On non-pseudorandomness from block ciphers with provable immunity against linear cryptanalysis

Weakness of a block cipher, which has provable immunity against linear cryptanalysis, is investigated. To this end, the round transformation used in MISTY, which is a data encryption algorithm recently proposed by M. Matsui from Mitsubishi Electric Corporation, is compared to the round transformation of DES from the point of view of pseudorandom generation. An important property of the MISTY cipher is that, in terms of theoretically provable resistance against linear and differential cryptanalysis, which are the most powerful cryptanalytic attacks known to date, it is more robust than the Data Encryption Standard or DES. This property can be attributed to the application of a new round transform in the MISTY cipher, which is obtained by changing the location of the basic round-function in a transform used in DES. Cryptographic roles of the transform used in the MISTY cipher are the main focus of this paper. Our research reveals that when used for constructing pseudorandom permutations, the transform employed by the MISTY cipher is inferior to the transform in DES, though the former is superior to the latter in terms of strength against linear and differential attacks. More specifically, we show that a 3-round (4-round, respectively) concatenation of transforms used in the MISTY cipher is not a pseudorandom (super pseudorandom, respectively) permutation. For comparison, we note that with three (four, respectively) rounds, transforms used in DES yield a pseudorandom (super pseudorandom, respectively) permutation. Another contribution of this paper is to show that a 3-round concatenation of transforms used in (the preliminary version of) the MISTY cipher has an algebraic property, which may open a door for various cryptanalytic attacks. These results clearly indicate that provable immunity against linear and differential cryptanalysis is not sufficient for designing a secure block cipher, and the security of the MISTY cipher will remain open until a close examination of its resistance is conducted against other cryptanalytic attacks than the linear or differential attack.