SAFER (Secure And Fast Encryption Routine) is a non-proprietary block cipher developed by Massey in 1993 for Cylink Corporation [Mas93]. It is a byte-oriented algorithm with a 64-bit block size and, in one version, a 64-bit key size. It has a variable number of rounds (maximum of 10), but a minimum of six rounds is recommended. Unlike most recent block ciphers, SAFER has slightly different encryption and decryption procedures. Only byte-based operations are employed to ensure its utility in smart card-based applications that have limited processing power. When first announced, SAFER was intended to be implemented with a key of length 64 bits and it was accordingly named SAFER K-64. Another version of SAFER was designed that could handle 128-bit keys and was named SAFER K-128.
Early cryptanalysis of SAFER K-64 [Mas93] showed that SAFER K-64 could be considered immune to both differential and linear cryptanalysis (see Question 58 and Question 59) when the number of rounds is greater than six. Knudsen [Knu95] discovered a weakness in the key schedule of SAFER K-64 and a new key schedule for the family of SAFER ciphers soon followed. These new versions of SAFER are denoted SAFER SK-64 and SAFER SK-128 where SK denotes a strengthened key schedule. Most recently, a version of SAFER called SAFER SK-40 was announced, which uses a 40-bit key and has five rounds (thereby increasing the speed of encryption). This reduced-round version is secure against differential and linear cryptanalysis in the sense that any such attack would require more effort than a brute-force search for a 40-bit key.