Mercy: A fast large block cipher for disk sector encryption

Paul Crowley

In Bruce Schneier, editor, Fast Software Encryption: 7th International Workshop, volume 1978 of Lecture Notes in Computer Science, pages 49-63, New York, USA, April 2000. Springer-Verlag.

Abstract. We discuss the special requirements imposed on the underlying cipher of systems which encrypt each sector of a disk partition independently, and demonstrate a certificational weakness in some existing block ciphers including Bellare and Rogaway's 1999 proposal, proposing a new quantitative measure of avalanche. To address these needs, we present Mercy, a new block cipher accepting large (4096-bit) blocks, which uses a key-dependent state machine to build a bijective F function for a Feistel cipher. Mercy achieves 9 cycles/byte on a Pentium compatible processor.
Key words: disk sector, large block, state machine, avalanche, Feistel cipher.

Copyright © IACR (the International Association for Cryptologic Research); see the copyright form I signed for the obligations this places on me. Springer-Verlag's LNCS webpages are the primary source for this document.

On this website

Mercy is a fast block cipher operating on 4096-bit blocks, designed specifically around the needs of disk sector encryption. It takes a 128-bit parameter representing the block number being encrypted, so that saving the same plaintext to different blocks results in different ciphertexts. Mercy was presented at Fast Software Encryption 2000.

Mercy is weak: a highly effective differential cryptanalysis-based distinguisher across all six rounds was presented by Scott Fluhrer at FSE 2001. A new version of Mercy resistant to this attack may be forthcoming at some point; until then, Mercy should definitely not see real use.

Mercy carries no licensing restrictions, and all the source code here is placed in the public domain. I know of no patent restrictions affecting it.

Related resources