Cryptanalysis of LOKI 91

Home , Key schedule

Lars Ramkilde Knudsen

Aarhus Universitet

Comp. Science Dept.

DK-8000 Arhus C.

e-mail:[email protected]

Abstract. In this pap er we examine the redesign of LOKI, LOKI 91

prop osed in [5]. First it is shown that there is no characteristic with a

probability high enough to do a successful di erential attack on LOKI 91.

Secondly we show that the size of the image of the F-function in LOKI 91

is 2 . Finally weintro duce a chosen plaintext attack that reduces

an exhaustivekey search on LOKI 91 by almost a factor 4 using 2 +2

chosen plaintexts.

1 Intro duction

In 1990 Brown et al [4] prop osed a new encryption primitive, called LOKI,

later renamed LOKI 89, as an alternative to the Data Encryption Standard

DES, with which itisinterface compatible. Cryptanalysis showed weaknesses

in LOKI 89 [2, 5, 8] and a redesign, LOKI 91 was prop osed in [5]. The ciphers

from the LOKI family are DES-like iterated blo ck ciphers based on iterating a

function, called the F-function, sixteen times. The blo ck and key size is 64 bits.

Each iteration is called a round. The input to each round is divided into two

halves. The right half is fed into the F-function together with a 32 bit round key

derived from the keyschedule algorithm. The output of the F-function is added

mo dulo 2 to the left half of the input and the two halves are interchanged

except for the last round. The LOKI ciphers run 16 rounds. The plaintext is the

input to the rst round and the ciphertext is the output of the last round. The

input to the F-function is the xor'ed value of a 32 bit input text and a 32 bit

round key. The 32 bits are expanded to 48 bits and divided into blo cks of 12

bits. The 12 bit blo cks are the inputs to the 4 S-b oxes in LOKI 91, each of which

pro duces an 8 bit output. The 32 bits are p ermuted making the output of the

F-function.

In section 2 we do di erential cryptanalysis of LOKI 91 and show that there is

no characteristic with a probability high enough to do a successful di erential

attack. Di erential cryptanalysis was intro duced by Biham and Shamir [1]. The

underlying theory was later describ ed by Lai and Massey [6]. For the remainder

of this pap er we exp ect the reader to b e familiar with the basic concepts of dif-

ferential cryptanalysis. Please consult the pap ers [1,3, 6] for further details.

In section 3 we examine the size of the image of the F-function, the round func-

tion in LOKI 91. Because the key is added to the input text b efore the expansion

in the F-function, the inputs to the 4 S-b oxes are dep endent. We show that this

2 . has the e ect that the size of the image of the F-function is

In section 4 we showaweakness in the keyschedule of LOKI 91, i.e. that for every

key K there exists a key K , such that K and K have 14 common round keys.

We exploit this weakness in a chosen plaintext attack that reduces an exhaustive

key searchby almost a factor 4 using 2 +2 chosen plaintexts.

2 Di erential cryptanalysis of LOKI 91

In [5] it is indicated that LOKI 91 is resistant against di erential cryptanalysis,

achosen plaintext attackintro duced in [1]. The rst thing to do in di erential

cryptanalysis is to lo ok for go o d characteristics or di erentials. In [3] Biham and

Shamir intro duced an improved di erential attack on DES. The attack shows

how to extend an r -round characteristic to an r +1-round characteristic with

unchanged probabilityby picking the chosen plaintexts more carefully. The cost

is a more complex analysis. The improvement can b e obtained in attacks on any

DES-like iterated cipher. Thus the existence of a 13-round characteristic with

a to o high probability might enable a successful di erential attack on LOKI 91.

The probabilityofan r-round characteristic is found bymultiplying the prob-

abilities of r 1-round characteristics. As stated in [6] this way of calculating

the probabilities for characteristics requires the cipher to b e a Markov cipher.

Since the round keys are dep endent, LOKI 91 is not a Markov cipher, however

tests for LOKI 89 show that the probabilities hold in practice at least for small

characteristics [8]. Furthermore wehave found no way of incorp orating the key

dep endencies in the calculation of longer characteristics.

2.1 Characteristics for LOKI 91

The b est one-round characteristic in LOKI 91 has probability 1 and comes from

the fact that equal inputs always lead to equal outputs. A round with equal

inputs is called a zero round since the xor-sum of the inputs is zero.

