Lai Massey scheme

Construction details

Let F be the round function and H a half-round function and let K 0 , K 1 , … , K n be the sub-keys for the rounds 0 , 1 , … , n respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, ( L 0 , R 0 )

For each round i = 0 , 1 , … , n , compute

where T i = F ( L i ′ − R i ′ , K i ) and ( L 0 ′ , R 0 ′ ) = H ( L 0 , R 0 )

Then the ciphertext is ( L n + 1 , R n + 1 ) = ( L n + 1 ′ , R n + 1 ′ ) .

Decryption of a ciphertext ( L n + 1 , R n + 1 ) is accomplished by computing for i = n , n − 1 , … , 0

where T i = F ( L i + 1 ′ − R i + 1 ′ , K i ) and ( L n + 1 ′ , R n + 1 ′ ) = H − 1 ( L n + 1 , R n + 1 )

Then ( L 0 , R 0 ) = ( L 0 ′ , R 0 ′ ) is the plaintext again.

The Lai-Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage over a substitution-permutation network that the round function F does not have to be invertible.

The half-round function is required to prevent a trivial distinguishing attack ( L 0 − R 0 = L n + 1 − R n + 1 ). It commonly applies an orthomorphism σ on the left hand side, that is,

where both σ and x ↦ σ ( x ) − x are permutations (in the mathematical sense, that is, a bijection – not a permutation box). Since there are no orthomorphisms for bit blocks (groups of size 2 n ), "almost orthomorphisms" are used instead.

H may depend on the key. If it doesn't, the last application can be omitted, since its inverse is known anyway. The last application is commonly called "round n .5 " for a cipher that otherwise has n rounds.

Literature