The block cipher LEA consisting of ARX operations for 32-bit words processes data blocks of 128 bits and has three different key lengths: 128, 192, and 256 bits. LEA with a 128-bit key, LEA with a 192-bit key, and LEA with a 256-bit key are referred to as “LEA-128”, “LEA-192”, and “LEA-256”, respectively. The number of rounds is 24 for LEA-128, 28 for LEA-192, and 32 for LEA-256.
Encryption
Let be a 128-bit block of plaintext and be a 128-bit block of ciphertext, where and are 32-bit blocks. Let be 192-bit round keys, where are 32-bit blocks. Here is the number of rounds for the LEA algorithm. The encryption operation is described as follows:
for to
#
#
#
#
Decryption
The decryption operation is as follows:
for down to
#
#
#
#
Key schedule
The key schedule of LEA supports 128, 192, and 256-bit keys and outputs 192-bit round keys for the data processing part.
Key schedule for LEA-128
Let be a 128-bit key, where are 32-bit blocks. The key schedule for LEA-128 takes and four 32-bit constants as inputs and outputs twenty-four 192-bit round keys . The key schedule operation for LEA-128 is as follows:
for to
#
#
#
#
#
Key schedule for LEA-192
Let be a 192-bit key, where are 32-bit blocks. The key schedule for LEA-192 takes and six 32-bit constants as inputs and outputs twenty-eight 192-bit round keys . The key schedule operation for LEA-192 is as follows:
for to
#
#
#
#
#
#
#
Key schedule for LEA-256
Let be a 256-bit key, where are 32-bit blocks. The key schedule for LEA-192 takes and eight 32-bit constants as inputs and outputs thirty-two 192-bit round keys . The key schedule operation for LEA-256 is as follows:
for to
#
#
#
#
#
#
#
Constant values
The eight 32-bit constant values used in the key schedule are given in the following table.
0
1
2
3
4
5
6
7
0xc3efe9db
0x44626b02
0x79e27c8a
0x78df30ec
0x715ea49e
0xc785da0a
0xe04ef22a
0xe5c40957
Security
As of 2019, no successful attack on full-round LEA is known. As is typical for iterated block ciphers, reduced-round variants have been attacked. The best published attacks on LEA in the standard attack model are boomerang attacks and differential linear attacks. The security margin to the whole rounds ratio is greater than 37% against various existing cryptanalytic techniques for block ciphers.
LEA has very good performance in a general-purpose software environment. In particular, it is possible to encrypt at a rate of about 1.5 to 2 times on average, compared to AES, the most widely used block cipher in various software environments. The tables below compare the performance of LEA and AES using FELICS, a benchmarking framework for evaluation of software implementations of lightweight cryptographic primitives.
Test vectors
Test vectors for LEA for each key length are as follows. All values are expressed in hexadecimal form.
* Plaintext: 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
* Ciphertext: d6 51 af f6 47 b1 89 c1 3a 89 00 ca 27 f9 e1 97
Implementations
LEA is free for any use: public or private, commercial or non-commercial. The source code for distribution of LEA implemented in C, Java, and Python can be downloaded from KISA's website. In addition, LEA is contained in Crypto++ library, a free C++class library of cryptographic schemes.
KCMVP
LEA is one of the cryptographic algorithms approved by the Korean Cryptographic Module Validation Program.
Standardization
LEA is included in the following standards.
KS X 3246, 128-bit block cipher LEA
ISO/IEC 29192-2:2019, Information security - Lightweight cryptography - Part 2: Block ciphers
