Improving Resistance to Differential Cryptanalysis and the Redesign of LOKI Lawrence BROWN Matthew KWAN Josef PIEPRZYK Jennifer SEBERRY Technical Report CS38/91 Department of Computer Science, University College, UNSW, Australian Defence Force Academy, Canberra ACT 2600. Australia. Abstract Differential Cryptanalysis is currently the most powerful tool available for analysing block ciphers, and new block ciphers need to be designed to resist it. It has been suggested that the use of S-boxes based on bent functions, with a flat XOR profile, would be immune. However our studies of differential cryptanalysis, particularly applied to the LOKI cipher, have shown that this is not the case. In fact, this results in a relatively easily broken scheme. We show that an XOR profile with carefully placed zeroes is required. We also show that in order to avoid some variant forms of differential cryptanalysis, permutation P needs to be chosen to prevent easy propagation of a constant XOR value back into the same S-box. We redesign the LOKI cipher to form LOKI91, to illustrate these results, as well as to correct the key schedule to remove the formation of equivalent keys. We conclude with an overview of the security of the new cipher. 1 Introduction Cryptographic research is currently a very active field, with the need for new encryption algorithms having spurred the design of several new block ciphers [1]. The most powerful tool for analysing such block ciphers currently known is differential cryptanalysis. It has been used to find design deficiencies in many of the new ciphers. Some new design criteria have been proposed which are claimed to provide immunity to 1 Figure 1: An XOR Profile differential cryptanalysis. These involve the use of S-boxes based on bent functions, selected so the resultant box has a flat XOR profile. In this paper, after presenting a brief introduction to the key concepts in differential cryptanalysis, we will show that these new criteria do not provide the immunity claimed, but rather can result in the design of a scheme which may be relatively easily broken. What we believe is required, is an S-box with carefully placed zeroes, which significantly hinder the differential cryptanalysis process. We continue by documenting our analysis of the LOKI cipher. We report on a previously discovered differential cryptanalysis attack, faster than exhaustive search up to 11 rounds, as well as on a new attack, using an alternate form of analysis, which is faster than exhaustive search up to 14 rounds. We also briefly note some design deficiencies in the key schedule which resulted in the generation of equivalent keys. This process highlighted some necessary additional design criteria needed to strengthen block ciphers against these attacks. We conclude by describing the redesign of the LOKI cipher, using it to illustrate the application of these additional design principles, and make some comments on what we believe is the security of the new scheme. 2 Differential Cryptanalysis 2.1 Overview Differential Cryptanalysis is a dynamic attack against a cipher, using a very large number of chosen plaintext pairs, which through a statistical analysis of the resulting ciphertext pairs, can be used to determine the key in use. In general, differential cryptanalysis is much faster than exhaustive search for a certain number of rounds in the cipher, however there is a breakeven point where it becomes slower than exhaustive search. The lower the number of rounds this is, the greater the security 2 Figure 2: A 2-round Iterative Characteristic of the cipher. Differential Cryptanalysis was first described by Biham and Shamir in [2], and in greater detail in [3]. These described the general technique, and its application to the analysis of the DES and the Generalised DES. Subsequent papers by them have detailed its application to FEAL and N-Hash [4], and to Snefru, Khafre, Redoc-II, LOKI, and Lucifer [5]. In Differential Cryptanalysis, a table showing the distribution of the XOR of input pairs against the XOR of output pairs is used to determine probabilities of a particular observed output pair being the result of some input pair. The general form of such a table is shown in Fig 1. To attack a multi-round block cipher, the XOR profile is used to build n round characteristics, which have a given probability of occurring. These characteristics specify a particular input XOR, a possible output XOR, the necessary intermediate XOR's, and the probability of this occurring. In their original paper [3], Biham and Shamir