The pairs xor table see [1] for LOKI 91 is a table with 2 entries. Table 1

shows the most likely combinations for input/outputxors for one S-b ox isolated.

132

Note that although inputxor 004 leads to outputxor 01 with probability

x x

4096

for one S-b ox it do esn't mean we can nd a one round characteristic with this

probability. Because the key is added to the input text b efore the E-expansion

in LOKI 91 the inputs to two neighb ouring S-b oxes are dep endent. In the ab ove

case a neighb ouring S-b ox will have inputxor 4ij , where i; j 2f0; :::; 15g.

The b est one-round characteristic with a nonzero input di erence has probabil-

6:29

ity ' 2 . Therefore to nd a 13-round characteristic with a probability

4096

high enough to enable a successful di erential attack some of the 13 rounds must

b e zero rounds. The b est characteristic for an attack on DES is based on a 2-

round iterativecharacteristic [1], where every second round is a zero round. The

b est characteristic for an attack on LOKI 89 is based on a 3-round iterative

characteristic [5, 8], where every third round is a zero round. We need a few de nitions:

Input Output Prob. n/4096 Input Output Prob. n/4096

4 1 132 c 1 76

80 4 52 a0 e8 46

173 f7 46 185 90 46

37b cd 48 3e0 24 48

42a 41 46 498 cf 56

49e 97 46 790 46 50

a20 0 46 a21 d7 48

c43 76 46 c76 f0 48

deb c9 46 e7b 5f 48

ea6 5d 46 eec ab 46

f33 e9 46

Table 1. The most likely combinations from the pairs xor table.

De nition 1 If the rounds no. i 1 and i +1 are zero-rounds, round no.

i is of typ e A.

If the rounds no. i 1 and i +2 are zero-rounds, rounds no. i and i +1

area pair of typ e B.

If the rounds no. i 1 and i +3 are zero-rounds and the rounds no. i, i +1

and i +2 are nonzerorounds, then rounds no. i, i +1 and i +2 area

triple of typ e C.

A round of typ e A must have the following form ! 0 . The b est probability

122

of such a round for LOKI 91 is ' 2 [5].

A pair of rounds of typ e B must have the following forms,

round no. i: !

round no. i + 1: ! [9]

2 16

Lemma 1 The highest probability for a pair of rounds of typeBis =2 .

Pro of: Consider the case where and di er in the input to only one S-b ox

each, Si and Sj resp ectively. Because of the P-p ermutation see [4] it follows

easily that the input/outputxor combinations for Si and Sj must have one of

the following four forms:

Input Output Prob. n/4096

080 80 10

x x

040 20 16

x x

020 08 6

x x

010 02 12

x x

Table 2.

The highest probability for a pair of typ e B is therefore when the combination

in b oth and is 040 ! 20 . It is exactly the situation that o ccurs for xp oints

x x

[8]. From the pairs xor table it follows easily that if and di er in the inputs

to more than 2 S-b oxes totally,we obtain probabilities smaller than 2 . 2

A triple of rounds of typ e C must have the following forms,

round i: !

round i + 1: !

round i + 2: ! [9]

Lemma 2 The probability for a triple of rounds of type C is at most 2 .

Pro of: By a similar argument as for typ e B, assume that ; and di er in the

inputs to only one S-b ox each. Obviously and must di er in the inputs to the

same S-b ox. It means that the combination in round i +1 must have one of the

forms from Table 2. The combination in b oth round i and i +2 must have the

following form: 0Y 0 ! Z , where Z 2f2 ;8 ;20 ; 80 g and Y 2f0 ; ::::::::;f g.

x x x x x x x

28 34

and , therefore the The two highest probabilities for 0Y 0 ! Z are

4096 4096

probability of a triple of typ e C has probability at most

34 16 28

< 2 :

Note that 6= otherwise would have to di er in the inputs to at least two

neighb ouring S-b oxes [5]. 2

Nowwe can prove the following theorem.

Theorem 1 There is no 13-round characteristic for LOKI 91 with probability

higher than 2 .

Pro of: The b est one-round characteristic with a nonzero input di erence has

52 52

6:29 n 63

probability ' 2 . Because > 2 n 10, wemust have

4096 4096

at least 3 rounds with equal inputs in the 13-round characteristic 13R. Since

two consecutive zero-rounds force all rounds to b e zero-rounds we can haveat

most 7 zero-rounds.

