3 research outputs found

    Cryptanalysis of LOKI 91

    No full text
    In this paper we examine the redesign of LOKI, LOKI 91 proposed in [5]. First it is shown that there is no characteristic with a probability high enough to do a successful differential attack on LOKI 91. Secondly we show that the size of the image of the F-function in LOKI 91 is $\frac{8}{13} \times 2^{32}$. Finally we introduce a chosen plaintext attack that reduces an exhaustive key search on LOKI 91 by almost a factor 4 using $2^{33} + 2$ chosen plaintexts. 1 Introduction In 1990 Brown et al. [4] proposed a new encryption primitive, called LOKI, later renamed LOKI 89, as an alternative to the Data Encryption Standard (DES), with which it is interface compatible. Cryptanalysis showed weaknesses in LOKI 89 [2, 5, 8] and a redesign, LOKI 91 was proposed in [5]. The ciphers from the LOKI family are DES-like iterated block ciphers based on iterating a function, called the F-function, sixteen times. The block and key size is 64 bits. Each iteration is called a round. The input to each round is d..

    On the Difficulty of Software Key Escrow

    No full text
    At Eurocrypt'95, Desmedt suggested a scheme which allows individuals to encrypt in such a way that the receiver can be traced by an authority having additional information. This paper shows that the proposed scheme does not have the required properties, by devising three non-specified protocols misleading the authority. We also discuss how to repair Desmedt's scheme, such that our attacks are no longer possible. However, by allowing slightly more general, but absolutely realistic attacks, this improved system can also be broken. In fact, we argue that software key escrow as proposed by Desmedt will be very hard to implement as it requires that the distributed public key can only be used in few, well-defined systems. Furthermore, even if this is achieved, most applications to key distribution can be broken. 1 Introduction In key escrow systems, such as Clipper [5], it is necessary to be able to identify ciphertexts sent to a person whose messages are to be read by the authorities (given..

    Approximate Dictionary Queries

    No full text
    Given a set of n binary strings of length m each, we consider the problem of answering d-queries. Given a binary query string $\alpha$ of length m, a d-query is to report if there exists a string in the set within Hamming distance d of $\alpha$. We present a data structure of size O(nm) supporting 1-queries in time O(m) and the reporting of all strings within Hamming distance 1 of $\alpha$ in time O(m). The data structure can be constructed in time O(nm). A slightly modified version of the data structure supports the insertion of new strings in amortized time O(m). 1 Introduction Let $W = \{w_1, \ldots, w_n\}$ be a set of n binary strings of length m each, i.e. $w_i \in \{0,1\}^m$. The set W is called the dictionary. We are interested in answering d-queries, i.e. for any query string $\alpha \in \{0,1\}^m$ to decide if there is a string $w_i$ in W with at most Hamming distance d of $\alpha$. Minsky and Papert originally raised this problem in [12]. Recently a sequence of papers have considered how to solve thi..