describe 1,2,3 and 5 round characteristics which may be used to directly attack versions of DES up to 7 rounds. Knowing a characteristic, it is possible to infer information about the outputs for the next two rounds. To utilise this attack, a number of pairs of inputs, having the nominated input XOR, are tried, until an output XOR results which indicates that the pattern specified in the characteristic has occurred. Since an n round characteristic has a probability of occurrence, for most keys we can state on average, how many pairs of inputs need to be trialed before the characteristic is successfully matched. Once a suitable pair, known as a right pair, has been found, information on possible keys which could have been used, is deduced. Once this is done we have two plaintext-ciphertext pairs. We 3 know from the ciphertext, the input to the last round. Knowing the input XOR and output XOR for this round, we can thus restrict the possible key bits used in this round, by considering those outputs with an XOR of zero, providing information on the outputs of some of the S-boxes. By then locating additional right pairs we can eventually either uniquely determine the key, or deduce sufficient bits of it that an exhaustive search of the rest may be done. N round characteristics can be concatenated to form longer characteristics if the output of the first supplies the input to the second, with probabilities multiplied together. A particularly useful characteristic is one whose output is a swapped version of its input, and which hence may be iterated with itself. This may be used to analyse an arbitrary number of rounds of the cipher, with a steadily increasing work factor. A particularly useful form is one where a non-zero input XOR to the F function results in a zero output XOR. Such a characteristic is illustrated in Fig 2, and may be denoted as: A. (x, 0) -> (0, x) always (ie Pr=1) B. (0, x) -> (x, 0) with some probability p It may be iterated as A B A B A B A B to 8 rounds for example, with characteristic probability p4. This form of characteristic is then used in the analysis of arbitrary n round forms of a cipher, until the work factor exceeds exhaustive search. These techniques are described in detail in [3]. 2.2 Why Flat XOR profiles Don't Work Given the success of differential cryptanalysis in the analysis of block ciphers, it has become important to develop design criteria to improve the resistance of block ciphers to it, especially with several candidates having performed poorly. Dawson and Tavares [6] have proposed that the selection of S-boxes with equal probabilities for each output XOR given an input XOR (except input 0) would result in a cipher that was immune to differential cryptanalysis (see Fig. 3). However a careful study of Biham and Shamir's attack on the 8 round version of DES [3], confirmed by our own analyses of LOKI, have shown that this is not the case. Indeed the selection of such S-boxes results in a cipher which is significantly easier to cryptanalyse than normal. This is done by constructing a 2 round iterative characteristic of the form in Fig. 2, with an input XOR that changes bits to one S-box only. We know we can do this, since the flat XOR profile implies that an output XOR of 0 for a specified input XOR will occur with P r(1=2n ). When iterated over 2k rounds, this will have a probability of P r(1=2(k-1)n ), since you get the last round for free. Consider a 16 round DES style cryptosystem, but with S-boxes having a flat XOR profile of the form in Fig. 3 with m = 6, 4 Figure 3: Flat XOR Profile n = 4, and k = 8. This may be attacked by a 15-round characteristic, chosen to alter inputs to a single S-box only. This gives a probability to break with a given test pair of P r(1=228), implying that about 228 pairs need to be tried to break the cipher, far easier than by exhaustive search. 2.3 Significance of Permutation P Although differential cryptanalysis may be done independent of permutation P, knowledge of a particular P may be used to construct some other useful n round characteristics for cryptanalysing a particular cipher. The most useful of these take the form of a 2 or 3 round characteristic which generate an output XOR identical to the input XOR, either directly in 2 rounds, or by oscillating between two alternate XOR values over 3 rounds. The 3 round characteristic is sensitive to the form of permutation P . This form of characteristic has been found in the original version of LOKI, as detailed below. It thus indicates that care is needed in the design of not just the S-boxes, but of all elements in function F , in order to reduce susceptibility to differential cryptanalysis. 