Where would a “half round” come from?

8

In the Hierocrypt-L3 description, the cipher takes 6, 7, or 8 rounds. Example source code also seems to follow this same specification of 8 rounds for 256-bit keys. Wikipedia shows 8.5 rounds for 256-bits. I found it in some other literature as well.

Where does this 1/2 round come from?










block-cipher






asked Dec 31 '18 at 14:28









b degnan







  • 2





    Generally rounds of a cipher are rather repetitive within the round itself as well (but with different shifts etc.). I presume it is just that, the calculations of the top half of one round. But yeah, presumptions don't make great answers.

    – Maarten Bodewes
    Dec 31 '18 at 15:40











  • See also: crypto.stackexchange.com/questions/1346/… and crypto.stackexchange.com/questions/10002/…

    – Ilmari Karonen
    Jan 1 at 2:38






















1 Answer
7

The following appears in the linked Wikipedia article (emphasis mine):

The Hierocrypt ciphers use a nested substitution-permutation network (SPN) structure. Each round consists of parallel applications of a transformation called the XS-box, followed by a linear diffusion operation. The final half-round replaces the diffusion with a simple post-whitening. The XS-box, which is shared by the two algorithms, is itself an SPN, consisting of a subkey XOR, an S-box lookup, a linear diffusion, another subkey XOR, and another S-box lookup. The diffusion operations use two MDS matrices, and there is a single 8×8-bit S-box.

So the final round operates differently, opting to replace the diffusion step with an add-key step.

It is not uncommon for block ciphers to skip the final linear diffusion operation, because it does not appear to improve security to include it. For example, AES skips the final diffusion step also. But they don't refer to it as a half round.

Salsa20

Salsa20 (and ChaCha) both use a double-round, which is counted as 1 round. So half-rounds appear again here in this context (scroll to FAQ), due to how the rounds are structured and counted.






edited Dec 31 '18 at 16:03

























answered Dec 31 '18 at 15:47









Ella Rose







  • 1





    Thanks. The terminology is just so loose.

    – b degnan
    Dec 31 '18 at 16:16











  • As a follow up, any ideas why they rounded up to 8.5? AES you could say was 11.5.

    – b degnan
    Dec 31 '18 at 16:22











  • @bdegnan It uses 8 full rounds, plus 1 half round

    – Ella Rose
    Dec 31 '18 at 17:19











  • Why not say 11.5 for AES then? I’m just trying to get down to the nuance of nomenclature. Cryptography is infuriating.

    – b degnan
    Dec 31 '18 at 17:36






  • 2





    It's just the convention that the designers chose. There is no universal standard on how to count these things.

    – Ella Rose
    Dec 31 '18 at 17:40
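
The round structure and the answer's remark that the final diffusion adds no security, shown on a toy cipher. This is an added example, not code from the thread or from Hierocrypt or AES. The 16-bit block, the S-box, the rotate-XOR diffusion layer and all key values are constructed for illustration.

```python
# Toy 16-bit SPN, constructed for illustration (not Hierocrypt, not AES).
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
MASK = 0xFFFF


def rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def substitute(x):
    """Nonlinear layer: the 4-bit S-box applied to all four nibbles in parallel."""
    return sum(SBOX[(x >> s) & 0xF] << s for s in (0, 4, 8, 12))


def diffuse(x):
    """Keyless linear layer: diffuse(a ^ b) == diffuse(a) ^ diffuse(b)."""
    return x ^ rotl(x, 3) ^ rotl(x, 7)


def undiffuse(y):
    """Inverse of diffuse(): 16 applications of diffuse() are the identity
    on 16-bit words, so 15 applications undo one."""
    for _ in range(15):
        y = diffuse(y)
    return y


def encrypt(pt, round_keys, whitening, final_diffusion=False):
    """len(round_keys) - 1 full rounds, then the final half round."""
    x = pt
    for k in round_keys[:-1]:            # full round: key XOR, S-boxes, diffusion
        x = diffuse(substitute(x ^ k))
    x = substitute(x ^ round_keys[-1])   # half round: key XOR and S-boxes only
    if final_diffusion:                  # hypothetical variant that keeps the diffusion
        x = diffuse(x)
    return x ^ whitening                 # post-whitening


def round_label(round_keys):
    """Count rounds the way the 8.5 figure does: full rounds plus one half."""
    return f"{len(round_keys) - 1}.5"


def final_diffusion_is_free(pt, round_keys, whitening):
    """diffuse(s) ^ w == diffuse(s ^ undiffuse(w)), so keeping the last diffusion
    gives the half-round cipher under whitening key undiffuse(w), followed by a
    public keyless map that anyone holding the ciphertext can undo."""
    kept = encrypt(pt, round_keys, whitening, final_diffusion=True)
    dropped = encrypt(pt, round_keys, undiffuse(whitening))
    return kept == diffuse(dropped)


# Constructed key material: 9 round keys give 8 full rounds plus 1 half round.
ROUND_KEYS = [0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x92A3,
              0xB4C5, 0xD6E7, 0xF809, 0x1B2D]
WHITENING = 0xC0DE

if __name__ == "__main__":
    print(round_label(ROUND_KEYS))
    print(all(final_diffusion_is_free(p, ROUND_KEYS, WHITENING)
              for p in range(1 << 16)))
```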











