This article is about the encryption algorithm. For other uses of the acronym, see SAFER (disambiguation).
In cryptography, SAFER (Secure And Fast Encryption Routine) is the name of a family of block ciphers designed primarily by James Massey (one of the designers of IDEA) on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule. More recent versions — SAFER+ and SAFER++ — were submitted as candidates to the AES process and the NESSIE project respectively. All of the algorithms in the SAFER family are unpatented and available for unrestricted use.
The first SAFER cipher was SAFER K-64, published by Massey in 1993, with a 64-bit block size. The "K-64" denotes a key size of 64 bits. There was some demand for a version with a larger 128-bit key, and the following year Massey published such a variant incorporating new key schedule designed by the Singapore Ministry for Home affairs: SAFER K-128. However, both Lars Knudsen and Sean Murphy found minor weaknesses in this version, prompting a redesign of the key schedule to one suggested by Knudsen; these variants were named SAFER SK-64 and SAFER SK-128 respectively — the "SK" standing for "Strengthened Key schedule", though the RSA FAQ reports that, "one joke has it that SK really stands for 'Stop Knudsen', a wise precaution in the design of any block cipher".[1] Another variant with a reduced key size was published, SAFER SK-40, to comply with 40-bit export restrictions.
All of these ciphers use the same round function consisting of four stages, as shown in the diagram: a key-mixing stage, a substitution layer, another key-mixing stage, and finally a diffusion layer. In the first key-mixing stage, the plaintext block is divided into eight 8-bit segments, and subkeys are added using either addition modulo 256 (denoted by a "+" in a square) or XOR (denoted by a "+" in a circle). The substitution layer consists of two S-boxes, each the inverse of each other, derived from discrete exponentiation (45x) and logarithm (log45x) functions. After a second key-mixing stage there is the diffusion layer: a novel cryptographic component termed a pseudo-Hadamard transform (PHT). (The PHT was also later used in the Twofish cipher.)
SAFER+ and SAFER++
There are two more-recent members of the SAFER family that have made changes to the main encryption routine, designed by the Armenian cryptographers Gurgen Khachatrian (American University of Armenia) and Melsik Kuregian in conjunction with Massey.
SAFER+ (Massey et al., 1998) was submitted as a candidate for the Advanced Encryption Standard and has a block size of 128 bits. The cipher was not selected as a finalist. Bluetooth uses custom algorithms based on SAFER+ for key derivation (called E21 and E22) and authentication as message authentication codes (called E1). Encryption in Bluetooth does not use SAFER+.[2]
SAFER++ (Massey et al., 2000) was submitted to the NESSIE project in two versions, one with 64 bits, and the other with 128 bits.
James L. Massey: SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. Fast Software Encryption 1993: 1-17
James L. Massey: SAFER K-64: One Year Later. Fast Software Encryption 1994: 212-241
James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES)
Massey, J. L., "Announcement of a Strengthened Key Schedule for the Cipher SAFER", September 9, 1995.
James Massey, Gurgen Khachatrian, Melsik Kuregian, "Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE)," Presented at the First Open NESSIE Workshop, November 2000.
Gurgen Khachatrian, Melsik Kuregian, Karen Ispiryan, James Massey, „Differential analysis of SAFER++ algorithm” – Second NESSIE workshop, Egham, UK, September 12–13, (2001)
Lars R. Knudsen, A Key-schedule Weakness in SAFER K-64. CRYPTO 1995: 274-286.
Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES), Submission document from Cylink Corporation to NIST, June 1998.
Karen Ispiryan “Some family of coordinate permutation for SAFER++” CSIT September 17–20, 2001 Yerevan, Armenia
^RSA Laboratories (2000), "3.6.7 What are some other block ciphers?", RSA Laboratories' Frequently Asked Questions about Today's Cryptography, Version 4.1(PDF), RSA Security Inc., retrieved 2014-06-25[permanent dead link]
^Sil Janssens (2005-01-09). (PDF). Archived from the original (PDF) on 2005-05-13. Retrieved 2007-02-27. {{cite journal}}: Cite journal requires |journal= (help)
External links
256bit Ciphers - SAFER Reference implementation and derived code
John Savard's description of SAFER+
John Savard's description of SAFER K and SAFER SK
SCAN's entry for SAFER K
SCAN's entry for SAFER SK
SCAN's entry for SAFER+
SCAN's entry for SAFER++
Announcement of new key schedule (SAFER SK)
SAFER SK-128 in portable Common Lisp
February 15, 2023
