Cryptography Reference
In-Depth Information
[Figure: message blocks M(1), M(2), ..., M(N-1), M(N), chaining values H(0) and H(N), and the block cipher E]
Fig. 1. The domain extension using the LW1 mode
3.3 Block Cipher
Lesamnta-LW uses a 64-round block cipher E that takes as input a 128-bit key
and a 256-bit plaintext. The block cipher consists of two parts: the key scheduling
function mapping the key to the round keys and the mixing function taking as
input a plaintext and the round keys to produce a ciphertext. Both of them
use a type-1 4-branch generalized Feistel network (GFN) (cf. Zheng et al. [50]).
One round of the block cipher is illustrated in Fig. 2. The input variables to
round $r$ for the mixing function and the key scheduling function are denoted by
$(x_0^{(r)}, x_1^{(r)}, x_2^{(r)}, x_3^{(r)})$ and $(k_0^{(r)}, k_1^{(r)}, k_2^{(r)}, k_3^{(r)})$ respectively. Each $x_i^{(r)}$
is a 64-bit word and each $k_i^{(r)}$ is a 32-bit word.
[Figure: one round, with panels "key scheduling function", "mixing function" and "function G"; inputs $k_i^{(r)}$ and $x_i^{(r)}$, outputs $k_i^{(r+1)}$ and $x_i^{(r+1)}$]
Fig. 2. The round function
The mixing function consists of XORs, a wordwise permutation, and a non-linear
function $G$. Taking as input a 32-bit round key $K^{(r)}$, the mixing function
updates its intermediate state in the following manner:

$$
\begin{aligned}
x_0^{(r+1)} &= x_3^{(r)} \oplus G(x_2^{(r)}, K^{(r)}), \\
x_1^{(r+1)} &= x_0^{(r)}, \\
x_2^{(r+1)} &= x_1^{(r)}, \\
x_3^{(r+1)} &= x_2^{(r)}.
\end{aligned}
$$
The function $G$ consists of XOR operations, a 32-bit non-linear permutation $Q$,
and a function $R$. For a 64-bit input $y = y_0 \| y_1$ and a 32-bit round key $K^{(r)}$,
$G(y, K^{(r)})$ is defined as follows:

$$
G(y, K^{(r)}) = R\bigl(Q(y_0 \oplus K^{(r)}) \,\|\, Q(y_1)\bigr).
$$
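The mixing round and the function G described above, as an added Python example (not code from the original text or from the Lesamnta-LW designers). It shows that a type-1 GFN round is inverted by re-evaluating G, never by inverting it. Assumptions: Q and R are not specified in this section, so `q_standin` and `r_standin` are constructed stand-ins; the round keys are constructed; and $y_0$ is taken as the high 32 bits of $y$.

```python
MASK32, MASK64 = 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF
ROUNDS = 64  # the text: E is a 64-round block cipher

def q_standin(w):
    """Constructed 32-bit permutation; NOT Lesamnta-LW's real Q."""
    w = (w * 0x9E3779B1) & MASK32          # odd multiplier is bijective mod 2^32
    return ((w << 7) | (w >> 25)) & MASK32  # rotate left by 7

def r_standin(v):
    """Constructed 64-bit function (rotate left by 16); NOT the real R."""
    return ((v << 16) | (v >> 48)) & MASK64

def G(y, k):
    """G(y, K) = R(Q(y0 ^ K) || Q(y1)); y0 = high half of y (assumption)."""
    y0, y1 = y >> 32, y & MASK32
    return r_standin((q_standin(y0 ^ k) << 32) | q_standin(y1))

def mix_round(x, k, g=G):
    """One mixing round: only x3 is modified, then the words rotate."""
    x0, x1, x2, x3 = x
    return (x3 ^ g(x2, k), x0, x1, x2)

def unmix_round(n, k, g=G):
    """Inverse round: g is re-evaluated on n3 (the old x2), never inverted."""
    n0, n1, n2, n3 = n
    return (n1, n2, n3, n0 ^ g(n3, k))

def mix(x, round_keys, g=G):
    for k in round_keys:
        x = mix_round(x, k, g)
    return x

def unmix(x, round_keys, g=G):
    for k in reversed(round_keys):
        x = unmix_round(x, k, g)
    return x

def demo_round_keys():
    """Constructed 32-bit round keys; the real K^(r) come from the key schedule."""
    return [(0x01234567 * (r + 1)) & MASK32 for r in range(ROUNDS)]

if __name__ == "__main__":
    pt = (0x0011223344556677, 0x8899AABBCCDDEEFF, 0x0123456789ABCDEF, 0xFEDCBA9876543210)
    rk = demo_round_keys()
    ct = mix(pt, rk)
    print([f"{w:016x}" for w in ct], unmix(ct, rk) == pt)
```

Passing a non-injective function as `g` still round-trips, which is why the security of the construction rests on G's non-linearity and diffusion rather than on its invertibility.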
 