3 Analysis of LOKI 3.1 Overview LOKI is one of several recently proposed new block ciphers. It was originally detailed by Brown, Pieprzyk and Seberry in [7]. Its overall structure is shown in Fig. 4. We will refer to this version of the cipher as LOKI89 in the remainder of this paper. It is a 16 round Feistel style cipher, with a relatively straightforward key schedule, a non-linear function F = P (S(E(R K))), and four identical 12-to-8 bit S-boxes. Permutation P in LOKI has a regular structure which distributes the 8 output bits from each S-box to boxes [+3 + 2 + 1 0 + 3 + 2 + 1 0] in the next round. Its S-box consists of 16 1-1 functions, based on 5 Figure 4: LOKI89 Overall Structure and S-box Detail exponentiation in a Galois field GF (28) (see [8]), with the general structure shown in Fig. 4. 3.2 Security of LOKI89 Initial testing of the statistical and complexity properties of LOKI89 indicated that its properties were very similar to those exhibited by DES, FEAL8 and Lucifer [9], results that were very encouraging. Initial examination of the XOR profile of the LOKI89 S-box also suggested that it should be more resistant than DES to differential cryptanalysis. LOKI89 was then analysed in detail using differential cryptanalysis. Biham [5] describes an attack, using a 2 round iterative characteristic with P r(118=220) P r(2-13:12 ), with non-zero inputs to 2 S-boxes resulting in the same output. There are four related variants (by rotation) of the form: A. (00000510,00000000) -> (00000000,00000510) always B. (00000000,00000510) -> (00000510,00000000) Pr(118/2^20) 6 This characteristic is iterated to 8 rounds with P r(2-52:48 ), allowing up to 10 rounds to be broken faster than by exhaustive key space search. This is a significantly better result than for the DES. The authors have verified this attack. The authors have subsequently found an alternate 3 round iterative characteristic, attacking S-box 3, with an output XOR identical to the input XOR. Since permutation P in LOKI89 permutes some output bits back to the same S-box in the next round, this allows the characteristic to be iterated. It has the form: A. (00400000,00000000) -> (00000000,00400000) always B. (00000000,00400000) -> (00400000,00400000) Pr(28/4096) C. (00400000,00400000) -> (00400000,00000000) Pr(28/4096) Since 28=4096 2-7:2 if we concatenate these characteristics, we get a 13 round characteristic in the order A B C A B C A B C A B C A with a probability of P r(2-7:2*8 ) P r(2-57:6 ). This may be used to attack a 14 round version of LOKI89, and requires O(259) pairs to succeed. This is of the same order as exhaustive search (which is of O(260), as detailed below), and is thus a more successful attack than that reported previously. It has been verified by Biham. This still leaves the full 16 round version of LOKI89 secure, but with a reduced margin against that originally believed. Independently, the authors [10], Biham [5], and the members of the RIPE consortium have discovered a weakness in the LOKI89 key schedule. It results in the generation of 15 equivalent keys for any given key, effectively reducing the key-space to 260 keys. A complementation property also exists which results in 256 (key, plain, cipher) triples being formed, related by LOKI(P; K) pppppppppppppppp = LOKI(P pppppppppppppppp; K mmmmmmmmnnnnnnnn), where p = m n for arbitrary hex values m; n. This may be used to reduce the complexity of a chosen plaintext attack by an additional factor of 16. These results were found by analysing the key schedule by regarding each S-box input as a linear function of the key and plaintext, and solving to form (key, plaintext) pairs which result in identical S-box input values. This lead to solving the following equations: RD KRD n:ROT 12(KLD) = 0 (1) LD KLD n:ROT 12(KRD) = 0 (2) where LD = L0 L, RD = R0 R, KLD = KL0 KL, and KRD = KR0 KR describe the difference between the related (key, plaintext) pairs. This method is detailed by Kwan in [10]. In the light of these results, the authors have devised some additional design guidelines to those originally used in the design of LOKI, and have applied them in the development of a new version, LOKI91. 