In cryptography, SAFER (Secure And Fast Encryption Routine) is the name of a family of block ciphers designed primarily by James Massey (one of the designers of IDEA) on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule. More recent versions SAFER+ and SAFER++ were submitted as candidates to the AES process and the NESSIE project respectively. All of the algorithms in the SAFER family are unpatented and available for unrestricted use.
A weakness in the key schedule was corrected, with an S being added to the original Safer K designation to create Safer SK. There are some attacks against reduced round variants of Safer. Safer is secure against differential and linear cryptanalysis. However, Bruce Schneier, author of Applied Cryptography, recommends against using Safer because, "Safer was designed for Cylink, and Cylink is tainted by the NSA."
Description of SAFER
SAFER is a block cipher that operates on 64-bit blocks considered as 8 bytes. It consists of a round transformation iterated r times followed by a ﬁnal output transformation. Recommended values of r are 6 for SAFER K-64 and 10 for SAFER K-128. The key scheduling, described below, gives (2r + 1) 8-byte subkeys K1; : : : ; K2r+1. Subkeys K2i¡-1 and K2i are used in round i, and the subkey K2r+1 is used in the output transformation. A diagram of the round function is given in the image. The ith round function is built from four basic operations.
1. Mixed XOR/Addition Layer: Bytes 1; 4; 5; 8 of the round input are XORed with bytes 1; 4; 5; 8 of subkey K2i¡-1. Bytes 2; 3; 6; 7 of the round input are added bytewise (modulo 256) with bytes 2; 3; 6; 7 of subkey K2i¡-1.
2. Nonlinear Layer: For a byte x, 45 .x/is deﬁned to be 45x modulo 257, where x is regarded as a number 0 · x · 255, with the convention that 45 .128/ D 0. As 257 is prime and 45 is a primitive element modulo 257, this is an invertible function of a byte, and log 45.¢/ is deﬁned to be its inverse. The 45.¢/transformation is applied to bytes 1; 4; 5; 8 of the output of the mixed XOR=addition layer and the log 45.¢/transformation to bytes 2; 3; 6; 7.
3. Mixed Addition=XOR Layer: Bytes 1; 4; 5; 8 of the output of the nonlinear layer are added bytewise (modulo 256) with bytes 1; 4; 5; 8 of subkey K2i. Bytes 2; 3; 6; 7 of the output of the nonlinear layer are XORed with bytes 2; 3; 6; 7 of subkey K2i.
4. Pseudo-Hadamard Transform (PHT) Layer: The transforms 2-PHT in Fig. 1 map the byte pair .a1; a2/ to the byte pair .2a1 Ca2; a1 Ca2/, where addition is modulo 256. The effect of the three layers of 2-PHT transforms on the output v of the mixed addition=XOR layer is to map it to vM, where addition is modulo 256 and the output of the PHT layer is the output of the round function.
The ﬁnal output transformation afterr rounds is an application of the mixed XOR/addition layer with the output of the rth round and the subkey K2r+1.
Decryption using SAFER is carried out by reversing these operations and we do not describe it in detail.
Design Principles for SAFER
•Encrypting structure – faster diffusion than for substitution-permutation cipher.
• Byte orientation – during encryption and decryption, all operations are on bytes.
• Group operation at round input – “perfect secrecy” with a “one-time key”.
•Use of 2 additive group operations on bytes -- takes advantage of each’s
•Confusion via well-defined nonlinear functions – no “suspicious-looking”
•Fast-diffusing linear transformation – via the PHT and the Armenian shuffle.
•Scalability – Bytes can be made to 2 or 4 (or even 16) bit characters for study.
•Biases in key schedules – eliminates “weak keys”.
•Parity word and selections in key schedules – diversity in round subkeys.
•Number of rounds – chosen for security with a margin of safety.
ANSI C with 200 MHz Pentium Platform: • SAFER+ with 128 bit key (8 rounds) – about 18.2* megabits/s of
encrypted data and about 15.3 microseconds to run the key schedule.
• SAFER+ with 192 bit key (12 rounds) – about 12.3* megabits/s of
encrypted data and about 28.6 microseconds to run the key schedule.
• SAFER+ with 256 bit key (16 rounds) – about 9.3* megabits/s of
encrypted data and about 45.7 microseconds to run the key schedule.
Assembly on 8-bit Processors of the MCS 51 family with 16 MHz clock: •SAFER+ with 128 bit key (8 rounds) – about 25.6 kilobits/s of encrypted data.
• SAFER+ with 192 bit key (12 rounds) – about 16.9 kilobits/s of encrypted data.
• SAFER+ with 256 bit key (16 rounds) – about 12.7 kilobits/s of encrypted data.
Advantages of SAFER+•A proven track record of security
•Speed and simplicity
• Flexibility of Use
• Flexibility of Environment
Limitations of SAFER+ •No proof of complete security
• Encryption/Decryption Dissimilarity