# Lai–Massey scheme

The Lai–Massey scheme is a cryptographic structure used in the design of block ciphers.[1][2] It is used in IDEA and IDEA NXT.

## Construction details

Let $\mathrm{F}$ be the round function, $\mathrm{H}$ a half-round function, and let $K_0, K_1, \ldots, K_n$ be the sub-keys for the rounds $0, 1, \ldots, n$ respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, $(L_0, R_0)$.

For each round $i = 0, 1, \ldots, n$, compute

$$(L_{i+1}', R_{i+1}') = \mathrm{H}(L_i' + T_i,\ R_i' + T_i),$$

where $T_i = \mathrm{F}(L_i' - R_i', K_i)$, and $(L_0', R_0') = \mathrm{H}(L_0, R_0)$.

Then the ciphertext is $(L_{n+1}, R_{n+1}) = (L_{n+1}', R_{n+1}')$.

Decryption of a ciphertext $(L_{n+1}, R_{n+1})$ is accomplished by computing, for $i = n, n-1, \ldots, 0$,

$$(L_i', R_i') = \mathrm{H}^{-1}(L_{i+1}' - T_i,\ R_{i+1}' - T_i),$$

where $T_i = \mathrm{F}(L_{i+1}' - R_{i+1}', K_i)$, and $(L_{n+1}', R_{n+1}') = \mathrm{H}^{-1}(L_{n+1}, R_{n+1})$.

Then $(L_0, R_0) = (L_0', R_0')$ is the plaintext again.

The Lai–Massey scheme offers security properties similar to those of the Feistel structure. It also shares the Feistel structure's advantage over a substitution–permutation network: the round function $\mathrm{F}$ does not have to be invertible.

The half-round function is required to prevent a trivial distinguishing attack: without it, $T_i$ is added to both halves in every round and cancels in their difference, so $L_0 - R_0 = L_{n+1} - R_{n+1}$ holds for every plaintext and the cipher is immediately distinguishable from a random permutation. $\mathrm{H}$ commonly applies an orthomorphism $\sigma$ on the left-hand side, that is,

$$\mathrm{H}(L, R) = (\sigma(L), R),$$

where both $\sigma$ and $x \mapsto \sigma(x) - x$ are permutations (in the mathematical sense, that is, bijections – not permutation boxes). Since there are no orthomorphisms for bit blocks (groups of size $2^n$), "almost orthomorphisms" are used instead.

$\mathrm{H}$ may depend on the key. If it does not, the last application can be omitted, since its inverse is known anyway. The last application is commonly called "round $n.5$" for a cipher that otherwise has $n$ rounds.
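The following is an added toy implementation of the recurrences above together with the difference check that $\mathrm{H}$ exists to defeat; it is constructed for this page and is not code from IDEA or IDEA NXT. It assumes 16-bit halves with XOR as the group operation (so "+" and "−" coincide), a truncated SHA-256 as the non-invertible $\mathrm{F}$, and the swap-and-XOR map $\sigma(a \| b) = b \| (a \oplus b)$ as the left-hand map of $\mathrm{H}$.

```python
import hashlib
import struct

# Constructed toy instance (not IDEA/IDEA NXT code): 16-bit halves, group
# operation XOR, so the text's "+" and "-" are both "^" here.

def sigma(x: int) -> int:
    """Left-hand map of H on a 16-bit half: a||b -> b||(a^b). Both sigma and
    x -> sigma(x) ^ x are bijections, which is what the text requires of it."""
    a, b = x >> 8, x & 0xFF
    return (b << 8) | (a ^ b)

def sigma_inv(x: int) -> int:
    b, c = x >> 8, x & 0xFF  # c == a ^ b
    return ((c ^ b) << 8) | b

def F(x: int, k: int) -> int:
    """Keyed round function, deliberately non-invertible (truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(struct.pack(">HH", x, k)).digest()[:2], "big")

def _h_pair(use_h: bool):
    """(H, H^-1); use_h=False makes H the identity, the weak variant the text warns about."""
    if use_h:
        return (lambda l, r: (sigma(l), r)), (lambda l, r: (sigma_inv(l), r))
    return (lambda l, r: (l, r)), (lambda l, r: (l, r))

def encrypt(l: int, r: int, keys, use_h: bool = True):
    """(L'_0,R'_0)=H(L_0,R_0); (L'_{i+1},R'_{i+1})=H(L'_i+T_i, R'_i+T_i), T_i=F(L'_i-R'_i,K_i)."""
    H, _ = _h_pair(use_h)
    l, r = H(l, r)
    for k in keys:
        t = F(l ^ r, k)
        l, r = H(l ^ t, r ^ t)
    return l, r

def decrypt(l: int, r: int, keys, use_h: bool = True):
    """Decryption recurrence from the text for i = n, ..., 0, starting from H^-1(ciphertext)."""
    _, H_inv = _h_pair(use_h)
    l, r = H_inv(l, r)
    for k in reversed(keys):
        t = F(l ^ r, k)
        l, r = H_inv(l ^ t, r ^ t)
    return l, r

def difference_preserved(l: int, r: int, keys, use_h: bool) -> bool:
    """Trivial distinguisher from the text: L_0 - R_0 == L_{n+1} - R_{n+1}? Always true
    without H (T_i enters both halves and cancels). With H, each application XORs
    psi(y) = sigma(y) ^ y into the difference, so it survives only by chance (~2^-16)."""
    cl, cr = encrypt(l, r, keys, use_h)
    return (l ^ r) == (cl ^ cr)
```

Calling `difference_preserved` over a batch of plaintexts with `use_h=False` returns `True` every time, while with the orthomorphic `H` it is essentially never true, which is the whole job of the half-round function.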

## References

1. Aaram Yun, Je Hong Park, Jooyoung Lee: "Lai-Massey Scheme and Quasi-Feistel Networks". IACR Cryptology.
2. Serge Vaudenay: "On the Lai-Massey Scheme". ASIACRYPT '99.