

	LLOOKKII - A Cryptographic Primitive for Authentication and Secrecy
				Applications1


			       _L_a_w_r_e_n_c_e _B_r_o_w_n_,
			       _J_o_s_e_f _P_i_e_p_r_z_y_k_,
			      _J_e_n_n_i_f_e_r _S_e_b_e_r_r_y_,

		   Centre for Computer Security Research,
		       Department of Computer Science,
			  University College, UNSW,
		      Australian Defence Force Academy,
			Canberra ACT 2600. Australia.


	AAbbssttrraacctt

	This paper provides an overview of the LOKI2 encryption prim-
	itive which may be used to encrypt and decrypt a 64-bit block
	of data using a 64-bit key.  The LOKI primitive may  be	 used
	in  any	 mode  of  operation currently defined for ISO DEA-1,
	with  which  it	 is  interface	compatible   [AAA83].	 Also
	described  are	two  modes of operation of the LOKI primitive
	which compute a 64-bit, and 128-bit,  Message  Authentication
	Code  (or  hash value).	 These modes of operation may be used
	to provide authentication of a communications session, or  of
	data files.


	11..  IInnttrroodduuccttiioonn

	This paper provides an overview of the LOKI2 encryption prim-
	itive which may be used to encrypt and decrypt a 64-bit block
	of  data  using	 a  64-bit  key.   It has been developed as a
	result of work analysing the existing DEA-1, with the aim  of
	designing  a  new  family  of  encryption primitives [Bro89],
	[BrS90a], [BrS90b], [PiF89], [Pie90], [Pie89], [PiS89].	  Its
	overall	 structure has a broad resemblance to DEA-1 (see Fig.
	1), however the	 detailed  structure  has  been	 designed  to
	remove	operations  which impede analysis or hinder efficient
	implementation, but which do not  add  to  the	cryptographic
	security of the algorithm.  The overall structure and the key
	schedule has been developed from the work  done	 in  [BrS90a]
	and  [BrS90b],	whilst the design of the S-boxes was based on
	[Pie89].
	____________________
	   1  this paper was presented at Auscrypt90, in Sydney, Aus-
	tralia, January 1990
	   2 LOKI - God of  mischief  and  trickery  in	 Scandinavian
	mythology.   "He  is  handsome	and  well made, but of a very
	fickle mood and most evil disposition. He  is  of  the	giant
	race,  but  forced  himself into the company of the gods, and
	seems to take pleasure in bringing  them  into	difficulties,
	and  in extracting them out of the danger by his cunning, wit
	and skill" [Bulfinch's Mythology, Avenel Books, NY 1978].


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	The LOKI primitive may be used in any mode of operation	 cur-
	rently defined for ISO DEA-1, with which it is interface com-
	patible [AAA83].  Also described are two modes	of  operation
	of  the	 LOKI  primitive which compute a 64-bit, and 128-bit,
	Message Authentication Code  (or  hash	value)	respectively,
	from  an arbitrary length of message input.  The modes of use
	are modifications of those described in [DaP89], [Win83], and
	[QuG90].   These  modes	 of  operation may be used to provide
	authentication of a communications session, or of data files.

	The  LOKI  encryption  primitive,  and the above modes of use
	have been submitted to the European RIPE project for  evalua-
	tion [VCF90].

	22..  TThhee LLOOKKII CCrryyppttooggrraapphhiicc PPrriimmiittiivvee

	22..11..  OOvveerrvviieeww

	The  LOKI  DEA is a family of ciphers designed to encrypt and
	decrypt blocks of data consisting of 64 bits,  under  control
	of  a 64-bit key.  This Annex defines a common variant of the
	algorithm for use when compatibility between  implementations
	is required. The same structure, but with alternate substitu-
	tion functions may be used to build private variants of	 this
	algorithm.  The	 same  key  is	used  for both encryption and
	decryption, but with the schedule of addressing the key	 bits
	altered	 so that the decryption process is the reverse of the
	encryption process. A block to be encrypted is added modulo 2
	to  the key, is then processed in 16 rounds of a complex key-
	dependent computation, and finally is added modulo 2  to  the
	key  again.   The key-dependent computation can be defined in
	terms of a confusion-diffusion function _f, and a key schedule
	KS.  Descriptions of the encryption operation, the decryption
	operation, and the definition of the function _f, are provided
	in  the	 following  sections. The representation of the keys,
	key values to be avoided and guidelines for the	 construction
	of  alternate private ciphers, and full results for the tests
	conducted to date on LOKI, are described in the Appendices.

	22..22..  EEnnccrryyppttiioonn

	The encryption computation is illustrated in Fig 1.   The  64
	bits of the input block to be encrypted are added modulo 2 to
	the key, processed in 16 rounds of  a  complex	key-dependent
	computation, and finally added modulo 2 to the key again.

	In  detail,  the 64-bit input block X is partitioned into two
	32-bit blocks XL and XR.  Similarly, the 64-bit key is parti-
	tioned	into  two  32-bit  blocks  _K_L  and _K_R.	Corresponding
	halves are added together modulo 2, to form the initial	 left
	and right halves for the following 16 rounds, thus:

			 _L0=_X_L_X_O_R_K_L0	     _K_L0=_K_L	       [Eq.1]


			 _R0=_X_R_X_O_R_K_R0	     _K_R0=_K_R


				    -- 22 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	The  complex key-dependent computation consists (except for a
	final interchange of blocks) of 16 rounds (iterations)	of  a
	set  of	 operations.  Each iteration includes the calculation
	of the encryption function _f.  This is a concatenation	of  a
	modulo	2 addition and three functions _E, _S, and _P.  Function
	_f takes as input the 32-bit right  data	 half  _R_i-1  and  the
	32-bit	left  key  half	 _K_L_i  produced by the key schedule KS
	(denoted _K_i below), and which produces a 32-bit result	which
	is  added  modulo 2 to the left data half _L_i-1.	 The two data
	halves are then interchanged (except after the	last  round).
	Each round may thus be characterised as:

				   _L_i=_R_i-1


			    _R_i=_L_i-1_X_O_R_f(_R_i-1,_K_L_i)	       [Eq.2]


			_f(_R_i-1,_K_i)=_P(_S(_E(_R_i-1_X_O_R_K_i)))

	The component functions _E, _S, and _P are described later.

