
Lai-Massey scheme

Article Id: WHEBN0040925030
Title: Lai-Massey scheme
Author: World Heritage Encyclopedia
Language: English
Publisher: World Heritage Encyclopedia


The Lai-Massey scheme is a cryptographic structure used in the design of block ciphers. It is used in IDEA and IDEA NXT.

Construction details

Let \mathrm F be the round function and \mathrm H a half-round function and let K_0,K_1,\ldots,K_n be the sub-keys for the rounds 0,1,\ldots,n respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, (L_0, R_0)

For each round i = 0,1,\ldots,n, compute

(L_{i+1}',R_{i+1}') = \mathrm H(L_i' + T_i,R_i' + T_i)

where T_i = \mathrm F(L_i' - R_i', K_i) and (L_0',R_0') = \mathrm H(L_0,R_0)

Then the ciphertext is (L_{n+1}, R_{n+1}) = (L_{n+1}',R_{n+1}').

Decryption of a ciphertext (L_{n+1}, R_{n+1}) is accomplished by computing for i=n,n-1,\ldots,0

(L_i',R_i') = \mathrm H^{-1}(L_{i+1}' - T_i, R_{i+1}' - T_i)

where T_i = \mathrm F(L_{i+1}' - R_{i+1}',K_i) and (L_{n+1}',R_{n+1}')=\mathrm H^{-1}(L_{n+1},R_{n+1})

Then (L_0,R_0) = (L_0',R_0') is the plaintext again.

The Lai-Massey scheme offers security properties similar to those of the Feistel structure. It also shares with the Feistel structure the advantage over a substitution-permutation network that the round function \mathrm F need not be invertible.

The half-round function is required to prevent a trivial distinguishing attack: without it, T_i is added to both halves in every round, so the difference of the halves is never changed and L_0-R_0 = L_{n+1}-R_{n+1} holds for every plaintext. It commonly applies an orthomorphism \sigma on the left hand side, that is,

\mathrm H(L, R) = (\sigma(L),R)

where both \sigma and x\mapsto \sigma(x)-x are permutations (in the mathematical sense, that is, a bijection – not a permutation box). Since there are no orthomorphisms for bit blocks (groups of size 2^n), "almost orthomorphisms" are used instead.

\mathrm H may depend on the key. If it does not, the last application of \mathrm H can be omitted, since its inverse is known anyway. That last application is commonly called "round n.5" for a cipher that otherwise has n rounds.
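The construction above, as an added worked example in Python that is not part of the article: a toy 32-bit Lai-Massey cipher following the encryption and decryption equations step by step. Assumptions made here: the group operation written + and - on the page is XOR on 16-bit halves; \sigma is the FOX-style byte map (l, r) \mapsto (r, l \oplus r), which under XOR is a true orthomorphism (is_orthomorphism checks this exhaustively); F is a made-up, deliberately non-invertible keyed function; and KEYS is a constructed sub-key list. The use_h switch turns \mathrm H into the identity so that the trivial distinguisher from the text can be observed.

```python
MASK = 0xFFFF                              # each half of the 32-bit block is a 16-bit word
KEYS = [0x1234, 0xABCD, 0x0F0F, 0x9E37]    # constructed sub-keys K_0..K_n (here n = 3)

def sigma(x):
    """sigma(l || r) = r || (l ^ r) on the two bytes of a 16-bit word (FOX-style map)."""
    l, r = x >> 8, x & 0xFF
    return (r << 8) | (l ^ r)

def sigma_inv(y):
    r, lr = y >> 8, y & 0xFF
    return ((lr ^ r) << 8) | r

def is_orthomorphism(f):
    """True if both f and x -> f(x) ^ x are bijections on 16-bit words (exhaustive check)."""
    dom = range(1 << 16)
    return len({f(x) for x in dom}) == len(dom) and len({f(x) ^ x for x in dom}) == len(dom)

def round_function(x, k):
    """T_i = F(L - R, K_i): keyed mixing that need not be invertible (squaring mod 2^16 is not)."""
    t = (x ^ k) & MASK
    t = (t * t + 0x9E37) & MASK
    return t ^ (t >> 7)

def half_round(l, r, use_h, inverse=False):
    """H(L, R) = (sigma(L), R); with use_h=False, H is the identity (no half-round at all)."""
    if not use_h:
        return l, r
    return (sigma_inv(l) if inverse else sigma(l)), r

def encrypt(block, keys=KEYS, use_h=True):
    l, r = half_round(block >> 16, block & MASK, use_h)   # (L_0', R_0') = H(L_0, R_0)
    for k in keys:                                        # rounds i = 0..n
        t = round_function(l ^ r, k)                      # T_i = F(L_i' - R_i', K_i)
        l, r = half_round(l ^ t, r ^ t, use_h)            # H(L_i' + T_i, R_i' + T_i)
    return (l << 16) | r

def decrypt(block, keys=KEYS, use_h=True):
    l, r = half_round(block >> 16, block & MASK, use_h, inverse=True)  # H^-1(L_{n+1}, R_{n+1})
    for k in reversed(keys):                                           # i = n..0
        t = round_function(l ^ r, k)                                   # T_i = F(L_{i+1}' - R_{i+1}', K_i)
        l, r = half_round(l ^ t, r ^ t, use_h, inverse=True)           # H^-1(L_{i+1}' - T_i, R_{i+1}' - T_i)
    return (l << 16) | r

def half_xor(block):
    """L ^ R of a block, the XOR analogue of L - R in the text."""
    return (block >> 16) ^ (block & MASK)

def distinguisher_hits(keys=KEYS, use_h=True, samples=256):
    """Number of plaintexts 0..samples-1 whose L ^ R is carried unchanged into the ciphertext."""
    return sum(half_xor(p) == half_xor(encrypt(p, keys, use_h)) for p in range(samples))
```

With use_h=False every plaintext is a hit, which is exactly the L_0-R_0 = L_{n+1}-R_{n+1} distinguisher; with the half-round in place the equality holds only by chance.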

Literature

• X. Lai. On the design and security of block ciphers. ETH Series in Information Processing, vol. 1, Hartung-Gorre, Konstanz, 1992
• X. Lai, J. L. Massey. A proposal for a new block encryption standard. Advances in Cryptology, EUROCRYPT'90, Aarhus, Denmark, LNCS 473, pp. 389–404, Springer, 1991
• S. Vaudenay. A Classical Introduction to Cryptography, p. 33