7 zero-rounds: Every second round is of typ e A, therefore

13 6 78

P 13R 2 =2

6 zero-rounds: At least 3 rounds are of typ e A, the remaining 6 rounds can have

6:29

probability at most 2 , therefore

13 3 6:29 4 64:2

P 13R 2 2 =2

5 zero-rounds: There can b e at most one round of typ e A, since

13 n 6:29 8n 63

2 2 > 2 n 1

There are two cases to consider

1. No rounds of typ e A, thereby 4 pairs of typ e B:

16 4 64

P 13R 2 =2

2. One round of typ e A, thereby at least 2 pairs of typ e B:

13 16 2 6:29 3 63:9

P 13R 2 2 2 =2

4 zero-rounds: There can b e no rounds of typ e A, since

13 n 6:29 9n 63

2 2 > 2 n<1

There can b e at most one pair of typ e B, since

16 n 6:29 92n 63

2 2 > 2 n 1

There are two cases to consider

1. No pairs of typ e B, thereby 3 triples of typ e C:

22 3 66

P 13R 2 =2

2. One pair of typ e B, thereby at least one triple of typ e C:

16 22 6:29 4 63:2

P 13R 2 2 2 =2

3 zero-rounds: All 10 nonzero rounds must b e based on the b est combination

6:47

080 ! 4 , since the second b est combination has probability2 and

x x

6:29 9 6:47 63

2 2 < 2 .However it is not p ossible to construct a 13-round

characteristic based solely on the b est combination. 2

The ab ove do es not prove that LOKI 91 is resistant against di erential attacks.

As stated in [7] to prove this resistance for a DES-like cipher we need to nd

the b est p ossible di erentials. However this seems to b e extremely dicult for

LOKI 91 and wehave done no work in that direction.

3 The F-function of LOKI 91

In the redesign of LOKI89 [5] one of the guidelines was

{ to ensure that there is no waytomake all S-b oxes give 0 outputs, to increase

the ciphers security when used in hashing mo des.

The 4 S-b oxes in LOKI 91 are equal. Each S-b ox takes a 12 bit input and pro-

duces an 8 bit output. Each output value o ccurs exactly 16 times. The inputs

to one S-b ox that result in a 0 output are listed in Table 1. Because the key

is added to the input text b efore the E-expansion, the input to one S-b oxis

dep endent on the inputs to neighb ouring S-b oxes. Let the input to one S-b oxbe

hij , then the input to one of the neighb ouring S-b oxes is jkl .From Table 1

x x

we see that to get 0 output from b oth S-b oxes wemust have h; j 2f0;5;a;c;fg

and j; l 2f3;4;9;eg leaving no p ossible values for j . Therefore we cannot get 0

4 49 8e d3 514 559 59e 5e3

a24 a69 aae af3 c03 f34 f79 fb e

Table 3. Inputs yielding 0 output for one S-b ox hex notation

outputs from anytwo neighb ouring S-b oxes. Let the output from the F-function

be B = fb ;b ;b ;b g where b represents the output byte from S-b ox i. Then

1 2 3 4 i

B = f0; 0; ; g, B = f; 0; 0; g, B = f; ; 0; 0g and B = f0; ; ; 0g, where ''

represents anybyte value, are imp ossible values in the image of the F-function.

We found a lot of other imp ossible values. Therefore we made an exhaustive

search for the size of the image of the F-function in LOKI 91.

Theorem 2 The F-function is not surjective, indeed the size of the image of F

31:3

is about 2 :

Note that once we found that B = fb ;b ;b ;b g, where b represents the output

1 2 3 4 i

byte from S-b ox i, is not in the image of F, then b ecause the 4 S-b oxes in LOKI 91

are equal we know that any rotation of the four bytes yields a value not in the

image of F. The exact numb er of imp ossible values is 1; 638; 383; 180 ' 2 .

It means that ab out 5 out of 13 values are never hit in the output of the F-

function. In DES we do not have that the inputs to the S-b oxes are dep endent,

b ecause the key is added after the E-expansion. Therefore the size of the image

of the F-function in DES is 2 .Wehave not found anyways to exploit the

ab ove observation in an attack on LOKI 91. A consequence of the observation is

that the left and right halves of a ciphertext reveals 0.7 bit of information ab out

the inputs b efore addition of the keys to the second last round resp ectively

the third last round of the encryption.

