Linear equation over a ring

My name is Winnie and I am studying Anthropology and Sociology and Modern Languages and Classics at Rillieux-La-Pape / France.

Also visit my web site ... hostgator1centcoupon.info

The Lai-Massey scheme is a cryptographic structure used in the design of block ciphers.^[1][2] It is used in IDEA and IDEA NXT.

Construction details

Let ${\displaystyle \mathrm{F}}$ be the round function and ${\displaystyle \mathrm{H}}$ a half-round function and let ${\displaystyle K_0,K_1,\dots ,K_n}$ be the sub-keys for the rounds ${\displaystyle 0,1,\dots ,n}$ respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, (${\displaystyle L_0}$, ${\displaystyle R_0}$)

For each round ${\displaystyle i=0,1,\dots ,n}$, compute

${\displaystyle ({L_{i^{\prime }+1}}^{\prime },{R_{i^{\prime }+1}}^{\prime })=\mathrm{H}({L_i}^{\prime }+T_i,{R_i}^{\prime }+T_i)}$

where ${\displaystyle T_i=\mathrm{F}({L_i}^{\prime }-{R_i}^{\prime },K_i)}$ and ${\displaystyle ({L_0}^{\prime },{R_0}^{\prime })=\mathrm{H}(L_0,R_0)}$

Then the ciphertext is ${\displaystyle (L_{n+1},R_{n+1})=({L_{n^{\prime }+1}}^{\prime },{R_{n^{\prime }+1}}^{\prime })}$.

Decryption of a ciphertext ${\displaystyle (L_{n+1},R_{n+1})}$ is accomplished by computing for ${\displaystyle i=n,n-1,\dots ,0}$

${\displaystyle ({L_i}^{\prime },{R_i}^{\prime })={\mathrm{H}}^{-1}({L_{i^{\prime }+1}}^{\prime }-T_i,{R_{i^{\prime }+1}}^{\prime }-T_i)}$

where ${\displaystyle T_i=\mathrm{F}({L_{i^{\prime }+1}}^{\prime }-{R_{i^{\prime }+1}}^{\prime },K_i)}$ and ${\displaystyle ({L_{n^{\prime }+1}}^{\prime },{R_{n^{\prime }+1}}^{\prime })={\mathrm{H}}^{-1}(L_{n+1},R_{n+1})}$

Then ${\displaystyle (L_0,R_0)=({L_0}^{\prime },{R_0}^{\prime })}$ is the plaintext again.

The Lai-Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage over a substitution-permutation network that the round function ${\displaystyle \mathrm{F}}$ does not have to be invertible.

The half-round function is required to prevent a trivial distinguishing attack (${\displaystyle L_0-R_0=L_{n+1}-R_{n+1}}$). It commonly applies an orthomorphism ${\displaystyle \sigma }$ on the left hand side, that is,

${\displaystyle \mathrm{H}(L,R)=(\sigma (L),R)}$

where both ${\displaystyle \sigma }$ and ${\displaystyle x\mapsto \sigma (x)-x}$ are permutations (in the mathematical sense, that is, a bijection – not a permutation box). Since there are no orthomorphisms for bit blocks (groups of size ${\displaystyle 2^n}$), "almost orthomorphisms" are used instead.

${\displaystyle \mathrm{H}}$ may depend on the key. If it doesn't, the last application can be omitted, since its inverse is known anyway. The last application is commonly called "round ${\displaystyle n.5}$" for a cipher that otherwise has ${\displaystyle n}$ rounds.

Literature

• X. Lai. On the design and security of block ciphers. ETH Series in Information Processing, vol. 1, Hartung-Gorre, Konstanz, 1992
• X. Lai, J. L. Massey. A proposal for a new block encryption standard. Advances in Cryptology EUROCRYPT'90, Aarhus, Denemark, LNCS 473, p. 389-404, Springer, 1991
• Serge Vaudenay: A Classical Introduction to Cryptography, p. 33

References

Template:Cryptography block