Path: illuminati.io.com!uunet!cs.utexas.edu!math.ohio-state.edu!jussieu.fr!nef.ens.fr!vaudenay
From: vaudenay@dmi.ens.fr (Serge Vaudenay)
Newsgroups: sci.crypt
Subject: Re: safer algo
Date: 1 Nov 1994 10:09:17 GMT
Organization: Ecole Normale Superieure, Paris, France
Lines: 28
Distribution: world
Message-ID: <39544d$cms@nef.ens.fr>
References: <38qj70$4bi@raffles.technet.sg> <39440u$2jr@news.delphi.com>
NNTP-Posting-Host: morille.ens.fr

In article <39440u$2jr@news.delphi.com>, jmkelsey@news.delphi.com (JMKELSEY@DELPHI.COM) writes:
|> tcyip@solomon.technet.sg (Thomas Yip) writes:
|>
|> >Anyone out there know anything about 'SAFER" algo? Where can I find the
|> >source code? Appreciate any help. Thanks.
|>
|> Yes. The SAFER K-64 algorithm was designed by James Massey for Cylink, and
|> was presented at the Cambridge Security Workshop in December 1993. It's
|> basically a nice, byte-oriented product cipher. SAFER is N rounds (I think
|> N should be at least 6) of
|>
|> 1. Alternately XOR and ADD in expanded key bytes.
|> 2. Alternately substitute the discrete log base 45 mod 257, or 45 ** x mod
|>    257, for each byte. (There are two tables, one for the discrete log, one
|>    for the exponential. These appear to have been chosen as a way of
|>    guaranteeing some nonlinearity conditions for the s-boxes, and they
|>    allow the cipher to mix four incompatible operations, using the same
|>    design principle as IDEA.)
|> [...]

Just let me add that a known plaintext attack will be presented next December
against SAFER with N=6 in which the log_45 is replaced by a random
permutation. This attack does not work with the log_45, but it shows both
the weakness of the general shape of SAFER and the strength of the
particular design chosen by James Massey.

--Serge
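
The two tables and steps 1 and 2 from the quoted description, as an added Python example that is not part of the original post or of any SAFER reference code. It covers only those two steps, not a full round or the key schedule; the function names are hypothetical, and the byte positions in `XOR_EXP` follow the published SAFER K-64 layout, which the post does not state.

```python
# Added example: SAFER's two byte s-boxes and steps 1-2 of the quoted round.
# Not a complete cipher: the rest of the round and the key schedule are omitted.

def build_sboxes():
    """EXP[x] = 45**x mod 257, with the value 256 stored as byte 0; LOG inverts it."""
    exp = [pow(45, x, 257) % 256 for x in range(256)]
    log = [0] * 256
    for x, y in enumerate(exp):
        log[y] = x
    return exp, log

EXP, LOG = build_sboxes()

# Assumption (SAFER K-64 layout, not given in the post): these 0-based byte
# positions take XOR-key then EXP; the other four take ADD-key then LOG.
XOR_EXP = (0, 3, 4, 7)

def mix_and_substitute(block, key):
    """Step 1 (XOR/ADD key bytes) followed by step 2 (EXP/LOG tables)."""
    return bytes(
        EXP[b ^ k] if i in XOR_EXP else LOG[(b + k) % 256]
        for i, (b, k) in enumerate(zip(block, key))
    )

def undo_mix_and_substitute(block, key):
    """Inverse of mix_and_substitute: swap the tables, then remove the key."""
    return bytes(
        LOG[b] ^ k if i in XOR_EXP else (EXP[b] - k) % 256
        for i, (b, k) in enumerate(zip(block, key))
    )

def xor_affine(t):
    """True if t is affine over XOR, i.e. t[a^b] == t[a]^t[b]^t[0] everywhere."""
    return all(t[a ^ b] == t[a] ^ t[b] ^ t[0]
               for a in range(256) for b in range(256))

def add_affine(t):
    """True if t is affine over addition mod 256."""
    return all(t[(a + b) % 256] == (t[a] + t[b] - t[0]) % 256
               for a in range(256) for b in range(256))

if __name__ == "__main__":
    block = bytes(range(1, 9))         # constructed sample plaintext block
    key = bytes([8, 7, 6, 5, 4, 3, 2, 1])  # constructed sample key bytes
    ct = mix_and_substitute(block, key)
    print(ct.hex(), undo_mix_and_substitute(ct, key) == block)
    print("EXP affine (xor/add):", xor_affine(EXP), add_affine(EXP))
```

Because 45 generates the multiplicative group mod 257, `EXP` is a permutation of the 256 byte values, which is what lets `LOG` exist as a table at all.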