Lai-Massey scheme

From Wikipedia, the free encyclopedia

The Lai-Massey scheme is a cryptographic structure used in the design of block ciphers.^[1]^[2] It is used in IDEA and IDEA NXT.

Construction details

Let ${\mathrm F}$ be the round function and ${\mathrm H}$ a half-round function and let $K_{0},K_{1},\ldots ,K_{n}$ be the sub-keys for the rounds $0,1,\ldots ,n$ respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, ( $L_{0}$ , $R_{0}$ )

For each round $i=0,1,\dots ,n$ , compute

$(L_{{i+1}}',R_{{i+1}}')={\mathrm H}(L_{i}'+T_{i},R_{i}'+T_{i})$

where $T_{i}={\mathrm F}(L_{i}'-R_{i}',K_{i})$ and $(L_{0}',R_{0}')={\mathrm H}(L_{0},R_{0})$

Then the ciphertext is $(L_{{n+1}},R_{{n+1}})=(L_{{n+1}}',R_{{n+1}}')$ .

Decryption of a ciphertext $(L_{{n+1}},R_{{n+1}})$ is accomplished by computing for $i=n,n-1,\ldots ,0$

$(L_{i}',R_{i}')={\mathrm H}^{{-1}}(L_{{i+1}}'-T_{i},R_{{i+1}}'-T_{i})$

where $T_{i}={\mathrm F}(L_{{i+1}}'-R_{{i+1}}',K_{i})$ and $(L_{{n+1}}',R_{{n+1}}')={\mathrm H}^{{-1}}(L_{{n+1}},R_{{n+1}})$

Then $(L_{0},R_{0})=(L_{0}',R_{0}')$ is the plaintext again.

The Lai-Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage over a substitution-permutation network that the round function ${\mathrm F}$ does not have to be invertible.

The half-round function is required to prevent a trivial distinguishing attack ( $L_{0}-R_{0}=L_{{n+1}}-R_{{n+1}}$ ). It commonly applies an orthomorphism $\sigma$ on the left hand side, that is,

${\mathrm H}(L,R)=(\sigma (L),R)$

where both $\sigma$ and $x\mapsto \sigma (x)-x$ are permutations (in the mathematical sense, that is, a bijection – not a permutation box). Since there are no orthomorphisms for bit blocks (groups of size $2^{n}$ ), "almost orthomorphisms" are used instead.

${\mathrm H}$ may depend on the key. If it doesn't, the last application can be omitted, since its inverse is known anyway. The last application is commonly called "round $n.5$ " for a cipher that otherwise has $n$ rounds.

Literature

X. Lai. On the design and security of block ciphers. ETH Series in Information Processing, vol. 1, Hartung-Gorre, Konstanz, 1992
X. Lai, J. L. Massey. A proposal for a new block encryption standard. Advances in Cryptology EUROCRYPT'90, Aarhus, Denemark, LNCS 473, p. 389-404, Springer, 1991
Serge Vaudenay: A Classical Introduction to Cryptography, p. 33

References

↑ Aaram Yun, Je Hong Park, Jooyoung Lee: Lai-Massey Scheme and Quasi-Feistel Networks. IACR Cryptology
↑ Serge Vaudenay: On the Lai-Massey Scheme. ASIACRYPT'99

v t e Block ciphers (security summary)

Common algorithms	AES Blowfish DES Triple DES Serpent Twofish

Less common algorithms	Camellia CAST-128 IDEA RC2 RC5 SEED Skipjack TEA XTEA

Other algorithms	3-Way Akelarre Anubis ARIA BaseKing BassOmatic BATON BEAR and LION CAST-256 Chiasmus CIKS-1 CIPHERUNICORN-A CIPHERUNICORN-E CLEFIA CMEA Cobra COCONUT98 Crab Cryptomeria/C2 CRYPTON CS-Cipher DEAL DES-X DFC E2 FEAL FEA-M FROG G-DES GOST Grand Cru Hasty Pudding cipher Hierocrypt ICE IDEA NXT Intel Cascade Cipher Iraqi KASUMI KeeLoq KHAZAD Khufu and Khafre KN-Cipher Ladder-DES Libelle LOKI97 LOKI89/91 Lucifer M6 M8 MacGuffin Madryga MAGENTA MARS Mercy MESH MISTY1 MMB MULTI2 MultiSwap New Data Seal NewDES Nimbus NOEKEON NUSH PRESENT Q RC6 REDOC Red Pike S-1 SAFER SAVILLE SC2000 SHACAL SHARK Simon SMS4 Speck Spectr-H64 Square SXAL/MBAL Threefish Treyfer UES Xenon xmx XXTEA Zodiac

Design	Feistel network Key schedule Lai-Massey scheme Product cipher S-box P-box SPN Avalanche effect Block size Key size Key whitening No weak keys

Attack (cryptanalysis)	Brute-force (EFF DES cracker) MITM Linear (Piling-up lemma) Differential (Impossible Truncated Higher-order) Differential-linear Integral (aka Square) Boomerang Mod n Related-key Slide Rotational Timing XSL Interpolation Partitioning Davies' Rebound

Standardization	AES process CRYPTREC NESSIE

Utilization	Initialization vector Mode of operation Padding

This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.