
LOKI97 Encryption & Decryption

Australian block cipher - AES candidate with 128-bit blocks and variable key length

Security Notice

LOKI97 was an AES candidate but was not selected as the standard. For new applications requiring strong security, AES (Rijndael) is recommended.

LOKI97 supports 128-bit (16 bytes), 192-bit (24 bytes), or 256-bit (32 bytes) keys.

About LOKI97

LOKI97 is the third-generation cipher in the Australian LOKI family, designed by Lawrie Brown (Australian Defence Force Academy) and Josef Pieprzyk (Macquarie University). The lineage began with LOKI89 (1990), which used 64-bit blocks and fell to differential cryptanalysis by Biham and Shamir. LOKI91 followed with revised S-box construction using cubic polynomials. LOKI97 is a complete redesign submitted as an AES candidate in 1998, featuring 128-bit blocks and 128, 192, or 256-bit key options.

LOKI97's most distinctive structural element is its S-boxes, generated by evaluating irreducible polynomials over GF(2¹³) — a more algebraically complex construction than the manually-crafted DES-style S-boxes or AES's GF(2⁸) SubBytes. The key schedule derives all round subkeys by recursively applying the LOKI97 round function itself to the master key, so the security of the subkey generation mirrors the strength of the cipher. LOKI97 did not advance past the first round of AES evaluation but remains cryptographically unbroken.

Key Features

  • 128-bit block size — upgraded from LOKI89's 64-bit block, eliminating the birthday-bound vulnerability that affected the 64-bit design
  • Three key sizes: 128, 192, and 256 bits — matching the full range of AES key lengths, allowing scalable security levels
  • 16-round Feistel network with S-boxes generated over GF(2¹³) — more algebraically complex S-box construction than DES or AES
  • Self-referential key schedule — round subkeys derived by applying the LOKI97 round function recursively to the master key material
  • Australian origin and heritage: designed at ADFA and Macquarie University, the only AES candidate with an exclusively Southern Hemisphere academic lineage

LOKI Family History

  • LOKI89: The original cipher designed in 1989 with 64-bit blocks and 64-bit keys.
  • LOKI91: An improved version addressing weaknesses found in LOKI89.
  • LOKI97: The final evolution with 128-bit blocks, submitted to the AES competition.

Encryption Modes

  • CBC: Cipher Block Chaining — each 128-bit LOKI97 plaintext block is XORed with the preceding ciphertext before the 16-round GF(2¹³)-S-box Feistel sequence. Unlike the 64-bit LOKI89/91, LOKI97's 128-bit blocks mean the birthday-bound collision probability stays negligible until approximately 2⁶⁴ blocks (~148 exabytes per key), putting practical CBC use safely outside Sweet32 territory.
  • ECB: Electronic Codebook — each 128-bit LOKI97 block independently runs through all 16 Feistel rounds. Because LOKI97's key schedule generates subkeys recursively from the master key, all blocks share the same derived round keys; identical 128-bit plaintext blocks yield identical ciphertext. ECB is acceptable only for single-block token or key wrapping, never for multi-block plaintext.
  • CFB: Cipher Feedback — LOKI97's 128-bit block function encrypts the previous ciphertext block (starting with the IV) and the top n bits of the output are XORed with n bits of plaintext. LOKI97-CFB produces a keystream segment derived from both the GF(2¹³) S-box substitution and the Feistel diffusion network, making it an error-propagating synchronous stream mode.
  • OFB: Output Feedback — LOKI97's block function repeatedly encrypts the running state, fully independent of the plaintext, bypassing the extended key schedule to produce a deterministic keystream. The 128-bit internal state means OFB's keystream cycle length is at minimum 2⁶⁴ (birthday argument), far larger than LOKI97's 64-bit predecessors.
  • RAW: Raw Block — applies a single 16-byte pass through LOKI97's 16 Feistel rounds without any feedback chaining. Used for key-wrapping, cryptographic testing, and evaluating the round function in isolation. Input must be exactly 128 bits (16 bytes); no IV is used.

Algorithm Structure

LOKI97 uses a 16-round Feistel network structure. Each round processes a 128-bit block split into two 64-bit halves (L and R).

Key Schedule

The 256-bit master key is expanded into 48 subkeys (SK[0] to SK[47]) using the f-function and the constant DELTA (derived from the golden ratio). For 128-bit or 192-bit keys, the key material is replicated to fill a 256-bit key register before expansion.

Round Function

Each round applies: L' = R + SK[3i], R' = L XOR f(R + SK[3i], SK[3i+1], SK[3i+2]). The addition is modulo 2⁶⁴.

The f-Function

The core f-function f(A, B) consists of four layers:

  • KP (Key-controlled Permutation): Selects bits from A based on control bits in B
  • Sa (S-box layer a): Eight parallel S-box lookups using two types (S1: 13→8 bits, S2: 11→8 bits)
  • P (Permutation): 64-bit permutation using an 8×8 bit interleaving pattern
  • Sb (S-box layer b): Second round of eight S-box lookups with additional key material from B

S-Boxes

S1 has 8192 entries (13-bit input → 8-bit output), S2 has 2048 entries (11-bit input → 8-bit output). Both are computed using cube operations in GF(2¹³) and GF(2¹¹) respectively, with specific generator polynomials for strong non-linearity.
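
The S-box construction described above, as an added example (not code from this page or from the LOKI97 designers). The generator polynomials 0x2911 and 0xAA7 and the inversion of the input bits are assumptions taken from the published LOKI97 specification, not from this page; the function names are illustrative.

```python
"""Added example: build the LOKI97 S-boxes S1 and S2 by cubing in GF(2^n).

Assumptions (not stated on the page): generator polynomials 0x2911 and 0xAA7
and the inversion of the input bits, as given in the LOKI97 specification.
"""
from collections import Counter

S1_BITS, S1_GEN = 13, 0x2911  # x^13 + x^11 + x^8 + x^4 + 1
S2_BITS, S2_GEN = 11, 0x0AA7  # x^11 + x^9 + x^7 + x^5 + x^2 + x + 1


def gf_mul(a, b, gen, bits):
    """Carry-less multiply of a and b, reduced modulo gen in GF(2^bits)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> bits:  # degree reached `bits`: subtract (XOR) the modulus
            a ^= gen
    return result


def gf_cube(x, gen, bits):
    """x^3 in GF(2^bits)."""
    return gf_mul(gf_mul(x, x, gen, bits), x, gen, bits)


def build_sbox(bits, gen):
    """Table of 2^bits entries: low 8 bits of (inverted input)^3."""
    mask = (1 << bits) - 1
    return [gf_cube(i ^ mask, gen, bits) & 0xFF for i in range(1 << bits)]


def output_counts(sbox):
    """Distinct frequencies with which output byte values occur."""
    return set(Counter(sbox).values())


S1 = build_sbox(S1_BITS, S1_GEN)
S2 = build_sbox(S2_BITS, S2_GEN)

if __name__ == "__main__":
    print(len(S1), len(S2))
    print(output_counts(S1), output_counts(S2))
```

Cubing is a permutation of both fields because 3 is coprime to 2¹³−1 and 2¹¹−1, so truncating to 8 bits leaves every output byte equally frequent: 32 times in S1 and 8 times in S2.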

Decryption

Decryption uses the same structure but applies subkeys in reverse order (SK[47] down to SK[0]) and uses subtraction instead of addition.

Algorithm Comparison

| Algorithm | Key Length | Block Size | Security | Speed |
|---|---|---|---|---|
| LOKI97 | 128/192/256 bits | 128 bits | Good | Medium |
| AES | 128/192/256 bits | 128 bits | Excellent | Fast |
| Serpent | 128/192/256 bits | 128 bits | Excellent | Medium |
| DES | 56 bits | 64 bits | Weak | Fast |

Security Considerations

  • LOKI97 has no published practical attack on its full 16 rounds. The best academic cryptanalysis targets reduced-round variants; the cipher's GF(2¹³) S-box structure was specifically designed to counteract differential and linear cryptanalysis after the weaknesses exposed in LOKI89.
  • The 128-bit block size eliminates the Sweet32 birthday attack that affects 64-bit predecessors LOKI89 and LOKI91. A birthday-bound collision under LOKI97 requires approximately 2⁶⁴ encrypted blocks — roughly 148 exabytes — making it a non-issue for practical deployments.
  • LOKI97's failure to advance at AES evaluation was an efficiency, not security, judgment. The AES committee cited LOKI97's slower software performance relative to Rijndael and Twofish. No cryptographic weakness was the grounds for exclusion; the algorithm has received limited but positive post-AES cryptanalytic attention.
  • For all new systems, use AES-128-GCM or AES-256-GCM. LOKI97 is appropriate for reading data encrypted under existing LOKI97 deployments, academic study of Australian cipher design, or systems with a documented requirement for a non-AES algorithm.

Use Cases

  • Academic cryptanalysis research: LOKI97's GF(2¹³) S-box construction and self-referential key schedule provide a distinct study object for students of algebraic cipher design and the historical AES evaluation process
  • Australian government and defence legacy compatibility: systems built during the late 1990s under Australian-origin cryptography policy may have standardized on LOKI97; reading or migrating such archives requires LOKI97 support
  • Comparative AES-candidate study: alongside Serpent, Twofish, RC6, and MARS, LOKI97 represents the first round of NIST's AES evaluation — studying all five first-round candidates provides a complete picture of the design trade-offs considered
  • Non-AES compliance scenarios: some organizational or regulatory contexts specify that the primary cipher must not be AES-based; LOKI97 provides a thoroughly analyzed, unbroken 128-bit-block alternative with documented academic heritage
