# Lai-Massey scheme


The Lai-Massey scheme is a cryptographic structure used in the design of block ciphers.[1][2] It is used in IDEA and IDEA NXT.

## Construction details

Let ${\displaystyle \mathrm {F} }$ be the round function and ${\displaystyle \mathrm {H} }$ a half-round function and let ${\displaystyle K_{0},K_{1},\ldots ,K_{n}}$ be the sub-keys for the rounds ${\displaystyle 0,1,\ldots ,n}$ respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, (${\displaystyle L_{0}}$, ${\displaystyle R_{0}}$)

For each round ${\displaystyle i=0,1,\dots ,n}$, compute

${\displaystyle (L_{i+1}',R_{i+1}')=\mathrm {H} (L_{i}'+T_{i},R_{i}'+T_{i})}$

where ${\displaystyle (L_{0}',R_{0}')=(L_{0},R_{0})}$ and ${\displaystyle T_{i}=\mathrm {F} (L_{i}'-R_{i}',K_{i})}$, that is, the same value ${\displaystyle T_{i}}$, derived from the difference of the two halves, is added to both halves.

Then the ciphertext is ${\displaystyle (L_{n+1},R_{n+1})=(L_{n+1}',R_{n+1}')}$.

Decryption of a ciphertext ${\displaystyle (L_{n+1},R_{n+1})}$ is accomplished by computing for ${\displaystyle i=n,n-1,\ldots ,0}$

${\displaystyle (L_{i}',R_{i}')=\mathrm {H} ^{-1}(L_{i+1}'-T_{i},R_{i+1}'-T_{i})}$

Then ${\displaystyle (L_{0},R_{0})=(L_{0}',R_{0}')}$ is the plaintext again.

The Lai-Massey scheme offers security properties similar to those of the Feistel structure. It also shares the Feistel structure's advantage over a substitution-permutation network: the round function ${\displaystyle \mathrm {F} }$ does not have to be invertible.

The half-round function is required to prevent a trivial distinguishing attack. Without it, the same ${\displaystyle T_{i}}$ is added to both halves in every round, so the difference of the halves is preserved from plaintext to ciphertext (${\displaystyle L_{0}-R_{0}=L_{n+1}-R_{n+1}}$). It commonly applies an orthomorphism ${\displaystyle \sigma }$ on the left hand side, that is,

${\displaystyle \mathrm {H} (L,R)=(\sigma (L),R)}$

where both ${\displaystyle \sigma }$ and ${\displaystyle x\mapsto \sigma (x)-x}$ are permutations (in the mathematical sense, that is, a bijection – not a permutation box). Since there are no orthomorphisms for bit blocks (groups of size ${\displaystyle 2^{n}}$), "almost orthomorphisms" are used instead.

${\displaystyle \mathrm {H} }$ may depend on the key. If it doesn't, the last application can be omitted, since its inverse is known anyway. The last application is commonly called "round ${\displaystyle n.5}$" for a cipher that otherwise has ${\displaystyle n}$ rounds.
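A toy instance of the scheme, added here as an example and not code from the original article or from IDEA/IDEA NXT: 32-bit blocks split into 16-bit halves, XOR as the group operation (so + and − in the formulas coincide), a non-invertible keyed F built from a truncated SHA-256, and the half-round H(L, R) = (σ(L), R) with a linear σ whose orthomorphism property the block checks exhaustively; all of these choices are assumptions made for the example. Decryption undoes H first, because adding T_i to both halves leaves their difference unchanged, so T_i can be recomputed; running with use_h=False reproduces the trivial distinguisher L_0 − R_0 = L_{n+1} − R_{n+1}.

```python
import hashlib
from typing import Callable, List

MASK = 0xFFFF  # halves are 16-bit words; XOR is the group operation, so + and - coincide

def round_function(x: int, subkey: int) -> int:
    """Keyed F, deliberately non-invertible: two bytes of SHA-256 over (x, K_i). Constructed here."""
    data = x.to_bytes(2, "big") + subkey.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def sigma(x: int) -> int:
    """Linear orthomorphism on 16-bit words: (xl, xr) -> (xl ^ xr, xl)."""
    xl, xr = x >> 8, x & 0xFF
    return ((xl ^ xr) << 8) | xl

def sigma_inv(y: int) -> int:
    """Inverse of sigma: the low byte is xl, the high byte is xl ^ xr."""
    yl, yr = y >> 8, y & 0xFF
    return (yr << 8) | (yl ^ yr)

def is_orthomorphism(f: Callable[[int], int]) -> bool:
    """Checks the definition: both f and x -> f(x) - x (here f(x) ^ x) are bijections."""
    words = range(1 << 16)
    return len({f(x) for x in words}) == len(words) and len({f(x) ^ x for x in words}) == len(words)

def encrypt(block: int, subkeys: List[int], use_h: bool = True) -> int:
    """Rounds i = 0..n: T_i = F(L_i - R_i, K_i); (L_{i+1}, R_{i+1}) = H(L_i + T_i, R_i + T_i)."""
    l, r = block >> 16, block & MASK
    for k in subkeys:
        t = round_function(l ^ r, k)
        l, r = l ^ t, r ^ t
        if use_h:
            l = sigma(l)  # H(L, R) = (sigma(L), R)
    return (l << 16) | r

def decrypt(block: int, subkeys: List[int], use_h: bool = True) -> int:
    """Undo H first; the XOR of the halves is then L_i - R_i again, so T_i can be recomputed."""
    l, r = block >> 16, block & MASK
    for k in reversed(subkeys):
        if use_h:
            l = sigma_inv(l)
        t = round_function(l ^ r, k)
        l, r = l ^ t, r ^ t
    return (l << 16) | r

def halves_difference(block: int) -> int:
    """L - R of a block; without H this value survives every round (the trivial distinguisher)."""
    return (block >> 16) ^ (block & MASK)
```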

## References

1. Aaram Yun, Je Hong Park, Jooyoung Lee: Lai-Massey Scheme and Quasi-Feistel Networks. IACR Cryptology
2. Serge Vaudenay: On the Lai-Massey Scheme. ASIACRYPT'99