An Analysis of Safer - DocsLib

sign in sign up

<<

AN ANALYSIS OF SAFER

Sean Murphy

Information SecurityGroupRoyal Holloway

University of London Egham Surrey TW EX UK

July

Abstract

Weinvestigate some of the algebraic prop erties of the SAFER

blo ck cipher when the message space is considered as a Zmo dule In

particular we consider the invariant Zsubmo dules of the PHT layer

and showhowtheseinvariant Zsubmo dules give p otential crypto

graphic weaknesses

Key Words Blo ck cipher SAFER Cryptanalysis Invariant Zsubmo dules

The author acknowledges the supp ort of the Nueld Foundation

Intro duction

SAFER K is a blo ck cipher that was intro duced by Massey at the

Cambridge SecurityWorkshop on Fast Software Encryption It op erates

on bit blo cks under the control of a bit key It is a byteoriented

cipher in that all the basic encryption op erations are on bytes or pairs of

bytes At the Leuven Workshop on Cryptographic Algorithms Massey

presented a pap er whichsurveyed the rst years research on SAFER

K and dened SAFER K which is SAFER with a bit key In

this pap er weinvestigate certain algebraic prop erties of the SAFER blo ck

cipher and showhow these prop erties are a p otential source of cryptographic

weaknesses

Following the original submission of this pap er and a related key attack

byKnudsen in mid revised blo ck ciphers SAFER SK and SAFER

SK were prop osed These dier from the original SAFER K

blo ck ciphers only by using the new key schedule prop osed byKnudsen

There is also an analysis of SAFER based on truncated dierentials and

an analysis that considers a revised SAFER encryption algorithm with a

dierent nonlinear layer

Each round of SAFER contains only one op eration that mixes message

bytes the PHT layer which exists to provide diusion This PHT layer is

a Zmo dule homomorphism on the message space Our analysis concentrates

on the Zsubmo dules of the message space that are preserved by the PHT

lay er that is the invariant Zsubmo dules These invariant Zsubmo dules and

their cosets are not diused by the PHT layer and so provide a metho d for

the cryptanalyst to cop e with the diusion in SAFER in a variety of attacks

whatever the key schedule This is the main result of this pap er However

the original key schedule of SAFER K did not mix key bytes This

allowed us to nd a pro jection onto a particular byte invariant Zsubmo dule

that do es not dep end on a quarter of the key under standard cryptographic

assumptions

We b egin this pap er by giving a description of SAFER and the original

key schedule of SAFER K In Section wegive a description of the

invariant Zsubmo dules of the PHT layer and in Section we showhow

these invariant Zsubmo dules can b e used to construct a Markovchain on

cosets In Section we showhow the original key schedule of SAFER K

gave rise to the prop erty describ ed ab ove and in Section we give

some other ways in whichtheinvariant Zsubmo dules of the PHT could b e

used for cryptanalysis We nish with some conclusions

Description of SAFER

SAFER is a blo ck cipher that op erates on bit blo cks considered as

bytes It consists of a round transformation iterated r times followed bya

nal output transformation Recommended values of r are for SAFER

K and for SAFER K The keyscheduling describ ed b elow gives

r byte subkeys K K Subkeys K and K are used in

r i i

round i and the subkey K is used in the output transformation A

r

th

diagram of the round function is given in Figure The i round function

is built from four basic op erations

MixedXORAddition Layer Bytes of the round input are

XORed with bytes ofsubkey K Bytes ofthe

i

round input are added bytewise mo dulo with bytes of

subkey K

i

x x

Nonlinear Layer For a byte x is dened to b e mo dulo

where x is regarded as a number x with the convention that

