Crypto Wiki

Template:About In cryptography, SAFER (Secure And Fast Encryption Routine) is the name of a family of block ciphers designed primarily by James Massey (one of the designers of IDEA) on behalf of Cylink Corporation. The early SAFER K and SAFER SK designs share the same encryption function, but differ in the number of rounds and the key schedule. More recent versions — SAFER+ and SAFER++ — were submitted as candidates to the AES process and the NESSIE project respectively. All of the algorithms in the SAFER family are unpatented and available for unrestricted use.



The SAFER K and SAFER SK round function.

The first SAFER cipher was SAFER K-64, published by Massey in 1993, with a 64-bit block size. The "K-64" denotes a key size of 64 bits. There was some demand for a version with a larger 128-bit key, and the following year Massey published such a variant incorporating new key schedule designed by the Singapore Ministry for Home affairs: SAFER K-128. However, both Lars Knudsen and Sean Murphy found minor weaknesses in this version, prompting a redesign of the key schedule to one suggested by Knudsen; these variants were named SAFER SK-64 and SAFER SK-128 respectively — the "SK" standing for "Strengthened Key schedule", though the RSA FAQ reports that, "one joke has it that SK really stands for 'Stop Knudsen', a wise precaution in the design of any block cipher". Another variant with a reduced key size was published, SAFER SK-40, to comply with 40-bit export restrictions.

All of these ciphers use the same round function consisting of four stages, as shown in the diagram: a key-mixing stage, a substitution layer, another key-mixing stage, and finally a diffusion layer. In the first key-mixing stage, the plaintext block is divided into eight 8-bit segments, and subkeys are added using either addition modulo 256 (denoted by a "+" in a square) or XOR (denoted by a "+" in a circle). The substitution layer consists of two S-boxes, each the inverse of each other, derived from discrete exponentiation (45x) and logarithm (log45x) functions. After a second key-mixing stage there is the diffusion layer: a novel cryptographic component termed a pseudo-Hadamard transform (PHT). (The PHT was also later used in the Twofish cipher.)

SAFER+ and SAFER++[]

There are two more-recent members of the SAFER family that have made changes to the main encryption routine, designed by the Armenian cryptographers Gurgen Khachatrian and Melsik Kuregian in conjunction with Massey.

  • SAFER+ (Massey et al., 1998) was submitted as a candidate for the Advanced Encryption Standard and has a block size of 128 bits. The cipher was not selected as a finalist. Bluetooth uses custom algorithms based on SAFER+ for key derivation (called E21 and E22) and authentication as message authentication codes (called E1). Encryption in Bluetooth does not use SAFER+.[1]
  • SAFER++ (Massey et al., 2000) was submitted to the NESSIE project in two versions, one with 64 bits, and the other with 128 bits.

See also[]


  • Alex Biryukov, Christophe De Cannière, Gustaf Dellkrantz: Cryptanalysis of SAFER++. CRYPTO 2003: 195-211
  • Lars R. Knudsen: A Detailed Analysis of SAFER K. J. Cryptology 13(4): 417-436 (2000)
  • James L. Massey: SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. Fast Software Encryption 1993: 1-17
  • James L. Massey: SAFER K-64: One Year Later. Fast Software Encryption 1994: 212-241
  • James Massey, Gurgen Khachatrian, Melsik Kuregian, Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES)
  • Massey, J. L., "Announcement of a Strengthened Key Schedule for the Cipher SAFER", September 9, 1995.
  • James Massey, Gurgen Khachatrian, Melsik Kuregian, "Nomination of SAFER++ as Candidate Algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE)," Presented at the First Open NESSIE Workshop, November 2000.
  • Gurgen Khachatrian, Melsik Kuregian, Karen Ispiryan, James Massey, „Differential analysis of SAFER++ algorithm” – Second NESSIE workshop, Egham, UK, September 12-13, (2001)
  • Lars R. Knudsen, A Key-schedule Weakness in SAFER K-64. CRYPTO 1995: 274-286.
  • Lars R. Knudsen, Thomas A. Berson, "Truncated Differentials of SAFER". Fast Software Encryption 1996: 15-26
  • Nomination of SAFER+ as Candidate Algorithm for the Advanced Encryption Standard (AES), Submission document from Cylink Corporation to NIST, June 1998.
  • Karen Ispiryan “Some family of coordinate permutation for SAFER++” CSIT September 17-20, 2001 Yerevan, Armenia
  1. Template:Cite paper

External links[]

Template:Link GA

ca:SAFER fr:SAFER (cryptographie) it:SAFER pt:SAFER ru:SAFER