SAFER

In cryptography, SAFER (Secure And Fast Encryption Routine) is the name of a family of block ciphers designed primarily by James Massey (one of the designers of IDEA) on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule. More recent versions — SAFER+ and SAFER++ — were submitted as candidates to the AES process and the NESSIE project respectively. All of the algorithms in the SAFER family are unpatented and available for unrestricted use.

AFER K and SAFER SK

The first SAFER cipher was SAFER K-64, published by Massey in 1993, with a 64-bit block size. The "K-64" denotes a key size of 64 bits. There was some demand for a version with a larger 128-bit key, and the following year Massey published such a variant incorporating new key schedule designed by the Singapore Ministry for Home affairs: SAFER K-128. However, both Lars Knudsen and Sean Murphy found minor weaknesses in this version, prompting a redesign of the key schedule to one suggested by Knudsen; these variants were named SAFER SK-64 and SAFER SK-128 respectively — the "SK" standing for "Strengthened Key schedule", though the RSA FAQ reports that, "one joke has it that SK really stands for 'Stop Knudsen', a wise precaution in the design of any block cipher". Another variant with a reduced key size was published, SAFER SK-40, to comply with 40-bit export restrictions.

All of these ciphers use the same round function consisting of four stages, as shown in the diagram: a key-mixing stage, a substitution layer, another key-mixing stage, and finally a diffusion layer. In the first key-mixing stage, the plaintext block is divided into eight 8-bit segments, and subkeys are added using either addition modulo 256 (denoted by a "+" in a square) or XOR (denoted by a "+" in a circle). The substitution layer consists of two S-boxes, each the inverse of each other, derived from discrete exponentiation (45^"x") and logarithm (log₄₅x) functions. After a second key-mixing stage there is the diffusion layer: a novel cryptographic component termed a pseudo-Hadamard transform (PHT). (The PHT was also later used in the Twofish cipher.)

AFER+ and SAFER++

There are two more-recent members of the SAFER family that have made changes to the main encryption routine, designed by the Armenian cryptographers Gurgen Khachatrian and Melsik Kuregian in conjunction with Massey.

* SAFER+ (Massey et al, 1998) was submitted as a candidate for the Advanced Encryption Standard and has a block size of 128 bits. The cipher was not selected as a finalist. Bluetooth uses custom algorithms based on SAFER+ for key derivation (called E21 and E22) and authentication as message authentication codes (called E1). Encryption in Bluetooth does not use SAFER+.cite paper |author=Sil Janssens |date=2005-01-09 |title=Preliminary study: Bluetooth Security |url=http://student.vub.ac.be/~sijansse/2e%20lic/BT/Voorstudie/PreliminaryStudy.pdf |accessdate=2007-02-27 ]
* SAFER++ (Massey et al, 2000) was submitted to the NESSIE project in two versions, one with 64 bits, and the other with 128 bits.

ee also

* Substitution-permutation network
* Confusion and diffusion

References

* Alex Biryukov, Christophe De Cannière, Gustaf Dellkrantz: Cryptanalysis of SAFER++. CRYPTO 2003: 195-211
* Lars R. Knudsen: A Detailed Analysis of SAFER K. J. Cryptology 13(4): 417-436 (2000)
* James L. Massey: SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. Fast Software Encryption 1993: 1-17
* James L. Massey: SAFER K-64: One Year Later. Fast Software Encryption 1994: 212-241
* James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES)
* Massey, J. L., "Announcement of a Strengthened Key Schedule for the Cipher SAFER", September 9, 1995.
* James Massey, Gurgen Khachatrian, Melsik Kuregian, "Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE)," Presented at the First Open NESSIE Workshop, November 2000.
* Gurgen Khachatrian, Melsik Kuregian, Karen Ispiryan, James Massey, „Differential analysis of SAFER++ algorithm” – Second NESSIE workshop, Egham, UK, September 12-13, (2001)
* Lars R. Knudsen, A Key-schedule Weakness in SAFER K-64. CRYPTO 1995: 274-286.
* Lars R. Knudsen, Thomas A. Berson, "Truncated Differentials of SAFER". Fast Software Encryption 1996: 15-26
* Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES), Submission document from Cylink Corporation to NIST, June 1998.
* Karen Ispiryan “Some family of coordinate permutation for SAFER++” CSIT September 17-20, 2001 Yerevan, Armenia

External links

* [http://www.quadibloc.com/crypto/co040407.htm John Savard's description of SAFER+]
* [http://www.quadibloc.com/crypto/co040301.htm John Savard's description of SAFER K and SAFER SK]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER-K SCAN's entry for SAFER K]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER-SK SCAN's entry for SAFER SK]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER+ SCAN's entry for SAFER+]
* [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER++ SCAN's entry for SAFER++]
* [http://groups.google.com/groups?selm=4336pm%24e9t%40net.auckland.ac.nz Announcement of new key schedule (SAFER SK)]