As is prime and is a primitive element mo dulo

this is an invertible function of a byte and log is dened to b e its

inverse The transformation is applied to bytes of the out

put of the Mixed XORAddition layer and the log transformation

to bytes

MixedAdditionXOR Layer Bytes of the output of the non

linear layer are added bytewise mo dulo with bytes of

subkey K Bytes of the output of the nonlinear layer are

i

XORed with bytes of subkey K

i

Pseudo HadamardTransform PHT Layer The transforms PHT in

Figure map the byte pair a a tothebyte pair a a a a

K XOR ADD ADD XOR XOR ADD ADD XOR i

LOG LOG LOG LOG

Ki ADD XOR XOR ADD ADD XOR XOR ADD

PHT PHT PHT PHT

P

H

P

P H

P

H

P

P H

P

H

P

P H

P

H

P

P H

P Hj R

Pq

PHT PHT PHT PHT

P

H

P

P H

P

H

P

P H

P

H

P

P H

P

H

P

P H

P R Hj

Pq

PHT PHT PHT PHT

Figure Encryption Round Structure of SAFER

where addition is mo dulo The eect of the three layers of PHT

transforms on the output v of the Mixed AdditionXOR layer is to map

it to vM where addition is mo dulo and

B C

B C

B C

B C

B C

B C

B C

M B C

B C

B C

B C

B C

B C

A

The output of the PHT layer is the output of the round function

The nal output transformation after r rounds is an application of the

th

Mixed XORAddition Layer with the output of the r round and the subkey

K

r

Decryption using SAFER is carried out by reversing these op erations and

we do not describ e it in detail

Key Scheduling

The key scheduling for SAFER is again byteoriented For SAFER K with

j th th

byte key K letK denote the j byte of K Thej byte of subkey K

i

j

K j is dened by

i

j j

j

i r RO L K B K

i

i i

j

are pre where RO L denotes a left rotation of the byte by n p ositions B

n

i

j

so dened key biases and addition is mo dulo Note that B

K K

For SAFER K the byte key K is split into twobyte halves

th

K K soK K K The j byte of a subkey is dened by

a b a b

j j

j

i r RO L K B K

i

i i

a

j j j

i r RO L K B K

i

i i

b

j

where the key biases B are the same as for SAFER K Encryption under

i

key K K K for SAFER K is identical to encryption under key K

for SAFER K

th

For SAFER K all of the subkey bytes used in the j byte p osition

th

dep end solely on the j byte of the keyFor SAFER K all of the even

th th

K subkey bytes used in the j byte p osition dep end solely on the j byte

i

of the left half of the key and all of the o dd K subkey bytes used in the

i

th th

j byte p osition dep end solely on the j byte of the right half of the key

Thus for SAFER K a byte of the byte key gives subkey bytes that

are all used either in an XOR op eration or an addition op eration but never

b oth We term these twotyp es of key bytes XOR and addition key bytes

The new key schedules for SAFER SK and SAFER SK do mix

e do not describ e them here key bytes W

Algebraic Structure of the PHT Layer

Our comments on and our analysis of SAFER relate primarily to the algebraic

prop erties of the PHT layer An intro duction to the algebra required is given

the ring in The PHT layer is a collection of transformations based on Z

of integers mo dulo Consider the byte message space V Z

of SAFER We can think of V as a mo dule in three equivalentways We

can regard V rstly as a free Z mo dule of rank or secondly as a torsion

Zmo dule that is annihilated byZ or nally as the quotient Zmo dule

Z Z Ineach case the PHT layer is an invertible mo dule homomorphism

V V where has matrix M with resp ect to the standard basis Our

analysis of SAFER is based on the invariant submo dules of V Recall that

a Zsubmo dule U is an invariant Zsubmo dule of V if U U However in

this case is invertible so if U is an invariant submo dule then U U

The invariant Zsubmo dules can b e thought of as those Zsubmo dules that

