,222,295,29,228,425, 82, 265,44,42,449, 40,435,309,362,374,223,485,392,97,366,478,433, 95,479, 54,238,494,240,47, 73,54,438,05,29,293,, 94,80, 329,455,372, 62,35,439,42,454,74,,49,495, 78,242,509,33, 253,246,0,367,3,38,342,55,3,263,359,52,464,489, 3,50, 89,290,37,20,399, 8, 5,06,322,237,368,283,226,335,344,305, 327, 93,275,46,2,353,42,377,58,436,204, 34,306, 26,232, 4, 39,493,407, 57,447,47, 39,395,98,56,208,334,08, 52,498,0, 202, 37,86,40,254, 9,262, 47,429,370,475,92,267,470,245,492, 269,8,276,427,7,268,484,345, 84,287, 75,96,446,247, 4,4, 4,496,9, 77,378,34,39,79,369,9,270,260,5,347,352,360, 25,87,02,462,252,46,453,, 22, 74,,33,75,24,400, 0, 426,323,379, 86,397,358,22,507,333,404,40,35,504,29,7,440, 32, 60,505,320, 42,34,282,47,408,23,294,43, 97,302,343,476, 4,394,70,50,277,239, 69,23,4,325, 83, 95,376,78, 46, 32, 469, 63,457,487,428, 68, 56, 20,77,363,7,8, 90,386,456,468, 24,375,00,207,09,256,409,304,346, 5,288,443,445,224, 79,24, 39,452,298, 2, 6,255,4,6, 67,36, 80,35,488,289,5,382, 88,94,20,37,393,50,,460,486,424,405, 3, 65, 3,442, 50, 6,465,28,8, 87,44,354,328,27,26, 98,22, 33,5,274,264, 448,9,285,432,422,205,243, 92,258, 9,473,324,502,73,5, 58, 459,30,383, 70,225, 30,477,230,3,506,389,40,43, 64,437,90, 20, 0,72,272,350,292, 2,444,2,234,2,508,278,348, 76,450 Table 2. The table of S 9
Implementaton Methods The reference C source code attached to the submsson package shows an example of straghtforward mplementaton based on the specfcatons of MISTY. There are however many more technques for mplementng MISTY n software balancng speed and memory requrements. The followng shows how to speed up MISTY n software. It s not dffcult to see that the -functon can be also wrtten as shown n the left fgure, where S9A and S9B are newly ntroduced look-up tables that transform 9 and 7 nput bts nto output bts, respectvely. Note that the subkey j can be "embedded" nto other subkeys. Though mplementng ths form requres more memory than the straghtforward method, but faster speed s expected. Moreover, notng that the number of possble varetes of j2 s only eght, we can even remove the subkey by ntroducng eght dfferent S9A tables (S9A) f a target processor has on-chp cache of bytes or more. Verson Informaton MISTY has been proposed n the followng standardzaton actvtes, where the proposed specfcaton s exactly the same as the specfcaton descrbed n ths document. ISO / SC27 NESSIE IETF-TLS Also, ASUMI, whch was modfed on the bass of MISTY, has been adopted as the world standard of the forthcomng W-CDMA systems. ASUMI s a varant of MISTY, but s not compatble wth MISTY. Object Identfer The object dentfer of MISTY s descrbed n RFC2994 "A Descrpton of the MISTY Encrypton Algorthm". The followng s extracted from the RFC2994 document. The Object Identfer for MISTY n Cpher Block Channg (CBC) mode s as follows: MISTY-CBC OBJECT IDENTIER ::= {so() member-body(2) jsc(392) mtsubsh-electrc-corporaton(2000) sl(6) securty() algorthm() symmetrc-encrypton-algorthm() msty-cbc()} MISTY-CBC needs Intalzaton Vector (IV) as lke as other algorthms, such as DES-CBC, DES-EDE3-CBC and so on. To determne the value of IV, MISTY-CBC takes parameter as: MISTY-CBC Parameter ::= IV
where IV ::= OCTET STRING -- 8 octets. When ths Object Identfer s used, plantext s padded before encrypt t. At least paddng octet s appended at the end of the plantext to make the length of the plantext to the multple of 8 octets. The value of these octets s as same as the number of appended octets. (e.g., If 5 octets are needed to pad, the value s 0x05.) Applcatons and Products MISTY has been used n varous applcatons and products as follows; most of the nformaton can be found at http://www.securty.melco.co.jp/ [Software Products] Encrypton lbrary <PowerMISTY>, PI lbrary <CertMISTY>, PI server system <CERTMANAGER>, Fle encrypton software <CRYPTOLE>, Secure web access <TRUSTWEB>, Message encrypton software <CRYPTOSIGN>, Dgtal contents secure dstrbuton system <DIGICAPSULE>, Emal securty enhancement tool <MAHOUBIN-II> (by NTT Electroncs), Fle encrypton tool <SecureStaff> (by Mtsubsh Control Software) [Hardware Products] LAN encrypton hardware <MELWALL>, ey management hardware <MISTYEYPER> (by Mtsubsh Electrc Engneerng), Encrypton LSI CDI2050 (by Cogntve Desgn, Inc), Encrypton Algorthm IP for LSI development.