```Path: illuminati.io.com!uunet!news.delphi.com!news.delphi.com!not-for-mail
From: jmkelsey@news.delphi.com (JMKELSEY@DELPHI.COM)
Newsgroups: sci.crypt

Subject: Re: safer algo
Date: 1 Nov 1994 01:01:18 -0000
Organization: Delphi Internet Services Corporation
Lines: 38
Message-ID: <39440u\$2jr@news.delphi.com>
References: <38qj70\$4bi@raffles.technet.sg>
NNTP-Posting-Host: news.delphi.com

tcyip@solomon.technet.sg (Thomas Yip) writes:

>Anyone out there know anything about 'SAFER" algo?  Where can I find the
>source code?  Appreciate any help.  Thanks.

Yes.  The SAFER K-64 algorithm was designed by James Massey for Cylink, and
was presented at the Cambridge Security Workshop in December 1993.  It's
basically a nice, byte-oriented product cipher.  SAFER is N rounds (I think
N should be at least 6) of

1.  Alternately XOR and ADD in expanded key bytes.
2.  Alternately substitute the discrete log base 45 mod 257, or 45 ** x mod
257, for each byte.  (There are two tables, one for the discrete log, one
for the exponential.  These appear to have been chosen as a way of
guaranteeing some nonlinearity conditions for the s-boxes, and they
allow the cipher to mix four incompatible operations, using the same
design principle as IDEA.)
3.  Alternately ADD and XOR in expanded key bytes.
4.  Mix the resulting 8-byte output block using something called the "pseudo-
Hammard transform," or PHT.  This mixes two bytes at a time like this:
PHT(a,b) --> a = a + b; b = b + a;
This is applied to differrent pairs of bytes three times, so that
each input byte has an effect on each output byte.

Then, it ends by doing one final XOR/ADD or key material.

Basically, the PHT is a wonderfully efficient way to deal with getting
fast diffusion.  The ADD/LOG/XOR operations that occur for each byte in
each round look like they make things pretty strongly nonlinear.

You can find a PASCAL implementation in the proceedings from the security
workshop, Springer-Verlag Lecture Notes in Computer Science #809.  If you
get a C/C++ implementation working, I'd like to see it--for some reason,
I kept having problems with my key scheduling or something when I tried
to hack one out.

--John Kelsey, jmkelsey@delphi.com

```