Where would a “half round” come from?












7














In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.



Where does this 1/2 round come from?






block-cipher







share|improve this question


















  • 1




    Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
    – Maarten Bodewes
    11 hours ago










  • See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
    – Ilmari Karonen
    42 mins ago
















7














In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.



Where does this 1/2 round come from?






block-cipher







share|improve this question


















  • 1




    Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
    – Maarten Bodewes
    11 hours ago










  • See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
    – Ilmari Karonen
    42 mins ago














7












7








7







In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.



Where does this 1/2 round come from?






block-cipher







share|improve this question













In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.



Where does this 1/2 round come from?






block-cipher




block-cipher






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 12 hours ago









b degnan

1,7421626




1,7421626








  • 1




    Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
    – Maarten Bodewes
    11 hours ago










  • See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
    – Ilmari Karonen
    42 mins ago














  • 1




    Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
    – Maarten Bodewes
    11 hours ago










  • See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
    – Ilmari Karonen
    42 mins ago








1




1




Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
– Maarten Bodewes
11 hours ago




Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.
– Maarten Bodewes
11 hours ago












See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
– Ilmari Karonen
42 mins ago




See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…
– Ilmari Karonen
42 mins ago










1 Answer
1






active

oldest

votes


















6














The following appears in the linked wikipedia article (emphasis mine):




The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.




So the final round operates differently, opting to replace the diffusion step with an add-key step.



It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.



Salsa20



Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.






share|improve this answer























  • Thanks. The terminology is just so loose.
    – b degnan
    11 hours ago










  • As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
    – b degnan
    10 hours ago










  • @bdegnan It uses 8 full rounds, plus 1 half round
    – Ella Rose
    10 hours ago










  • why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
    – b degnan
    9 hours ago






  • 2




    It's just the convention that the designers chose. There is no universal standard on how to count these things.
    – Ella Rose
    9 hours ago











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66200%2fwhere-would-a-half-round-come-from%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









6














The following appears in the linked wikipedia article (emphasis mine):




The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.




So the final round operates differently, opting to replace the diffusion step with an add-key step.



It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.



Salsa20



Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.






share|improve this answer























  • Thanks. The terminology is just so loose.
    – b degnan
    11 hours ago










  • As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
    – b degnan
    10 hours ago










  • @bdegnan It uses 8 full rounds, plus 1 half round
    – Ella Rose
    10 hours ago










  • why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
    – b degnan
    9 hours ago






  • 2




    It's just the convention that the designers chose. There is no universal standard on how to count these things.
    – Ella Rose
    9 hours ago
















6














The following appears in the linked wikipedia article (emphasis mine):




The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.




So the final round operates differently, opting to replace the diffusion step with an add-key step.



It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.



Salsa20



Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.






share|improve this answer























  • Thanks. The terminology is just so loose.
    – b degnan
    11 hours ago










  • As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
    – b degnan
    10 hours ago










  • @bdegnan It uses 8 full rounds, plus 1 half round
    – Ella Rose
    10 hours ago










  • why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
    – b degnan
    9 hours ago






  • 2




    It's just the convention that the designers chose. There is no universal standard on how to count these things.
    – Ella Rose
    9 hours ago














6












6








6






The following appears in the linked wikipedia article (emphasis mine):




The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.




So the final round operates differently, opting to replace the diffusion step with an add-key step.



It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.



Salsa20



Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.






share|improve this answer














The following appears in the linked wikipedia article (emphasis mine):




The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.




So the final round operates differently, opting to replace the diffusion step with an add-key step.



It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.



Salsa20



Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.







share|improve this answer














share|improve this answer



share|improve this answer








edited 11 hours ago

























answered 11 hours ago









Ella Rose

15.3k44279




15.3k44279












  • Thanks. The terminology is just so loose.
    – b degnan
    11 hours ago










  • As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
    – b degnan
    10 hours ago










  • @bdegnan It uses 8 full rounds, plus 1 half round
    – Ella Rose
    10 hours ago










  • why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
    – b degnan
    9 hours ago






  • 2




    It's just the convention that the designers chose. There is no universal standard on how to count these things.
    – Ella Rose
    9 hours ago


















  • Thanks. The terminology is just so loose.
    – b degnan
    11 hours ago










  • As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
    – b degnan
    10 hours ago










  • @bdegnan It uses 8 full rounds, plus 1 half round
    – Ella Rose
    10 hours ago










  • why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
    – b degnan
    9 hours ago






  • 2




    It's just the convention that the designers chose. There is no universal standard on how to count these things.
    – Ella Rose
    9 hours ago
















Thanks. The terminology is just so loose.
– b degnan
11 hours ago




Thanks. The terminology is just so loose.
– b degnan
11 hours ago












As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago




As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.
– b degnan
10 hours ago












@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose
10 hours ago




@bdegnan It uses 8 full rounds, plus 1 half round
– Ella Rose
10 hours ago












why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago




why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating
– b degnan
9 hours ago




2




2




It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose
9 hours ago




It's just the convention that the designers chose. There is no universal standard on how to count these things.
– Ella Rose
9 hours ago


















draft saved

draft discarded




















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66200%2fwhere-would-a-half-round-come-from%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Quarter-circle Tiles

Image
up vote 0 down vote favorite I have $99$ identical square tiles, each with a quarter-circle drawn on it like this: [asy] size(1.5cm); draw(Arc((2,0),1,90,180),red+1); draw((0,0)--(2,0)--(2,2)--(0,2)--(0,0)); [/asy] When I arrange the tiles in a $9times 11$ rectangular grid, each with a random orientation, what is the expected value of the number of full circles I form? I think this problem has to do with finding the chance any given 2x2 square has a circle, but I can't find it. expected-value share | cite | improve this question asked Nov 20 at 15:03 6minecraftninja 1 2
Read more

build a pushdown automaton that recognizes the reverse language of a given pushdown automaton?

Image
0 I think it's similiar to NFAs. I replace the finite states of the given automaton for start-states for my new automaton. I do it with $epsilon$ -transition from the start state to the actual finite states of the given automaton. The start state of the given automaton will be my accepting(finite) state of my new one. All transitions will be reversed of course to recognize the reversed word. But how do I have to change the stack of the pushdown automaton? That's tricky. formal-languages automata context-free-grammar share | cite | improve this question edited Nov 29 '18 at 14:20 joee
Read more

Mont Emei

Image
Mont Emei.mw-parser-output .entete.map{background-image:url("//upload.wikimedia.org/wikipedia/commons/7/7a/Picto_infobox_map.png")} Vue du sommet Wanfo du mont Emei Géographie Altitude 3 099  m , Wanfo Coordonnées 29° 31′ 11″ nord, 103° 19′ 57″ est Administration Pays   Chine Province Sichuan Ville-préfecture Leshan Géolocalisation sur la carte : Sichuan Mont Emei Géolocalisation sur la carte : Chine Mont Emei modifier   Paysage panoramique du mont Emei, incluant le paysage panoramique du grand Bouddha de Leshan *   Patrimoine mondial de l'UNESCO Passerelle en bois sur le versant ouest Pays   Chine Subdivision Sichuan Type Mixte Critères (iv) (vi) (x) Superficie 15 400 ha Numéro d’identification 779 Zone géographique Asie et Pacifique  ** Année d’inscription 1996 (20 e session) * Descriptif officiel UNESCO ** Classification géog
Read more