4 Achosen plaintext attack reducing key search

We b egin by giving the notation used in this section.

Notation:

{ X is the bitwise complementofX.

{ Rol X is bitwise rotation of Xnp ositions to the left.

{ E P; K is a full 16 round encryption of P using K .

0 0

{ E P; K is a 2 round encryption of P using the 32 bit key K in the rst

round and Rol K in the second round.

{ SwapX; Y is the swapping of X and Y .

{ SwapZ is the swapping of the left and right halves of Z .

{ X kY is the concatenation of X and Y .

The attackwe are to describ e makes use of a prop erty of the key schedule in

LOKI 91. The key size is 64 bits. The key is divided into two 32 bit halves K ,

K and the 16 round keys K i;i=1; :::; 16, are derived as follows: R

1. i := 1

2. K i=K ; i=i+1

3. K = Rol K

L 13 L

4. K i=K ; i=i+1

5. K = Rol K

L 12 L

6. SwapK ;K

L R

7. go to 2.

The key schedule allows two di erentkeys to have several round keys in common.

Theorem 3 For every key K there exists a key K*, such that K and K* have

14 round keys in common.

Pro of: Let K 1; :::::; K 16 b e the roundkeys for K = K kK . Let K =

L R

K kRol K . Then K 2 + i=K i;i=1; ::; 14. 2

R 25 L

If K = K Theorem 3 is trivial, but this happ ens for only twokeys, b ecause

K = K K = K ^ K = Rol K K = K = Rol K

L R R 25 L R L 25 L

K =00::::00 _ K =11::::11, since gcd25; 32 = 1:

Corollary 1 There exists 2 pairs of keys, K and K*, such that K and K* have

16 round keys in common.

Let K = K kK , K = hh:::hh for some hex digit h and let K be any32

L R L x R

bits. From Theorem 3 wehaveakey K such that K and K have 14 round

keys in common and wehave furthermore K 15 = Rol K =K =K1

100 L L

and K 16 = Rol K =Rol K = K2, i.e. K and K have 16 round

113 L 13 L

keys in common. 2

Theorem 3 can b e used in a chosen plaintext attack to reduce an exhaustivekey

searchby almost a factor 2. It is well known that the complementation prop erty

of DES can b e used to reduce an exhaustivekey search of DES by a factor 2 in

an attack that needs twochosen plaintexts [1]. The complementation prop erty

holds also for LOKI 91. This prop erty and Theorem 3 can b e used to reduce

an exhaustivekey searchby almost a factor 4 in a chosen plaintext attack that

needs 2 + 2 plaintexts.

Algorithm:

1. Pick P = P kP at random. Get encryptions C; C for P; P .

L R

2. For all a 2f0;1; :::; 2 1g:

Let P abe E P; a. More precisely P a= P akP a, where

2 L R

P a= FP ;a P

L R L

P a=FP a; Rol a P :

R L 13 R

3. Get encryptions C a;C a for P a; P a for all a.

4. Let all keys b e non discarded.

Let C b e the encryption of P using K , then C is the encryption of P using K as the

key.

5. Exhaustive search for key:

For every non discarded key K = K kK ,do

L R

a Find C = E P; K

b then

{ if C = C return K and stop

C return K and stop { if C =

{ if E SwapC ; Rol K = C K

2 100 L L

return K kRol K and stop

R 25 L

{ if E SwapC ; Rol K = C K

2 100 L L

return K kRol K and stop

R 25 L

c Discard the four keys in b.

Up on termination wehave found either the secret key or a collision for LOKI 91,

i.e. K 6= K , such that E P; K =E P; K . Note that in step 5, once we

16 16

have encrypted P using key K = K kK without success, we do not haveto

L R

K ,K kRol K nor K kRol K . If one of encrypt P using neither

R 25 L R 25 L

these three keys is the secret key, then the algorithm would have terminated

b efore. At some p oints in the algorithm some of the four keys in 5b are equal,

for example the all zero key will app ear twice in the same iteration of step 5.

Therefore we cannot nd an enumeration of the keys in step 5, s.t. the total

no. of iterations of step 5 is exactly one quarter of the size of the key space, i.e.

