RFC 2994 MISTY1 November 2000
// 0 round
D0 = FL(D0, 0);
D1 = FL(D1, 1);
D1 = D1 ^ FO(D0, 0);
// 1 round
D0 = D0 ^ FO(D1, 1);
// 2 round
D0 = FL(D0, 2);
D1 = FL(D1, 3);
D1 = D1 ^ FO(D0, 2);
// 3 round
D0 = D0 ^ FO(D1, 3);
// 4 round
D0 = FL(D0, 4);
D1 = FL(D1, 5);
D1 = D1 ^ FO(D0, 4);
// 5 round
D0 = D0 ^ FO(D1, 5);
// 6 round
D0 = FL(D0, 6);
D1 = FL(D1, 7);
D1 = D1 ^ FO(D0, 6);
// 7 round
D0 = D0 ^ FO(D1, 7);
// final
D0 = FL(D0, 8);
D1 = FL(D1, 9);
The 64-bit ciphertext C is constructed from D0 and D1 by the following
operation.
C = (D1<<32) | D0;
When the data randomizing part is used for decryption, it should be
executed in reverse order. The detailed description is as follows.
D0 = C & 0xffffffff;
D1 = C >> 32;
D0 = FLINV(D0, 8);
D1 = FLINV(D1, 9);
D0 = D0 ^ FO(D1, 7);
D1 = D1 ^ FO(D0, 6);
D0 = FLINV(D0, 6);
D1 = FLINV(D1, 7);
D0 = D0 ^ FO(D1, 5);
D1 = D1 ^ FO(D0, 4);
D0 = FLINV(D0, 4);
D1 = FLINV(D1, 5);
Ohta & Matsui Informational [Page 6]
D0 = D0 ^ FO(D1, 3);
D1 = D1 ^ FO(D0, 2);
D0 = FLINV(D0, 2);
D1 = FLINV(D1, 3);
D0 = D0 ^ FO(D1, 1);
D1 = D1 ^ FO(D0, 0);
D0 = FLINV(D0, 0);
D1 = FLINV(D1, 1);
P = (D0<<32) | D1;
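The following C program is an added example, not part of RFC 2994: it runs the encryption and decryption sequences above and shows that the reverse ordering restores P even when FO itself is not invertible. FL, FLINV, FO and the subkeys K are stand-ins constructed for this example (not the MISTY1 definitions), and the input split D0 = P >> 32, D1 = P & 0xffffffff is assumed from the final decryption line.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed subkeys and stand-in round functions: NOT MISTY1's FL/FO/key schedule. */
static const uint32_t K[10] = {
    0x243f6a88u, 0x85a308d3u, 0x13198a2eu, 0x03707344u, 0xa4093822u,
    0x299f31d0u, 0x082efa98u, 0xec4e6c89u, 0x452821e6u, 0x38d01377u };

static uint32_t rotl(uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }
/* FL stand-in must be invertible; FLINV undoes it exactly. */
static uint32_t FL(uint32_t x, int k)    { return rotl(x ^ K[k], 7); }
static uint32_t FLINV(uint32_t x, int k) { return rotl(x, 25) ^ K[k]; }
/* FO stand-in is deliberately non-invertible: decryption only ever re-computes it. */
static uint32_t FO(uint32_t x, int k) { return (x & K[k]) * 0x9e3779b1u + (uint32_t)k; }

uint64_t encrypt_block(uint64_t P) {
    uint32_t D0 = (uint32_t)(P >> 32), D1 = (uint32_t)P;  /* assumed input split */
    for (int r = 0; r < 8; r += 2) {      /* rounds r (even) and r+1 (odd) */
        D0 = FL(D0, r);
        D1 = FL(D1, r + 1);
        D1 ^= FO(D0, r);
        D0 ^= FO(D1, r + 1);
    }
    D0 = FL(D0, 8);                       /* final */
    D1 = FL(D1, 9);
    return ((uint64_t)D1 << 32) | D0;     /* halves are swapped in C */
}

uint64_t decrypt_block(uint64_t C) {
    uint32_t D0 = (uint32_t)C, D1 = (uint32_t)(C >> 32);
    D0 = FLINV(D0, 8);
    D1 = FLINV(D1, 9);
    for (int r = 6; r >= 0; r -= 2) {     /* same subkey indices, reverse order */
        D0 ^= FO(D1, r + 1);
        D1 ^= FO(D0, r);
        D0 = FLINV(D0, r);
        D1 = FLINV(D1, r + 1);
    }
    return ((uint64_t)D0 << 32) | D1;
}

int main(void) {
    uint64_t P = 0x0123456789abcdefULL, C = encrypt_block(P);
    printf("P=%016llx C=%016llx D(C)=%016llx\n", (unsigned long long)P,
           (unsigned long long)C, (unsigned long long)decrypt_block(C));
    return decrypt_block(C) == P ? 0 : 1;
}
```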
3. Object Identifier
The Object Identifier for MISTY1 in Cipher Block Chaining (CBC) mode
is as follows:
MISTY1-CBC OBJECT IDENTIFIER ::=
{iso(1) member-body(2) jisc(392)
mitsubishi-electric-corporation(200011) isl(61) security(1)
algorithm(1) symmetric-encryption-algorithm(1) misty1-cbc(1)}
MISTY1-CBC needs an Initialization Vector (IV), like other
algorithms such as DES-CBC and DES-EDE3-CBC. To determine
the value of the IV, MISTY1-CBC takes a parameter as:
MISTY1-CBC Parameter ::= IV
where IV ::= OCTET STRING -- 8 octets.
When this Object Identifier is used, the plaintext is padded before
it is encrypted. At least 1 padding octet is appended at the end of
the plaintext to make the length of the plaintext a multiple of 8
octets. The value of each of these octets is the same as the number
of appended octets. (E.g., if 5 octets are needed to pad, the value
is 0x05.)
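The padding rule above, written out in C as an added example (not code from RFC 2994). The function names misty1_cbc_pad and misty1_cbc_unpad are hypothetical and the sample message in main() is constructed; the unpad side rejects any buffer whose trailing octets do not all carry the pad length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8  /* MISTY1 block size in octets */

/* Hypothetical helper: copy `len` octets of `in` to `out` and append padding.
   Returns the padded length, or 0 if `cap` is too small. */
size_t misty1_cbc_pad(const uint8_t *in, size_t len, uint8_t *out, size_t cap) {
    size_t n = BLOCK - (len % BLOCK);   /* 1..8: an aligned input gets a full block */
    if (len + n > cap) return 0;
    if (len) memcpy(out, in, len);
    memset(out + len, (int)n, n);       /* every pad octet holds the pad count */
    return len + n;
}

/* Hypothetical helper: validate padding on a decrypted buffer.
   Returns the plaintext length, or -1 if the padding is malformed. */
long misty1_cbc_unpad(const uint8_t *buf, size_t len) {
    if (len == 0 || len % BLOCK != 0) return -1;
    uint8_t n = buf[len - 1];
    if (n < 1 || n > BLOCK) return -1;
    uint8_t bad = 0;
    for (size_t i = 0; i < n; i++)      /* check all n octets, not only the last */
        bad |= (uint8_t)(buf[len - 1 - i] ^ n);
    return bad ? -1 : (long)(len - n);
}

int main(void) {
    const uint8_t msg[3] = { 0xaa, 0xbb, 0xcc };   /* constructed sample input */
    uint8_t out[16];
    size_t padded = misty1_cbc_pad(msg, sizeof msg, out, sizeof out);
    for (size_t i = 0; i < padded; i++) printf("%02x ", out[i]);
    printf("\nunpadded length: %ld\n", misty1_cbc_unpad(out, padded));
    return 0;
}
```

Under this rule a 16-octet plaintext pads to 24 octets. The CBC ciphertext listed in Appendix A is 16 octets long, so it shows the two data blocks without a padding block.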
4. Security Considerations
The algorithm described in this document is designed in
consideration of the theory of provable security against differential
cryptanalysis and linear cryptanalysis [2][3][4]. According to the
recent result, when the algorithm consists of 8 rounds, both the
differential characteristic probability and the linear characteristic
probability are 2^-140. For reference, the probabilities of DES are
2^-62 and 2^-46, respectively.
5. Legal Issues
A patent application covering the algorithm description has been
filed in several countries as PCT/JP96/02154. However, the algorithm
is freely available for academic (non-profit) use. Additionally, the
algorithm can be used commercially without paying the patent fee if
you enter into a contract with Mitsubishi Electric Corporation. For
more information, please contact MISTY@isl.melco.co.jp.
6. References
[1] M. Matsui, "New Block Encryption Algorithm MISTY", Fast Software
Encryption - 4th International Workshop (FSE'97), LNCS 1267,
Springer Verlag, 1997, pp.54-68
[2] K. Nyberg and L.R. Knudsen, "Provable Security Against a
Differential Attack", Journal of Cryptology, Vol.8, No.1, 1995,
pp. 27-37
[3] K. Nyberg, "Linear Approximation of Block Ciphers", Advances in
Cryptology - Eurocrypt'94, LNCS 950, Springer Verlag, 1995,
pp.439-444
[4] M. Matsui, "New Structure of Block Ciphers with Provable
Security Against Differential and Linear Cryptanalysis", Fast
Software Encryption - Third International Workshop, LNCS 1039,
Springer Verlag, 1996, pp.205-218
7. Authors' Addresses
Hidenori Ohta
Mitsubishi Electric Corporation, Information Technology R&D Center
5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan
Phone: +81-467-41-2183
Fax: +81-467-41-2185
EMail: hidenori@iss.isl.melco.co.jp
Mitsuru Matsui
Mitsubishi Electric Corporation, Information Technology R&D Center
5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan
Phone: +81-467-41-2181
Fax: +81-467-41-2185
EMail: matsui@iss.isl.melco.co.jp
Appendix A. Example Data of MISTY1
Here is an example ciphertext of MISTY1 when the key and the
plaintext are set to the following values.
Key: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
Plaintext: 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
Ciphertext: 8b 1d a5 f5 6a b3 d0 7c 04 b6 82 40 b1 3b e9 5d
In the above example, because the plaintext has a length of 128 bits,
MISTY1 is applied twice, once to each 64-bit block, namely ECB mode.
The following example is the ciphertext of MISTY1 in CBC mode.
Key: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
IV: 01 02 03 04 05 06 07 08
Plaintext: 01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10
Ciphertext: 46 1c 1e 87 9c 18 c2 7f b9 ad f2 d8 0c 89 03 1f
Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.