	The  key schedule KS is responsible for deriving the sub-keys
	_K_i, and is defined as follows: the 64-bit  key	_K  is  parti-
	tioned	into  two  32-bit halves _K_L and _K_R.  In each round _i,
	the sub-key _K_i is the current left half	 of  the  key  _K_L_i-1.
	This  half  is	then rotated 12 bits to the left, and the key
	halves are interchanged. This may be defined thus:

				  _K_i=_K_L_i-1


				  _K_L_i=_K_R_i-1		       [Eq.3]


			      _K_R_i=_R_O_L(_K_L_i-1,12)

	Finally after the 16 rounds, the other key halves  are	added
	modulo	2  to the data halves to form two output block halves
	_Y_L and _Y_R which are then concatenated together	to  form  the
	output	block _Y. This is defined as follows (note the swap of
	data and key halves to undo the final interchange  in  [Eq.2]
	and [Eq.3]):

				_Y_L=_R16_X_O_R_K_R16


				_Y_R=_L16_X_O_R_K_L16		       [Eq.4]


				   _Y=_Y_L|_Y_R


	22..33..  DDeeccrryyppttiioonn

	The  decryption	 computation  is  identical  to that used for
	encryption, save that the partial keys used as input  to  the

				    -- 33 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	function _f in each round are calculated in reverse order, and
	the initial and final additions of key to data modulo  2  use
	the  opposite  halves  of the key (interchange _K_L0 and _K_R0 in
	[Eq.1] and _K_L16 and _K_R16 in [Eq.3]).  The calculation of  the
	partial	 keys for decryption consists of first exchanging key
	halves, then rotating the left half 12 bits to the right, and
	then  using the left half as the partial key. This is defined
	as:

				  _K_R_i=_K_L_i-1


			      _K_L_i=_R_O_R(_K_R_i-1,12)		       [Eq.5]


				   _K_i=_K_L_i


	22..44..  FFuunnccttiioonn _f

	The encryption function _f is a concatenation of	 a  modulo  2
	addition  and  three  functions	 _E,  _S, and _P, which takes as
	input the 32-bit right data half _R_i-1 and the 32-bit left key
	half  _K_L_i, and produces a 32-bit result which is added modulo
	2 to the left data half _L_i-1. This is shown in Fig 2, and  is
	defined thus:

			_f(_R_i-1,_K_i)=_P(_S(_E(_R_i-1_X_O_R_K_i)))	       [Eq.6]


	The modulo 2 addition of the key and data halves ensures that
	the output of _f will be a complex function of both  of	these
	values.

	The  expansion function _E takes a 32-bit input and produces a
	48-bit output block, composed of  four	12-bit	blocks	which
	form  the  inputs  to  four S-boxes in function _f. Function _E
	selects consecutive blocks of twelve bits  as  inputs  to  S-
	boxes S(4), S(3), S(2), and S(1) respectively, as follows:

	    [_b3_b2..._b0_b31_b30..._b24]
	    [_b27_b26..._b16]
	    [_b19_b18..._b8]
	    [_b11_b10..._b0]

	This is shown in Table 1 in full.


				    -- 44 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	 +----------------------------------------------------------+
	 |	     TTaabbllee 11 -- LLOOKKII EExxppaannssiioonn FFuunnccttiioonn _E	    |
	 +----------------------------------------------------------+
	 |3    2    1	 0    31   30	29   28	  27   26   25	 24 |
	 |27   26   25	 24   23   22	21   20	  19   18   17	 16 |
	 |19   18   17	 16   15   14	13   12	  11   10   9	 8  |
	 |11   10   9	 8    7	   6	5    4	  3    2    1	 0  |
	 +----------------------------------------------------------+


	The  substitution function _S provides the confusion component
	in the LOKI cipher. It takes a 48-bit input  and  produces  a
	32-bit	output. It is composed of four S-boxes, each of which
	takes a 12-bit input and produces an 8-bit output, which  are
	concatenated  together	to  form the 32-bit output of _S.  The
	8-bit output from S(4)	becomes	 the  most  significant	 byte
	(bits [31...24]), then the outputs from S(3) (bits[23...16]),
	S(2) (bits[15...8]), and S(1) (bits [7...0]).  In this Annex,
	the  four  S-boxes  are identical.  The form of each S-box is
	shown in Fig 3. The 12-bit input is partitioned into two seg-
	ments: a 4-bit row value _r formed from bits [_b11_b10_b1_b0], and
	an 8-bit column value _c formed from bits [_b9_b8..._b3_b2].	  The
	row  value  _r  is  used to select one of 16 S-functions Sfn_r,
	which then take as input the column value _c  and  produce  an
	8-bit output value. This is defined as:

		   Sfn_r=(_c_X_O_R_r)_e_rmodgen_r,	 inGF(28)      [Eq.7]

	where  gen_r is an irreducible polynomial in GF(28), and _e_r is
	the exponent used in forming the _rth S-box.   The  generators
	and  exponents	to  be used in the 16 S-functions Sfn_r in the
	standard LOKI are specified in Table 2.

	The permutation function _P provides diffusion of the  outputs
	from the four S-boxes across the inputs of all S-boxes in the
	next round.  It takes the 32-bit  concatenated	outputs	 from
	the S-boxes, and distributes them over all the inputs for the
	next round via a regular wire crossing which takes bits	 from
	the outputs of each S-box in turn, as defined in Table 3.

	22..55..  TTeesstt DDaattaa

	A single test triplet for the LOKI primitive is listed below.

