New Impossible Differential Attack on SAFER +  and SAFER + + 

  • Jingyuan Zhao
  • Meiqin Wang
  • Jiazhe Chen
  • Yuliang Zheng
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7839)


SAFER+ was a candidate block cipher for AES with 128-bit block size and a variable key sizes of 128, 192 or 256 bits. Bluetooth uses customized versions of SAFER+ for security. The numbers of rounds for SAFER+ with key sizes of 128, 192 and 256 are 8, 12 and 16, respectively. SAFER++, a variant of SAFER+, was among the cryptographic primitives selected for the second phase of the NESSIE project. The block size is 128 bits and the key size can take either 128 or 256 bits. The number of rounds for SAFER++ is 7 for keys of 128 bits, and 10 for keys of 256 bits. Both ciphers use PHT as their linear transformation. In this paper, we take advantage of properties of PHT and S-boxes to identify 3.75-round impossible differentials for SAFER++ and 2.75-round impossible differentials for SAFER+, which result in impossible differential attacks on 4-round SAFER+/128(256), 5-round SAFER++/128 and 5.5-round SAFER++/256. Our attacks significantly improve previously known impossible differential attacks on 3.75-round SAFER+/128(256) and SAFER++/128(256). Our attacks on SAFER+/128(256) and SAFER++/128(256) represent the best currently known attack in terms of the number of rounds.


SAFER+ SAFER++ Impossible Differential PHT Bluetooth 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Behnam, B., Taraneh, E., Mohammad, R.A.: Impossible Differential Cryptanalysis of SAFER++. In: Proceedings of the 2008 International Conference on Security Management, SAM 2008, pp. 10–14. CSREA Press (2008)Google Scholar
  2. 2.
    Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 12–23. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  3. 3.
    Biryukov, A., De Cannière, C., Dellkrantz, G.: Cryptanalysis of Safer++. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 195–211. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    BLUETOOTH SPECIFICATION Version 1.0B (November 29, 1999),
  5. 5.
    Knudsen, L.: DEAL-A 128-bit Block Cipher. NIST AES proposal. Technial report 151 (February 21, 1998) (retrieved February 27, 2007)Google Scholar
  6. 6.
    Knudsen, L.: A Detailed Analysis of SAFER K. Journal of Cryptplogy 13(4), 417–436 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Massey, J.L.: SAFER K-64: One Year Later. In: Preneel, B. (ed.) FSE 1994. LNCS, vol. 1008, pp. 212–241. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  8. 8.
    Massey, J.L., Khachatrian, G.H., Kuregian, M.K.: 1st AES Conference on Nomination of SAFER+ as Candidate Algorithm for The Advanced Encryption Standard, California, USA (June 1998),
  9. 9.
    Massey, J.L., Khachatrian, G.H., Kuregian, M.K.: 1st NESSIE Workshop on The SAFER++ Block Encryption Algorithm, Heverlee, Belgium (November 2000),
  10. 10.
    Nakahara Jr., J., Preneel, B., Vandewalle, J.: Linear Cryptanalysis of Reduced-Round Versions of the SAFER Block Cipher Family. In: Schneier, B. (ed.) FSE 2000. LNCS, vol. 1978, pp. 244–261. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Nakahara, J.: Cryptanalysis and Design of Block Ciphers. PhD thesis. Katholidke University, Leuven (2003)Google Scholar
  12. 12.
    Nakahara, J., Preneel, B.: Impossible Differential Attacks on Reduced-Round SAFER Ciphers. NESSIE Public Report, NES/DOC/KUL/WP5/30/1 (2003)Google Scholar
  13. 13.
    NESSIE Project–New European Schemes for Signatures, Integrity and Encryption,
  14. 14.
    Piret, G., Quisauater, J.: Integral Cryptanalysis on Reduced-Round SAFER++–A Way to Extend The Attack? (2003),
  15. 15.
    Yemo, Y., Park, I.: Optimization of Integral Cryptanalysis on Reduced-Round SAFER++. Joho Shori Gakkai Shinpojiumu Ronbunshu 2003(15) (2003) (published in Japan)Google Scholar
  16. 16.
    Zheng, S., Wang, C.L., Yang, Y.X.: A New Impossible Differential Attack on SAFER Ciphers. Computers and Electrical Engineering 36, 180–189 (2010)CrossRefzbMATHMathSciNetGoogle Scholar
  17. 17.
    Zhao, J., Wang, M., Chen, J., Zheng, Y.: New Impossible Differential Attack on SAFER +  and SAFER + + . IACR ePrint Archive report (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jingyuan Zhao
    • 1
    • 2
  • Meiqin Wang
    • 1
    • 2
  • Jiazhe Chen
    • 1
    • 2
  • Yuliang Zheng
    • 1
    • 2
    • 3
  1. 1.Key Laboratory of Cryptologic Technology and Information Security, Ministry of EducationShandong UniversityJinanChina
  2. 2.School of MathematicsShandong UniversityJinanChina
  3. 3.Department of Software and Information SystemsUNC CharlotteCharlotteUSA

Personalised recommendations