Cryptography Reference
In-Depth Information
Figure 2.14. The Lai-Massey scheme. (Diagram labels: subkeys K1, K2, K3; round function F; operations + and −.)
($x_L$, $x_R$) pair is mapped onto the ($y_L$, $y_R$) pair defined by

$$y_L = x_L + t$$
$$y_R = x_R + t$$

where $t = F(x_L - x_R)$. Note that this scheme is invertible by replacing the $+$ by $-$ and changing the order of the subkeys. Unfortunately, the Lai-Massey scheme cannot be used as is since the pair difference is an invariance: we have

$$x_L - x_R = y_L - y_R.$$
This is obviously an unsuitable property for security. For this reason we must insert (at least) a permutation $\sigma$ as depicted in Fig. 2.15 and have

$$y_L = \sigma(x_L + t)$$
$$y_R = x_R + t$$

as it will be detailed in Section 2.6.1 for the FOX algorithms. When the permutation $\sigma$ is such that $z \mapsto \sigma(z) - z$ is also a permutation, we say that $\sigma$ is an orthomorphism for the $+$ law. We can demonstrate that when $\sigma$ is an orthomorphism, then the Lai-Massey scheme provides security properties which are similar to those for the Feistel scheme. So the invariance of the basic Lai-Massey scheme is no longer a problem. In IDEA, key-dependent permutations (namely, products and additions) are used instead of a fixed $\sigma$.
IDEA consists of eight rounds. One round is as represented in Fig. 2.16. The $\cdot$ represents the multiplication by a subkey modulo $2^{16} + 1$, the $+$ is the regular addition of a subkey modulo $2^{16}$, $\oplus$ is the bitwise XOR, and MA is the Multiplication-Addition structure, which is depicted in Fig. 2.17. The MA structure also requires multiplication by subkeys. The addition law which is used in the Lai-Massey scheme of IDEA is the XOR.