User:Matt Crypto/Scratch
- Split into SAFER K/SK vs SAFER+/++?
- C++ lives at C Plus Plus, since "+"s aren't allowed in article names
In cryptography, SAFER, which stands for Secure And Fast Encryption Routine, is the name of a family of block ciphers designed primarily by James Massey (one of the designers of IDEA) on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs are all based on the same encryption function, but with varying numbers of rounds and alterations to the key schedule. More recent versions — SAFER+ and SAFER++ — were submitted as candidates to the AES process and the NESSIE project respectively.
SAFER K and SAFER SK
The first SAFER cipher was SAFER K-64, published by Massey in 1993, with a 64-bit block size. The "K-64" denotes a key size of 64 bits. There was some demand for a version with a larger 128-bit key, and the following year Massey published such a variant incorporating new key schedule designed by the Ministry for Home affairs, Singapore: SAFER K-128. However, both Lars Knudsen and Sean Murphy found minor weaknesses in this version, prompting a redesign of the key schedule to one suggested by Knudsen; these variants were named SAFER SK-64 and SAFER SK-128 respectively; the "SK" standing for "Strengthened Key schedule", though the RSA FAQ reports that one joke has it that SK really stands for "Stop Knudsen", a wise precaution in the design of any block cipher. Another variant with a reduced key size was published, SAFER SK-40, to comply with 40-bit export restrictions. All these variants use the same round function, though with differing numbers of rounds.
- SAFER K-64 (Massey, 1993)
- SAFER K-128 (Massey, 1994)
- SAFER SK-64 (Massey, 1995) Fixed weaknesses in key schedule found by Lars Knudsen
- SAFER SK-128 (Massey, 1995)
- SAFER SK-40
- SAFER+ (Massey et al, 1998) (AES candidate)
- SAFER++ (Massey et al, 2000) (NESSIE)
- SAFER was designed for Cylink, and Cylink is tained by the NSA. I recommend years of intense cryptanalysis before using SAFER in any form.
- Although our design of SAFER K-64 was sponsored by Cylink Corporation (Sunnyvale, CA, USA), Cylink has explicitly relinquished any proprietary rights to this algorithm. This largesse on the part of Cylink was motivated by the reasoning that the company would gain more from new business than it would lose from competition should many new users adopt this publicly available cipher. SAFER K-64 has not been patented and, to the best of our knowledge, is free for use by anyone without fees of any kind and with no violation of any rights of ownership, intellectual or otherwise.
— Massey, J.L., 1995
References
- Alex Biryukov, Christophe De Cannière, Gustaf Dellkrantz: Cryptanalysis of SAFER++. CRYPTO 2003: 195-211
- Lars R. Knudsen: A Detailed Analysis of SAFER K. J. Cryptology 13(4): 417-436 (2000)
- James L. Massey: SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. Fast Software Encryption 1993: 1-17
- James L. Massey: SAFER K-64: One Year Later. Fast Software Encryption 1994: 212-241
- James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES)
- Massey, J. L., "Announcement of a Strengthened Key Schedule for the Cipher SAFER", September 9, 1995.
- James Massey, Gurgen Khachatrian, Melsik Kuregian, "Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE)," Presented at the First Open NESSIE Workshop, November 2000.
- Lars R. Knudsen: A Key-schedule Weakness in SAFER K-64. CRYPTO 1995: 274-286
- Lars R. Knudsen, Thomas A. Berson: Truncated Differentials of SAFER. Fast Software Encryption 1996: 15-26
- Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES), Submission document from Cylink Corporation to NIST, June 1998.