+     swrinde!pipex!!!news
From: Andrew Haley 
Newsgroups: sci.crypt.research

Subject: SAFER K-64
Date: 30 Nov 1994 14:35:29 GMT
Organization: None
Lines: 17
Message-ID: <3bi2jh$>

In _Fast Software Encryption_, James Massey proposes a block cipher
which uses FFT-like permutations combined with 8 -> 8-bit S-boxes derived
from the function n -> (45^n mod 257).
The idea of using the FFT-like permutations for rapid diffusion is
rather nice, but the choice of the S-box is a bit of an enigma.
Granted, this function is highly nonlinear with respect to 8 bit XOR,
but wouldn't a "near-bent" function without the unfortunate properties
of this S-box be a better choice?  For example, S(i+j) = S(i)*S(j).
Is there any really strong reason for the chice of this function?
Ref: SAFER K-64, A Byte-Oriented Block Ciphering Algorithm, pp 1-17 in
Fast Software Encryption, ed. Ross Anderson, Springer-Verlag 1994.