Where would a “half round” come from?
In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.
Where does this 1/2 round come from?
block-cipher
add a comment |
In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.
Where does this 1/2 round come from?
block-cipher
1
Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
– Maarten Bodewes♦
11 hours ago
See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
– Ilmari Karonen
42 mins ago
add a comment |
In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.
Where does this 1/2 round come from?
block-cipher
In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.
Where does this 1/2 round come from?
block-cipher
block-cipher
asked 12 hours ago
b degnan
1,7421626
1,7421626
1
Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
– Maarten Bodewes♦
11 hours ago
See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
– Ilmari Karonen
42 mins ago
add a comment |
1
Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
– Maarten Bodewes♦
11 hours ago
See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
– Ilmari Karonen
42 mins ago
1
1
Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
– Maarten Bodewes♦
11 hours ago
Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
– Maarten Bodewes♦
11 hours ago
See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
– Ilmari Karonen
42 mins ago
See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
– Ilmari Karonen
42 mins ago
add a comment |
1 Answer
1
active
oldest
votes
The following appears in the linked wikipedia article (emphasis mine):
The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.
So the final round operates differently, opting to replace the diffusion step with an add-key step.
It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.
Salsa20
Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.
Thanks. The terminology is just so loose.
– b degnan
11 hours ago
As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago
@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose♦
10 hours ago
why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago
2
It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose♦
9 hours ago
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66200%2fwhere-would-a-half-round-come-from%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The following appears in the linked wikipedia article (emphasis mine):
The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.
So the final round operates differently, opting to replace the diffusion step with an add-key step.
It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.
Salsa20
Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.
Thanks. The terminology is just so loose.
– b degnan
11 hours ago
As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago
@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose♦
10 hours ago
why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago
2
It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose♦
9 hours ago
add a comment |
The following appears in the linked wikipedia article (emphasis mine):
The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.
So the final round operates differently, opting to replace the diffusion step with an add-key step.
It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.
Salsa20
Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.
Thanks. The terminology is just so loose.
– b degnan
11 hours ago
As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago
@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose♦
10 hours ago
why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago
2
It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose♦
9 hours ago
add a comment |
The following appears in the linked wikipedia article (emphasis mine):
The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.
So the final round operates differently, opting to replace the diffusion step with an add-key step.
It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.
Salsa20
Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.
The following appears in the linked wikipedia article (emphasis mine):
The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.
So the final round operates differently, opting to replace the diffusion step with an add-key step.
It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.
Salsa20
Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.
edited 11 hours ago
answered 11 hours ago
Ella Rose♦
15.3k44279
15.3k44279
Thanks. The terminology is just so loose.
– b degnan
11 hours ago
As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago
@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose♦
10 hours ago
why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago
2
It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose♦
9 hours ago
add a comment |
Thanks. The terminology is just so loose.
– b degnan
11 hours ago
As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago
@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose♦
10 hours ago
why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago
2
It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose♦
9 hours ago
Thanks. The terminology is just so loose.
– b degnan
11 hours ago
Thanks. The terminology is just so loose.
– b degnan
11 hours ago
As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago
As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago
@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose♦
10 hours ago
@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose♦
10 hours ago
why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago
why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago
2
2
It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose♦
9 hours ago
It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose♦
9 hours ago
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66200%2fwhere-would-a-half-round-come-from%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
– Maarten Bodewes♦
11 hours ago
See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
– Ilmari Karonen
42 mins ago