	    #	Single LOKI Certification triplet
	    #	data is saved as (key, plaintext, ciphertext) triplets
	    #
	    5b5a57676a56676e 675a69675e5a6b5a 3c61fa7e2e99d048


				    -- 55 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	+-------------------------------+-------+----------------------------+
	|	  TTaabbllee 22 -- LLOOKKII SS--bbooxx	|   TTaabbll|ee 33 -- LLOOKKII PPeerrmmuuttaattiioonn PP     |
	|IIrrrreedduucciibbllee PPoollyynnoommiiaallss aanndd EExxpp+oo-nn-ee-nn-tt-ss--+----------------------------+
	+------------+--------------+---+-3-1----2-3+  15	7   30	 22   14   6 |
	|    Row     |	  gen_r	    |	|e2_r9   21|  13	5   28	 20   12   4 |
	+------------+--------------+---+-2-7----1-9+  11	3   26	 18   10   2 |
	|     0	     |	   375	    |	|3215   17|  9	1   24	 16   8	   0 |
	|     1	     |	   379	    |	+-3-1-----+----------------------------+
	|     2	     |	   391	    |	 31	|
	|     3	     |	   395	    |	 31	|
	|     4	     |	   397	    |	 31	|
	|     5	     |	   415	    |	 31	|
	|     6	     |	   419	    |	 31	|
	|     7	     |	   425	    |	 31	|
	|     8	     |	   433	    |	 31	|
	|     9	     |	   445	    |	 31	|
	|    10	     |	   451	    |	 31	|
	|    11	     |	   463	    |	 31	|
	|    12	     |	   471	    |	 31	|
	|    13	     |	   477	    |	 31	|
	|    14	     |	   487	    |	 31	|
	|    15	     |	   499	    |	 31	|
	+------------+--------------+-----------+


			       LOKI Fig 1 here


				    -- 66 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


			     LOKI Figs 2, 3 here


	33..  AAddddiittiioonnaall MMooddeess ooff UUssee

	The LOKI primitive may also be used in any mode of  operation
	currently  defined  for ISO DEA-1, with which it is interface
	compatible [AAA83].   In  addition,  two  modes	 of  use  are
	defined using the LOKI primitive for the purpose of providing
	message authentication. The  Single  Block  Hash  (SBH)	 mode
	computes  a  64-bit  Message Authentication Code (MAC or hash
	value), from an arbitrary length of message input. The Double
	Block  Hash  (DBH)  mode computes a 128-bit MAC from an arbi-
	trary length of message input.

	In the following definitions, the  LOKI	 primitive  used  for
	encryption  is denoted _Y=_E_L_K(_X). That is, _Y is a 64-bit block
	formed by encrypting input _X using the	LOKI  primitive	 with
	key _K.

	33..11..   SSiinnggllee BBlloocckk HHaasshh ((SSBBHH)) MMooddee

	The  SBH mode is defined as follows. Data for which a hash is
	to be computed is divided into 64-bit blocks, the final block
	being  padded  with  nulls  if required. A 64-bit key is sup-
	plied, and is used as the initial hash value  _I_V.   For	 each
	message	 block _M_i: that block is added modulo 2 to the previ-
	ous hash value to form a key.  That key is  used  to  encrypt
	the  previous hash value. The encrypted value is added modulo
	2 to the previous hash value to form the new hash value	 (see
	Fig  4).  The  SBH  code is the final hash value formed. This
	process may be summarised as:

				    _H0=_I_V


			 _H_i=_E_L_M_i_X_O_R_H_i-1(_H_i-1)_X_O_R_H_i-1


				    -- 77 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


				   _S_B_H=_H_n


	The SBH mode is a variant of the Davies and Meyer hash	func-
	tion  described	 in [DaP89], [Win83].  The major extension is
	the addition modulo 2 of the previous hash value to the	 cur-
	rent  message  block before using it as key input to the LOKI
	primitive. This was desired to prevent weak keys  being	 sup-
	plied to the primitive when the message data was constant. If
	the Initialization Value is chosen not to be a weak key, then
	the  chance  of	 generating  a	weak key from a given message
	stream should be greatly reduced.

	33..22..  DDoouubbllee BBlloocckk HHaasshh ((DDBBHH)) MMooddee

	The DBH mode is defined as follows. Data for which a hash  is
	to  be computed is divided into pairs of 64-bit blocks _M2_i+1,
	_M2_i+2, the final block being padded with nulls	if  required.
	A  128-bit  key	 is  supplied, composed of two 64-bit blocks,
	which are used as the initial hash values _I_V-1, _I_V0.

				  _H-1=_I_V-1


				   _H0=_I_V0


	For each pair of message blocks _M2_i+1  _M2_i+2,  the  following
	calculation is performed (see Fig 5):


	       _T=_E_L_M2_i+1_X_O_R_H2_i-1(_H2_i-1_X_O_R_M2_i+2)_X_O_R_M2_i+2_X_O_R_H2_i


	    _H2_i+1=_E_L_M2_i+2_X_O_R_H2_i(_T_X_O_R_M2_i+1)_X_O_R_M2_i+1_X_O_R_H2_i-1_X_O_R_H2_i


			       _H2_i+2=_T_X_O_R_H2_i-1

	The  DBH  block is formed by concatenating the final two hash
	values as follows:

				 _D_B_H=_H_n-1|_H_n


	The DBH mode is derived from that proposed by Quisquater  and
	Girault	 [QuG90].  Again it was extended by the addition mod-
	ulo 2 of the previous hash value to the current message block
	before using it as key input to the LOKI primitive.


				    -- 88 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    LOKI Figs 4, 5 here


				    -- 99 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	44..  CCoonncclluussiioonn

	The LOKI cryptographic primitive, and its associated modes of
	use for message	 authentication	 have  been  described.	 This
	algorithm  is  currently undergoing evaluation and testing by
	several parties.

	AAcckknnoowwlleeddggeemmeennttss

	To the members of the Centre for Computer Security  Research,
	and the staff of the Department of Computer Science for their
	help and suggestions.  Thankyou.

