In
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, SAFER (Secure And Fast Encryption Routine) is the name of a family of
block ciphers designed primarily by
James Massey
James Lee Massey (February 11, 1934 – June 16, 2013) was an American information theorist and
cryptographer, Professor Emeritus of Digital Technology at ETH Zurich. His notable work includes the application of the Berlekamp–Massey algorithm ...
(one of the designers of
IDEA
In common usage and in philosophy, ideas are the results of thought. Also in philosophy, ideas can also be mental representational images of some object. Many philosophers have considered ideas to be a fundamental ontological category of bei ...
) on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the same
encryption
In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can de ...
function, but differ in the number of rounds and the
key schedule. More recent versions — SAFER+ and SAFER++ — were submitted as candidates to the
AES process
The Advanced Encryption Standard (AES), the symmetric block cipher ratified as a standard by National Institute of Standards and Technology of the United States (NIST), was chosen using a process lasting from 1997 to 2000 that was markedly more ...
and the
NESSIE
NESSIE (New European Schemes for Signatures, Integrity and Encryption) was a European research project funded from 2000 to 2003 to identify secure cryptographic primitives. The project was comparable to the NIST AES process and the Japanese Gov ...
project respectively. All of the algorithms in the SAFER family are unpatented and available for unrestricted use.
SAFER K and SAFER SK
The first SAFER cipher was SAFER K-64, published by Massey in 1993, with a 64-bit
block size. The "K-64" denotes a
key size
In cryptography, key size, key length, or key space refer to the number of bits in a key used by a cryptographic algorithm (such as a cipher).
Key length defines the upper-bound on an algorithm's security (i.e. a logarithmic measure of the faste ...
of 64 bits. There was some demand for a version with a larger 128-bit
key, and the following year Massey published such a variant incorporating new key schedule designed by the
Singapore
Singapore (), officially the Republic of Singapore, is a sovereign island country and city-state in maritime Southeast Asia. It lies about one degree of latitude () north of the equator, off the southern tip of the Malay Peninsula, bor ...
Ministry for Home affairs: SAFER K-128. However, both
Lars Knudsen
Lars Ramkilde Knudsen (born 21 February 1962) is a Danish researcher in cryptography, particularly interested in the design and analysis of block ciphers, hash functions and message authentication codes (MACs).
Academic
After some early work ...
and
Sean Murphy found minor weaknesses in this version, prompting a redesign of the key schedule to one suggested by Knudsen; these variants were named SAFER SK-64 and SAFER SK-128 respectively — the "SK" standing for "Strengthened Key schedule", though the
RSA FAQ reports that, "one joke has it that SK really stands for 'Stop Knudsen', a wise precaution in the design of any block cipher".
Another variant with a reduced key size was published, SAFER SK-40, to comply with
40-bit export restrictions.
All of these ciphers use the same round function consisting of four stages, as shown in the diagram: a key-mixing stage, a substitution layer, another key-mixing stage, and finally a diffusion layer. In the first key-mixing stage, the plaintext block is divided into eight 8-bit segments, and subkeys are added using either addition modulo 256 (denoted by a "+" in a square) or
XOR (denoted by a "+" in a circle). The substitution layer consists of two
S-box
In cryptography, an S-box (substitution-box) is a basic component of symmetric key algorithms which performs substitution. In block ciphers, they are typically used to obscure the relationship between the key and the ciphertext, thus ensuring Shan ...
es, each the inverse of each other, derived from discrete
exponentiation
Exponentiation is a mathematical operation, written as , involving two numbers, the '' base'' and the ''exponent'' or ''power'' , and pronounced as " (raised) to the (power of) ". When is a positive integer, exponentiation corresponds to r ...
(45
''x'') and
logarithm
In mathematics, the logarithm is the inverse function to exponentiation. That means the logarithm of a number to the base is the exponent to which must be raised, to produce . For example, since , the ''logarithm base'' 10 of ...
(log
45x) functions. After a second key-mixing stage there is the diffusion layer: a novel cryptographic component termed a
pseudo-Hadamard transform The pseudo-Hadamard transform is a reversible transformation of a bit string that provides cryptographic diffusion. See Hadamard transform.
The bit string must be of even length so that it can be split into two bit strings ''a'' and ''b'' of equa ...
(PHT). (The PHT was also later used in the
Twofish
In cryptography, Twofish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits. It was one of the five finalists of the Advanced Encryption Standard contest, but it was not selected for standardization. T ...
cipher.)
SAFER+ and SAFER++
There are two more-recent members of the SAFER family that have made changes to the main encryption routine, designed by the Armenian cryptographers Gurgen Khachatrian (American University of Armenia) and Melsik Kuregian in conjunction with Massey.
* SAFER+ (Massey et al., 1998) was submitted as a candidate for the
Advanced Encryption Standard
The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.
AES is a varian ...
and has a block size of 128 bits. The cipher was not selected as a finalist.
Bluetooth
Bluetooth is a short-range wireless technology standard that is used for exchanging data between fixed and mobile devices over short distances and building personal area networks (PANs). In the most widely used mode, transmission power is limi ...
uses custom algorithms based on SAFER+ for key derivation (called E21 and E22) and authentication as
message authentication codes (called E1). Encryption in Bluetooth does not use SAFER+.
* SAFER++ (Massey et al., 2000) was submitted to the
NESSIE
NESSIE (New European Schemes for Signatures, Integrity and Encryption) was a European research project funded from 2000 to 2003 to identify secure cryptographic primitives. The project was comparable to the NIST AES process and the Japanese Gov ...
project in two versions, one with 64 bits, and the other with 128 bits.
See also
*
Substitution–permutation network
*
Confusion and diffusion
References
*
Alex Biryukov, Christophe De Cannière, Gustaf Dellkrantz: Cryptanalysis of SAFER++.
CRYPTO 2003: 195-211
*
Lars R. Knudsen: A Detailed Analysis of SAFER K.
J. Cryptology 13(4): 417-436 (2000)
* James L. Massey: SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm.
Fast Software Encryption
Fast or FAST may refer to:
* Fast (noun), high speed or velocity
* Fast (noun, verb), to practice fasting, abstaining from food and/or water for a certain period of time
Acronyms and coded Computing and software
* ''Faceted Application of Subje ...
1993: 1-17
* James L. Massey: SAFER K-64: One Year Later. Fast Software Encryption 1994: 212-241
* James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES)
* Massey, J. L., "Announcement of a Strengthened Key Schedule for the Cipher SAFER", September 9, 1995.
* James Massey, Gurgen Khachatrian, Melsik Kuregian, "Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE)," Presented at the First Open NESSIE Workshop, November 2000.
* Gurgen Khachatrian, Melsik Kuregian, Karen Ispiryan, James Massey, „Differential analysis of SAFER++ algorithm” – Second NESSIE workshop, Egham, UK, September 12–13, (2001)
*
Lars R. Knudsen, A Key-schedule Weakness in SAFER K-64. CRYPTO 1995: 274-286.
*
Lars R. Knudsen,
Thomas A. Berson, "Truncated Differentials of SAFER". Fast Software Encryption 1996: 15-26
* Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES), Submission document from Cylink Corporation to NIST, June 1998.
* Karen Ispiryan “Some family of coordinate permutation for SAFER++” CSIT September 17–20, 2001 Yerevan, Armenia
External links
256bit Ciphers - SAFER Reference implementation and derived codeAnnouncement of new key schedule (SAFER SK)SAFER SK-128 in portable Common Lisp
{{Cryptography navbox , block
Block ciphers