Path: illuminati.io.com!uunet!cs.utexas.edu!math.ohio-state.edu!jussieu.fr!nef.ens.fr!vaudenay
From: vaudenay@dmi.ens.fr (Serge Vaudenay)
Newsgroups: sci.crypt

Subject: Re: safer algo
Date: 1 Nov 1994 10:09:17 GMT
Organization: Ecole Normale Superieure, Paris, France
Lines: 28
Distribution: world
Message-ID: <39544d$cms@nef.ens.fr>
References: <38qj70$4bi@raffles.technet.sg> <39440u$2jr@news.delphi.com>
NNTP-Posting-Host: morille.ens.fr

In article <39440u$2jr@news.delphi.com>, jmkelsey@news.delphi.com (JMKELSEY@DELPHI.COM) writes:
|> tcyip@solomon.technet.sg (Thomas Yip) writes:
|> 
|> >Anyone out there know anything about the 'SAFER' algo?  Where can I find the 
|> >source code?  Appreciate any help.  Thanks.
|> 
|> Yes.  The SAFER K-64 algorithm was designed by James Massey for Cylink, and
|> was presented at the Cambridge Security Workshop in December 1993.  It's 
|> basically a nice, byte-oriented product cipher.  SAFER is N rounds (I think
|> N should be at least 6) of
|>
|> 1.  Alternately XOR and ADD in expanded key bytes.
|> 2.  Alternately substitute the discrete log base 45 mod 257, or 45 ** x mod
|>     257, for each byte.  (There are two tables, one for the discrete log, one
|>     for the exponential.  These appear to have been chosen as a way of 
|>     guaranteeing some nonlinearity conditions for the s-boxes, and they 
|>     allow the cipher to mix four incompatible operations, using the same 
|>     design principle as IDEA.)
|> [...]


Just let me add that a known plaintext attack will be presented next December
against SAFER with N=6 in which the log_45 is replaced by a random permutation.
This attack does not work with the log_45, but it shows both the weakness of
the general shape of SAFER and the strength of the particular design chosen
by James Massey.

  --Serge
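The two S-box tables and the alternating XOR/ADD key mixing described in the quoted post, as an added Python example (not code from the post, from Massey or from Cylink): it derives exp/log from the generator 45 mod 257 and applies the nonlinear part of one SAFER K-64 round together with its inverse. The byte-position pattern (bytes 1,4,5,8 versus 2,3,6,7) is taken from the published SAFER K-64 description rather than this thread, and the key bytes are constructed sample values, not SAFER's key schedule.

```python
# Added example (not from the post): build the SAFER K-64 S-boxes from the
# generator 45 mod 257 and apply the nonlinear layer of one round, plus its inverse.
# Key bytes below are constructed sample values, not SAFER's key schedule.

def build_safer_tables():
    """exp[x] = 45**x mod 257 (256 stored as byte 0); log is its inverse."""
    exp, log = [0] * 256, [0] * 256
    v = 1
    for x in range(256):
        exp[x] = v % 256          # only x = 128 gives 256, encoded as byte 0
        log[exp[x]] = x
        v = (v * 45) % 257
    return exp, log

EXP, LOG = build_safer_tables()

# 0-based positions that take XOR / exp / ADD versus ADD / log / XOR
# (assumed from the published SAFER K-64 round description).
XOR_POS = (0, 3, 4, 7)
ADD_POS = (1, 2, 5, 6)

def nonlinear_layer(block, k_a, k_b):
    """Key-mix with k_a, substitute, key-mix with k_b (quoted steps 1-2)."""
    assert len(block) == len(k_a) == len(k_b) == 8
    out = list(block)
    for i in XOR_POS:
        out[i] = (EXP[out[i] ^ k_a[i]] + k_b[i]) & 0xFF
    for i in ADD_POS:
        out[i] = LOG[(out[i] + k_a[i]) & 0xFF] ^ k_b[i]
    return bytes(out)

def inverse_nonlinear_layer(block, k_a, k_b):
    """Undo nonlinear_layer by reversing each step in reverse order."""
    out = list(block)
    for i in XOR_POS:
        out[i] = LOG[(out[i] - k_b[i]) & 0xFF] ^ k_a[i]
    for i in ADD_POS:
        out[i] = (EXP[out[i] ^ k_b[i]] - k_a[i]) & 0xFF
    return bytes(out)

def tables_are_inverse():
    """True when exp is a bijection on bytes and log undoes it everywhere."""
    return sorted(EXP) == list(range(256)) and all(LOG[EXP[x]] == x for x in range(256))

if __name__ == "__main__":
    pt = bytes(range(8))
    ka, kb = bytes([0x5A] * 8), bytes([0xA5] * 8)   # constructed sample key bytes
    ct = nonlinear_layer(pt, ka, kb)
    assert tables_are_inverse() and inverse_nonlinear_layer(ct, ka, kb) == pt
```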