	BBiibblliiooggrraapphhyy

	[AAA83]	  "_I_n_f_o_r_m_a_t_i_o_n	 _I_n_t_e_r_c_h_a_n_g_e   _-   _D_a_t_a	   _E_n_c_r_y_p_t_i_o_n
		  _A_l_g_o_r_i_t_h_m _- _M_o_d_e_s _o_f _O_p_e_r_a_t_i_o_n,"  American National
		  Standards Institute X3.106-1983, American  National
		  Standards Institute, New York, 1983.

	[Bro89]	  L. Brown, "A Proposed Design for an Extended DES,"
		  in _C_o_m_p_u_t_e_r _S_e_c_u_r_i_t_y _i_n _t_h_e _A_g_e _o_f _I_n_f_o_r_m_a_t_i_o_n,  W.
		  J. Caelli (editor), North-Holland, Amsterdam, 1989.

	[BrS90a]  L.  Brown  and  J.  Seberry,	"On  the  Design   of
		  Permutation  P  in  DES  Type	 Cryptosystems,"   in
		  _A_d_v_a_n_c_e_s  _i_n	_C_r_y_p_t_o_l_o_g_y  _-  _E_u_r_o_c_r_y_p_t_'_8_9,  Lecture
		  Notes	  in   Computer	  Science,  no.	 434,  J.  J.
		  Quisquater  and  J.  Vanderwalle   (editors),	  pp.
		  696-705, |Springer Verlag|, Berlin, 1990.

	[BrS90b]  L.  Brown  and  J.  Seberry, "Key Scheduling in DES
		  Type Cryptosystems,"	in  _A_d_v_a_n_c_e_s  _i_n  _C_r_y_p_t_o_l_o_g_y_:
		  _A_u_s_c_r_y_p_t  _'_9_0,  Lecture  Notes in Computer Science,
		  no. 453, pp. 221-228,	 |Springer  Verlag|,  Berlin,
		  1990.

	[DaP89]	  D. W. Davies and W. L. Price, _S_e_c_u_r_i_t_y _f_o_r _C_o_m_p_u_t_e_r
		  _N_e_t_w_o_r_k_s, John Wiley	and  Sons,  New	 York,	1989.
		  (2nd edn).

	[Mey78]	  C.	 H.    Meyer,	 "Ciphertext/plaintext	  and
		  ciphertext/key dependence vs number of  rounds  for
		  the  data  encryption	 standard,"  in _A_F_I_P_S _|_C_o_n_f_._|
		  _|_P_r_o_c_._| _4_7, pp. 1119-1126,  AFIPS  Press,  Montvale
		  NJ, USA, |June| 1978.

	[MeM82]	  C.  H.  Meyer and S. M. Matyas, _C_r_y_p_t_o_g_r_a_p_h_y_: _A _N_e_w
		  _D_i_m_e_n_s_i_o_n _i_n _D_a_t_a _S_e_c_u_r_i_t_y, |John Wiley & Sons, New
		  York, 1982.

	[PiF89]	  J.  Pieprzyk and G. Finkelstein, "Permutations that
		  Maximize  Non-Linearity  and	Their	Cryptographic
		  Significance,"   in _C_o_m_p_u_t_e_r _S_e_c_u_r_i_t_y _i_n _t_h_e _A_g_e _o_f
		  _I_n_f_o_r_m_a_t_i_o_n, W. J. Caelli (editor),  North-Holland,
		  Amsterdam, 1989.


				    -- 1100 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	[Pie89]	  J.   Pieprzyk,   "Error  Propagation	Property  and
		  Application in Cryptography,"	  _I_E_E  _P_r_o_c_e_e_d_i_n_g_s_-_E_,
		  _C_o_m_p_u_t_e_r_s  _a_n_d _D_i_g_i_t_a_l _T_e_c_h_n_i_q_u_e_s, vol. 136, no. 4,
		  pp. 262-270, |July| 1989.

	[PiS89]	  J. Pieprzyk and J. Seberry, "_R_e_m_a_r_k_s	_o_n  _E_x_t_e_n_s_i_o_n
		  _o_f  _D_E_S  _-  _W_h_i_c_h  _W_a_y _t_o _G_o_?,"  Tech. Rep. CS89/4,
		  |Dept. of Computer  Science,	UC  UNSW,  Australian
		  Defence   Force   Academy|,	Canberra,  Australia,
		  |February.| 1989.

	[Pie90]	  J.	Pieprzyk,    "Non-Linearity    of    Exponent
		  Permutations,"      in  _A_d_v_a_n_c_e_s  _i_n	_C_r_y_p_t_o_l_o_g_y  _-
		  _E_u_r_o_c_r_y_p_t_'_8_9, Lecture Notes  in  Computer  Science,
		  no.  434,  J.	 J.  Quisquater	 and  J.  Vanderwalle
		  (editors), pp. 80-92,	 |Springer  Verlag|,  Berlin,
		  1990.

	[QuG90]	  J.   Quisquater   and	  M.  Girault,	"2n-Bit	 Hash
		  Functions  Using  n-Bit  Symmetric   Block   Cipher
		  Algorithms,"	    in	 _A_d_v_a_n_c_e_s   _i_n	_C_r_y_p_t_o_l_o_g_y  _-
		  _E_u_r_o_c_r_y_p_t_'_8_9, Lecture Notes  in  Computer  Science,
		  no.  434,  J.	 J.  Quisquater	 and  J.  Vanderwalle
		  (editors), pp. 102-109, |Springer Verlag|,  Berlin,
		  1990.

	[VCF90]	  J.  Vandewalle,  D.  Chaum, W. Fumy, C. Janssen, P.
		  Landrock and G. Roelofsen,  "A  European  Call  for
		  Cryptographic	  Algorithms:	RIPE  RACE  Integrity
		  Primitives Evaluation,"  in _A_d_v_a_n_c_e_s _i_n  _C_r_y_p_t_o_l_o_g_y
		  _-  _E_u_r_o_c_r_y_p_t_'_8_9, Lecture Notes in Computer Science,
		  no.  434,  J.	 J.  Quisquater	 and  J.  Vanderwalle
		  (editors),  pp. 267-271, |Springer Verlag|, Berlin,
		  1990.