2 . There exists however an enumeration, s.t. the no. of iterations of step 5 is

62 48

ab out 2 +2 . It is given in Section 4.1 in every glory detail. Table 4 shows

the estimates for space, time and numberofchosen plaintexts for the attack,

where one time unit is a full 16 round encryption and one space unit is 64 bits.

The estimate for Time is the numb er of encryptions made in the analysis. In

Estimates for Time Space Chosen plaintexts

62 33 33

1:07 2 2 +2 2 +2

Table 4. Complexity of the chosen plaintext attack

every iteration of step 5 we do one full 16-round encryption in 5a. For the

two last tests in step 5b we do at most 2 rounds of encryption. For most

iterations however, we need only to do one round of encryption, b ecause we can

test for equality of the right halves of E SwapC ; Rol K and C K

2 100 L L

. If the tests resp. C K already after one round of encryption of SwapC

fail we need not do the second round of encryption. Therefore for only ab out

one out of 2 iterations we need to do two rounds of encryption in 5b. The

total amount of time therefore is

62 48

17 2 +2 1

62 48 62

2 +2 + ' 1:07 2 :

16 2 16

Compared to this the time used in step 2 is negligible. The ab ove attackisa

weak attack. First of all, it is not very likely that we can get the encryptions

33 62

for 2 +2 chosen plaintexts, furthermore an exhaustive search for 2 keys is

computationally infeasible. The LOKI cipher is meant as an alternative to DES,

with whichitisinterface compatible. The so far b est known attack on DES was

intro duced by Biham and Shamir in [3]. The attackisachosen plaintext attack

47 37

that needs 2 chosen plaintexts. The time used in the analysis phase is 2 .

The time needed for the ab ove attack on LOKI 91 is signi cantly higher than for

Biham and Shamirs attack on DES, however the requirements for ever getting

to the analysis phase, i.e. the numb er of encryptions of chosen plaintexts needed,

are much higher for the attack on DES.

The steps 2, 3 and 5 can b e carried out in parallel, for instance by letting K = a

in step 5, in that waywe don't have to store the 2 C a;C a's in step 3.

It seems imp ossible however to obtain an enumeration that at the same time

makes the total no. of iterations of step 5 b e close to 2 and enables a parallel

run of the algorithm.

4.1 Enumeration of the keys in the chosen plaintext attack

We use the same notation as in the previous Sect. Let A b e a function from

GF 2 to itself

A : K kK ! K kRol K

L R R 25 L

As stated ab ove, once wehave tried the key K = K kK in step 5 of the

L R

algorithm without success, we don't have to try the keys

AK ; K; AK

The idea is to use A to construct a set of keys ab out half the size of the key

space and s.t.

{ the biggest blo ck of bits in every key consists of 1's.

{ for every key K , AK is also in the set.

Then let the enumeration of the keys b e every second key from the ab ove con-

structed set of keys. Later in this Sect. we show that the enumeration obtained

this way makes the total no. of keys tried in the attackbevery close to 2 .

2 63

Let Al istK b e the set of 64 keys fK; AK ; A K ; ::::::::; A K g. Note that

A K =K. De ne for K = K kK

L R

M = [ fAl istRol K kRol K [Al istRol K kRol K g

K p;q p L q R p R q L

for p =0;1;2;3 and q =0;8;16; 24.

Lemma 3 For K = K kK , M is the set of al l keys of the forms:

L R K

Rol K kRol K

x L y R

Rol K kRol K

x R y L

for al l x; y 2f0;1; :::::; 31g

Pro of: For xed K there are 2 32 32 = 2 keys of the ab ove form. Since Al ist

pro duces 64 keys, the total no. of keys in M is 2 16 64=2 . Therefore it

suces to show that the pairs of rotations of the keys in M are distinct, i.e.

that Rol K kRol K do es not app ear twice for any a; b.Itisobvious that

a L b R

Rol K kRol K do es not app ear twice in one Al ist. There are two cases to

a L b R

consider, Rol K kRol K app ears in

a L b R

0 0

1. Al istRol K kRol K and Al istRol K kRol K

p L q R p L q R

Rol K kRol K =Rol K kRol K ^

a L b R p+25n L q +25n R

0 0

Rol K kRol K =Rol K kRol K

a L b R p +25n L q +25n R

0 0

p +25n = p +25n mod 32 ^ q +25n = q +25n mod 32

0 0 0 0

p p = q q mod 32 p; q = p ;q ;

0 0

since p p 2f3;2;1;0;1;2;3gand q q 2f0;8;16; 24g.

