## Question:

I would like to better understand how the `LED` algorithm works step-by-step, especially the process of substitution and permutation of blocks and especially the use of keys in each round.

Are the keys in each round expansions of a single key or are they different keys?

I've already consulted the sources

- https://www.cryptolux.org/index.php/Lightweight_Block_Ciphers#Zorro
- https://sites.google.com/site/ledblockcipher/design
- https://eprint.iacr.org/2012/600.pdf

But I couldn't find out whether the keys in each round are expansions or different keys.

## Answer:

I'm also researching the subject, and while reading on [crypto.SO] I found this answer interesting, so I'll adapt it here; I hope it suits us.

On page 3 of the Proposal for the LED Algorithm it says:

"Note that for a 64-bit key `K`, all subkeys are equal to `K`, while for a 128-bit key `K`, the subkeys are alternatively equal to the left part `K^1` and to the right part `K^2` of `K`."

Translating:

Note that for a 64-bit key `k`, all subkeys are equal to `k`, while for a 128-bit key `k`, the subkeys are alternately equal to the left part `k^1` and the right part `k^2` of `k`.

Basically, the main key input is split into an ordered list of *nibbles*, and when the algorithm needs stuff for subkeys it uses exactly the *nibbles* directly from the ordered list — moving each *nibble* to the end of the line so that all the *nibbles* are used in succession. Since the algorithm handles 64 bits of subkeys at a time (16 *nibbles*), for a 64-bit main key each subkey will simply be the main key, and for 128-bit keys the algorithm will use the first 16 *nibbles* of the master key, then the second part (the remaining 16 *nibbles*), then the first 16 again, and so on. The top of page 4 shows a diagram of how this works for an 80-bit main key.

Considering the original question to which this answer was applied, the answer's author highlights that the subkeys are not used in each '*round*', as highlighted in the question, but between each *step*, where each step is composed of 4 rounds. Each round consists of 4 operations, very similar to those used in the AES algorithm — first you do an **xor** in a round, then you replace each *nibble* using a non-linear replacement operation (the cipher's S-box), then you transpose the *nibbles*, and then pass them through a highly diffuse linear permutation with a high branching factor (similar to MixColumns in AES, but optimized for *nibbles*).

Based on the answer: https://crypto.stackexchange.com/a/26013
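
The subkey selection described in the answer above, as an added Python sketch (not code from the LED designers or from the original answer). The function names, the hex-string key representation and the sample keys are assumptions made for this example; the number of steps is passed in by the caller, and a key addition is assumed before the first step and after the last one.

```python
# Added illustration: how LED picks its subkeys from the ordered nibble list.
# All names and sample keys below are constructed for this example.

def key_nibbles(key_hex):
    """Split a hex-encoded key into its ordered list of 4-bit nibbles."""
    bits = len(key_hex) * 4
    if not 64 <= bits <= 128:
        raise ValueError("expected a key of 64 to 128 bits")
    return [int(c, 16) for c in key_hex]

def subkey(nibbles, i):
    """Subkey i is the next 16 nibbles of the list, wrapping around at the end."""
    length = len(nibbles)
    return [nibbles[(j + 16 * i) % length] for j in range(16)]

def subkeys(key_hex, steps):
    """One subkey before each step plus one after the last step."""
    nib = key_nibbles(key_hex)
    return ["".join(f"{n:x}" for n in subkey(nib, i)) for i in range(steps + 1)]

def schedule(key_hex, steps):
    """Order of operations: key addition, then a step of 4 rounds, repeated."""
    sks = subkeys(key_hex, steps)
    ops = []
    for i in range(steps):
        ops.append(("addRoundKey", sks[i]))
        ops.extend(("round", 4 * i + r) for r in range(4))
    ops.append(("addRoundKey", sks[steps]))
    return ops

if __name__ == "__main__":
    samples = {                       # constructed sample keys
        "64-bit": "0123456789abcdef",
        "80-bit": "00112233445566778899",
        "128-bit": "0123456789abcdeffedcba9876543210",
    }
    for name, key in samples.items():
        print(name, subkeys(key, 3))
    for op in schedule(samples["64-bit"], 2):
        print(op)
```

For the 64-bit key every subkey equals the key, for the 128-bit key the two halves alternate, and for the 80-bit key the 16-nibble window slides around the 20-nibble list, which answers the question directly: the subkeys are slices of the one user key, not independently derived round keys.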