	[Win83]	  R.  S.  Winternitz,  "Producing  a   One-Way	 Hash
		  Function  from  DES,"	  in _A_d_v_a_n_c_e_s _i_n _C_r_y_p_t_o_l_o_g_y _-
		  _|_P_r_o_c_._| _o_f _C_r_y_p_t_o _8_3, D. Chaum, R. L. Rivest and A.
		  T.  Sherman  (editors),  pp. 203-207, Plenum Press,
		  New York, |August.| 22-24, 1983.


				    -- 1111 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	AAppppeennddiixx 11 -- KKeeyy RReepprreesseennttaattiioonn aanndd CChhooiiccee


	INTRODUCTION
	     LOKI keys are 64-bit blocks, numbered  as	specified  in
	     section  2.  These	 keys  may  be written in hexadecimal
	     thus: hhhhhhhhhhhhhhhh,  where  h	is  one	 hex  (4-bit)
	     digit.  All  64  bits  of	the  key are used in the LOKI
	     algorithm	and  contribute	 to  the  confusion-diffusion
	     process.  There is no concept of parity bits in the key.
	     Valid keys may thus cover the  range  000000000000000016
	     to ffffffffffffffff16.


	CHOICE OF KEYS
	     The  cryptographic	 strength  of  the  LOKI algorithm is
	     greatly reduced if only a small number of internal	 sub-
	     keys  are	generated.  Thus keys which produce such sub-
	     keys should be avoided.

	Weak are those which result in only a  single  sub-key	being
	     formed  on all 16 rounds. These keys thus form their own
	     decryption key, and have the  form:  hhhhhhhhhhhhhhhh16,
	     he[0.._f].	There are 16 such keys.

	Semi-Weak
	     are  those	 which result in two sub-keys being formed on
	     alternate rounds. These keys  thus	 form  mutual  pairs,
	     each  being  the  decryption key for the other, and have
	     the form: hhhhhhhhiiiiiiii16, h,ie[0.._f],	h!=i.	There
	     are 240 such keys.

	Demi-Semi-Weak
	     are  those which result in four sub-keys being formed on
	     successive rounds. It is not known whether these form  a
	     security  risk,  but  it is generally accepted that they
	     should    be    avoided.	 They	 have	 the	form:
	     hihihihijkjkjkjk16,  h,i,j,ke[0.._f],  h!=i!=j!=k.	There
	     are 65280 such keys.


	CONCLUSION
	     In brief, the keys to be avoided may be described as all
	     keys  of  the  form: hihihihijkjkjkjk16, h,i,j,ke[0.._f];
	     that is where both the first four bytes  are  identical,
	     and  the  second four bytes are also identical, and thus
	     are very easy to test for	and  exclude.	There  are  a
	     total  of	65536  (ie  216)  keys to be avoided out of a
	     total key space of 264, a very  small  fraction  of  the
	     available number of keys.


				    -- 1122 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	AAppppeennddiixx 22 -- DDeeppeennddeennccyy AAnnaallyyssiiss ffoorr tthhee LLOOKKII PPrriimmiittiivvee

	To  provide  a	measure	 of  the effectiveness of the derived
	permutations, Meyer's analysis [Mey78], [MeM82] of ciphertext
	dependence on key bits (CKdep) and plaintext bits (CPdep) was
	used  in  the  design  of  the	overall	 structure  of	LOKI.
	Briefly,  following  Meyer, this analysis may be described as
	follows.   To  provide	a  measure  of	the   dependency   of
	ciphertext  bits  on  plaintext	 bits,	a 64*64 array _G_a,_b is
	formed. Each element  _G_a,_b(_i,_j)	 specifies  a  dependency  of
	output	bit  _X(_j)  on input bit _X(_i), between rounds _a and _b.
	The number of marked elements in _G0,_r indicates the degree to
	which	complete   dependence	was   achieved	by  round  _r.
	Similarly, the dependency of ciphertext bits on key  bits  is
	measured by forming a 64*64 array _F_a,_b, each element of which
	specifies a dependency of output bit _X(_j) on  key  bit	_K(_i).
	Again, the number of marked elements in _F0,_r will be examined
	to provide a profile of the degree of dependence achieved  by
	round  _r.   Details  of the derivation of these matrices, and
	the means by which entries are propagated, may	be  found  in
	[MeM82].   The	matrices  found	 for  the  LOKI primitive are
	listed below (x specifies  message  dependency,	 -  specifies
	autoclave  dependency,	*  specifies  dependencies  via	 both
	message and autoclave inputs):


	LLOOKKII CCKKddeepp AAnnaallyyssiiss


				    -- 1133 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    Round 1:  None 3276, Msg 564, Autoclave 256, Both 0, Err 0	CKdep: 0.00,20.02


	     1					x
	     2					 x
	     3					  x
	     4					   x
	     5					    x
	     6					     x
	     7					      x
	     8					       x
	     9						x
	    10						 x
	    11						  x
	    12						   x
	    13						    x
	    14						     x
	    15						      x
	    16						       x
	    17							x
	    18							 x
	    19							  x
	    20							   x
	    21							    x
	    22							     x
	    23							      x
	    24							       x
	    25								x
	    26								 x
	    27								  x
	    28								   x
	    29								    x
	    30								     x
	    31								      x
	    32								       x
	    33	xxxxxx--		    --xxxxxxxx--		    --xx
	    34	 x  --xxxxxxxx--		    --xxxxxxxx--
	    35	  x	    --xxxxxxxx--		    --xxxxxxxx--
	    36	   x		    --xxxxxxxx--		    --xxxxxxxx--
	    37	xxxxxx--		    --xxxxxxxx--		    --xx
	    38	    --xxxxxxxx--		    --xxxxxxxx--
	    39	      x	    --xxxxxxxx--		    --xxxxxxxx--
	    40	       x	    --xxxxxxxx--		    --xxxxxxxx--
	    41	xxxxxx--x		    --xxxxxxxx--		    --xx
	    42	    --xxxxxxxx--		    --xxxxxxxx--
	    43		  x --xxxxxxxx--		    --xxxxxxxx--
	    44		   x	    --xxxxxxxx--		    --xxxxxxxx--
	    45	xxxxxx--    x		    --xxxxxxxx--		    --xx
	    46	    --xxxxxxxx--		    --xxxxxxxx--
	    47		    --xxxxxxxx--		    --xxxxxxxx--
	    48		       x    --xxxxxxxx--		    --xxxxxxxx--
	    49	xxxxxx--	x	    --xxxxxxxx--		    --xx
	    50	    --xxxxxxxx-- x		    --xxxxxxxx--
	    51		    --xxxxxxxx--		    --xxxxxxxx--
	    52			   x--xxxxxxxx--		    --xxxxxxxx--
	    53	xxxxxx--	    x	    --xxxxxxxx--		    --xx
	    54	    --xxxxxxxx--     x		    --xxxxxxxx--

