# Lai-Massey scheme


The Lai-Massey scheme is a cryptographic structure used in the design of block ciphers. It is used in IDEA and IDEA NXT.

## Construction details

Then the basic operation is as follows:

$(L_{i+1}',R_{i+1}')=\mathrm {H} (L_{i}'+T_{i},R_{i}'+T_{i})$

$(L_{i}',R_{i}')=\mathrm {H} ^{-1}(L_{i+1}'-T_{i},R_{i+1}'-T_{i})$

The Lai-Massey scheme offers security properties similar to those of the Feistel structure. It also shares its advantage over a substitution-permutation network that the round function $\mathrm {F}$ does not have to be invertible.

The half-round function is required to prevent a trivial distinguishing attack ($L_{0}-R_{0}=L_{n+1}-R_{n+1}$). It commonly applies an orthomorphism $\sigma$ on the left-hand side, that is,

$\mathrm {H} (L,R)=(\sigma (L),R)$

where both $\sigma$ and $x\mapsto \sigma (x)-x$ are permutations (in the mathematical sense, that is, a bijection – not a permutation box). Since there are no orthomorphisms for bit blocks (groups of size $2^{n}$), "almost orthomorphisms" are used instead.

$\mathrm {H}$ may depend on the key. If it doesn't, the last application can be omitted, since its inverse is known anyway. The last application is commonly called "round $n.5$" for a cipher that otherwise has $n$ rounds.