Secure and Fast Encryption Routine: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 21:09, 18 April 2006 edit 152.163.100.203 (talk) →SAFER K and SAFER SK ← Previous edit		Latest revision as of 16:23, 27 May 2025 edit undo Trappist the monk (talk \| contribs) Administrators 494,619 edits m cite repair;
(72 intermediate revisions by 51 users not shown)
Line 1: {{Short description\|Family of block ciphers}} ~~:''This article is about the encryption algorithm. For other uses of the acronym, see [[SAFER (disambiguation)]].''~~ In [[cryptography]], '''SAFER''' ('''Secure ~~And~~and Fast Encryption Routine''') is the name of a family of [[block cipher]]s designed primarily by [[James Massey]] (one of the designers of [[IDEA (cipher)\|IDEA]]) on behalf of Cylink Corporation. Its first variant was published in 1993, and other variants were published until about 2000. The early '''SAFER K''' and '''SAFER SK''' designs share the same [[encryption]] function, but differ in the number of rounds and the [[key schedule]]. More recent versions &~~mdash~~ndash; '''SAFER+''' and '''SAFER++''' &~~mdash~~ndash; were submitted as candidates to the [[AES process]] in 1998 and the [[NESSIE]] project in 2000, respectively. All of the algorithms in the SAFER family are unpatented and available for unrestricted use. ==SAFER K and SAFER SK== [[File:SAFER.png\|thumbnail\|250px\|The SAFER K and SAFER SK round function.]] The first SAFER cipher was '''SAFER K-64''', published by Massey in 1993, with a 64-bit [[block size (cryptography)\|block size]]. The "K-64" denotes a [[key size]] of 64 bits. There was some demand for a version with a larger 128-bit [[key (cryptography)\|key]], and the following year Massey published such a variant incorporating new key schedule designed by the [[Singapore]] Ministry for Home affairs: '''SAFER K-128'''. However, both [[Lars Knudsen]] and [[Sean Murphy (cryptographer)\|Sean Murphy]] found minor weaknesses in this version, prompting a redesign of the key schedule to one suggested by Knudsen; these variants were named '''SAFER SK-64''' and '''SAFER SK-128''' respectively – the "SK" standing for "Strengthened Key schedule", though the [[RSA Security\|RSA]] FAQ reports that, "one joke has it that SK really stands for 'Stop Knudsen', a wise precaution in the design of any block cipher".<ref>{{Citation \| url =https://archive.org/details/rsalabs_faq41 \| year = 2000\| title = RSA Laboratories' Frequently Asked Questions about Today's Cryptography, Version 4.1 \| section = 3.6.7 What are some other block ciphers?\|publisher= RSA Security}}</ref> Another variant with a reduced key size was published, '''SAFER SK-40''', to comply with [[40-bit encryption\|40-bit]] export restrictions. All of these ciphers use the same round function consisting of four stages, as shown in the diagram: a key-mixing stage, a substitution layer, another key-mixing stage, and finally a diffusion layer. In the first key-mixing stage, the plaintext block is divided into eight 8-bit segments, and subkeys are added using either addition modulo 256 (denoted by a "+" in a square) or [[XOR]] (denoted by a "+" in a circle). The substitution layer consists of two [[S-box]]es, each the inverse of each other, derived from discrete [[exponentiation]] (45<sup>''x''</sup>) and [[logarithm]] (log<sub>45</sub>x) functions. After a second key-mixing stage there is the diffusion layer: a novel cryptographic component termed a [[pseudo-Hadamard transform]] ('''PHT'''). (The PHT was also later used in the [[Twofish]] cipher.) This is obviously useless information. Please do not add spam to this site, t is considered vandalism. As soon as we can recover the lost information that is supposed to be here, it will be added back in. Until then, please be patient. ==SAFER+ and SAFER++== There are two more-recent members of the SAFER family that have made changes