Cryptanalysis of Safer++

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


This paper presents several multiset and boomerang attacks on Safer++ up to 5.5 out of its 7 rounds. These are the best known attacks for this cipher and significantly improve the previously known results. The attacks in the paper are practical up to 4 rounds. The methods developed to attack Safer++ can be applied to other substitution-permutation networks with incomplete diffusion.


Block Cipher Linear Cryptanalysis Collision Attack Linear Layer Fast Software Encryption 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer, Heidelberg (1993)zbMATHGoogle Scholar
  2. 2.
    Biryukov, A., Shamir, A.: Structural cryptanalysis of SASAS. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 394–405. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  3. 3.
    Gilbert, H., Minier, M.: A collision attack on seven rounds of Rijndael. In: Proceedings of the Third AES Candidate Conference. National Institute of Standards and Technology, pp. 230–241 (April 2000)Google Scholar
  4. 4.
    Kelsey, J., Schneier, B., Wagner, D.: Key-schedule cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and Triple-DES. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 237–251. Springer, Heidelberg (1996)Google Scholar
  5. 5.
    Knudsen, L.R.: Truncated and higher order differentials. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 196–211. Springer, Heidelberg (1995)Google Scholar
  6. 6.
    Knudsen, L.R.: A detailed analysis of SAFER K. Journal of Cryptology 13(4), 417–436 (2000)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Massey, J.L.: SAFER K-64: A byte-oriented block-ciphering algorithm. In: Anderson, R. (ed.) FSE 1993. LNCS, vol. 809, pp. 1–17. Springer, Heidelberg (1994)Google Scholar
  8. 8.
    Massey, J.L.: On the optimality of SAFER+ diffusion. In: Proceedings of the Second AES Candidate Conference, National Institute of Standards and Technology (March 1999)Google Scholar
  9. 9.
    Massey, J.L., Khachatrian, G.H., Kuregian, M.K.: Nomination of SAFER++ as candidate algorithm for the New European Schemes for Signatures, Integrity, and Encryption (NESSIE). Primitive submitted to NESSIE by Cylink Corp. (September 2000)Google Scholar
  10. 10.
    Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 386–397. Springer, Heidelberg (1994)Google Scholar
  11. 11.
    Murphy, S.: An analysis of SAFER. Journal of Cryptology 11(4), 235–251 (1998)zbMATHCrossRefMathSciNetGoogle Scholar
  12. 12.
    Nakahara Jr, J.: Cryptanalysis and Design of Block Ciphers. PhD thesis, Katholieke Universiteit Leuven (June 2003)Google Scholar
  13. 13.
    Nakahara Jr, J., Preneel, B., Vandewalle, J.: Linear cryptanalysis of reducedround versions of the SAFER block cipher family. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 244–261. Springer, Heidelberg (2001)Google Scholar
  14. 14.
    NESSIE Project – New European Schemes for Signatures, Integrity and Encryption,
  15. 15.
    Wagner, D.: The boomerang attack. In: Knudsen, L.R. (ed.) FSE 1999. LNCS, vol. 1636, pp. 156–170. Springer, Heidelberg (1999)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  1. 1.Dept. ESAT/SCD-COSICKatholieke Universiteit LeuvenHeverleeBelgium
  2. 2.Royal Institute of TechnologyStockholmSweden

Personalised recommendations