Editing Block cipher (section)

===Lai–Massey ciphers===
[[File:Lai Massey scheme diagram en.svg|thumb|right|265px|The Lai–Massey scheme. The archetypical cipher utilizing it is [[International Data Encryption Algorithm|IDEA]].]]
{{main|Lai–Massey scheme}}

The Lai–Massey scheme offers security properties similar to those of the [[Feistel structure]]. It also shares the advantage that the round function <math>\mathrm F</math> does not have to be invertible. Another similarity is that it also splits the input block into two equal pieces. However, the round function is applied to the difference between the two, and the result is then added to both half blocks.

Let <math>\mathrm F</math> be the round function and <math>\mathrm H</math> a half-round function and let <math>K_0,K_1,\ldots,K_n</math> be the sub-keys for the rounds <math>0,1,\ldots,n</math> respectively.

Then the basic operation is as follows:

Split the plaintext block into two equal pieces, (<math>L_0</math>, <math>R_0</math>)

For each round <math>i =0,1,\dots,n</math>, compute

:<math>(L_{i+1}',R_{i+1}') = \mathrm H(L_i' + T_i,R_i' + T_i),</math>

where <math>T_i = \mathrm F(L_i' - R_i', K_i)</math> and <math>(L_0',R_0') = \mathrm H(L_0,R_0)</math>

Then the ciphertext is <math>(L_{n+1}, R_{n+1}) = (L_{n+1}',R_{n+1}')</math>.

The decryption of a ciphertext <math>(L_{n+1}, R_{n+1})</math> is accomplished by computing for <math>i=n,n-1,\ldots,0</math>

:<math>(L_i',R_i') = \mathrm H^{-1}(L_{i+1}' - T_i, R_{i+1}' - T_i)</math>

where <math>T_i = \mathrm F(L_{i+1}' - R_{i+1}',K_i)</math> and <math>(L_{n+1}',R_{n+1}')=\mathrm H^{-1}(L_{n+1},R_{n+1})</math>

Then <math>(L_0,R_0) = (L_0',R_0')</math> is the plaintext again.