- SAFER
In
cryptography , SAFER (Secure And Fast Encryption Routine) is the name of a family ofblock cipher s designed primarily byJames Massey (one of the designers of IDEA) on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the sameencryption function, but differ in the number of rounds and thekey schedule . More recent versions — SAFER+ and SAFER++ — were submitted as candidates to theAES process and theNESSIE project respectively. All of the algorithms in the SAFER family are unpatented and available for unrestricted use.AFER K and SAFER SK
The first SAFER cipher was SAFER K-64, published by Massey in
1993 , with a 64-bit block size. The "K-64" denotes akey size of 64 bits. There was some demand for a version with a larger 128-bit key, and the following year Massey published such a variant incorporating new key schedule designed by theSingapore Ministry for Home affairs: SAFER K-128. However, bothLars Knudsen and Sean Murphy found minor weaknesses in this version, prompting a redesign of the key schedule to one suggested by Knudsen; these variants were named SAFER SK-64 and SAFER SK-128 respectively — the "SK" standing for "Strengthened Key schedule", though the RSA FAQ reports that, "one joke has it that SK really stands for 'Stop Knudsen', a wise precaution in the design of any block cipher". Another variant with a reduced key size was published, SAFER SK-40, to comply with 40-bit export restrictions.All of these ciphers use the same round function consisting of four stages, as shown in the diagram: a key-mixing stage, a substitution layer, another key-mixing stage, and finally a diffusion layer. In the first key-mixing stage, the plaintext block is divided into eight 8-bit segments, and subkeys are added using either addition modulo 256 (denoted by a "+" in a square) or
XOR (denoted by a "+" in a circle). The substitution layer consists of twoS-box es, each the inverse of each other, derived from discreteexponentiation (45"x") andlogarithm (log45x) functions. After a second key-mixing stage there is the diffusion layer: a novel cryptographic component termed apseudo-Hadamard transform (PHT). (The PHT was also later used in theTwofish cipher.)AFER+ and SAFER++
There are two more-recent members of the SAFER family that have made changes to the main encryption routine, designed by the Armenian cryptographers Gurgen Khachatrian and Melsik Kuregian in conjunction with Massey.
* SAFER+ (Massey et al, 1998) was submitted as a candidate for the Advanced Encryption Standard and has a block size of 128 bits. The cipher was not selected as a finalist.
Bluetooth uses custom algorithms based on SAFER+ for key derivation (called E21 and E22) and authentication asmessage authentication code s (called E1). Encryption in Bluetooth does not use SAFER+.cite paper |author=Sil Janssens |date=2005-01-09 |title=Preliminary study: Bluetooth Security |url=http://student.vub.ac.be/~sijansse/2e%20lic/BT/Voorstudie/PreliminaryStudy.pdf |accessdate=2007-02-27 ]
* SAFER++ (Massey et al, 2000) was submitted to theNESSIE project in two versions, one with 64 bits, and the other with 128 bits.ee also
*
Substitution-permutation network
*Confusion and diffusion References
*
Alex Biryukov , Christophe De Cannière, Gustaf Dellkrantz: Cryptanalysis of SAFER++.CRYPTO 2003: 195-211
*Lars R. Knudsen : A Detailed Analysis of SAFER K.J. Cryptology 13(4): 417-436 (2000)
* James L. Massey: SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm.Fast Software Encryption 1993: 1-17
* James L. Massey: SAFER K-64: One Year Later. Fast Software Encryption 1994: 212-241
* James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES)
* Massey, J. L., "Announcement of a Strengthened Key Schedule for the Cipher SAFER", September 9, 1995.
* James Massey, Gurgen Khachatrian, Melsik Kuregian, "Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE)," Presented at the First Open NESSIE Workshop, November 2000.
* Gurgen Khachatrian, Melsik Kuregian, Karen Ispiryan, James Massey, „Differential analysis of SAFER++ algorithm” – Second NESSIE workshop, Egham, UK, September 12-13, (2001)
*Lars R. Knudsen , A Key-schedule Weakness in SAFER K-64. CRYPTO 1995: 274-286.
*Lars R. Knudsen , Thomas A. Berson, "Truncated Differentials of SAFER". Fast Software Encryption 1996: 15-26
* Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES), Submission document from Cylink Corporation to NIST, June 1998.
* Karen Ispiryan “Some family of coordinate permutation for SAFER++” CSIT September 17-20, 2001 Yerevan, ArmeniaExternal links
* [http://www.quadibloc.com/crypto/co040407.htm John Savard's description of SAFER+]
* [http://www.quadibloc.com/crypto/co040301.htm John Savard's description of SAFER K and SAFER SK]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER-K SCAN's entry for SAFER K]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER-SK SCAN's entry for SAFER SK]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER+ SCAN's entry for SAFER+]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER++ SCAN's entry for SAFER++]
* [http://groups.google.com/groups?selm=4336pm%24e9t%40net.auckland.ac.nz Announcement of new key schedule (SAFER SK)]
Wikimedia Foundation. 2010.