Comment by aappleby

10 months ago

I'm not sure that the claim "the mix function is injective" is sufficient to support the claim "The period is at least 2^128". If the mix is reversible then it forms a permutation on 2^192, but that does not imply that it forms a single cyclic permutation.

For example, if f(0) = 1 and f(1) = 0, even if the rest of f's domain is injective the period of f is still only 2 when the initial value is 0 or 1.

2 comments

aappleby

grumbelbart 9 months ago

That is correct. The permutations will likely break up into multiple cycles, and the cycle lengths follow a poisson distribution.

https://dms.umontreal.ca/~andrew/PDF/CycleLengths1.pdf

the_othernet 10 months ago

I wasn't able to analyze the cyclic behavior of the mix directly, but for the purpose of minimal period only fast_loop and slow_loop are used (as a 128bit counter).