LEA: A 128-Bit Block Cipher for Fast Encryption on Common Processors

Abstract

We propose a new block cipher LEA, which has 128-bit block size and 128, 192, or 256-bit key size. It provides a high-speed software encryption on general-purpose processors. Our experiments show that LEA is faster than AES on Intel, AMD, ARM, and ColdFire platforms. LEA can be also implemented to have tiny code size. Its hardware implementation has a competitive throughput per area. It is secure against all the existing attacks on block ciphers.

Appendices

Differential Characteristic

Let \(\varDelta X_{i}\) be the XOR difference of \(X_i\), and let \(p_i\) be the probability of \(\varDelta X_{i} \rightarrow \varDelta X_{i+1}\). The probability \(p\) of an \(r\)-round differential characteristic is computed as \(p = \prod _{i=0}^{r-1} p_i\).

Table 10 shows the 11-round differential characteristic with the probability of \(2^{-98}\). The differences in the table are denoted in hexadecimal.

Table 10. 11-round differential characteristic with the probability of \(2^{-98}\)

The 7-round differential characteristic with the probability of \(2^{-27}\), discarding the first two rounds and the last two rounds is used for constructing a 14-round boomerang characteristic.

Table 11. 11-round linear approximation with the bias \(\varepsilon = 2^{-62}\)

Table 12. 10-round impossible differential characteristic

Linear Approximation

Let \(\varGamma X_i\) be the mask of \(X_i\), and let \(\varepsilon _i = p_i - 1/2\) be the bias of the linear approximation

$$\begin{aligned} \varGamma X_i \cdot X_i \oplus \varGamma X_{i+1} \cdot X_{i+1} = \varGamma K_i \cdot RK. \end{aligned}$$

(2)

Equation (2) is XOR-sum of the following approximations:

$$\begin{aligned} \alpha _0^i \cdot (X_i[0] \oplus RK_i[0]) \oplus \alpha _1^i \cdot (X_i[1] \oplus RK_i[1])&= \alpha _2^i \cdot ROR_9(X_{i+1}[0]),\nonumber \\&\quad p_{\alpha ^i}= 1/2 + \varepsilon _{\alpha _i},\end{aligned}$$

(3)

$$\begin{aligned} \beta _0^i \cdot (X_i[1] \oplus RK_i[2]) \oplus \beta _1^i \cdot (X_i[2] \oplus RK_i[3])&= \beta _2^i \cdot ROL_5(X_{i+1}[1]),\nonumber \\&\quad p_{\beta ^i}= 1/2 + \varepsilon _{\beta _i},\end{aligned}$$

(4)

$$\begin{aligned} \gamma _0^i \cdot (X_i[2] \oplus RK_i[4]) \oplus \gamma _1^i \cdot (X_i[3] \oplus RK_i[5])&= \gamma _2^i \cdot ROL_3(X_{i+1}[2]),\nonumber \\&\quad p_{\gamma ^i}= 1/2 + \varepsilon _{\gamma _i}. \end{aligned}$$

(5)

Let \(\varepsilon \) be the bias of an \(r\)-round linear approximation. Note that \(\varepsilon _i = 4 \varepsilon _{\alpha ^i} \varepsilon _{\beta _i} \varepsilon _{\gamma ^i}\) and \(\varepsilon = 2^{r-1}\prod _{i=0}^{r-1} \varepsilon _i\) by Piling-Up Lemma [44].

Table 11 shows the 11-round linear approximation with the biases of \(2^{-62}\). The masks in the table are denoted in hexadecimal.

Impossible Differential Characteristic

Table 12 shows one of three 10-round impossible differential characteristic reported in [20]. ‘1’ and ‘0’ mean the single bits 1 and 0 in the XOR difference. ‘x’ means an unknown bit.