Newsgroups: sci.crypt

Subject: Re: safer algo
Date: 1 Nov 1994 01:01:18 -0000
Organization: Delphi Internet Services Corporation
Lines: 38
Message-ID: <39440u$>
References: <38qj70$>
NNTP-Posting-Host: (Thomas Yip) writes:

>Anyone out there know anything about 'SAFER' algo?  Where can I find the 
>source code?  Appreciate any help.  Thanks.

Yes.  The SAFER K-64 algorithm was designed by James Massey for Cylink, and
was presented at the Cambridge Security Workshop in December 1993.  It's 
basically a nice, byte-oriented product cipher.  SAFER is N rounds (I think
N should be at least 6) of
1.  Alternately XOR and ADD in expanded key bytes.
2.  Alternately substitute the discrete log base 45 mod 257, or 45 ** x mod
    257, for each byte.  (There are two tables, one for the discrete log, one
    for the exponential.  These appear to have been chosen as a way of 
    guaranteeing some nonlinearity conditions for the s-boxes, and they 
    allow the cipher to mix four incompatible operations, using the same 
    design principle as IDEA.)
3.  Alternately ADD and XOR in expanded key bytes.
4.  Mix the resulting 8-byte output block using something called the "pseudo-
    Hadamard transform," or PHT.  This mixes two bytes at a time like this:
    PHT(a,b) --> a = a + b; b = b + a;
    This is applied to different pairs of bytes three times, so that
    each input byte has an effect on each output byte.
Then, it ends by doing one final XOR/ADD of key material.
Basically, the PHT is a wonderfully efficient way to deal with getting
fast diffusion.  The ADD/LOG/XOR operations that occur for each byte in 
each round look like they make things pretty strongly nonlinear.  
   You can find a PASCAL implementation in the proceedings from the security
workshop, Springer-Verlag Lecture Notes in Computer Science #809.  If you
get a C/C++ implementation working, I'd like to see it--for some reason, 
I kept having problems with my key scheduling or something when I tried 
to hack one out.

   --John Kelsey,
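
The byte tables and the three-layer PHT mixing described in the post above, as an added C example that is not part of the original post and not the reference implementation from the proceedings. The pairing of bytes in each PHT layer, the function names and the sample block are assumptions made for illustration; key mixing and the key schedule are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

uint8_t exp_tab[256], log_tab[256];

/* exp_tab[x] = 45**x mod 257; log_tab is its inverse (discrete log base 45).
   The single value 256 (at x = 128) is stored as 0 so it fits in one byte. */
void build_tables(void)
{
    unsigned v = 1;
    for (int x = 0; x < 256; x++) {
        exp_tab[x] = (uint8_t)v;
        log_tab[(uint8_t)v] = (uint8_t)x;
        v = (v * 45) % 257;
    }
}

/* PHT exactly as written in the post: a = a + b; b = b + a; (mod 256). */
static void pht(uint8_t *a, uint8_t *b) { *a += *b; *b += *a; }

/* Three PHT layers over an 8-byte block. Assumption for this example: the
   layers pair bytes whose indices differ by 1, then by 2, then by 4. */
void mix(uint8_t x[8])
{
    for (int s = 1; s < 8; s <<= 1)
        for (int i = 0; i < 8; i++)
            if (!(i & s)) pht(&x[i], &x[i | s]);
}

/* Number of output bytes that differ when input byte pos is changed by delta. */
int changed_outputs(int pos, uint8_t delta)
{
    uint8_t p[8] = {0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe}; /* constructed */
    uint8_t q[8];
    int n = 0;
    memcpy(q, p, sizeof q);
    q[pos] = (uint8_t)(q[pos] + delta);
    mix(p); mix(q);
    for (int i = 0; i < 8; i++)
        n += (p[i] != q[i]);
    return n;
}

int main(void)
{
    build_tables();
    printf("exp[1]=%u exp[128]=%u log[45]=%u\n", exp_tab[1], exp_tab[128], log_tab[45]);
    printf("byte 0 changed by 1: %d of 8 outputs differ\n", changed_outputs(0, 1));
    return 0;
}
```

Because the PHT is linear mod 256, a change confined to the top bit of an input byte is cancelled wherever its combined coefficient is even: with this pairing, `changed_outputs(7, 0x80)` returns 1, not 8.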