2

The MEM-AEAD construction uses a 4-round Blake2b permutation in masked Even-Mansour mode as a (tweakable) block cipher.

4 rounds of the Blake2b permutation are already broken to my knowledge. Why are the designers justified in their choice?

Demi
  • For use in a hash function it would be broken, but for use in a block cipher environment it should be fine; NORX is also 4 rounds of essentially the same permutation. I do, however, prefer a keyed permutation in an XEX cipher – Richie Frame Apr 28 '16 at 10:28
  • @RichieFrame what about a reduced round Blake or Blake2b permutation with the data to be hashed as key? – Demi May 02 '16 at 15:25

1 Answer

2

4 rounds of Blake2b is essentially equivalent to 8 rounds of ChaCha in terms of complexity (a Blake2 round is close to a ChaCha double-round), and that has not yet been broken. Like Richie Frame wrote in a comment, NORX also claims to get away with 4 Blake2 rounds.

One reason ciphers get away with less is that in hash functions all inputs are known and (except for constants) under the attacker's control. In ciphers the key is secret and, unless you take into account related-key attacks and such, not under the attacker's control.

otus
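The structure discussed in the answer above, as an added example that is not part of the original post or the MEM designers' code: a BLAKE2b-style round (column step plus diagonal step, the same index pattern as a ChaCha double-round) wrapped in Even-Mansour form. It assumes the permutation is the BLAKE2b round with the message-word additions dropped, and it takes the secret mask as a plain parameter; how MEM derives its masks from key and tweak is not reproduced here.

```python
MASK64 = (1 << 64) - 1
# Same index pattern as a ChaCha double-round: a column step, then a diagonal step.
COLUMNS = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15)]
DIAGONALS = [(0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def g(s, a, b, c, d):
    """BLAKE2b G without message words (rotations 32, 24, 16, 63)."""
    for r1, r2 in ((32, 24), (16, 63)):
        s[a] = (s[a] + s[b]) & MASK64
        s[d] = rotr(s[d] ^ s[a], r1)
        s[c] = (s[c] + s[d]) & MASK64
        s[b] = rotr(s[b] ^ s[c], r2)

def g_inv(s, a, b, c, d):
    """Undo g() one operation at a time, in reverse order."""
    for r1, r2 in ((16, 63), (32, 24)):
        s[b] = rotr(s[b], 64 - r2) ^ s[c]
        s[c] = (s[c] - s[d]) & MASK64
        s[d] = rotr(s[d], 64 - r1) ^ s[a]
        s[a] = (s[a] - s[b]) & MASK64

def permute(state, rounds=4):
    """Public, unkeyed permutation on 16 64-bit words."""
    s = list(state)
    for _ in range(rounds):
        for quad in COLUMNS + DIAGONALS:
            g(s, *quad)
    return s

def permute_inv(state, rounds=4):
    """Anyone can run the bare permutation backwards; it holds no secret."""
    s = list(state)
    for _ in range(rounds):
        for quad in DIAGONALS + COLUMNS:
            g_inv(s, *quad)
    return s

def xor_words(x, y):
    return [a ^ b for a, b in zip(x, y)]

def em_encrypt(block, mask, rounds=4):
    """Even-Mansour: E(x) = P(x ^ mask) ^ mask. Only the mask is secret."""
    return xor_words(permute(xor_words(block, mask), rounds), mask)

def em_decrypt(block, mask, rounds=4):
    return xor_words(permute_inv(xor_words(block, mask), rounds), mask)
```

With an all-zero mask the cipher collapses to the bare permutation, which is the hash-function setting where every input is visible to the attacker.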