M6 (cipher)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
First published1997
Cipher detail
Key sizes40–64 bits
Block sizes64 bits
StructureFeistel network
Best public cryptanalysis
Mod n cryptanalysis: 1 known plaintext allows recovering the key with about 235 trial encryptions; "a few dozen" known plaintexts reduces this to about 231

In cryptography, M6 is a block cipher proposed by Hitachi in 1997 for use in the IEEE 1394 FireWire standard. The design allows some freedom in choosing a few of the cipher's operations, so M6 is considered a family of ciphers. Due to export controls, M6 has not been fully published; nevertheless, a partial description of the algorithm based on a draft standard is given by Kelsey, et al. in their cryptanalysis of this family of ciphers.[1]

The algorithm operates on blocks of 64 bits using a 10-round Feistel network structure. The key size is 40 bits by default, but can be up to 64 bits. The key schedule is very simple, producing two 32-bit subkeys: the high 32 bits of the key, and the sum mod 232 of this and the low 32 bits.

Because its round function is based on rotation and addition, M6 was one of the first ciphers attacked by mod n cryptanalysis.[1] Mod 5, about 100 known plaintexts suffice to distinguish the output from a pseudorandom permutation. Mod 257, information about the secret key itself is revealed. One known plaintext reduces the complexity of a brute force attack to about 235 trial encryptions; "a few dozen" known plaintexts lowers this number to about 231. Due to its simple key schedule, M6 is also vulnerable to a slide attack, which requires more known plaintext but less computation.


  1. ^ a b John Kelsey, Bruce Schneier, David Wagner (March 1999). Mod n Cryptanalysis, with Applications Against RC5P and M6 (PDF/PostScript). 6th International Workshop on Fast Software Encryption (FSE '99). Rome: Springer-Verlag. pp. 139–155. Retrieved 25 January 2007.{{cite conference}}: CS1 maint: multiple names: authors list (link)