are preserved bythePHTlayer For example the simplest invariant

n

submo dules are V V the submo dule obtained by considering the

n

least signicant n bits of eachbyte We therefore b egin our analysis of

SAFER with a thorough investigation of invariant submo dules

Consider the dimensional rational vector space V Q and the free

Q

Zmo dule V Z Now can b e regarded as the linear transformation

Z

on V and as the Zmo dule homomorphism on V given by the matrix M

Q Z

Considered as a set emb edded in V as a linear transformation on V xes

Q Q

the subset V Thecharacteristic p olynomial of on V f xDet xI

Z Q

is given by

f X X X X X X X X X

which factorises over the integers as

f X X X X X X X X X

V therefore has the following three minimal invariant subspaces P of di

Q Q

mension Q of dimension and R of dimension These invariant

Q Q

V subspaces are dened by

Q

P kerI

Q

h e e d e e d i

Q kerI

Q

h e d d d d e i

R kerI

Q

h e e e e e e e e i

th

where e denotes the i standard basis vector and d e e e and

i

d e e e Ifwelet B denote the basis for V given ab oveinterms

Q Q

of P Q and R then

Q Q Q

e e d e e d e d d

B

Q

d d e e e e e e e e e

and the change of basis transformation from the standard basis to B is given

Q

by the matrix A with determinant where

C B

C B

C B

C B

C B

C B

C B

A C B

C B

C B

C B

C B

C B

A

V has a direct sum decomp osition as

Q

V P Q R where here denotes direct sum

Q Q Q Q

The V subspaces P Q and R are in fact pairwise orthogonal with resp ect

Q Q Q Q

to the standard inner pro duct on Q The matrix of with resp ect to the

basis B of V is a blo ck diagonal M dened by

Q Q

M

P

B C

M where M

A

Q

M

R

B C

B C

M M and M B C

P Q R

A

Wethus have the following three invariant Zsubmo dules of V as V

Z Z

is xed by as a subset of V

Q

P P V kerI

Z Q Z

h e e d e e d i

Q Q V kerI

Z Q Z

h e d d d d e i

R R V kerI

Z Q Z

h e e e e e e e e i

We can now dene T V as the direct sum of these invariant Z

Z Z

submo dules so

T P Q R where here denotes direct sum

Z Z Z Z

We note that T isaproperZsubmo dule of V as for example d T

Z Z Z

We can use this invariant decomp osition on T to givean invariant

Z

decomp osition on V by using the following lemma

Lemma Lemma Let L be a module over a ring with and

supp ose L is a direct sum L L L of submo dules L L For

t i

P

t

each i let N L andlet N N If is the natural homomorphism

i i i

i

L LN then

L L L

t

L L L

t

N N N

t

Supp ose welet denote the natural Zmo dule homomorphism

V

Z

V V

Z

Z

then gives the natural Zmo dule homomorphism

T

Z

T T

Z

T Z

Z

where T T is a Zsubmo dule of V We apply the ab ove lemma to

Z

the natural Zhomomorphism and the decomp osition T P Q R

Z Z Z Z

Noting that

T Z P Z Q Z R Z

Z Z Z Z

we obtain

T P Q R

Z Z Z Z

T

T Z P Z Q Z R Z

Z Z Z Z

As Z and T are invariant Zsubmo dules can b e welldened as the

Z

induced Zmo dule homomorphism on the quotient Zmo dule T Similarly

the three quotient Zsubmo dules in this decomp osition are invariant

Wethus havefollowing three invariant Zsubmo dules of T

P kerI

h e e d e e d i

Q kerI

h e d d d d e i

R kerI

h e e e e e e e e i

and the following decomp osition of T as the direct sum of invariant Z

submo dules

T P Q R where here denotes direct sum

Both T and V can b e regarded as free Z mo dules of rank with T V

T is freely generated by the basis B where

e e d e e d e d d

B

d d e e e e e e e e e

and V is freely generated by the standard basis The change of basis trans

formation that maps the standard basis to B is given by the matrix A dened

ab ove A is invertible as its determinant is a unit in Z soB is a

basis for V as a free Z mo dule Lemmas Therefore as a free

Z mo dule and hence as a Zmo dule T V

The decomp osition of T as the direct sum of invariant Zsubmo dules

