mixFeed Mode of Authenticated Encryption

minimally xored Feedback or mixFeed in abbreviation, is an authenticated encryption scheme based on any block cipher with some key scheduling, that employs message-ciphertext feedback type encryption. mixFeed is a single state, inverse-free nonce dependent key based, mixture feedback type construction that requires only Xor Operations. To instantiate mixFeed, we propose AES'128 which is essentially AES-128 with a difference that we do the mixcolumn for the last round just to make all the rounds symmetric.


1. Nonce-dependent Key: At the very first step we compute the secret key based on nonce. So, for every encryption we use random keys. Even though due to some side channel analysis the secret key corresponding to a nonce N is released, the master key remains still secret and all encryption using nonce other than N remains good.

2. Single State: mixFeed has a state size as small as the block size of the underlying cipher, and it ensures good implementation characteristics both on lightweight and high-performance platforms. We moreover need not to hold the original key as we dynamically update the key based on the key scheduling algorithm used for the block cipher computation.

3. Inverse-Free: mixFeed is a inverse-free authenticated algorithm. Both encryption and verified decryption of the algorithm do not require any decryption call to the underlying twekable block cipher. This reduces the overall hardware footprint significantly, especially in the combined authenticated-encryption, verified-decryption implementations.

4. Minimally Xored mixture feedback As our name suggests, we use minimum number of xors to process each block. This makes the design simpler and having very low footprint in software. The rational behind having mixture of plaintext and ciphertext feedback is to achieve NIST aimed security. During encryption we ensure 192 bit entropy for each block process. We have 128 bit dynamic secret key and 64 bits LSB of the inputs have influence from 64 bits LSB of the previous block cipher call. While decrypt, we have 64 bit MSB of the previous outputs goes to the correspond position of the next input. This would provide about 64 bit security for forgery attempts.

5. Dynamic KeyWe compute the key dynamically as key schedules goes on. This helps us not to hold the master key as well not to expose a secret key multiple times. As the key-scheduling of AES128/128 is involved, the related-key security analysis of AES128/128 expected to be much harder than conventional xor-related key.

Mode Specification

mixFeed authenticated encryption mode receives an 128-bit encryption key K, an 120-bit nonce N, an associated data A of arbitrary length, and a message M of arbitrary length as inputs, and returns a ciphertext C of same length as that of the message, and an 128-bit tag T. mixFeed is a block cipher based authenticated encryption mode that employs feedback paradigm, where at first the Nonce and the Key is used to generate the block cipher key. Then Depending on the AD and MSG length the Nonce is padded with a 8-bit number and then this 128-bit modified nonce is used as the initial blockcipher input. Message blocks are Xored with the Block cipher outputs and then the upper half of the message and lower half of the ciphertext is used as the input for the next blockcipher. Finally after the last message block is processed an extra round of blockcipher is used to generate the tag. Due to this mixing of message-ciphertext to generate the next blockcipher input, this mode can also be called as mixfeedback mode. For further details see the submitted specs. For software implementation see implementation.

Block Cipher

AES'128 is essentially the same as AES-128 except we include the mixcolumn in the last round for the sake of symmetry of each round. The details of AES-128 can be found here.


Choice of mode Our primary goal is to design a lightweight cipher that should be efficient, provide high performance and able to perform well in low end devices. In addition, we also demand robustness in security.

Choice of Block cipher AES128/128 block cipher is well analyzed for long time and it remains secure. Moreover, in this proposal, a weaker security from AES128/128 would suffice. AES128/128 also performs very well in microcontroller based platform. We note that the last mix-column operation is included in our proposal to make it uniform over all rounds. This reduces additional MUX which was required to process last round for the original AES128/128.


The security levels of our recommended instanstiations are presented below in the Table. Note that the security of AES'128 is essentially same as that of AES-128.

Security model
  • Data complexity
  • (in bits)
  • Time complexity
  • (in bits)
IND-CPA 60 112
INT-CTXT 50 112


  1. Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Biclique cryptanalysis of the full AES. In Advances in Cryptology - ASIACRYPT 2011 - 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, pages 344–371, 2011.
  2. Lorenzo Grassi. Mixture differential cryptanalysis: a new approach to distinguishers and attacks on round-reduced AES. IACR Trans. Symmetric Cryptol., 2018(2):133–160, 2018.
  3. Lorenzo Grassi, Christian Rechberger, and Sondre Rønjom. Subspace trail cryptanalysis and its applications to AES. IACR Trans. Symmetric Cryptol., 2016(2):192–225, 2016.
  4. Lorenzo Grassi, Christian Rechberger, and Sondre Rønjom. A new structural-differential property of 5-round AES. In Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part II, pages 289–317, 2017.
  5. Khoongming Khoo, Eugene Lee, Thomas Peyrin, and Siang Meng Sim. Human-readable proof of the related-key security of AES-128. IACR Trans. Symmetric Cryptol., 2017(2):59–83, 2017.
  6. NIST. Announcing the ADVANCED ENCRYPTION STANDARD (AES). Fedral Information Processing Standards Publication FIPS 197, National Institute of Standards and Technology, U. S. Department of Commerce, 2001.
  7. Sondre Rønjom, Navid Ghaedi Bardeh, and Tor Helleseth. Yoyo tricks with AES. In Advances in Cryptology - ASIACRYPT 2017 - 23rd International Conference on the Theory and Applications of Cryptology and Information Security, Hong Kong, China, December 3-7, 2017, Proceedings, Part I, pages 217–243, 2017.