LOKI LOKI block ciphers family (LOKI89.LOKI91) Similar to DES(except : F function, initial and final permutation, key scheduling algorithm ) K1=K L,K2=K R K3~K16: K i = ROL12(K J ), where J=i-2 K 3 = ROL(K 1 ) ROL12 代表 Rotate to Left 12 bits

Chosen key attack Chosen key chosen plaintext Knows only the relationship between two key,not the keys themselves Independent of number of rounds LOKI89, LOKI91

LOKI89 Original 64bit key K=(K L, K R ) K 1 = K L, K 2 = K R K 3 ~K 16, K i = ROL12(K J ), where J=i-2 ex: K 3 =ROL12(K 1 ), K 4 =ROL12(K 2 ) ….. New key K* = (K 2, K 3 ) = ( K R, ROL12(K L ) ) K 1 *= K L * = K 2, K 2 * = K R * = K 3 K 3 * ~K 16 * K i * of K* = K(i+1) of K ex: K 3 *= ROL12(K 1 *) = ROL12(K 2 ) = K 4 K 4 * = K 5

LOKI89 Original 64bit key K=(K L, K R ) K 1 = K L, K 2 = K R K 3 ~K 16, K i = ROL12(K J ), where J=i-2 ex: K 3 =ROL12(K 1 ), K 4 =ROL12(K 2 ) ….. New key K* = (K 2, K 3 ) = ( K R, ROL12(K L ) ) K 1 *= K L * = K 2, K 2 * = K R * = K 3 K 3 * ~K 16 * K i * of K* = K(i+1) of K ex: K 3 *= ROL12(K 1 *) = ROL12(K 2 ) = K 4 K 4 * = K 5

KRKR KLKL KRKR ROL12(K L)

使用 related key K and K* If the data are the same in both executions shifted by one round EX: data before 2nd round (under key K) = data before 1st round (under key K*):

plaintext P encrypted under key K data before 2nd round (under key K): ( P R ⊕ K R, P L ⊕ K L ⊕ F ( P R ⊕ K R, K L ) ) -----(1) data before 1st round (under key K*): P* ⊕ K* = ( P L * ⊕ K L *, P R * ⊕ K R * ) = ( P L * ⊕ K R, P R * ⊕ ROL12 (K L ) )------(2)

P L ⊕ K L P R ⊕ K R F( P R ⊕ K R, K L )

由 (1) = (2) P R ⊕ K R = P L * ⊕ K R ∴ P R = P L * ---(3) P L ⊕ K L ⊕ F( P R ⊕ K R, K L ) = P R * ⊕ ROL12(K L ) ∴ P L ⊕ K L ⊕ F( P R ⊕ K R, K L ) ⊕ ROL12(K L ) = P R *---(4) P* = (P R, P L ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L )) (a) C* = (C R ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L ), C L ) (b)

chosen key chosen plaintext P* = (P R, P L ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L )) (a) C* = (C R ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L ), C L ) (b) 已知 2 16 個 chosen key P, 2 16 個 P *, P R = P L * 2 unknown related key K, K*, K* = (K2,K3) Exist two plaintext P i, P j* such that P R * = P L ⊕ K L ⊕ ROL12(K L ) ⊕ F( P R ⊕ K R, K L ) By checking C R * = C L

chosen key chosen plaintext PRPR Randomly chosen 32 bits 2 16 個 P 0 ~ P P * 0 ~ P * Chosen 32 bits value

由 equation (a),(b) 相作 XOR 再搬移 F( P R ⊕ K R, K L )) ⊕ F(C L ⊕ K R ⊕ K L ) = P R* ⊕ P L ⊕ C L* ⊕ C R only unknown part : K R ⊕ K L 帶回 (a),(b) 可求出 K L ⊕ ROL12(K L ), 可以推出 K 和 K*

LOKI91 A random plaintext P C=LOKI91(P,K) and C*=LOKI91(P*,K*) K* = ( K R,ROL25(K L ) ) K1,K2 share the same 32 bits 2 32 possible values of K1,K2 calculate 2 32 data before 3rd round, P* 找出 real K1,K2 by verifying the relationship between cipher texts

32bit K R 32bit K L