7 4 Redesign of LOKI 4.1 Some Additional Design Guidelines To improve the resistance of a cipher to differential cryptanalysis, and to remove problems with the key schedule, the following guidelines were used: o analyse the key schedule to minimize the generation of equivalent key, or related (key, plaintext) pairs. o minimise the probability that a non-zero input XOR results in a zero output XOR, or in an identical output XOR, particularly for inputs that differ in only 1 or 2 S-boxes. o ensure the cipher has sufficient rounds so that exhaustive search is the optimal attack (ie have insufficient pairs to do differential cryptanalysis). o ensure that there is no way to make all S-boxes give 0 outputs, to increase the ciphers security when used in hashing modes. These criteria were used when selecting the changes made to the LOKI structure, detailed below. 4.2 Design of LOKI91 LOKI91 is the revised version, developed to address the results detailed above. Changes have been made to two aspects of the LOKI structure. Firstly the key schedule has been amended in several places to significantly reduce the number of weak keys. Secondly the function used in the S-boxes has been altered to improve its utility in hashing applications, and to improve its immunity to differential cryptanalysis. In more detail, the four changes made to the original design were: 1. change key schedule to swap halves after every second round 2. change key rotations to alternate between ROT13 and ROT12 3. remove initial and final XORs of key with plaintext and ciphertext 4. alter the S-box function used in the LOKI S-box (Fig. 4) to Sf n(row; col) = (col + ((row * 17) f f16)&f f16)31mod grow (3) where + and * refer to arithmetic addition and multiplication, is addition modulo 2, and the exponentiation is performed in GF (28). The generator polynomials used (grow ) are as for LOKI89 [7]. 8 Figure 5: LOKI91 Overall Structure 9 ___________________________________________________ |__Encrypt__Key________|__Decrypt__Key___________|_ | 0000000000000000 | 0000000000000000 * | | 00000000aaaaaaaa | aaaaaaaa00000000 | | 0000000055555555 | 5555555500000000 | | 00000000ffffffff | ffffffff00000000 | | aaaaaaaa00000000 | 00000000aaaaaaaa | | aaaaaaaaaaaaaaaa | aaaaaaaaaaaaaaaa * | | aaaaaaaa55555555 | 55555555aaaaaaaa | | aaaaaaaaffffffff | ffffffffaaaaaaaa | | 5555555500000000 | 0000000055555555 | | 55555555aaaaaaaa | aaaaaaaa55555555 | | 5555555555555555 | 5555555555555555 * | | 55555555ffffffff | ffffffff55555555 | | ffffffff00000000 | 00000000ffffffff | | ffffffffaaaaaaaa | aaaaaaaaffffffff | | ffffffff55555555 | 55555555ffffffff | |__ffffffffffffffff__|____ffffffffffffffff__*__|___ Table 1: LOKI91 Weak and semi-weak key pairs The overall structure of LOKI91 that results from these changes is shown in Fig. 5. The key schedule changes remove all but a single bit complementation property, leaving an effective search space of 263 keys under a chosen-plaintext attack. It reduces key equivalences to a single bit complementation_property,_similar_to that of the DES where LOKI(P ; K ) = LOKI(P; K) , by reducing the solutions to each of Eq. 1 and Eq. 2 to one, and removing the independence between them by altering the swapping to every two rounds. It also greatly reduces the number of weak and semi-weak keys to those shown in Table 1 (where an * denotes weak keys). The DES also has 16 weak and semi-weak keys. The removal of the initial and final XORs became necessary with the change in the swap locations, since otherwise it would have resulted in cancellation of the keys bits at the input to E in some rounds. This change does affect the growth of ciphertext dependence on keys bits (see [11]), increasing it from 3 to 5 rounds. This still compares favorably with the DES which takes either 5 or 7 rounds, dependent on the type of dependency analysed. This change also greatly assisted in the reduction of the number of equivalent keys. The new Sfn uses arithmetic addition and multiplication, as these are non-linear when used in GF (28). The addition modulo two of the row 10 with f f16 ensures that an all zero input gives a non-zero output, thus removing the major deficiency of LOKI89 when used as a hash function. The result of the addition and multiplication is masked with f f16 to restrict the value to lie with GF (28), prior to the exponentiation in that field. The new function reduces the probabilities of occurance of n round iterative characteristics, useful for differential cryptanalysis, to be as low as possible. With the new function, LOKI91 is theoretically breakable faster than an exhaustive key space search in: o up to 10 rounds using a 2 round characteristic with the f (x0)- > 00 mapping occuring with P r(122=1048576) o up to 12 rounds using a 3 round characteristic with the f (x0)- > x0 mapping occuring with P r(16=4096) (used twice) At 16 rounds, cryptanalysis is generally impossible, as insufficient pairs are available to complete the analysis. It would require: o 280 pairs using the 3 round characterisitic, or o 292 pairs using the 2 round characteristic compared to a total of 263 possible plaintext pairs. 