M8 (cipher)

M8
General
Designers	Hitachi
First published	1999
Derived from	M6
Cipher detail
Block sizes	64 bits
Structure	Feistel network
Rounds	Variable

Last updated August 31, 2024

In cryptography, M8 is a block cipher designed by Hitachi in 1999. It is a modification of Hitachi's earlier M6 algorithm, designed for greater security and high performance in both hardware and 32-bit software implementations. M8 was registered by Hitachi in March 1999 as ISO/IEC 9979-0020.^[1]

Cipher description

The round count can be set to any positive integer N, but a round count of at least 10 is recommended. The key consists of four components: a 64-bit data key, 256-bit key expansion key, a set of N 24-bit algorithm decision keys, and a set of N 96-bit algorithm expansion keys.

The round function is used for both key expansion and encryption/decryption. The key expansion process transforms the 64-bit data key and 256-bit key expansion key into a 256-bit execution key, consisting of 4 pairs of 32-bit numbers $K_{R_{0}},K_{L_{0}},...,K_{R_{3}},K_{L_{3}}$ .

The cipher has a typical Feistel cipher design. First, the 64-bit input block is split into two 32-bit halves. In each round, the left half undergoes a key-dependent transformation, and is then combined with the right half. Finally, the halves are swapped. In total, the round function consists of a sequence of nine customizable operations and three bitwise rotations:

${\begin{aligned}R_{i+1}&=L_{i}\\x&=L_{i}\operatorname {op} _{1}K_{L_{i{\bmod {4}}}}\\y&=((x<<<S_{1})\operatorname {op} _{2}x)\operatorname {op} _{3}\alpha \\z&=(((y<<<S_{2})\operatorname {op} _{4}y)\operatorname {op} _{5}\beta )\operatorname {op} _{6}K_{R_{i{\bmod {4}}}}\\L_{i+1}&=(((z<<<S_{3})\operatorname {op} _{7}z)\operatorname {op} _{8}\gamma )\operatorname {op} _{9}R_{i}\end{aligned}}$

$i$ denotes the round number, which takes inputs $L_{i}$ and $R_{i}$ . $\alpha ,\beta ,\gamma$ are the three 32-bit words of the round's algorithm expansion key. $K_{R_{i{\bmod {4}}}},K_{L_{i{\bmod {4}}}}$ are words from the execution key. $<<<$ denotes a left bitwise rotation. $\operatorname {op} _{j}$ and $S_{k}$ are defined by the 24-bit algorithm decision key as follows:

MSB                                      LSB op1 op2 op3 op4 op5 op6 op7 op8 op9 S1 S2 S3

where op1 to op9 are each one bit (0 = addition mod 2³², 1 = XOR) and S1 to S3 are five bits each.

Key expansion consists of eight cipher rounds, using the first eight algorithm decision and expansion keys, the key expansion key as the execution key, and the data key as the input block. The eight intermediate outputs, $L_{1},L_{2},...,L_{7},L_{8}$ are used as the eight components of the execution key $K_{R_{0}},K_{L_{0}},...,K_{R_{3}},K_{L_{3}}$ .

Cipher implementation

The following is an implementation of the cipher in Python.

# https://en.wikipedia.org/wiki/M8_(cipher)M=0xffffffffdefadd(x,y):return(x+y)&Mdefxor(x,y):returnx^ydefrol(x,s):return((x<<s)|(x>>(32-s)))&Mdefm8_round(L,R,ri,k,adk,aek):"""    One round of the algorithm.    L, R: input    ri: round index    k: 256-bit execution key    adk: 24-bit algorithm decision key    aek: 96-bit algorithm expansion key    """op=[[add,xor][(adk>>(23-i))&1]foriinrange(9)]S1=(adk>>10)&0x1fS2=(adk>>5)&0x1fS3=(adk>>0)&0x1fA=(aek>>64)&MB=(aek>>32)&MC=(aek>>0)&MKR=(k>>(32+64*(3-ri%4)))&MKL=(k>>(0+64*(3-ri%4)))&Mx=op[0](L,KL)y=op[2](op[1](rol(x,S1),x),A)z=op[5](op[4](op[3](rol(y,S2),y),B),KR)returnop[8](op[7](op[6](rol(z,S3),z),C),R),Ldefm8_keyexpand(dk,kek,adks,aeks):"""    Key expansion.    dk: 64-bit data key    kek: 256-bit key expansion key    adks: algorithm decision keys    aeks: algorithm expansion keys    """L=(dk>>32)&MR=(dk>>0)&Mk=0foriinrange(8):L,R=m8_round(L,R,i,kek,adks[i],aeks[i])k|=(L<<(32*(7-i)))returnkdefm8_encrypt(data,N,dk,kek,adks,aeks):"""    Encrypt one block with M8.    data: 64-bit input block    N: number of rounds (must be >= 8)    dk: 64-bit data key    kek: 256-bit key expansion key    adks: a list of N 24-bit algorithm decision keys    aeks: a list of N 96-bit algorithm expansion keys    """ek=m8_keyexpand(dk,kek,adks,aeks)L=(data>>32)&MR=(data>>0)&Mforiinrange(N):L,R=m8_round(L,R,i,ek,adks[i],aeks[i])return(L<<32)|R# Published test vector from ISO/IEC 9979/0020result=m8_encrypt(0x0000_0000_0000_0001,126,0x0123_4567_89AB_CDEF,0,[0x848B6D,0x8489BB,0x84B762,0x84EDA2]*32,[0x0000_0001_0000_0000_0000_0000]*126,)assertresult==0xFE4B_1622_E446_36C0

Test vectors

The published version of ISO/IEC 9979-0020 includes the following test data:

