Cryptography Reference
In-Depth Information
Fig. 1. The domain extension using the LW1 mode
3.3 Block Cipher
Lesamnta-LW uses a 64-round block cipher $E$ that takes as input a 128-bit key
and a 256-bit plaintext. The block cipher consists of two parts: the key scheduling
function mapping the key to the round keys and the mixing function taking as
input a plaintext and the round keys to produce a ciphertext. Both of them
use a type-1 4-branch generalized Feistel network (GFN) (cf. Zheng et al. [50]).
One round of the block cipher is illustrated in Fig. 2. The input variables to
round $r$ for the mixing function and the key scheduling function are denoted by
$(x_0^{(r)}, x_1^{(r)}, x_2^{(r)}, x_3^{(r)})$ and $(k_0^{(r)}, k_1^{(r)}, k_2^{(r)}, k_3^{(r)})$ respectively. Each
$x_i^{(r)}$ is a 64-bit word and each $k_i^{(r)}$ is a 32-bit word.
Fig. 2. The round function (panels: key scheduling function, mixing function, function G)
The mixing function consists of XORs, a wordwise permutation, and a non-linear
function $G$. Taking as input a 32-bit round key $K^{(r)}$, the mixing function
updates its intermediate state in the following manner:

\[
\begin{aligned}
x_0^{(r+1)} &= x_3^{(r)} \oplus G(x_2^{(r)}, K^{(r)}), \\
x_1^{(r+1)} &= x_0^{(r)}, \\
x_2^{(r+1)} &= x_1^{(r)}, \\
x_3^{(r+1)} &= x_2^{(r)}.
\end{aligned}
\]
The function $G$ consists of XOR operations, a 32-bit non-linear permutation $Q$,
and a function $R$. For a 64-bit input $y = y_0 \| y_1$ and a 32-bit round key $K^{(r)}$,
$G(y, K^{(r)})$ is defined as follows:

\[
G(y, K^{(r)}) = R\bigl(Q(y_0 \oplus K^{(r)}) \,\|\, Q(y_1)\bigr).
\]
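The round equations and the definition of $G$ above, as an added Python example that is not code from the original text or from the Lesamnta-LW designers; it goes slightly beyond the text by also giving the inverse round, which uses $G$ only in the forward direction. Assumptions: $Q$ and $R$ are not specified on this page, so `placeholder_q` and `placeholder_r` are hypothetical stand-ins, the round keys are constructed rather than produced by the key schedule, and $y_0$ is taken as the most significant half of $y$.

```python
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

def placeholder_q(w):
    """Hypothetical stand-in for the 32-bit permutation Q (NOT the real Q)."""
    w = (w * 0x9E3779B1) & MASK32      # multiplication by an odd constant
    return w ^ (w >> 15)               # xorshift keeps it a permutation

def placeholder_r(v):
    """Hypothetical stand-in for the 64-bit function R (NOT the real R)."""
    return ((v << 8) | (v >> 56)) & MASK64

def g(y, k):
    """G(y, K) = R(Q(y0 xor K) || Q(y1)), y = y0 || y1 (y0 assumed high half)."""
    y0, y1 = y >> 32, y & MASK32
    return placeholder_r((placeholder_q(y0 ^ k) << 32) | placeholder_q(y1))

def round_forward(x, k):
    """One mixing round: only x3 is modified, then the words rotate by one."""
    x0, x1, x2, x3 = x
    return (x3 ^ g(x2, k), x0, x1, x2)

def round_inverse(x, k):
    """Undo one round. G is recomputed, never inverted: the old x2 is the
    new x3, so the old x3 is new x0 xor G(new x3, K)."""
    n0, n1, n2, n3 = x
    return (n1, n2, n3, n0 ^ g(n3, k))

def mix(x, round_keys):
    """Apply the rounds in order (64 round keys for the full cipher)."""
    for k in round_keys:
        x = round_forward(x, k)
    return x

def unmix(x, round_keys):
    """Apply the inverse rounds with the round keys in reverse order."""
    for k in reversed(round_keys):
        x = round_inverse(x, k)
    return x

# Constructed sample data: 64 arbitrary 32-bit round keys and a 256-bit state.
ROUND_KEYS = [(0x01234567 * (r + 1)) & MASK32 for r in range(64)]
STATE = (0x0011223344556677, 0x8899AABBCCDDEEFF,
         0x0123456789ABCDEF, 0xFEDCBA9876543210)

if __name__ == "__main__":
    ct = mix(STATE, ROUND_KEYS)
    print([hex(w) for w in ct], unmix(ct, ROUND_KEYS) == STATE)
```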