mixFeed Mode of Authenticated Encryption
Minimally Xored Feedback, abbreviated mixFeed, is an authenticated encryption scheme based on any block cipher with a key schedule, employing message-ciphertext feedback encryption. mixFeed is a single-state, inverse-free, nonce-dependent-key, mixture-feedback construction that requires only XOR operations. To instantiate mixFeed, we propose AES'128, which is essentially AES128 except that MixColumns is also performed in the last round, so that all rounds are symmetric.
Features
1. Nonce-dependent Key: At the very first step we compute the secret key from the nonce, so every encryption uses a random key. Even if side-channel analysis reveals the secret key corresponding to a nonce N, the master key remains secret and all encryptions using a nonce other than N remain good.
2. Single State: mixFeed has a state size as small as the block size of the underlying cipher, which ensures good implementation characteristics on both lightweight and high-performance platforms. Moreover, we need not hold the original key, as we dynamically update the key using the key scheduling algorithm of the block cipher.
3. Inverse-Free: mixFeed is an inverse-free authenticated encryption algorithm. Neither encryption nor verified decryption requires a decryption call to the underlying tweakable block cipher. This significantly reduces the overall hardware footprint, especially in combined authenticated-encryption and verified-decryption implementations.
4. Minimally Xored mixture feedback: As the name suggests, we use the minimum number of XORs to process each block. This makes the design simpler and gives it a very low footprint in software. The rationale behind mixing plaintext and ciphertext feedback is to achieve the security level targeted by NIST. During encryption we ensure 192 bits of entropy for each block processed: we have a 128-bit dynamic secret key, and the 64 LSBs of the input are influenced by the 64 LSBs of the previous block cipher call. During decryption, the 64 MSBs of the previous output go to the corresponding position of the next input. This provides about 64-bit security against forgery attempts.
5. Dynamic Key: We compute the key dynamically as the key schedule goes on. This means we neither hold the master key nor expose a secret key multiple times. Because the key scheduling of AES128/128 is involved, the related-key security analysis of AES128/128 is expected to be much harder than for a conventional XOR-related key.
Mode Specification
The mixFeed authenticated encryption mode receives a 128-bit encryption key K, a 120-bit nonce N, associated data A of arbitrary length, and a message M of arbitrary length as inputs, and returns a ciphertext C of the same length as the message and a 128-bit tag T. mixFeed is a block cipher based authenticated encryption mode that employs the feedback paradigm. First, the nonce and the key are used to generate the block cipher key. Then, depending on the AD and message lengths, the nonce is padded with an 8-bit number, and this 128-bit modified nonce is used as the initial block cipher input. Message blocks are XORed with the block cipher outputs, and the upper half of the message and the lower half of the ciphertext are used as the input to the next block cipher call. Finally, after the last message block is processed, an extra block cipher call is used to generate the tag. Because of this mixing of message and ciphertext to generate the next block cipher input, the mode can also be called mix-feedback mode. For further details see the submitted specs. For software implementation see implementation.
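The data flow described above, as an added illustrative sketch; it is not the mixFeed reference implementation and does not interoperate with it. The SHA-256-based `E` and `next_key` stand in for AES'128 and its key-schedule update, the key derivation and the 8-bit padding value are constructed, and only whole 16-byte message blocks without associated data are handled. It shows that verified decryption needs only the forward cipher call.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit block and tag, as stated on the page

def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the forward block cipher call (assumption, NOT AES'128)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def next_key(key: bytes) -> bytes:
    """Stand-in for the key-schedule-based dynamic key update (assumption)."""
    return hashlib.sha256(b"ks" + key).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _run(master: bytes, nonce: bytes, data: bytes, decrypting: bool):
    if len(master) != BLOCK or len(nonce) != 15 or len(data) % BLOCK:
        raise ValueError("need 128-bit key, 120-bit nonce, whole blocks")
    key = E(master, nonce + b"\x00")  # nonce-dependent key (constructed derivation)
    x = nonce + b"\x01"               # nonce plus 8-bit value (placeholder constant)
    out = []
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        o = xor(blk, E(key, x))       # forward call only, in both directions
        m, c = (o, blk) if decrypting else (blk, o)
        x = m[:8] + c[8:]             # upper half of message, lower half of ciphertext
        key = next_key(key)           # key changes as the schedule goes on
        out.append(o)
    return b"".join(out), E(key, x)   # extra call after the last block yields the tag

def encrypt(master: bytes, nonce: bytes, msg: bytes):
    return _run(master, nonce, msg, decrypting=False)

def decrypt(master: bytes, nonce: bytes, ct: bytes, tag: bytes):
    msg, expected = _run(master, nonce, ct, decrypting=True)
    # Release the plaintext only if the recomputed tag matches (constant-time compare).
    return msg if hmac.compare_digest(expected, tag) else None
```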
Block Cipher
AES'128 is essentially the same as AES128, except that we include MixColumns in the last round so that every round is symmetric. The details of AES128 can be found here.
Rationale
Choice of mode: Our primary goal is to design a lightweight cipher that is efficient, provides high performance and performs well on low-end devices. In addition, we demand robustness in security.
Choice of block cipher: The AES128/128 block cipher has been well analyzed for a long time and remains secure. Moreover, in this proposal a weaker security level from AES128/128 would suffice. AES128/128 also performs very well on microcontroller-based platforms. We note that the last MixColumns operation is included in our proposal to make all rounds uniform. This saves the additional MUX that was required to process the last round in the original AES128/128.
Security
The security levels of our recommended instantiations are presented in the table below. Note that the security of AES'128 is essentially the same as that of AES128.
Security model
IND-CPA   60  112
INT-CTXT  50  112