is thus a decomp osition for V and so wehave

V P Q R where here denotes direct sum

Clearly V P Q and R have sizes and resp ectively

In order to nd further invariant Zsubmo dules weregard V as a tor

sion ZX mo dule In this mo dule scalar multiplication of a mo dule element

v byaninteger p olynomial g X an elementof ZX is dened by

v g X v g

that is the image of v under the mo dule homomorphism g The role of

this ZX mo dule in nding invariant submo dules is given by the following

theorem

Theorem U is an invariant Zsubmo dule of V if and only if U is a

ZX submo dule of V

Proof If U is an invariant Zsubmo dule of V thenU U Thus for

any n and

n

n n

X X

i i

U U U

i i

i i

so U g X U for any p olynomial g X Hence U is a ZX submo dule

ConverselyifU is a ZX submo dule then U U soU is an

invariant submo dule

Wethus need to nd the ZX submo dules of the ZX mo dule V For

any ZX submo dule U let

ann U fg X ZX jU g X g

denote the annihilator of U in ZX an ideal in ZX This function gives

an inclusionreversing mapping from the ZX submo dules of V to the ideals

of ZX We can also dene an inclusionreversing mapping from the set of

ideals of ZX totheZX submo dules of V Accordinglyforanyideal I of

ZX let

N I fv V jv I gV

V

denote the null ZX submo dule of V of the ideal I N N and N

P Q R

can b e similarly dened as null submo dules in P Q and RHowever not

every ZX submo dule is the null ZX submo dule of some ideal for exam

ple ZX submo dule f e e gwhichisxedby but is a prop er

ZX submo dule of xed p oint ZX submo dule ker I However any

ZX submo dule U is a ZX submo dule of the null ZX submo dule of its

annihilator so U N ann U We term N annU the minimal null

V V

ZX submo dule containing U The following theorem shows that a null

ZX submo dule can b e decomp osed as a direct sum of null ZX submo dules

of P Q and R

Theorem For any ideal I of ZX

I N I N I N I N

V P Q R

with N I P N I Q and N I R

P Q R

Proof Let n N I N I N I then n can b e written as n

P Q R

p q r where p hX q hX r hX forall hX I Thus

n hX p hX q hX r hX for all hX I so n N I

V

Therefore N I N I N I N I

P Q R V

Conversely supp ose n N I n can b e written as n p q r for

V

some p P q Q and r RFor any hX I

n hX p q r hX p hX q hX r hX

p q r

for some p P q Q and r RasP Q and R are ZX submo dules

However P Q R is a direct sum hence

p q r p hX q hX r hX

and so p N I q N I and r N I As n p q r wehavethat

P Q R

n N I N I N I Therefore N I N I N I N I

P Q R V P Q R

Therefore wehave equalityandwe clearly have a direct sum so

N I N I N I N I

V P Q R

This theorem enables us to nd ZX submo dules of V b ecause any ZX

submo dule is contained in its minimal null ZX submo dule This null ZX

submo dule can b e decomp osed into null ZX submo dules of P Q and RWe

thus consider the ZX submo dules of V P Q and RAny ZX submo dule

U can b e regarded in the natural wayasaZX ann U mo dule We

therefore calculate the following annihilators

A annV A annP A ann Q A ann R

V P Q R

Weknow that

h pX i h X X iA

P

so any elementof A can b e reduced mo dulo h pX i to a p olynomial of

P

the form a a X where a a f g By considering the eect

of mo dule homomorphisms a a on the generators of P as a Zmo dule

we nd the only other generator for A is X Similar calculations

P

give A and A sowehave

Q R

A ann P h X pX i

P

h X X X i

A ann Q h qX i h X X i

Q

A ann Rh X rX i

R

h X X X X X i

By considering the eect of elements of A A on P etc wend

Q R

A ann V h X q X r X X q X r X i

V

h X X X X X X X

X X X X X X X i

If we dene the following quotient rings

Z ZX A Z ZX A Z ZX A Z ZX A

V V P P Q Q R R

then the elements in these rings can b e written as

Z fa a X ja a g

P

Z fa a X ja a g

Q

a X ja a a Z fa a X a X

R

a g

Z fa a X ja a a

