9

In the hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it some other literature as well.

Where does this 1/2 round come from?

b degnan
  • 4,810
  • 1
  • 24
  • 48
  • 2
    Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers. – Maarten Bodewes Dec 31 '18 at 15:40
  • See also: https://crypto.stackexchange.com/questions/1346/why-is-mixcolumns-omitted-from-the-last-round-of-aes and https://crypto.stackexchange.com/questions/10002/why-no-swapping-block-in-the-last-round-of-des – Ilmari Karonen Jan 01 '19 at 02:38

1 Answers1

8

The following appears in the linked wikipedia article (emphasis mine):

The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.

So the final round operates differently, opting to replace the diffusion step with an add-key step.

It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.

Salsa20

Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.

Ella Rose
  • 19,603
  • 6
  • 53
  • 101
  • As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5. – b degnan Dec 31 '18 at 16:22
  • @bdegnan It uses 8 full rounds, plus 1 half round – Ella Rose Dec 31 '18 at 17:19
  • why not say 11.5 for AES then? i’m just trying to get down to nuance of nomenclature. cryptography is infuriating – b degnan Dec 31 '18 at 17:36
  • 2
    It's just the convention that the designers chose. There is no universal standard on how to count these things. – Ella Rose Dec 31 '18 at 17:40
  • And each "double round" consists of four parallel applications of a "quarter round" (though confusingly, four quarter rounds don't make two double rounds, but one). – forest Apr 29 '19 at 07:24