3

I read about the AEZ encryption scheme as presented at the CAESAR competition. To me it seems like a construction of an arbitrary length block cipher from a smaller one. The key component is the mixing function. (See the figureā€¦ Left: without cipher text stealing, Right: with cipher text stealing.)

Mixing

Image source: http://www.cs.ucdavis.edu/~rogaway/aez/aez.pdf

In my opinion the properties of a mixing function would be:

  • keyable with good avalanche effect
  • no need to be cryptographically secure
  • arbitrary length
  • reversible
  • fast (at least faster than encryption cipher)

AEZ uses reduced round AES as the core of its mixing function. Overall operation time is about 1.8 AES (as mentioned in the document). This algorithm will be bound to the AES cipher.

I wonder, is there an alternative mix function with these properties floating around?

Glorfindel
  • 506
  • 1
  • 11
  • 22
Curious Sam
  • 261
  • 2
  • 7

1 Answers1

3

I read about the AEZ encryption scheme as presented at the CAESAR competition. To me it seems like a construction of an arbitrary length block cipher from a smaller one.

The construction is only used in the v1.x of AEZ, because it requires appriximately 1.8 AES calls per block of plaintext, while the one used in v2.0 requires only 1 AES per block asymptotically. It is originally due to Naor and Reingold.

It is more like a block cipher mode than a way to construct a larger block size cipher from a smaller one. Specifically, it does not improve the birthday bound which limits the number of blocks encrypted to less than the square root of block size (i.e. $2^{64}$ for AES).

In my opinion the properties of a mixing function would be:

The requirements for the mixing function are given in the paper above. It is enough that the functions MIX and MIXI are pairwise independent permutations, but that is not a strict requirement. Instead it is enough that they are $\epsilon$-AXU2: $\forall x \not = y, z \in \{0,1\}^n: P[f(x) \oplus f(y) = z] \le \epsilon$.

The paper NR mode of operation (ps) refers to several types of functions that fit the bill if you are interested in using something else.

otus
  • 32,462
  • 5
  • 75
  • 167