V

a a a a g

The rings Z Z Z and Z have sizes and resp ectively

P Q R V

Note that all four of these rings can b e regarded as cyclic mo dules over

themselves

We can thus regard V as a Z mo dule and P Q and R as Z Z

V P Q

and Z mo dules resp ectively By considering the eect of on one of the

R

generators as Zmo dules p q and r of P Q and R resp ectivelywe nd that

P Q and R contain cyclic submo dules generated by one element that are

isomorphic to Z Z and Z as mo dules over themselves resp ectivelyWe

P Q R

denote these cyclic submo dules hpi hq i and hr i resp ectivelyThese

Z Z Z

P Q R

cyclic submo dules can also b e regarded as Zsubmo dules and as suchwe

have the following Zmo dule isomorphisms

hpi hpi P ZMo dule Isomorphism

Z

P

hq i Q ZMo dule Isomorphism

Z

Q

hr i hr i R ZMo dule Isomorphism

Z

R

Thus Q is a cyclic Z mo dule of size The cyclic Z andZ submo dules

Q P R

i are of size and resp ectively These of P and R hpi and hr

Z Z

R P

cyclic submo dules intersect nontriviall y with any other submo dule of P and

R resp ectively P and R contain manysuch cyclic submo dules of these sizes

They are each generated by a single generator of P and R considered as

Zmo dules The submo dules of the cyclic mo dules Z Z and Z over

P Q R

themselves are given by the ideals of Z Z and Z resp ectivelyorequiva

P Q R

lently by ideals in ZX containing A A and A resp ectively Theorem

P Q R

Further analysis of the ideals of the rings can b e conducted by using

the theory of Grobner bases

Wehavegiven a thorough analysis of the invariant Zsubmo dules of V

by considering the equivalent ZX submo dules of V We summarise here the

results of the ZX mo dule analysis in terms of invariant Zsubmo dules

Wehaveshown that V can b e decomp osed as V P Q R where P

Q and R are invariant Zsubmo dules and that any other invariant Z

mo dules is contained in a minimal null Zsubmo dule which decomp oses as

asumof invariant Zsubmo dules of P Q and R The Zsubmo dules P

and R contain certain invariant Zsubmo dules that intersect nontrivially

with any other invariant Zsubmo dule of P and R resp ectfully Further

invariant Zsubmo dules of these Zsubmo dules of P and R and of the

Zsubmo dule Q can b e calculated by considering the ideals of the various

p olynomial quotient rings given ab ove

AMarkov Chain on Quotient Mo dules

Let U be an invariant Zsubmo dule of V We consider the eect of the

th

i round function on the cosets of U in V or equivalently on the quotient

i

Zmo dule VU Supp ose now that an element x V is the round input

i i

y V is the input to the PHT layer and z V is the round output and

i i i

x y and z are the corresp onding cosets of U or elements of VUFor a

U U U

given round subkey K K we can calculate the transition probability

i i

i i

between a coset of U b efore and a coset of U after the jx P y

K K

U U

i i

combined mixed XORaddition nonlinear and mixed additionXOR layers

The eect of the PHT layer or istopermute the cosets of U as U is

invariant For this round subkey K K we can calculate the transition

i i

i i

probability P z jx between the a coset of U b efore and after the

K K

U U

i i

round function of SAFER For this round subkey K K the round

i i

function of SAFER gives a keydep enden t probability transition matrix on

the cosets of U This transition matrix Q is dened by

K K

i i

i i

Q P z jx

k

K K

i i U U

Consider now the SAFER encryption function with r rounds followed by

th

a nal output transformation whichwe regard as the r round Let

i th r

x V b e the input to the i round i r with x as the

i

output Let x i r b e the corresp onding cosets of U or

U

r

elements of VUFor a given key K the sequence x x forms a key

U U

dep endent random pro cess with state space the cosets of U The transition