safer, this, article, about, encryption, algorithm, other, uses, acronym, disambiguation, cryptography, secure, fast, encryption, routine, name, family, block, ciphers, designed, primarily, james, massey, designers, idea, behalf, cylink, corporation, early, de. This article is about the encryption algorithm For other uses of the acronym see SAFER disambiguation In cryptography SAFER Secure And Fast Encryption Routine is the name of a family of block ciphers designed primarily by James Massey one of the designers of IDEA on behalf of Cylink Corporation The early SAFER K and SAFER SK designs share the same encryption function but differ in the number of rounds and the key schedule More recent versions SAFER and SAFER were submitted as candidates to the AES process and the NESSIE project respectively All of the algorithms in the SAFER family are unpatented and available for unrestricted use Contents 1 SAFER K and SAFER SK 2 SAFER and SAFER 3 See also 4 References 5 External linksSAFER K and SAFER SK Edit The SAFER K and SAFER SK round function The first SAFER cipher was SAFER K 64 published by Massey in 1993 with a 64 bit block size The K 64 denotes a key size of 64 bits There was some demand for a version with a larger 128 bit key and the following year Massey published such a variant incorporating new key schedule designed by the Singapore Ministry for Home affairs SAFER K 128 However both Lars Knudsen and Sean Murphy found minor weaknesses in this version prompting a redesign of the key schedule to one suggested by Knudsen these variants were named SAFER SK 64 and SAFER SK 128 respectively the SK standing for Strengthened Key schedule though the RSA FAQ reports that one joke has it that SK really stands for Stop Knudsen a wise precaution in the design of any block cipher 1 Another variant with a reduced key size was published SAFER SK 40 to comply with 40 bit export restrictions All of these ciphers use the same round function consisting of four stages as shown in the diagram a key mixing stage a substitution layer another key mixing stage and finally a diffusion layer In the first key mixing stage the plaintext block is divided into eight 8 bit segments and subkeys are added using either addition modulo 256 denoted by a in a square or XOR denoted by a in a circle The substitution layer consists of two S boxes each the inverse of each other derived from discrete exponentiation 45x and logarithm log45x functions After a second key mixing stage there is the diffusion layer a novel cryptographic component termed a pseudo Hadamard transform PHT The PHT was also later used in the Twofish cipher SAFER and SAFER EditThere are two more recent members of the SAFER family that have made changes to the main encryption routine designed by the Armenian cryptographers Gurgen Khachatrian American University of Armenia and Melsik Kuregian in conjunction with Massey SAFER Massey et al 1998 was submitted as a candidate for the Advanced Encryption Standard and has a block size of 128 bits The cipher was not selected as a finalist Bluetooth uses custom algorithms based on SAFER for key derivation called E21 and E22 and authentication as message authentication codes called E1 Encryption in Bluetooth does not use SAFER 2 SAFER Massey et al 2000 was submitted to the NESSIE project in two versions one with 64 bits and the other with 128 bits See also EditSubstitution permutation network Confusion and diffusionReferences EditAlex Biryukov Christophe De Canniere Gustaf Dellkrantz Cryptanalysis of SAFER CRYPTO 2003 195 211 Lars R Knudsen A Detailed Analysis of SAFER K J Cryptology 13 4 417 436 2000 James L Massey SAFER K 64 A Byte Oriented Block Ciphering Algorithm Fast Software Encryption 1993 1 17 James L Massey SAFER K 64 One Year Later Fast Software Encryption 1994 212 241 James Massey Gurgen Khachatrian Melsik Kuregian Nomination of SAFER as Candidate Algorithm for the Advanced Encryption Standard AES Massey J L Announcement of a Strengthened Key Schedule for the Cipher SAFER September 9 1995 James Massey Gurgen Khachatrian Melsik Kuregian Nomination of SAFER as Candidate Algorithm for the New European Schemes for Signatures Integrity and Encryption NESSIE Presented at the First Open NESSIE Workshop November 2000 Gurgen Khachatrian Melsik Kuregian Karen Ispiryan James Massey Differential analysis of SAFER algorithm Second NESSIE workshop Egham UK September 12 13 2001 Lars R Knudsen A Key schedule Weakness in SAFER K 64 CRYPTO 1995 274 286 Lars R Knudsen Thomas A Berson Truncated Differentials of SAFER Fast Software Encryption 1996 15 26 Nomination of SAFER as Candidate Algorithm for the Advanced Encryption Standard AES Submission document from Cylink Corporation to NIST June 1998 Karen Ispiryan Some family of coordinate permutation for SAFER CSIT September 17 20 2001 Yerevan Armenia RSA Laboratories 2000 3 6 7 What are some other block ciphers RSA Laboratories Frequently Asked Questions about Today s Cryptography Version 4 1 PDF RSA Security Inc retrieved 2014 06 25 permanent dead link Sil Janssens 2005 01 09 Preliminary study Bluetooth Security PDF Archived from the original PDF on 2005 05 13 Retrieved 2007 02 27 a href Template Cite journal html title Template Cite journal cite journal a Cite journal requires journal help External links Edit256bit Ciphers SAFER Reference implementation and derived code John Savard s description of SAFER John Savard s description of SAFER K and SAFER SK SCAN s entry for SAFER K SCAN s entry for SAFER SK SCAN s entry for SAFER SCAN s entry for SAFER Announcement of new key schedule SAFER SK SAFER SK 128 in portable Common Lisp Retrieved from https en wikipedia org w index php title SAFER amp oldid 1084898182, wikipedia, wiki, book, books, library,