5 Conclusion In this paper, we have shown that a flat XOR profile does not provide immunity to differential cryptanalysis, but in fact leads to a very insecure scheme. Instead a carefully chosen XOR profile, with suitably placed 0 entries is required to satisfy the new design guidelines we have identified. We also note an analysis of key schedules, which can be used to determine the number of equivalent keys. We conclude with the application of these results to the design of LOKI91. 6 Acknowledgements Thank you to the members of the crypt group for their support and suggestions. This work has been supported by ARC grant A48830241, ATERB, and Telecom Australia research contract 7027. Appendix A - Specification of LOKI91 Encryption The overall structure of LOKI91 is shown in Fig. 5, and is specified as follows. The 64-bit input block X is partitioned into two 32-bit blocks L 11 and R. Similarly, the 64-bit key is partitioned into two 32-bit blocks KL and KR. L0 = L KL0 = KL R0 = R KR0 = KR (4) The key-dependent computation consists (except for a final interchange of blocks) of 16 rounds (iterations) of a set of operations. Each iteration includes the calculation of the encryption function f . This is a concatenation of a modulo 2 addition and three functions E, S, and P . Function f takes as input the 32-bit right data half Ri-1 and the 32-bit left key half KLi produced by the key schedule KS (denoted Ki below), and which produces a 32-bit result which is added modulo 2 to the left data half Li-1 . The two data halves are then interchanged (except after the last round). Each round may thus be characterised as: Li = Ri-1 Ri = Li-1 f (Ri-1 ; KLi) (5) f (Ri-1; Ki) = P (S(E(Ri-1 Ki))) The component functions E, S, and P are described later. The key schedule KS is responsible for deriving the sub-keys Ki, and is defined as follows: the 64-bit key K is partitioned into two 32-bit halves KL and KR. In each round i, the sub-key Ki is the current left half of the key KLi-1 . On odd numbered rounds (1, 3, 5, etc), this half is then rotated 12 bits to the left. On even numbered rounds (2, 4, 6, etc), this half is then rotated 13 bits to the left, and the key halves are interchanged. This may be defined for odd numbered rounds as: Ki = KLi-1 KLi = ROL(KLi-1; 13) (6) KRi = KRi-1 This may be defined for even numbered rounds as: Ki = KLi-1 KLi = KRi-1 (7) KRi = ROL(KLi-1; 12) Finally after the 16 rounds, the two output block halves L16 and R16 are then concatenated together to form the output block Y . This is defined as (note the swap of data halves to undo the final interchange in Eq.5): Y = R16 | L16 (8) 12 ___________________________________________________________________ | 3 2 1 0 31 30 29 28 27 26 25 24 | | 27 26 25 24 23 22 21 20 19 18 17 16 | | 19 18 17 16 15 14 13 12 11 10 9 8 | |__11__10____9_____8____7_____6____5_____4____3_____2____1_____0__|_ Table 2: LOKI Expansion Function E Decryption The decryption computation is identical to that used for encryption, save that the partial keys used as input to the function f in each round are calculated in reverse order. The rotations are to the right, and an initial pre-rotation of 8 places is needed to form the key pattern. Function f The encryption function f is a concatenation of a modulo 2 addition and three functions E, S, and P , which takes as input the 32-bit right data half Ri-1 and the 32-bit left key half KLi, and produces a 32-bit result which is added modulo 2 to the left data half Li-1 . f (Ri-1; Ki) = P (S(E(Ri-1 Ki))) (9) The modulo 2 addition of the key and data halves ensures that the output of f will be a complex function of both of these values. The expansion function E takes a 32-bit input and produces a 48-bit output block, composed of four 12-bit blocks which form the inputs to four S-boxes in function f . Function E selects consecutive blocks of twelve bits as inputs to S-boxes S(4), S(3), S(2), and S(1) respectively, as follows: [b3 b2 ::: b0 b31 b30 ::: b24] [b27 b26 ::: b16] [b19 b18 ::: b8] [b11 b10 ::: b0] This is shown in full in Table 2 which specifies the source bit for outputs bits 47 to 0 respectively: The substitution function S provides the confusion component in the LOKI cipher. It takes a 48-bit input and produces a 32-bit