0 0

2. Al istRol K kRol K and Al istRol K kRol K

p L q R p R q L

Rol K kRol K =Rol K kRol K ^

a L b R p+25n L q +25n R

0 0

Rol K kRol K =Rol K kRol K

a L b R q +25n L p +25+25n R

0 0

p +25n = q +25n mod 32 ^ q +25n = p +25+25n mod 32

0 0

p + p +25= q+q mod 32

0 0

A contradiction, since p + p +25 2f25; 26; :::; 31g and q + q 2f0;8;16; 24g.

Let Ka and Kb be two 32-bit keyhalves, s.t. Ka and Kb are no rotations of

each other, i.e. Rol Ka 6= Kb for any x,0

M is a set of distinct keys except in the cases where Rol Ka=Ka and/or

K x

Rol Kb=Kb.

Lemma 4 Let H be a 32-bit key and Rol H any rotation to the left of H ,

gcdn;2

where 0

H = Rol H .

From Lemma 4 it follows for K = K kK , where K and K are no rotations

L R L R

of each other, that

Lemma 5 There at most 2 keys for which the elements in M are not dis-

tinct.

Pro of: Assume wehavetwo equal keys K and K from M . Then

K = Rol K kRol K ;K=Rol K kRol K

a L b R c L d R

Clearly from the pro of of Lemma 1 a; b 6=c; d. Then

Rol K =Rol K ^ Rol K =Rol K

a L c L b R d R

Rol K =K ^Rol K =K

ac L L bd R R

If a = c then there are 2 p ossible values for K , but then there are at most

2 p ossible values for K according to Lemma 4, since a; b 6=c; d. If b = d R

32 16 49

then a 6= b and we get a total no. of 2 2 2 =2 keys. 2

The following algorithm makes a list of 32 bit strings, where no two strings are

rotations of each other and where the biggest blo ck of bits in every string consists

of 1's.

ALGORITHM - No-rotations-of-keys NRK

For all p ositive k 32, list all k -tuples a ;a ; ::::::;a , s.t.

1 2 k

a =32 1.

i=1

2. a 1 for 0

P P

k k

k i k i

3. a 32 a 32 , for all n k .

i+n mod k +1

i=1 i=1

Metho d: For every k -tuple a ; ::::::; a output the 32-bit key, where the a MSB

1 k 1

are 1-bits, the next a bits are 0-bits and so on.

Lemma 6 No two keys in the output from NRK arerotations of each other.

Pro of: Because of the inequalityin3.aboveifk>1, then k is even. Therefore

for k>1 the a LSB are 0-bits and furthermore a a for i k .

k 1 i

0 0

Let A and A be two 32 bit keys from NRK, s.t. A = Rol A for some xed x.

0 0 0

Write A and A as tuples a ; ::::; a and a ; ::::; a according to the metho d

1 m

in NRK. Clearly l = m otherwise A cannot b e a rotation of A . Because

A = Rol A wehave for some i

a = a ; 0

1+n

i+n mod m+1

0 0

Esp ecially wehavea =a and a = a . Because of the inequalityin3.

1 mi+2

ab ovewehave

0 0

a a ^ a a

1 mi+2

i 1

0 0 0

Therefore a = a a = a .Now a =a a a . Similar as

1 1 mi+2 2 mi+3

1 1

b efore

0 0 0

a = a a = a a = a

2 mi+3 2

i+1 2 2

By induction we obtain A = A 2

ALGORITHM - Enumeration EN

1. i =1

2. Let K b e the i'th output from NRK.

3. For j =1 to i do

a Let K b e the j 'th output from NRK

b For K = K kK output the rst and then every second key from all

L R

Al ists in M

K kK do as in 3b c For K =

L R

4. i = i + 1, goto 1.

We are left to check whether the set

KS = [ fKi; AKi; Ki; AKig

where the Ki s are the keys output from EN, contains the entire keyspace.

Let K = K kK b e an arbitrary key. Rotate K and K such that the biggest

L R L R

0 0

blo cks of bits 0's or 1's are the MSB. Let K j =K kK b e that key.

L R

0 0

If the MSB in b oth K and K are 1's then they are b oth output from NRK.

