From: (Serge Vaudenay)
Newsgroups: sci.crypt

Subject: Re: safer algo
Date: 1 Nov 1994 10:09:17 GMT
Organization: Ecole Normale Superieure, Paris, France
Lines: 28
Distribution: world
Message-ID: <39544d$>
References: <38qj70$> <39440u$>

In article <39440u$>, (JMKELSEY@DELPHI.COM) writes:
|> (Thomas Yip) writes:
|> >Anyone out there know anything about 'SAFER" algo?  Where can I find the 
|> >source code?  Appreciate any help.  Thanks.
|> Yes.  The SAFER K-64 algorithm was designed by James Massey for Cylink, and
|> was presented at the Cambridge Security Workshop in December 1993.  It's 
|> basically a nice, byte-oriented product cipher.  SAFER is N rounds (I think
|> N should be at least 6) of
|> 1.  Alternately XOR and ADD in expanded key bytes.
|> 2.  Alternately substitute the discrete log base 45 mod 257, or 45 ** x mod
|>     257, for each byte.  (There are two tables, one for the discrete log, one
|>     for the exponential.  These appear to have been chosen as a way of 
|>     guaranteeing some nonlinearity conditions for the s-boxes, and they 
|>     allow the cipher to mix four incompatible operations, using the same 
|>     design principle as IDEA.)
|> [...]

Just let me add that a known plaintext attack will be presented next December
against SAFER with N=6 in which the log_45 is replaced by a random permutation.
This attack does not work with the log_45, but it shows both the weakness of
the general shape of SAFER and the strength of the particular design chosen
by James Massey.
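The 45 ** x mod 257 substitution and the XOR/ADD key mixing quoted above, as an added worked example (not code from the original post, nor Massey's or Cylink's implementation). The storage of 45**128 = 256 as the byte 0 and the choice of which byte positions get XOR+exp versus ADD+log follow the published SAFER K-64 description and are assumptions not stated in this thread.

```python
# Added example (not code from the original post, nor Cylink's or
# Massey's implementation): build SAFER's two byte substitution tables
# from the "45 ** x mod 257" description and check that the key-mixing
# plus substitution step described above is invertible.

MODULUS = 257     # prime; 45 is a primitive root mod 257
GENERATOR = 45

def build_exp_table():
    """exp_tab[x] = 45**x mod 257.  45**128 = 256 does not fit in a byte,
    so it is stored as 0 (the convention of the published SAFER tables)."""
    table, value = [], 1
    for _ in range(256):
        table.append(value % 256)          # only 256 is changed, to 0
        value = (value * GENERATOR) % MODULUS
    return table

def build_log_table(exp_tab):
    """Inverse of exp_tab: log_tab[45**x mod 257] = x, log_tab[0] = 128."""
    log_tab = [0] * 256
    for x, y in enumerate(exp_tab):
        log_tab[y] = x
    return log_tab

EXP = build_exp_table()
LOG = build_log_table(EXP)

# Which of the 8 block bytes get XOR+exp versus ADD+log in SAFER K-64
# (bytes 1,4,5,8 vs. 2,3,6,7 in the 1-based numbering of the spec; assumed).
XOR_POSITIONS = (0, 3, 4, 7)

def nonlinear_layer(block, subkey):
    """Mix in one 8-byte subkey and apply the byte substitutions."""
    out = []
    for i, (b, k) in enumerate(zip(block, subkey)):
        if i in XOR_POSITIONS:
            out.append(EXP[b ^ k])
        else:
            out.append(LOG[(b + k) % 256])
    return bytes(out)

def nonlinear_layer_inverse(block, subkey):
    """Undo nonlinear_layer: log undoes exp (then XOR), exp undoes log (then SUB)."""
    out = []
    for i, (b, k) in enumerate(zip(block, subkey)):
        if i in XOR_POSITIONS:
            out.append(LOG[b] ^ k)
        else:
            out.append((EXP[b] - k) % 256)
    return bytes(out)
```

Because 45 is a primitive root mod 257, the exp table is a permutation of all 256 byte values and the log table is its exact inverse, which is what lets the same tables serve both encryption and decryption.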