M8 (cipher)
General | |
---|---|
Designers | Hitachi |
First published | 1999 |
Derived from | M6 |
Cipher detail | |
Block sizes | 64 bits |
Structure | Feistel network |
Rounds | Variable |
In cryptography, M8 is a block cipher designed by Hitachi in 1999. It is a modification of Hitachi's earlier M6 algorithm, designed for greater security and high performance in both hardware and 32-bit software implementations. M8 was registered by Hitachi in March 1999 as ISO/IEC 9979-0020.[1]
Like M6, M8 is a Feistel cipher with a block size of 64 bits. The round function can include 32-bit rotations, XORs, and modular addition, making it an early example of an ARX cipher.
The cipher features a variable number of rounds (any positive integer N), each of which has a structure determined by a round-specific "algorithm decision key". Making the rounds key-dependent is intended to make cryptanalysis more difficult (see FROG for a similar design philosophy).
Cipher description
The round count is customizable and can be any positive integer N. The key consists of four components: a 64-bit data key, a 256-bit key expansion key, a set of N 24-bit algorithm decision keys, and a set of N 96-bit algorithm expansion keys.
Test vectors
The published version of ISO/IEC 9979-0020 includes the following test data:
- Round number: 126
- Key expansion key: 0^256 (an all-zeros vector)
- Data key: 0123 4567 89AB CDEF in hex
- Algorithm decision key:
  - rounds 1, 5, 9, ...: 848B6D hex
  - rounds 2, 6, 10, ...: 8489BB hex
  - rounds 3, 7, 11, ...: 84B762 hex
  - rounds 4, 8, 12, ...: 84EDA2 hex
- Algorithm expansion key: 0000 0001 0000 0000 0000 0000 hex for all rounds
- Plaintext: 0000 0000 0000 0001 hex
- Ciphertext after 7 rounds: C5D6 FBAD 76AB A53B hex
- Ciphertext after 14 rounds: 6380 4805 68DB 1895 hex
- Ciphertext after 21 rounds: 2BFB 806E 1292 5B18 hex
- Ciphertext after 28 rounds: F610 6A41 88C5 8747 hex
- Ciphertext after 56 rounds: D3E1 66E9 C50A 10A2 hex
- Final ciphertext after 126 rounds: FE4B 1622 E446 36C0 hex
Cryptanalysis
The key-dependent behaviour of the cipher results in a large class of weak keys which expose the cipher to a range of attacks, including differential cryptanalysis, linear cryptanalysis and mod n cryptanalysis.[2]
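To illustrate how key-selected round operations (described in the introduction) can produce weak keys, here is an added toy example; it is not M8 and not taken from ISO/IEC 9979-0020 or the cited paper. The decision-key bit layout, the round function, the constants and all function names are assumptions made for the illustration: a decision key that never selects modular addition leaves the whole toy cipher affine over GF(2), which a designer can screen for with a simple linearity check.

```python
import random

MASK = 0xFFFFFFFF
ROUNDS = 8
# Constructed sample key material (not from ISO/IEC 9979-0020).
SUBKEYS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(ROUNDS)]
ROTATIONS = (3, 7, 11, 13, 17, 19, 23, 29)
XOR_ONLY_DECISIONS = [r << 1 for r in ROTATIONS]      # bit 0 clear in every round
MIXED_DECISIONS = [(r << 1) | 1 for r in ROTATIONS]   # bit 0 set: modular addition

def rotl(x, r):
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK

def round_fn(x, decision, subkey):
    # Hypothetical decision-key layout: bit 0 selects ADD (1) or XOR (0),
    # bits 1-5 give the rotation amount. M8's real layout is not on this page.
    mixed = (x + subkey) & MASK if decision & 1 else x ^ subkey
    return rotl(mixed, decision >> 1)

def encrypt(block, decisions, subkeys):
    left, right = block >> 32, block & MASK
    for d, k in zip(decisions, subkeys):
        left, right = right, left ^ round_fn(right, d, k)
    return (left << 32) | right

def decrypt(block, decisions, subkeys):
    # Feistel rounds invert regardless of which operations the key selected.
    left, right = block >> 32, block & MASK
    for d, k in zip(reversed(decisions), reversed(subkeys)):
        left, right = right ^ round_fn(left, d, k), left
    return (left << 32) | right

def looks_affine(decisions, subkeys, trials=64, seed=1):
    # An affine map over GF(2) satisfies E(a)^E(b)^E(c) == E(a^b^c) for all inputs.
    rng = random.Random(seed)
    enc = lambda x: encrypt(x, decisions, subkeys)
    for _ in range(trials):
        a, b, c = (rng.getrandbits(64) for _ in range(3))
        if enc(a) ^ enc(b) ^ enc(c) != enc(a ^ b ^ c):
            return False
    return True

if __name__ == "__main__":
    for name, dk in (("xor-only", XOR_ONLY_DECISIONS), ("mixed", MIXED_DECISIONS)):
        ct = encrypt(1, dk, SUBKEYS)
        assert decrypt(ct, dk, SUBKEYS) == 1
        print(name, f"{ct:016X}", "affine" if looks_affine(dk, SUBKEYS) else "non-affine")
```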
References
1. "ISO/IEC9979-0020 Register Entry" (PDF). Professor Chris Mitchell, Information Security Group, Royal Holloway, University of London. ISO/IEC 9979 Register of Cryptographic Algorithms.
2. Toshio Tokita; Tsutomu Matsumoto. "On Applicability of Differential Cryptanalysis, Linear Cryptanalysis and Mod n Cryptanalysis to an Encryption Algorithm M8 (ISO9979-20)". IPSJ Journal. 42 (8).