				    -- 1144 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    55		    --xxxxxxxx--		    --xxxxxxxx--
	    56			    --xxxxxxxx--		    --xxxxxxxx--
	    57	xxxxxx--		x   --xxxxxxxx--		    --xx
	    58	    --xxxxxxxx--	 x	    --xxxxxxxx--
	    59		    --xxxxxxxx--  x		    --xxxxxxxx--
	    60			    --xxxxxxxx--		    --xxxxxxxx--
	    61	xxxxxx--		    --xxxxxxxx--		    --xx
	    62	    --xxxxxxxx--	     x	    --xxxxxxxx--
	    63		    --xxxxxxxx--      x		    --xxxxxxxx--
	    64			    --xxxxxxxx--		    --xxxxxxxx--


				    -- 1155 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    Round 2:  None 1260, Msg 532, Autoclave 256, Both 2048, Err 0  CKdep: 50.00,69.24


	     1	xxxxxx--		    --xxxxxxxx--		    --xx
	     2	 x  --xxxxxxxx--		    --xxxxxxxx--
	     3	  x	    --xxxxxxxx--		    --xxxxxxxx--
	     4	   x		    --xxxxxxxx--		    --xxxxxxxx--
	     5	xxxxxx--		    --xxxxxxxx--		    --xx
	     6	    --xxxxxxxx--		    --xxxxxxxx--
	     7	      x	    --xxxxxxxx--		    --xxxxxxxx--
	     8	       x	    --xxxxxxxx--		    --xxxxxxxx--
	     9	xxxxxx--x		    --xxxxxxxx--		    --xx
	    10	    --xxxxxxxx--		    --xxxxxxxx--
	    11		  x --xxxxxxxx--		    --xxxxxxxx--
	    12		   x	    --xxxxxxxx--		    --xxxxxxxx--
	    13	xxxxxx--    x		    --xxxxxxxx--		    --xx
	    14	    --xxxxxxxx--		    --xxxxxxxx--
	    15		    --xxxxxxxx--		    --xxxxxxxx--
	    16		       x    --xxxxxxxx--		    --xxxxxxxx--
	    17	xxxxxx--	x	    --xxxxxxxx--		    --xx
	    18	    --xxxxxxxx-- x		    --xxxxxxxx--
	    19		    --xxxxxxxx--		    --xxxxxxxx--
	    20			   x--xxxxxxxx--		    --xxxxxxxx--
	    21	xxxxxx--	    x	    --xxxxxxxx--		    --xx
	    22	    --xxxxxxxx--     x		    --xxxxxxxx--
	    23		    --xxxxxxxx--		    --xxxxxxxx--
	    24			    --xxxxxxxx--		    --xxxxxxxx--
	    25	xxxxxx--		x   --xxxxxxxx--		    --xx
	    26	    --xxxxxxxx--	 x	    --xxxxxxxx--
	    27		    --xxxxxxxx--  x		    --xxxxxxxx--
	    28			    --xxxxxxxx--		    --xxxxxxxx--
	    29	xxxxxx--		    --xxxxxxxx--		    --xx
	    30	    --xxxxxxxx--	     x	    --xxxxxxxx--
	    31		    --xxxxxxxx--      x		    --xxxxxxxx--
	    32			    --xxxxxxxx--		    --xxxxxxxx--
	    33	****************************************************************
	    34	****************************************************************
	    35	****************************************************************
	    36	****************************************************************
	    37	****************************************************************
	    38	****************************************************************
	    39	****************************************************************
	    40	****************************************************************
	    41	****************************************************************
	    42	****************************************************************
	    43	****************************************************************
	    44	****************************************************************
	    45	****************************************************************
	    46	****************************************************************
	    47	****************************************************************
	    48	****************************************************************
	    49	****************************************************************
	    50	****************************************************************
	    51	****************************************************************
	    52	****************************************************************
	    53	****************************************************************
	    54	****************************************************************

				    -- 1166 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    55	****************************************************************
	    56	****************************************************************
	    57	****************************************************************
	    58	****************************************************************
	    59	****************************************************************
	    60	****************************************************************
	    61	****************************************************************
	    62	****************************************************************
	    63	****************************************************************
	    64	****************************************************************


				    -- 1177 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    Round 3:  None 0, Msg 0, Autoclave 0, Both 4096, Err 0  CKdep: 100.00,100.00


	     1	****************************************************************
	     2	****************************************************************
	     3	****************************************************************
	     4	****************************************************************
	     5	****************************************************************
	     6	****************************************************************
	     7	****************************************************************
	     8	****************************************************************
	     9	****************************************************************
	    10	****************************************************************
	    11	****************************************************************
	    12	****************************************************************
	    13	****************************************************************
	    14	****************************************************************
	    15	****************************************************************
	    16	****************************************************************
	    17	****************************************************************
	    18	****************************************************************
	    19	****************************************************************
	    20	****************************************************************
	    21	****************************************************************
	    22	****************************************************************
	    23	****************************************************************
	    24	****************************************************************
	    25	****************************************************************
	    26	****************************************************************
	    27	****************************************************************
	    28	****************************************************************
	    29	****************************************************************
	    30	****************************************************************
	    31	****************************************************************
	    32	****************************************************************
	    33	****************************************************************
	    34	****************************************************************
	    35	****************************************************************
	    36	****************************************************************
	    37	****************************************************************
	    38	****************************************************************
	    39	****************************************************************
	    40	****************************************************************
	    41	****************************************************************
	    42	****************************************************************
	    43	****************************************************************
	    44	****************************************************************
	    45	****************************************************************
	    46	****************************************************************
	    47	****************************************************************
	    48	****************************************************************
	    49	****************************************************************
	    50	****************************************************************
	    51	****************************************************************
	    52	****************************************************************
	    53	****************************************************************
	    54	****************************************************************

