Linear Cryptanalysis of Reduced-Round Versions of the SAFER Block Cipher Family

  • Jorge NakaharaJr
  • Bart Preneel
  • Joos Vandewalle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1978)


This paper presents a linear cryptanalytic attack against reduced round variants of the SAFER family of block ciphers. Compared with the 1.5 round linear relations by Harpes et al., the following new linear relations were found: a 3.75-round non-homomorphic linear relation for both SAFER-K and SAFER-SK with bias ∈ = 2-29; a 2.75 round relation for SAFER+ with bias ∈ = 2-49. For a 32-bit block mini-version of SAFER a 4.75-round relation with bias ∈ = 2-16 has been identified. These linear relations apply only to certain weak key classes. The results show that by considering non-homomorphic linear relations, more rounds of the SAFER block cipher family can be attacked. The new attacks pose no threat to any member of the SAFER family.


Linear Relation Block Cipher Advance Encryption Standard Linear Hull Linear Cryptanalysis 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 2.
    Brincat, K., Meijer, A., “On the SAFER cryptosystem,” Cryptography and Coding, Proceedings of 6th IMA Conference, LNCS 1355, M. Darnell, Ed., Springer-Verlag, 1997, pp. 59–68.Google Scholar
  2. 3.
    C. Harpes, “Cryptanalysis of Iterated Block Ciphers,” ETH series in Information Processing, J. L. Massey, Ed., Vol. 7, Hartung-Gorre Verlag, Konstanz, 1996.Google Scholar
  3. 4.
    C. Harpes, G. Kramer, J. L. Massey, “A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma,” Advances in Cryptology, Proceedings Eurocrypt’95, LNCS 921, L. C. Guillou and J.-J. Quisquater, Eds., Springer-Verlag, 1995, pp. 24–38.Google Scholar
  4. 5.
    D. Wagner, “The boomerang attack,” Fast Software Encryption, LNCS 1636, L. R. Knudsen, Ed., Springer-Verlag, 1999, pp. 201–214.Google Scholar
  5. 6.
    E. Biham, A. Shamir, “Differential Cryptanalysis of the Data Encryption Standard,” Springer-Verlag, 1993.Google Scholar
  6. 7.
    H. Wu, F. Bao, R. H. Deng, Q.-Z. Ye, “Improved truncated differential attacks on SAFER,” Advances in Cryptology, Proceedings Asiacrypt’98, LNCS 1514, K. Ohta, D. Pei, Eds., Springer-Verlag, 1998, pp. 133–147.Google Scholar
  7. 8.
    J. Borst, B. Preneel, J. Vandewalle, “Linear Cryptanalysis of RC5 and RC6,” Fast Software Encryption, LNCS 1636, L. R. Knudsen, Ed., Springer-Verlag, 1999, pp. 16–30.Google Scholar
  8. 9.
    J. Kelsey, B. Schneier, D. Wagner, “Key schedule weaknesses in SAFER+,” Proceedings 2nd Advanced Encryption Standard Candidate Conference, March 22-23, 1999, Rome (I), pp. 155–167.Google Scholar
  9. 10.
    J. L. Massey, G. H. Khachatrian, M. K. Kuregian, “Nomination of SAFER+ as candidate algorithm for the Advanced Encryption Standard (AES),” June 12, 1998. Available at
  10. 11.
    J. L. Massey, “SAFER-K64: a byte-oriented block ciphering algorithm,” Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 1–17.Google Scholar
  11. 12.
    J. L. Massey, “SAFER-K64: one year later,” Fast Software Encryption, LNCS 1008, B. Preneel, Ed., Springer-Verlag, 1995, pp. 212–241.Google Scholar
  12. 13.
    J. L. Massey, “Strengthened key schedule for the cipher SAFER,” posted to the USENET newsgroup sci.crypt, September 1995. Available at
  13. 14.
    K. Nyberg, “Linear approximation of block ciphers,” Advances in Cryptology, Proceedings Eurocrypt’94, LNCS 950, A. De Santis, Ed., Springer-Verlag, 1995, pp. 439–444.Google Scholar
  14. 15.
    L. R. Knudsen, “A key schedule weakness in SAFER-K64,” Advances in Cryptology, Proceedings Crypto’95, LNCS 963, D. Coppersmith, Ed., Springer-Verlag, 1995, pp. 274–286.Google Scholar
  15. 16.
    L. R. Knudsen, “Why SAFER K changed its name,” Technical Report LIENS 96-13, Laboratoire d’Informatique, Ecole Normale Supfierieure, Paris, France, April 1996. Available at
  16. 17.
    L. R. Knudsen, T. A. Berson, “Truncated differentials of SAFER,” Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 15–26.Google Scholar
  17. 18.
    M. Matsui, “Linear cryptanalysis method for DES cipher,” Advances in Cryptology, Proceedings Eurocrypt’93, LNCS 765, T. Helleseth, Ed., Springer-Verlag, 1994, pp. 386–397.Google Scholar
  18. 19.
    M. Matsui, A. Yamagishi, “A new method for known plaintext attack on FEAL cipher,” Advances in Cryptology, Proceedings Eurocrypt’92, LNCS 658, R. A. Rueppel, Ed., Springer-Verlag, 1993, pp. 81–91.Google Scholar
  19. 20.
    S. Murphy, “An analysis of SAFER,” Journal of Cryptology, Vol. 11,No. 4, 1998, pp. 235–251.zbMATHCrossRefMathSciNetGoogle Scholar
  20. 21.
    S. Vaudenay, “On the need for multipermutations: Cryptanalysis of MD4 and SAFER,” Fast Software Encryption, LNCS 1039, D. Gollmann, Ed., Springer-Verlag, 1996, pp. 286–297.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Jorge NakaharaJr
    • 1
  • Bart Preneel
    • 1
  • Joos Vandewalle
    • 1
  1. 1.Dept. Electrical Engineering-ESATKatholieke Universiteit LeuvenHeverleeBelgium

Personalised recommendations