This page uses content from Wikipedia and is licensed under CC BY-SA.
The LOKI97 round function


General
  Designers: Lawrie Brown, assisted by Jennifer Seberry and Josef Pieprzyk
  First published: 1998
  Derived from: LOKI91
Cipher detail
  Key sizes: 128, 192 or 256 bits
  Block sizes: 128 bits
  Structure: Feistel network
  Rounds: 16
Best public cryptanalysis
  Linear cryptanalysis against LOKI97, requiring 2^{56} known plaintexts (Knudsen and Rijmen, 1999).
In cryptography, LOKI97 is a block cipher which was a candidate in the Advanced Encryption Standard competition. It is a member of the LOKI family of ciphers, earlier instances being LOKI89 and LOKI91. LOKI97 was designed by Lawrie Brown, assisted by Jennifer Seberry and Josef Pieprzyk.
Like DES, LOKI97 is a 16-round Feistel cipher, and like other AES candidates, has a 128-bit block size and a choice of a 128-, 192- or 256-bit key length. It uses 16 rounds of a balanced Feistel network to process the input data blocks (see diagram right). The complex round function f incorporates two substitution-permutation layers in each round. The key schedule is also a Feistel structure (an unbalanced one, unlike the main network) but uses the same F-function.
The LOKI97 round function (shown right) uses two columns, each with multiple copies of two basic S-boxes. These S-boxes are designed to be highly nonlinear and have a good XOR profile. The permutations before and between serve to provide autokeying and to diffuse the S-box outputs as quickly as possible.
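The XOR profile of an S-box counts, for each input difference, how often each output difference occurs; the flatter the table, the less a differential attack has to work with. The following is an added example, not code from the LOKI97 designers or the original page, that computes the profile for two constructed 5-bit toy S-boxes (a cubing map in GF(2^5) and an affine map). Both are assumptions chosen for illustration and are not LOKI97's real S-boxes.

```python
# Added example: XOR profile (difference distribution table) of an S-box.
# The S-boxes here are constructed toys, NOT LOKI97's real S-boxes.

N = 5                 # toy S-box width in bits (assumption for the demo)
POLY = 0b100101       # x^5 + x^2 + 1, irreducible over GF(2)


def gf_mul(a, b):
    """Multiply two elements of GF(2^N) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r


def xor_profile(sbox, out_bits):
    """table[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    table = [[0] * (1 << out_bits) for _ in sbox]
    for dx in range(len(sbox)):
        for x in range(len(sbox)):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def worst_differential(sbox, out_bits):
    """Highest count over all nonzero input differences, as (count, dx, dy)."""
    table = xor_profile(sbox, out_bits)
    return max((table[dx][dy], dx, dy)
               for dx in range(1, len(sbox))
               for dy in range(1 << out_bits))


# Toy nonlinear S-box: x -> x^3 in GF(2^5).
CUBE = [gf_mul(x, gf_mul(x, x)) for x in range(1 << N)]
# Toy weak S-box: an affine map (rotate left by one bit, then XOR a constant).
AFFINE = [(((x << 1) | (x >> (N - 1))) & 0x1F) ^ 0x0B for x in range(1 << N)]

if __name__ == "__main__":
    for name, sbox in (("cube", CUBE), ("affine", AFFINE)):
        count, dx, dy = worst_differential(sbox, N)
        print(f"{name}: worst differential {dx:#x} -> {dy:#x} "
              f"holds for {count}/{len(sbox)} inputs")
```

For the cubing map, no nonzero input difference produces any output difference for more than 2 of the 32 inputs, while every input difference to the affine map gives one fixed output difference for all 32 inputs.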
The authors have stated that, "LOKI97 is a non-proprietary algorithm, available for royalty-free use worldwide as a possible replacement for the DES or other existing block ciphers." It was intended to be an evolution of the earlier LOKI89 and LOKI91 block ciphers.
It was the first published candidate in the Advanced Encryption Standard competition, and was quickly analysed and attacked. An analysis of some problems with the LOKI97 design, which led to its rejection when shortlisting candidates, is given in the paper (Rijmen & Knudsen 1999). It was found to be susceptible to an effective theoretical differential cryptanalysis attack considerably faster than an exhaustive search.