output. It is composed of four S-boxes, each of which takes a 12-bit input and produces an 8-bit output, which are concatenated together to form the 32-bit output of S. The 8-bit output from S(4) becomes the most significant byte (bits [31...24]), then the outputs from S(3) (bits[23...16]), S(2) (bits[15...8]), and S(1) (bits [7...0]). In LOKI91 the four S-boxes are 13 ___________________________ |__Row__|_|genrow__|_erow__| | 0 | | 375 | 31 | | 1 | | 379 | 31 | | 2 | | 391 | 31 | | 3 | | 395 | 31 | | 4 | | 397 | 31 | | 5 | | 415 | 31 | | 6 | | 419 | 31 | | 7 | | 425 | 31 | | 8 | | 433 | 31 | | 9 | | 445 | 31 | | 10 | |451 | 31 | | 11 | |463 | 31 | | 12 | |471 | 31 | | 13 | |477 | 31 | | 14 | |487 | 31 | |___15___|_|499____|__31___| Table 3: LOKI S-box Irreducible Polynomials and Exponents identical. The form of each S-box is shown in Fig 4. The 12-bit input is partitioned into two segments: a 4-bit row value row formed from bits [b11 b10 b1 b0], and an 8-bit column value col formed from bits [b9 b8 ::: b3 b2]. The row value row is used to select one of 16 S-functions Sf nrow (col), which then take as input the column value col and produce an 8-bit output value. This is defined as: Sf nrow (col) = (col + ((row * 17) f f16)r&f f16)erow mod grow (10) where genrow is an irreducible polynomial in GF (28), and erow is the (constant 31) exponent used in forming Sf nrow (col). The generators and exponents to be used in the 16 S-functions in LOKI91 are specified in Table 3. For ease of implementation in hardware, this function can also be written as: Sf nrow (col) = (col + ((_____row)|(_____row<< 4))&f f16)31mod grow (11) The permutation function P provides diffusion of the outputs from the four S-boxes across the inputs of all S-boxes in the next round. It takes the 32-bit concatenated outputs from the S-boxes, and distributes them over all the inputs for the next round via a regular wire crossing which takes bits from the outputs of each S-box in turn, as defined in Table 4 which specifies the source bit for output bits 31 to 0 respectively. 14 __________________________________________ | 31 23 15 7 30 22 14 6 | | 29 21 13 5 28 20 12 4 | | 27 19 11 3 26 18 10 2 | |__25__17____9____1____24___16____8____0__| Table 4: LOKI Permutation P Test Data A single test triplet for the LOKI91 primitive is listed below. # Single LOKI91 Certification triplet # data is saved as (key, plaintext, ciphertext) hex triplets # 3849674c2602319e 126898d55e911500 c86caec1e3b7b17e 15 References [1] J. Seberry and J. Pieprzyk, Cryptography: An Introduction to Computer Security. Englewood Cliffs, NJ, Prentice Hall, 1989. [2] E. Biham and A. Shamir, ``Differential Cryptanalysis of DES-like Cryptosystems," Journal of Cryptology, 4, no. 1, 1991, to appear. [3] E. Biham and A. Shamir, ``Differential Cryptanalysis of DES-like Cryptosystems," Weizmann Institute of Science, Rehovot, Israel, Technical Report, 19 July 1990. [4] E. Biham and A. Shamir, ``Differential Cryptanalysis of Feal and N-Hash," in Eurocrypt'91 Abstracts, Brighton, UK, 8-11 April 1991. [5] E. Biham and A. Shamir, ``Differential Cryptanalysis Snefru, Kharfe, REDOC-II, LOKI and Lucifer," in Abstracts Crypto'91, Santa Barbara, Aug. 1991. [6] M. H. Dawson and S. E. Tavares, ``An Expanded Set of S-box Design Criteria Based On Information Theory and Its Relation to Differential-Like Attacks," in Eurocrypt'91 Abstracts, Brighton, UK, 8-11 April 1991. [7] L. Brown, J. Pieprzyk and J. Seberry, ``LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications," in Advances in Cryptology: Auscrypt '90 (Lecture Notes in Computer Science), vol. 453. Berlin: Springer Verlag, pp. 229--236, 1990. [8] J. Pieprzyk, ``Non-Linearity of Exponent Permutations," in Advances in Cryptology - Eurocrypt'89 (Lecture Notes in Computer Science), vol. 434, J. J. Quisquater and J. Vanderwalle, Eds. Berlin: Springer Verlag, pp. 80--92, 1990. [9] L. Brown, J. Pieprzyk, R. Safavi-Naini and J. Seberry, ``A Generalised Testbed for Analysing Block and Stream Ciphers," in Information Security, W. Price and D. Lindsey, Eds. North-Holland, May 1991, to appear. [10] M. Kwan and J. Pieprzyk, ``A General Purpose Technique for Locating Key Scheduling Weaknesses in DES-style Cryptosystems," in Advances in Cryptology - Asiacrypt'91 (Lecture Notes in Computer Science). Berlin: Springer Verlag, 1992, to appear. 16 [11] L. Brown and J. Seberry, ``Key Scheduling in DES Type Cryptosystems," in Advances in Cryptology: Auscrypt '90 (Lecture Notes in Computer Science), vol. 453. Berlin: Springer Verlag, pp. 221--228, 1990. 17