Similarly, if i =2,then L 2 and R 2 are computed as follows:

L 2

=

R 1

R 2

=

L 1 ⊕

f k 2 ( R 1 )

This continues until, in the last round, L r and R r are computed as follows:

L r

=

R r− 1

R r

=

L r− 1 ⊕

f k r ( R r− 1 )

The pair ( L r ,R r ) in reverse order then represents the ciphertext block. Hence,

the encryption of plaintext message m using key k can formally be expressed as

follows:

E k ( m )= E k ( L 0 ,R 0 )=( R r ,L r )

The recursive formula (10.2) can also be written as follows:

( L i− 1 ,R i− 1 )=( R i ⊕

f k i ( L i ) ,L i )

This means that it is possible to recursively compute L i− 1 and R i− 1 from

L i , R i ,and k i and to determine ( L 0 ,R 0 ) from ( R r ,L r ) using the round keys

in reverse order (i.e., k r ,...,k 1 ) accordingly. Consequently, a Feistel cipher can

always be decrypted using the same (encryption) algorithm and applying the round

keys in reverse order. This property simplifies the implementation of the decryption

function considerably (in fact, the encryption and decryption functions are the

same). Note that it is possible to design and come up with iterative block ciphers

that are not Feistel ciphers, yet whose encryption and decryption (after a certain

reordering or recalculation of variables) are structurally the same. One example is

the International Data Encryption Algorithm (IDEA) employed by many security

products, including, for example, former versions of Pretty Good Privacy (PGP).

Also, Feistel ciphers have important applications in public key cryptography as

well. For example, the optimal asymmetric encryption padding scheme addressed

in Section 14.3.2 is basically a two-round Feistel cipher. It is difficult to make