L R

0 0

Then at some p oint K j orKl=K kK ,say Kj, are the key considered

R L

in step 3b of EN. Let K n, 0

K = K j . Then L = fK n; AK ng,0

halves in K j according to Lemma 3. Therefore K 2 L 2 KS.

0 0

If MSB in b oth K and K are 0's, then at some p oint either K j orKl are

L R

K j . Then the key considered in step 3b. Let K n b e as b efore, when K =

L = fK n; AK ng,0

according to Lemma 3. Therefore K 2 L 2 KS K 2 L 2 KS.

0 0

If the MSB in K and K are 1's and 0's resp. or vice versa similar arguments

L R

hold for step 3c.

Wehave implemented NRK on a SUN-Sparc workstation. The numberofkey

halves output from NRK is 2 + 2068. It means that the number of keys output

51 37

from NRK in 2. and 3a ab ove is ab out 2 +2 .Every second key from M

gives 2 keys for each K . The total number of keys in the enumeration therefore

is ab out

51 37 10 62 48

2 +2 2 2 =2 +2 :

Wehave given an enumeration of the keys, s.t. the total no. of iterations of step

5 in the algorithm of the chosen plaintext attack is close to 2 . The time used

in the enumeration EN is negligible compared to the 1:07 2 full 16 rounds

of encryption of LOKI 91, since it runs only one time p er every 2 2 runs of

step 5 in the algorithm of the chosen plaintext attack.

5 Conclusion and op en problems

Wehave shown that we cannot nd a characteristic for LOKI 91 go o d enough to

do a successful di erential attack on LOKI 91. Still it is not enough to conclude

that LOKI 91 is secure against this kind of attack. To do that we need an ecient

way of calculating the probabilities of di erentials.

Wehave shown that the size of the image of the F-function in LOKI 91 is only

of the size of the image of the F-function in DES. Wehave found no wayof

exploiting this fact in an attack on LOKI 91. Whether it represents a weakness

of the algorithm is left as an op en question.

Finally weintro duced a chosen plaintext attack on LOKI 91 that reduces an

exhaustivekey searchby almost a factor 4. The attack exploits a weakness in

the key schedule of LOKI 91. It might also b e p ossible to use this weakness, the

common round key prop erty, to nd collisions for LOKI 91 when used as a hash function. This is left as an op en question.

6 Acknowledgements

We wish to thank Prof. Ivan Damgard for valuable discussions on the enumera-

tion of the keys in the chosen plaintext attack.

References

1. E. Biham, A. Shamir. Di erential Cryptanalysis of DES-like Cryptosystems.

Journal of Cryptology,Vol. 4 No. 1 1991.

2. E. Biham, A. Shamir. Di erential Cryptanalysis of Snefru, Khafre, REDOC-

II, LOKI and Lucifer. Extended abstract app ears in Advances in Cryptology,

pro ceedings of CRYPTO 91.

3. E. Biham, A. Shamir. Di erential Cryptanalysis of the ful l 16-round DES.

Technical Rep ort 708, Technion - Israel Institute of Technology.

4. L. Brown, J. Pieprzyk, J. Seb erry. LOKI - A Cryptographic Primitive for Au-

thentication and Secrecy Applications. Advances in Cryptology - AUSCRYPT

'90. Springer Verlag, Lecture Notes 453, pp. 229-236, 1990.

5. L. Brown, M. Kwan, J. Pieprzyk, J. Seb erry. Improving Resistance to Dif-

ferential Cryptanalysis and the Redesign of LOKI. Abstracts from ASIA-

CRYPT'91.

6. X. Lai, J. L. Massey, S. Murphy. Markov Ciphers and Di erential Cryptanal-

ysis. Advances in Cryptology - Euro crypt '91. Lecture Notes in Computer

Science 547, Springer Verlag.

7. K. Nyb erg, L. Ramkilde Knudsen. Provable Security Against Di erential

Cryptanalysis. Presented at the rump session of CRYPTO'92. To app ear

in the pro ceedings of CRYPTO'92.

8. L. Ramkilde Knudsen. Cryptanalysis of LOKI. Abstracts from ASIA-

CRYPT'91.

9. L. Ramkilde Knudsen. Iterative Characteristics of DES and s -DES. To ap-

p ear in the pro ceedings from CRYPTO'92.

This article was pro cessed using the L T X macro package with LLNCS style E