LOKI
Encyclopedia
In cryptography
, LOKI89 and LOKI91 are block cipher
s designed as possible replacements for the Data Encryption Standard
(DES). The ciphers were developed based on a body of work analysing DES, and are very similar to DES in structure. The LOKI algorithms were named for Loki
, the god of mischief in Norse mythology
.
, Josef Pieprzyk
, and Jennifer Seberry
. LOKI89 was submitted to the European RIPE
project for evaluation, but was not selected.
The cipher uses a 64-bit block
and a 64-bit key. Like DES
, it is a 16-round Feistel cipher
and has a similar general structure, but differs in the choice of the particular S-boxes, the "P-permutation", and the "Expansion permutation". The S-Boxes use the non-linearity criteria
developed by Josef Pieprzyk, making them as "complex" and
"unpredicatable" as possible. Their effectiveness was compared
against the known design criteria for the DES S-boxes. The
permutations were designed to "mix" the outputs of the S-boxes
as quickly as possible, promoting the avalanche and completeness
properties, essential for a good Feistel cipher
. However unlike
their equivalents in the DES, they are intended to be as clean and
simple as possible (in retrospect perhaps a little too simple),
aiding the analysis of the design.
Following the publication of LOKI89, information on the new
differential cryptanalysis
became available, as well as
some early analysis results by (Knudsen 1993a).
This resulted in the design being changed to become LOKI91.
, a new S-box, and small alterations to the key schedule
.
More specifically, the S-boxes were changed to minimise the probability of seeing different inputs resulting in the same output (a hook which Differential cryptanalysis
uses), thus improving LOKI91's immunity to this attack, as detailed by the attacks authors (Biham and Shamir 1991). The changes to the key schedule were designed to reduce the number of "equivalent" or "related" keys, which resulted in the exhaustive search space for the cipher being reduced.
Whilst the resulting cipher is clearly stronger and more secure than LOKI89, there are a number of potential attacks, as detailed in the papers by Knudsen and Biham. Consequently these ciphers should be viewed as academic efforts to advance the field of block cipher design, rather than algorithms for use. The number of citations and published critiques suggests this aim has been achieved.
Cryptography
Cryptography is the practice and study of techniques for secure communication in the presence of third parties...
, LOKI89 and LOKI91 are block cipher
Block cipher
In cryptography, a block cipher is a symmetric key cipher operating on fixed-length groups of bits, called blocks, with an unvarying transformation. A block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext...
s designed as possible replacements for the Data Encryption Standard
Data Encryption Standard
The Data Encryption Standard is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is...
(DES). The ciphers were developed based on a body of work analysing DES, and are very similar to DES in structure. The LOKI algorithms were named for Loki
Loki
In Norse mythology, Loki or Loke is a god or jötunn . Loki is the son of Fárbauti and Laufey, and the brother of Helblindi and Býleistr. By the jötunn Angrboða, Loki is the father of Hel, the wolf Fenrir, and the world serpent Jörmungandr. By his wife Sigyn, Loki is the father of Nari or Narfi...
, the god of mischief in Norse mythology
Norse mythology
Norse mythology, a subset of Germanic mythology, is the overall term for the myths, legends and beliefs about supernatural beings of Norse pagans. It flourished prior to the Christianization of Scandinavia, during the Early Middle Ages, and passed into Nordic folklore, with some aspects surviving...
.
LOKI89
LOKI89 was first published in 1990, then named just "LOKI", by Australian cryptographers Lawrie BrownLawrie Brown
Lawrence Peter "Lawrie" Brown is a cryptographer and computer security researcher, currently a Senior Lecturer at the Australian Defence Force Academy. His notable work includes the design of the block ciphers LOKI and LOKI97. He received his Ph.D...
, Josef Pieprzyk
Josef Pieprzyk
Josef Pieprzyk is a professor at Macquarie University in Sydney, Australia.He has worked on cryptography, in particular the XSL attack. He collaborated in the invention of the LOKI and LOKI97 block ciphers and the HAVAL cryptographic hash function....
, and Jennifer Seberry
Jennifer Seberry
Jennifer Roma Seberry is an Australian cryptographer, mathematician, and computer scientist, currently a professor at the University of Wollongong, Australia...
. LOKI89 was submitted to the European RIPE
RIPE
Réseaux IP Européens is a forum open to all parties with an interest in the technical development of the Internet. The RIPE community’s objective is to ensure that the administrative and technical coordination necessary to maintain and develop the Internet continues...
project for evaluation, but was not selected.
The cipher uses a 64-bit block
Block size (cryptography)
In modern cryptography, symmetric key ciphers are generally divided into stream ciphers and block ciphers. Block ciphers operate on a fixed length string of bits. The length of this bit string is the block size...
and a 64-bit key. Like DES
Data Encryption Standard
The Data Encryption Standard is a block cipher that uses shared secret encryption. It was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976 and which has subsequently enjoyed widespread use internationally. It is...
, it is a 16-round Feistel cipher
Feistel cipher
In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel who did pioneering research while working for IBM ; it is also commonly known as a Feistel network. A large proportion of block...
and has a similar general structure, but differs in the choice of the particular S-boxes, the "P-permutation", and the "Expansion permutation". The S-Boxes use the non-linearity criteria
developed by Josef Pieprzyk, making them as "complex" and
"unpredicatable" as possible. Their effectiveness was compared
against the known design criteria for the DES S-boxes. The
permutations were designed to "mix" the outputs of the S-boxes
as quickly as possible, promoting the avalanche and completeness
properties, essential for a good Feistel cipher
Feistel cipher
In cryptography, a Feistel cipher is a symmetric structure used in the construction of block ciphers, named after the German-born physicist and cryptographer Horst Feistel who did pioneering research while working for IBM ; it is also commonly known as a Feistel network. A large proportion of block...
. However unlike
their equivalents in the DES, they are intended to be as clean and
simple as possible (in retrospect perhaps a little too simple),
aiding the analysis of the design.
Following the publication of LOKI89, information on the new
differential cryptanalysis
Differential cryptanalysis
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output...
became available, as well as
some early analysis results by (Knudsen 1993a).
This resulted in the design being changed to become LOKI91.
LOKI91
LOKI 91 was designed in response to the attacks on LOKI89 (Brown et al., 1991). The changes included removing the initial and final key whiteningKey whitening
In cryptography, key whitening is a technique intended to increase the security of an iterated block cipher. It consists of steps that combine the data with portions of the key before the first round and after the last round of encryption.The first block cipher to use a form of key whitening is...
, a new S-box, and small alterations to the key schedule
Key schedule
[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES [[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES [[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("[[Image:DES-key-schedule.png|thumbnail|220px|The key schedule of DES ("...
.
More specifically, the S-boxes were changed to minimise the probability of seeing different inputs resulting in the same output (a hook which Differential cryptanalysis
Differential cryptanalysis
Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in an input can affect the resultant difference at the output...
uses), thus improving LOKI91's immunity to this attack, as detailed by the attacks authors (Biham and Shamir 1991). The changes to the key schedule were designed to reduce the number of "equivalent" or "related" keys, which resulted in the exhaustive search space for the cipher being reduced.
Whilst the resulting cipher is clearly stronger and more secure than LOKI89, there are a number of potential attacks, as detailed in the papers by Knudsen and Biham. Consequently these ciphers should be viewed as academic efforts to advance the field of block cipher design, rather than algorithms for use. The number of citations and published critiques suggests this aim has been achieved.