LOKI

In cryptography, LOKI89 and LOKI91 are symmetric-key block ciphers designed as possible replacements for the Data Encryption Standard (DES). The ciphers were developed based on a body of work analysing DES, and are very similar to DES in structure. The LOKI algorithms were named for Loki, the god of mischief in Norse mythology.

LOKI89
LOKI89 was first published in 1990, then named just "LOKI", by Australian cryptographers Lawrie Brown, Josef Pieprzyk, and Jennifer Seberry. LOKI89 was submitted to the European RIPE project for evaluation, but was not selected.

The cipher uses a 64-bit block and a 64-bit key. Like DES, it is a 16-round Feistel cipher and has a similar general structure, but differs in the choice of the particular S-boxes, the "P-permutation", and the "Expansion permutation". The S-boxes use the non-linearity criteria developed by Josef Pieprzyk, making them as "complex" and "unpredictable" as possible. Their effectiveness was compared against the known design criteria for the DES S-boxes. The permutations were designed to "mix" the outputs of the S-boxes as quickly as possible, promoting the avalanche and completeness properties, essential for a good Feistel cipher. However unlike their equivalents in the DES, they are intended to be as clean and simple as possible (in retrospect perhaps a little too simple), aiding the analysis of the design.

Following the publication of LOKI89, information on the new differential cryptanalysis became available, as well as some early analysis results by (Knudsen 1993a). This resulted in the design being changed to become LOKI91.

LOKI91
LOKI 91 was designed in response to the attacks on LOKI89 (Brown et al., 1991). The changes included removing the initial and final key whitening, a new S-box, and small alterations to the key schedule.

More specifically, the S-boxes were changed to minimise the probability of seeing different inputs resulting in the same output (a hook which Differential cryptanalysis uses), thus improving LOKI91's immunity to this attack, as detailed by the attacks authors (Biham and Shamir 1991). The changes to the key schedule were designed to reduce the number of "equivalent" or "related" keys, which resulted in the exhaustive search space for the cipher being reduced.

Whilst the resulting cipher is clearly stronger and more secure than LOKI89, there are a number of potential attacks, as detailed in the papers by Knudsen and Biham. Consequently these ciphers should be viewed as academic efforts to advance the field of block cipher design, rather than algorithms for use. The number of citations and published critiques suggests this aim has been achieved.