Round number: 126
Key expansion key: 0²⁵⁶ (an all-zeros vector)
Data key: 0123 4567 89AB CDEF in hex
Algorithm decision key:
rounds 1, 5, 9, ...: 848B6D hex
rounds 2, 6, 10, ...: 8489BB hex
rounds 3, 7, 11, ...: 84B762 hex
rounds 4, 8, 12, ...: 84EDA2 hex
Algorithm expansion key: 0000 0001 0000 0000 0000 0000 hex for all rounds
Plaintext: 0000 0000 0000 0001 hex
Ciphertext after 7 rounds: C5D6 FBAD 76AB A53B hex
Ciphertext after 14 rounds: 6380 4805 68DB 1895 hex
Ciphertext after 21 rounds: 2BFB 806E 1292 5B18 hex
Ciphertext after 28 rounds: F610 6A41 88C5 8747 hex
Ciphertext after 56 rounds: D3E1 66E9 C50A 10A2 hex
Final ciphertext after 126 rounds: FE4B 1622 E446 36C0 hex

Cryptanalysis

The key-dependent behaviour of the cipher results in a large class of weak keys which expose the cipher to a range of attacks, including differential cryptanalysis, linear cryptanalysis and mod n cryptanalysis.^[2]

Related Research Articles

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

Blowfish is a symmetric-key block cipher, designed in 1993 by Bruce Schneier and included in many cipher suites and encryption products. Blowfish provides a good encryption rate in software, and no effective cryptanalysis of it has been found to date for smaller files. It is recommended Blowfish should not be used to encrypt files larger than 4GB in size, Twofish should be used instead.

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.

In cryptography, linear cryptanalysis is a general form of cryptanalysis based on finding affine approximations to the action of a cipher. Attacks have been developed for block ciphers and stream ciphers. Linear cryptanalysis is one of the two most widely used attacks on block ciphers; the other being differential cryptanalysis.

In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5.

In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext. Ciphertext is not to be confused with codetext because the latter is a result of a code, not a cipher.

KASUMI is a block cipher used in UMTS, GSM, and GPRS mobile communications systems. In UMTS, KASUMI is used in the confidentiality (f8) and integrity algorithms (f9) with names UEA1 and UIA1, respectively. In GSM, KASUMI is used in the A5/3 key stream generator and in GPRS in the GEA3 key stream generator.

In cryptography, NewDES is a symmetric key block cipher. It was created in 1984–1985 by Robert Scott as a potential DES replacement.

The rail fence cipher is a classical type of transposition cipher. It derives its name from the manner in which encryption is performed, in analogy to a fence built with horizontal rails.

The slide attack is a form of cryptanalysis designed to deal with the prevailing idea that even weak ciphers can become very strong by increasing the number of rounds, which can ward off a differential attack. The slide attack works in such a way as to make the number of rounds in a cipher irrelevant. Rather than looking at the data-randomizing aspects of the block cipher, the slide attack works by analyzing the key schedule and exploiting weaknesses in it to break the cipher. The most common one is the keys repeating in a cyclic manner.

In cryptography, an interpolation attack is a type of cryptanalytic attack against block ciphers.

ShāngMì 4 is a block cipher used in the Chinese National Standard for Wireless LAN WAPI and also used with Transport Layer Security.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.

<span class="mw-page-title-main">Key encapsulation mechanism</span>

In cryptography, a key encapsulation mechanism, or KEM, is a public-key cryptosystem that allows a sender to generate a short secret key and transmit it to a receiver securely, in spite of eavesdropping and intercepting adversaries.

Speck is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Speck has been optimized for performance in software implementations, while its sister algorithm, Simon, has been optimized for hardware implementations. Speck is an add–rotate–xor (ARX) cipher.

Simon is a family of lightweight block ciphers publicly released by the National Security Agency (NSA) in June 2013. Simon has been optimized for performance in hardware implementations, while its sister algorithm, Speck, has been optimized for software implementations.

A biclique attack is a variant of the meet-in-the-middle (MITM) method of cryptanalysis. It utilizes a biclique structure to extend the number of possibly attacked rounds by the MITM attack. Since biclique cryptanalysis is based on MITM attacks, it is applicable to both block ciphers and (iterated) hash-functions. Biclique attacks are known for having weakened both full AES and full IDEA, though only with slight advantage over brute force. It has also been applied to the KASUMI cipher and preimage resistance of the Skein-512 and SHA-2 hash functions.

The 3-subset meet-in-the-middleattack is a variant of the generic meet-in-the-middle attack, which is used in cryptology for hash and block cipher cryptanalysis. The 3-subset variant opens up the possibility to apply MITM attacks on ciphers, where it is not trivial to divide the keybits into two independent key-spaces, as required by the MITM attack.

References

↑ "ISO/IEC9979-0020 Register Entry" (PDF). Professor Chris Mitchell, Information Security Group, Royal Holloway, University of London . ISO/IEC 9979 Register of Cryptographic Algorithms.
↑ Toshio Tokita; Tsutomu Matsumoto. "On Applicability of Differential Cryptanalysis, Linear Cryptanalysis and Mod n Cryptanalysis to an Encryption Algorithm M8 (ISO9979-20)". Ipsj Journal. 42 (8).

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "ISO/IEC9979-0020 Register Entry" (PDF). Professor Chris Mitchell, Information Security Group, Royal Holloway, University of London . ISO/IEC 9979 Register of Cryptographic Algorithms.

[2] Toshio Tokita; Tsutomu Matsumoto. "On Applicability of Differential Cryptanalysis, Linear Cryptanalysis and Mod n Cryptanalysis to an Encryption Algorithm M8 (ISO9979-20)". Ipsj Journal. 42 (8).

[1]

[2]