				    -- 1188 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    55	****************************************************************
	    56	****************************************************************
	    57	****************************************************************
	    58	****************************************************************
	    59	****************************************************************
	    60	****************************************************************
	    61	****************************************************************
	    62	****************************************************************
	    63	****************************************************************
	    64	****************************************************************


				    -- 1199 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	LLOOKKII CCPPddeepp AAnnaallyyssiiss


				    -- 2200 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    Round 1: None 3616, Msg 352, Autoclave 128, Both 0, Err 0 CPdep: 0.00,11.72


	     1				       x
	     2					x
	     3					 x
	     4					  x
	     5					   x
	     6					    x
	     7					     x
	     8					      x
	     9					       x
	    10						x
	    11						 x
	    12						  x
	    13						   x
	    14						    x
	    15						     x
	    16						      x
	    17						       x
	    18							x
	    19							 x
	    20							  x
	    21							   x
	    22							    x
	    23							     x
	    24							      x
	    25							       x
	    26								x
	    27								 x
	    28								  x
	    29								   x
	    30								    x
	    31								     x
	    32								      x
	    33 x			       xxxxxxx--		   --xx
	    34	x				   --xxxxxxxxx--
	    35	 x					   --xxxxxxxxx--
	    36	  x			       -		   --xxxxxxxxx-
	    37	   x			       xxxxxxx--		   --xx
	    38	    x				   --xxxxxxxxx--
	    39	     x					   --xxxxxxxxx--
	    40	      x			       -		   --xxxxxxxxx-
	    41	       x		       xxxxxxx--		   --xx
	    42		x			   --xxxxxxxxx--
	    43		 x				   --xxxxxxxxx--
	    44		  x		       -		   --xxxxxxxxx-
	    45		   x		       xxxxxxx--		   --xx
	    46		    x			   --xxxxxxxxx--
	    47		     x				   --xxxxxxxxx--
	    48		      x		       -		   --xxxxxxxxx-
	    49		       x	       xxxxxxx--		   --xx
	    50			x		   --xxxxxxxxx--
	    51			 x			   --xxxxxxxxx--
	    52			  x	       -		   --xxxxxxxxx-
	    53			   x	       xxxxxxx--		   --xx
	    54			    x		   --xxxxxxxxx--

				    -- 2211 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    55			     x			   --xxxxxxxxx--
	    56			      x	       -		   --xxxxxxxxx-
	    57			       x       xxxxxxx--		   --xx
	    58				x	   --xxxxxxxxx--
	    59				 x		   --xxxxxxxxx--
	    60				  x    -		   --xxxxxxxxx-
	    61				   x   xxxxxxx--		   --xx
	    62				    x	   --xxxxxxxxx--
	    63				     x		   --xxxxxxxxx--
	    64				      x-		   --xxxxxxxxx-


				    -- 2222 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    Round 2: None 2240, Msg 576, Autoclave 256, Both 1024, Err 0 CPdep: 25.00,45.31


	     1 x			       xxxxxxx--		   --xx
	     2	x				   --xxxxxxxxx--
	     3	 x					   --xxxxxxxxx--
	     4	  x			       -		   --xxxxxxxxx-
	     5	   x			       xxxxxxx--		   --xx
	     6	    x				   --xxxxxxxxx--
	     7	     x					   --xxxxxxxxx--
	     8	      x			       -		   --xxxxxxxxx-
	     9	       x		       xxxxxxx--		   --xx
	    10		x			   --xxxxxxxxx--
	    11		 x				   --xxxxxxxxx--
	    12		  x		       -		   --xxxxxxxxx-
	    13		   x		       xxxxxxx--		   --xx
	    14		    x			   --xxxxxxxxx--
	    15		     x				   --xxxxxxxxx--
	    16		      x		       -		   --xxxxxxxxx-
	    17		       x	       xxxxxxx--		   --xx
	    18			x		   --xxxxxxxxx--
	    19			 x			   --xxxxxxxxx--
	    20			  x	       -		   --xxxxxxxxx-
	    21			   x	       xxxxxxx--		   --xx
	    22			    x		   --xxxxxxxxx--
	    23			     x			   --xxxxxxxxx--
	    24			      x	       -		   --xxxxxxxxx-
	    25			       x       xxxxxxx--		   --xx
	    26				x	   --xxxxxxxxx--
	    27				 x		   --xxxxxxxxx--
	    28				  x    -		   --xxxxxxxxx-
	    29				   x   xxxxxxx--		   --xx
	    30				    x	   --xxxxxxxxx--
	    31				     x		   --xxxxxxxxx--
	    32				      x-		   --xxxxxxxxx-
	    33 xxxxxx--			   --xx********************************
	    34	   --xxxxxxxx--		       ********************************
	    35		   --xxxxxxxx--	       ********************************
	    36			   --xxxxxxxx--********************************
	    37 xxxxxx--			   --xx********************************
	    38	   --xxxxxxxx--		       ********************************
	    39		   --xxxxxxxx--	       ********************************
	    40			   --xxxxxxxx--********************************
	    41 xxxxxx--			   --xx********************************
	    42	   --xxxxxxxx--		       ********************************
	    43		   --xxxxxxxx--	       ********************************
	    44			   --xxxxxxxx--********************************
	    45 xxxxxx--			   --xx********************************
	    46	   --xxxxxxxx--		       ********************************
	    47		   --xxxxxxxx--	       ********************************
	    48			   --xxxxxxxx--********************************
	    49 xxxxxx--			   --xx********************************
	    50	   --xxxxxxxx--		       ********************************
	    51		   --xxxxxxxx--	       ********************************
	    52			   --xxxxxxxx--********************************
	    53 xxxxxx--			   --xx********************************
	    54	   --xxxxxxxx--		       ********************************

