This article may be too technical for most readers to understand.October 2013) (Learn how and when to remove this template message)(
Let be the round function, and a half-round function, and let be the sub-keys for the rounds respectively.
Then the basic operation is as follows:
Split the plaintext block into two equal pieces, (, ).
For each round , compute
where , and .
Then the ciphertext is .
Decryption of a ciphertext is accomplished by computing for
where , and .
Then is the plaintext again.
The Lai–Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage over a substitution–permutation network that the round function does not have to be invertible.
The half-round function is required to prevent a trivial distinguishing attack (). It commonly applies an orthomorphism on the left hand side, that is,
where both and are permutations (in the mathematical sense, that is, a bijection – not a permutation box). Since there are no orthomorphisms for bit blocks (groups of size ), "almost orthomorphisms" are used instead.
may depend on the key. If it doesn't, the last application can be omitted, since its inverse is known anyway. The last application is commonly called "round " for a cipher that otherwise has rounds.
- X. Lai. On the design and security of block ciphers. ETH Series in Information Processing, vol. 1, Hartung-Gorre, Konstanz, 1992
- X. Lai, J. L. Massey. A proposal for a new block encryption standard. Advances in Cryptology EUROCRYPT'90, Aarhus, Denmark, LNCS 473, p. 389–404, Springer, 1991
- Serge Vaudenay: A Classical Introduction to Cryptography, p. 33