SAFER
- This article is about the encryption algorithm. For the SAFER unit used on spacewalks, see Simplified Aid for EVA Rescue.
Table of contents |
2 SAFER+ and SAFER++ 3 See also 4 References 5 External links |
SAFER K and SAFER SK
The first SAFER cipher was SAFER K-64, published by Massey in 1993, with a 64-bit block size. The "K-64" denotes a key size of 64 bits. There was some demand for a version with a larger 128-bit key, and the following year Massey published such a variant incorporating new key schedule designed by the Singapore Ministry for Home affairs: SAFER K-128. However, both Lars Knudsen and Sean Murphy found minor weaknesses in this version, prompting a redesign of the key schedule to one suggested by Knudsen; these variants were named SAFER SK-64 and SAFER SK-128 respectively — the "SK" standing for "Strengthened Key schedule", though the RSA FAQ reports that, "one joke has it that SK really stands for 'Stop Knudsen', a wise precaution in the design of any block cipher". Another variant with a reduced key size was published, SAFER SK-40, to comply with 40-bit export restrictions.
All of these ciphers use the same round function consisting of four stages, as shown in the diagram: a key-mixing stage, a substitution layer, another key-mixing stage, and finally a diffusion layer. In the first key-mixing stage, the plaintext block is divided into eight 8-bit segments, and subkeys are added using either addition modulo 256 (denoted by a "+" in a square) or XOR (denoted by a "+" in a circle). The substitution layer consists of two S-boxes, each the inverse of each other, derived from discrete exponentiation (45^{x}) and logarithm (log_{45}x) functions. After a second key-mixing stage there is the diffusion layer: a novel cryptographic component termed a Pseudo-Hadamard Transform (PHT). The PHT was later used in the Twofish cipher.)
SAFER+ and SAFER++
There are two more-recent members of the SAFER family that have made changes to the main encryption routine, designed by the Armenian cryptographers Gurgen Khachatrian and Melsik Kuregian in conjunction with Massey.
- SAFER+ (Massey et al, 1998) was submitted as a candidate for the Advanced Encryption Standard and has a block size of 128 bits. The cipher was not selected as a finalist. SAFER+ was included in the Bluetooth standard as an algorithm for authentication and key generation.
- SAFER++ (Massey et al, 2000) was submitted to the NESSIE project in two versions, one with 64 bits, and the other with 128 bits.
See also
References
- Alex Biryukov, Christophe De Cannière, Gustaf Dellkrantz: Cryptanalysis of SAFER++. CRYPTO 2003: 195-211
- Lars R. Knudsen: A Detailed Analysis of SAFER K. J. Cryptology 13(4): 417-436 (2000)
- James L. Massey: SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. Fast Software Encryption 1993: 1-17
- James L. Massey: SAFER K-64: One Year Later. Fast Software Encryption 1994: 212-241
- James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES)
- Massey, J. L., "Announcement of a Strengthened Key Schedule for the Cipher SAFER", September 9, 1995.
- James Massey, Gurgen Khachatrian, Melsik Kuregian, "Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE)," Presented at the First Open NESSIE Workshop, November 2000.
- Lars R. Knudsen: A Key-schedule Weakness in SAFER K-64. CRYPTO 1995: 274-286
- Lars R. Knudsen, Thomas A. Berson: Truncated Differentials of SAFER. Fast Software Encryption 1996: 15-26
- Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES), Submission document from Cylink Corporation to NIST, June 1998.
External links
- John Savard's description of SAFER+
- John Savard's description of SAFER K and SAFER SK
- SCAN's entry for SAFER K
- SCAN's entry for SAFER SK
- SCAN's entry for SAFER+
- SCAN's entry for SAFER++
- Announcement of new key schedule (SAFER SK)
Block ciphers |
Algorithms: 3-Way | AES | Blowfish | Camellia | CAST-128 | CAST-256 | CMEA | DEAL | DES | DES-X | FEAL | G-DES | GOST | IDEA | Iraqi | KASUMI | KHAZAD | Khufu and Khafre; | LOKI89/91 | LOKI97 | Lucifer | MacGuffin | Madryga | MAGENTA | MARS | MISTY1 | MMB | NewDES | RC2 | RC5 | RC6 | Red Pike; | S-1 | SAFER | Serpent | SHARK | Skipjack | Square | TEA | Triple DES; | Twofish | XTEA |
Design: Feistel network; | Key schedule; | Product cipher; | S-box | SPN Attacks: Brute force; | Linear / Differential cryptanalysis | Mod n; | XSL Standardisation: AES process; | CRYPTREC | NESSIE Misc: Avalanche effect | Block size; | IV | Key size; | Modes of operation; | Piling-up lemma; | Weak key; |