				    -- 2233 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    55		   --xxxxxxxx--	       ********************************
	    56			   --xxxxxxxx--********************************
	    57 xxxxxx--			   --xx********************************
	    58	   --xxxxxxxx--		       ********************************
	    59		   --xxxxxxxx--	       ********************************
	    60			   --xxxxxxxx--********************************
	    61 xxxxxx--			   --xx********************************
	    62	   --xxxxxxxx--		       ********************************
	    63		   --xxxxxxxx--	       ********************************
	    64			   --xxxxxxxx--********************************


				    -- 2244 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    Round 3: None 640, Msg 256, Autoclave 128, Both 3072, Err 0 CPdep: 75.00,84.38


	     1 xxxxxx--			   --xx********************************
	     2	   --xxxxxxxx--		       ********************************
	     3		   --xxxxxxxx--	       ********************************
	     4			   --xxxxxxxx--********************************
	     5 xxxxxx--			   --xx********************************
	     6	   --xxxxxxxx--		       ********************************
	     7		   --xxxxxxxx--	       ********************************
	     8			   --xxxxxxxx--********************************
	     9 xxxxxx--			   --xx********************************
	    10	   --xxxxxxxx--		       ********************************
	    11		   --xxxxxxxx--	       ********************************
	    12			   --xxxxxxxx--********************************
	    13 xxxxxx--			   --xx********************************
	    14	   --xxxxxxxx--		       ********************************
	    15		   --xxxxxxxx--	       ********************************
	    16			   --xxxxxxxx--********************************
	    17 xxxxxx--			   --xx********************************
	    18	   --xxxxxxxx--		       ********************************
	    19		   --xxxxxxxx--	       ********************************
	    20			   --xxxxxxxx--********************************
	    21 xxxxxx--			   --xx********************************
	    22	   --xxxxxxxx--		       ********************************
	    23		   --xxxxxxxx--	       ********************************
	    24			   --xxxxxxxx--********************************
	    25 xxxxxx--			   --xx********************************
	    26	   --xxxxxxxx--		       ********************************
	    27		   --xxxxxxxx--	       ********************************
	    28			   --xxxxxxxx--********************************
	    29 xxxxxx--			   --xx********************************
	    30	   --xxxxxxxx--		       ********************************
	    31		   --xxxxxxxx--	       ********************************
	    32			   --xxxxxxxx--********************************
	    33 ****************************************************************
	    34 ****************************************************************
	    35 ****************************************************************
	    36 ****************************************************************
	    37 ****************************************************************
	    38 ****************************************************************
	    39 ****************************************************************
	    40 ****************************************************************
	    41 ****************************************************************
	    42 ****************************************************************
	    43 ****************************************************************
	    44 ****************************************************************
	    45 ****************************************************************
	    46 ****************************************************************
	    47 ****************************************************************
	    48 ****************************************************************
	    49 ****************************************************************
	    50 ****************************************************************
	    51 ****************************************************************
	    52 ****************************************************************
	    53 ****************************************************************
	    54 ****************************************************************

				    -- 2255 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    55 ****************************************************************
	    56 ****************************************************************
	    57 ****************************************************************
	    58 ****************************************************************
	    59 ****************************************************************
	    60 ****************************************************************
	    61 ****************************************************************
	    62 ****************************************************************
	    63 ****************************************************************
	    64 ****************************************************************


				    -- 2266 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    Round 4: None 0, Msg 0, Autoclave 0, Both 4096, Err 0 CPdep: 100.00,100.00


	     1 ****************************************************************
	     2 ****************************************************************
	     3 ****************************************************************
	     4 ****************************************************************
	     5 ****************************************************************
	     6 ****************************************************************
	     7 ****************************************************************
	     8 ****************************************************************
	     9 ****************************************************************
	    10 ****************************************************************
	    11 ****************************************************************
	    12 ****************************************************************
	    13 ****************************************************************
	    14 ****************************************************************
	    15 ****************************************************************
	    16 ****************************************************************
	    17 ****************************************************************
	    18 ****************************************************************
	    19 ****************************************************************
	    20 ****************************************************************
	    21 ****************************************************************
	    22 ****************************************************************
	    23 ****************************************************************
	    24 ****************************************************************
	    25 ****************************************************************
	    26 ****************************************************************
	    27 ****************************************************************
	    28 ****************************************************************
	    29 ****************************************************************
	    30 ****************************************************************
	    31 ****************************************************************
	    32 ****************************************************************
	    33 ****************************************************************
	    34 ****************************************************************
	    35 ****************************************************************
	    36 ****************************************************************
	    37 ****************************************************************
	    38 ****************************************************************
	    39 ****************************************************************
	    40 ****************************************************************
	    41 ****************************************************************
	    42 ****************************************************************
	    43 ****************************************************************
	    44 ****************************************************************
	    45 ****************************************************************
	    46 ****************************************************************
	    47 ****************************************************************
	    48 ****************************************************************
	    49 ****************************************************************
	    50 ****************************************************************
	    51 ****************************************************************
	    52 ****************************************************************
	    53 ****************************************************************
	    54 ****************************************************************

				    -- 2277 --


	TTRR CCSS9900//11      LLOOKKII -- AA CCrryyppttooggrraapphhiiccBBPPrrrrooiiwwmmnnii,,ttiiPPvviieeeepprrzzyykk,, SSeebbeerrrryy


	    55 ****************************************************************
	    56 ****************************************************************
	    57 ****************************************************************
	    58 ****************************************************************
	    59 ****************************************************************
	    60 ****************************************************************
	    61 ****************************************************************
	    62 ****************************************************************
	    63 ****************************************************************
	    64 ****************************************************************


				    -- 2288 --