   Next: Design of Mercy Up: Mercy: a fast large Previous: Mercy design goals

Subsections

# Description of Mercy

Since most of Mercy's operations are based around 32-bit words, we define . Vectors are indexed from zero, so a vector of 128 32-bit numbers will be indexed as . The symbol represents bitwise exclusive OR; where appears in the figures with a square box around it, it represents addition in the ring . Least significant and lowest indexed bytes and words appear leftmost and uppermost in the figures.

Note that some details that would be needed to build a specification of Mercy-based file encryption sufficient for interoperability, such as byte ordering within words, are omitted since they are irrelevant for cryptanalytic purposes.

## T box

The box ( , Figure 1) is a key-dependent mapping of bytes onto words. represents multiplicative inverses in with polynomial base except that . are key dependent bijective affine mappings on . ## Operation M (Figure 2) is drawn from David Wheeler's stream cipher WAKE ; it's a simple, key-dependent mapping on 32-bit words. The most significant byte of the input word is looked up in the box, and the output XORred with the other three bytes shifted up eight bits; the construction of the box ensures that this mapping is bijective. ## Q state machine

The state machine (Figure 3) maps a four-word initial state and one word input onto a four-word final state and one word output ( ) using taps from a linear feedback shift register and a nonlinear mixing function.

## F function

The function ( ; Figure 4) accepts a 128-bit spice and a -bit input and generates a -bit output ( ). (usually just ) is the F function for the Feistel rounds. Here represents successive 128-bit states of a state machine; are the successive 32-bit inputs to the state machine, and are the outputs.               ## Round structure

Mercy uses a six round Feistel structure (Figure 5) with partial pre- and post-whitening; unusually, the final swap is not omitted. The spice (usually the sector number) goes through a spice scheduling'' procedure, analogous with key scheduling, through which the spice material'' is generated based on the input spice, using the variant of the function; this forms six 128-bit round spices''. Spice scheduling uses a dummy input to the F function; for this a vector of incrementing bytes is used. represents the plaintext, the ciphertext, and the whitening values. We describe decryption below; since Mercy is a straightforward Feistel cipher encryption follows in the straightforward way.               ## Key schedule

The key is used to seed a CPRNG from which key material is drawn;  is used in the sample implementation (after discarding 256 bytes of output), and is convenient since it's small and byte oriented, but any strong CPRNG will serve. Then the procedure in Figure 6 generates the substitutions and the 2048-bit whitening values .

An expected 10.6 random bytes will be drawn for each . Once have been determined, a 1k table representing the box can be generated. During normal use 1536 bytes of key-dependent tables are used.   Next: Design of Mercy Up: Mercy: a fast large Previous: Mercy design goals

mercy@paul.cluefactory.org.uk