From Syllab
Jump to: navigation, search

Tiaoxin-346 is nonce-based software oriented authenticated encryption scheme designed by Ivica Nikolić. The name comes from tiǎo xìn which in Mandarin means provocation, to provoke.



One iteration uses 6 AES rounds to process 2 message blocks.

One round of the scheme.


  • It is the first to use only 3 AES round calls per 16-byte message (6 per 32-byte message). All 6 calls are fully parallelizable.
  • It achieves 0.28 cycles per byte on Intel Haswell. Twice faster than AES-128 in counter mode, 3.5 to 6.5 times faster than AES-GCM.
  • It is analyzed against various types of attacks. The design decisions (choice of state sizes, output function, etc.) were made in order to make the cipher secure.
  • It provides full security for nonce-respecting adversaries. Security claims include distinguishers and related-key attacks.


The design is fast in software in general and very fast on the processors with AES-NI support.

Speed on AES-NI enabled Intel
Intel Sandy Bridge Intel Haswell
message length in bytes 128 256 512 1024 2048 4096 8192 64K 8192 64K
cycles per byte 2.49 1.45 0.91 0.65 0.50 0.44 0.40 0.38 0.31 0.28


Version 2.0 (second round) is identical to Version 1.0 (first round). The software implementation of V2 and V1 differ as V1 contains a bug (the lengths of the associated data and the message are coded incorrectly). Cyril Arnould from ETH Zürich has discovered the bug as well.

Version 2.1 is identical to the previous versions except that the submission document has been updated to reflect the use cases.


The first round submission document can be found here.

The second round submission document (corrected typos) can be found here.

The third round submission document can be found here.