to the main encryption routine, designed by the Armenian cryptographers Gurgen Khachatrian (American University of Armenia) and Melsik Kuregian in conjunction with Massey. * '''SAFER+''' (Massey et al., 1998) was submitted as a candidate for the [[AES process\|Advanced Encryption Standard]] and has a block size of 128 bits. The cipher was not selected as a finalist. [[Bluetooth]] uses custom algorithms based on SAFER+ ~~was~~for ~~included~~key inderivation ~~the~~(called ~~[[Bluetooth]]~~E21 ~~standard~~and asE22) anand ~~algorithm~~authentication ~~for~~as [[message authentication code]]s ~~and~~(called ~~key~~E1). ~~generation~~Encryption in Bluetooth does not use SAFER+.<ref name="bt-preliminary">{{Cite report \|url=http://student.vub.ac.be/~sijansse/2e%20lic/BT/Voorstudie/PreliminaryStudy.pdf \|title=Preliminary study: Bluetooth Security \|author=Janssens \|first=Sil \|date=2005-01-09 \|access-date=2007-02-27 \|archive-url=https://web.archive.org/web/20050513170859/http://student.vub.ac.be/~sijansse/2e%20lic/BT/Voorstudie/PreliminaryStudy.pdf \|archive-date=2005-05-13 }}</ref> * '''SAFER++''' (Massey et al., 2000) was submitted to the [[NESSIE]] project in two versions, one with 64 bits, and the other with 128 bits. ==See also== * [[~~Substitution-permutation~~Substitution–permutation network]] * [[Confusion and diffusion]] ==References== * [[Alex Biryukov]], Christophe De Cannière, Gustaf Dellkrantz: Cryptanalysis of SAFER++. [[CRYPTO]] 2003: 195-211 * [[Lars R. Knudsen]]: A Detailed Analysis of SAFER K. [[J. Cryptology]] 13(4): 417-436 (2000) * James L. Massey: SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. [[Fast Software Encryption]] 1993: 1-17 * James L. Massey: SAFER K-64: One Year Later. Fast Software Encryption 1994: 212-241 * James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES) * Massey, J. L., "Announcement of a Strengthened Key Schedule for the Cipher SAFER", September 9, 1995. * James Massey, Gurgen Khachatrian, Melsik Kuregian, "Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE)," Presented at the First Open NESSIE Workshop, November 2000. * Gurgen Khachatrian, Melsik Kuregian, Karen Ispiryan, James Massey, "Differential analysis of SAFER++ algorithm" – Second NESSIE workshop, Egham, UK, September 12–13, (2001) * Lars R. Knudsen: A Key-schedule Weakness in SAFER K-64. CRYPTO 1995: 274-286 * [[Lars R. Knudsen]], ~~Thomas~~ A. ~~Berson:~~Key-schedule ~~Truncated~~Weakness ~~Differentials~~in ofSAFER ~~SAFER~~K-64. ~~Fast~~CRYPTO ~~Software Encryption 1996~~1995: 15274-26286. * [[Lars R. Knudsen]], [[Tom Berson\|Thomas A. Berson]], "Truncated Differentials of SAFER". Fast Software Encryption 1996: 15-26 * Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES), Submission document from Cylink Corporation to NIST, June 1998. * Karen Ispiryan "Some family of coordinate permutation for SAFER++" CSIT September 17–20, 2001 Yerevan, Armenia {{Reflist}} ==External links== * [http://embeddedsw.net/Cipher_Reference_Home.html 256bit Ciphers - SAFER Reference implementation and derived code] * [http://www.quadibloc.com/crypto/co040407.htm John Savard's description of SAFER+] * [http://www.quadibloc.com/crypto/co040301.htm John Savard's description of SAFER K and SAFER SK] Line 34 ⟶ 42: * [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER-SK SCAN's entry for SAFER SK] * [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER+ SCAN's entry for SAFER+] * [http://www.users.zetnet.co.uk/hopwood/crypto/scan/cs.html#SAFER++ SCAN's entry for SAFER++] (November 2000) * [http://groups.google.com/groups?selm=4336pm%24e9t%40net.auckland.ac.nz Announcement of new key schedule (SAFER SK)] * [https://cliki.net/SAFER SAFER SK-128 in portable Common Lisp] {{Cryptography navbox \| block}} ~~{{Block_ciphers}}~~ [[Category:Block ciphers]]▼ ▲[[Category:Block ciphers]] ~~[[fr:SAFER (cryptographie)]]~~