Proposal of MISTY1 as a Block Cipher of Cipher Suites in TLS

Hirosato Tsuji Toshio Tokita Mitsubishi

Electric Corporation

2000/08/01 48th IETF, Pittsburgh, PA, USA 2

Presentation Agenda

♦ Current Status and Next Steps of MISTY1 to support TLS

♦Block Cipher “MISTY1”

--- by Toshio Tokita

--- by Hirosato Tsuji

Block Cipher

Toshio TokitaMitsubishi Electric Corporation

MISTY@isl.melco.co.jp

MISTY1

2000/08/01 48th IETF, Pittsburgh, PA, USA 4

Overview♦Secret-key block cipher

64-bit block, 128-bit key, a variable number of rounds (8-round recommended)

proposed by M.Matsui (Mitsubishi) in 1996 at Fast Software Encryption Workshop “FSE4”

♦ Widely used in many applications: Governmental applications:

Public transportation systems, Secure network systems, etc,etc

Commercial products: S/MIME E-mail software, VPN(Routers/Hubs), Encryption LSI, PKI Software & services, etc, etc

2000/08/01 48th IETF, Pittsburgh, PA, USA 5

Recent News♦ “KASUMI” has been adopted as a

mandatory algorithm for data confidentiality and data integrity in W-CDMA by 3GPP. (March, 2000)

♦ KASUMI will be also used in current GSM systems as an alternative for A5.

♦ KASUMI is a variant of MISTY1 designed for W-CDMA systems.

“KASUMI”=“MIST” 3GPP: 3rd Generation Partnership Project

2000/08/01 48th IETF, Pittsburgh, PA, USA 6

Pointers♦ ISO9979 No.13 (algorithm registration)

♦ URL for Internet-Draft : http://www.ietf.org/internet-drafts/draft-ohta-misty1desc-02.txt

♦ Specifications http://www.mitsubishi.com/ghp_japan/misty/misty_e_b.pdf

♦ Royalty Free License http://www.mitsubishi.com/ghp_japan/misty/licensee.htm

MISTY1 essential patent is licensed under royalty free conditions.

2000/08/01 48th IETF, Pittsburgh, PA, USA 7

Design Criteria

♦High security: – Provable security against differential and linear cryptanalysis

♦Multi platform:– High speed in both software and hardware implementations

♦Compact:– Low gate count and low power consumption in hardware

2000/08/01 48th IETF, Pittsburgh, PA, USA 8

High security♦ MISTY1 is designed to be highly

secure as a 64-bit block cipher; particularly to be provably secure against differential and linear cryptanalysis.

� Differential Cryptanalysis Differential Cryptanalysis (Biham, Shamir 1990)– First DES attack faster than an exhaustive key search

� Linear Cryptanalysis Linear Cryptanalysis (Matsui 1993)– First successful computer experiment for breaking DES

Powerful Cryptographic AttacksPowerful Cryptographic Attacks

2000/08/01 48th IETF, Pittsburgh, PA, USA 9

Multi Platform

♦ MISTY1 is designed to be sufficiently fast in

both software and hardware implementations. Ex1) Pentium III (800MHz) (Assembly Language Program)

Encryption speed 230Mbps

Ex2) ASIC H/W (Mitsubishi 0.35 micron CMOS Design Library)

Encryption speed 800Mbps

Gate size 50Kgates

2000/08/01 48th IETF, Pittsburgh, PA, USA 10

Compact

♦ Encryption/decryption logics of MISTY1

can be realized in very compact size.

Ex) ASIC (Mitsubishi 0.35 micron CMOS Design Library)

Gate size 7.6Kgates

Encryption speed 72Mbps

Note:

A requirement for W-CDMA encryption algorithm:

“gate size must be smaller than 10Kgates”

2000/08/01 48th IETF, Pittsburgh, PA, USA 11

Structure of MISTY

ＦＯ

ＦＯ

ＦＯ

ＦＯ

ＦＩ

ＦＩ

ＦＩ

Ｓ９

Ｓ７

Ｓ９

３２

３２

１６

１６

９

７

Pla in t e xt

C iphe r t e xt

ＦＬ ＦＬ

ＦＬ ＦＬ

ＦＬ ＦＬ

St ruc t ure o f MISTY1

Re c urs iv e s t ruc t ure 1 （ＦＯ func t ion）

Re c urs iv e s t ruc t re 2 （ＦI func t ion）

2000/08/01 48th IETF, Pittsburgh, PA, USA 12

Hardware

M16C Core

Memory

Rnd. Num. Gen.

RSA core

MISTY1 core M16C(CPU)

Current Status and Next Steps of MISTY1

to support TLS

Hirosato Tsuji

Mitsubishi Electric Corporation

<hirosato@iss.isl.melco.co.jp>

2000/08/01 48th IETF, Pittsburgh, PA, USA 14

Summary

♦ What is MISTY1?– High security, Multi platform, Compact,

Block cipher

♦ In this presentation– Actual Application of MISTY1– Proposal of MISTY1– Current Status to support TLS– Next Steps to support TLS

2000/08/01 48th IETF, Pittsburgh, PA, USA 15

Actual Application of MISTY1 (1) Secure E-mail Systems

♦ S/MIME-based e-mail application♦ Extended S/MIME V2 specification♦ Implemented by Mitsubishi and other

Japanese venders♦ Interoperability had been confirmed

between these venders

2000/08/01 48th IETF, Pittsburgh, PA, USA 16

Actual Application of MISTY1 (2) Secure Web Access Systems

♦ Secure Web Access Systems– provide authentication, access control,

integrity and confidentiality

♦ Implemented on the HTTP and TCP ( sorry, not on TLS )

♦ Contents is encrypted by MISTY1

2000/08/01 48th IETF, Pittsburgh, PA, USA 17

Actual Application of MISTY1 (3) Other Apps based on MISTY Toolkit

♦ MISTY Cryptographic / PKI Toolkit– Content Encryption Algorithm in PKCS #7– Encryption Scheme ( Symmetric Cipher )

for PKCS #5 Password-based Encryption

♦ Other Apps implemented on Toolkit– Secure Contents Distribution Systems– Governmental Services

2000/08/01 48th IETF, Pittsburgh, PA, USA 18

Proposal of MISTY1

♦ As ONE of block ciphers of Cipher Suites for TLS 1.0

♦ Reason to use MISTY1– Suitable Block Cipher– Royalty Free License

– Applied to Actual Internet Applications

2000/08/01 48th IETF, Pittsburgh, PA, USA 19

Current Status to support TLS

♦ Submit Internet Draft of Description of MISTY1– posted.

♦ Make a presentation of MISTY1 at 48th IETF, Pittsburgh, PA– now.

2000/08/01 48th IETF, Pittsburgh, PA, USA 20

Next Steps to support TLS

♦ Proceed Internet Draft of Description of MISTY1 to Informational RFC

♦ Submit Internet Draft of MISTY1-based Cipher Suites for TLS 1.0

♦ Request TLS WG to assign the Register Number of these Cipher Suites

2000/08/01 48th IETF, Pittsburgh, PA, USA 21

Next Steps to support TLS (continued)

♦ Implementing TLS 1.0 with MISTY1– processing now with OpenSSL