Lai-Massey isn’t susceptible to dumb XOR-reversal like Feistel is, either. May do a post about the practical implications of that at some point for whitebox crypto. Who knows. :-)
This is a neat look at some cipher structures, but I’d add a caution to implementers that quality-of-implementation usually matters more than cipher structure per se. I agree that a naive AES implementation is bad news, but e.g. if you’re on a smartcard and don’t have anything better, you really should prefer the (side-channel-)hardened 3DES hardware over homebrewing Gimli in smartcard Java.
Lai-Massey is a neat Feistel alternative too. Also probably very simple, like Feistel and SPNs, to implement in hardware.
ARX seems easy to implement in hardware too, FWIW, but haven’t given it as much thought as the others.
Oof, how could I overlook Lai-Massey?
In my defense, I’ve never implemented IDEA before, and thought it was ARX last time I glanced at the code. Nice to learn something though!
Lai-Massey isn’t susceptible to dumb XOR-reversal like Feistel is, either. May do a post about the practical implications of that at some point for whitebox crypto. Who knows. :-)
If you do, make sure you submit it here. I’d love to read it!
This is a neat look at some cipher structures, but I’d add a caution to implementers that quality-of-implementation usually matters more than cipher structure per se. I agree that a naive AES implementation is bad news, but e.g. if you’re on a smartcard and don’t have anything better, you really should prefer the (side-channel-)hardened 3DES hardware over homebrewing Gimli in smartcard Java.
(… and 3DES is pretty bad.)