matrix for this random pro cess Q is dened by

K

r

Q P x jx

K K

U U

The standard cryptographic assumption implicitly used in b oth linear and

dierential cryptanalysis is that for a given key such a random pro cess

dened on a state space of cosets forms a rst order Markovchain In

linear cryptanalysis these are usually cosets of a hyp erplane of the message

space considered as a binary vector space In dierential cryptanalysis

these are usually cosets of

fm mjm M gM M where M is the message space

and these give the characteristics This assumption can b e tested empir

ically Under this assumption we can write the transition matrix Q as a

K

pro duct of transition matrices for eachround Thus if key K gives round

subkeys K K the transition matrix Q is given by

r K

Q Q Q Q Q

K K K K K K K K

r r r

APotential Cryptographic Weakness

Wehave seen that the Zmo dule V can b e written as the direct sum of

invariant Zsubmo dules as V P Q RWe can dene a submo dule S

by

S P Q he d d e i

Sisaninvariant submo dule with V R S We consider how the Markov

chain describ ed in the Section applies to cosets of the submo dule S We

can dene to b e the natural Zmo dule homomorphism

V

V R

S

We can regard the random pro cess on the cosets of S as a random pro cess

on elements of RFor an element v V we write v for this coset of S or

S

st

equivalently elementof RThevalue of v do es not dep end on the and

S

th th

bytes of v as e and e are absent from the basis for R Consider the i

th

round of a SAFER encryption under a given i round subkey K K

i i

i i

Supp ose now that an element x V is the round input y V is the input

i i i i

to the PHT layer and z V is the round output and x y and z are the

S S S

i

thecentral corresp onding cosets of S or elements of RFor a given input x

i

six bytes of the output y of the combined mixed XORaddition nonlinear

st th

and mixed additionXOR layers do not dep end on the and bytes of

i i

the subkeys K and K Thus the distribution of y conditional on x is

i i

S S

i i

constant whenever the central key bytes agree z dep ends only on y as S

S S

i i

is invariant For the given subkey the distribution of z conditional on x

S S

st th

therefore do es not dep end on the and bytes of the subkeys K and

i

K The keydep endent oneround transition matrix on the cosets of S is

i

identical for all subkeys K K that agree on the central six bytes If we

i i

dene to b e the restriction to these central six bytes then the oneround

transition matrix can b e written as

i i

jx Q P z

K K K K

S S

i i i i

Supp ose nowthatwehaveanr round plus nal output transformation

r

SAFER encryption with message m x and ciphertext c x For

agiven key K under the standard cryptographic assumption that sucha

pro cess forms a rst order Markov pro cess the transition matrix b etween

message cosets and ciphertext cosets of S is the pro duct of the round tran

sition matrices Thus

i i

Q P z jx Q Q Q

K K K K K K K

U U r r r

The transition matrix Q therefore dep ends only on the central six bytes

K

of the subkeys K K For SAFER K the key scheduling

r

restricts bytes of K to the same bytes of anysubkeysowehave Q Q

K K

For SAFER K this means that the distribution of c conditional on m

S S

st th

do es not dep end on the and bytes of the key whereas for SAFER K

st th th

the distribution of c conditional on m do es not dep end on the

S S

th

and bytes of the key

For either SAFER K or SAFER K wehave found a halfrank al

gebraic structure R of the messageciphertext space on which the output

distributions do not dep end on a quarter of the key bytes In it is stated

that SAFER was designed in accordance with Shannons principles of con

fusion and diusion for obtaining security in secretkey ciphers Shannons

principle of confusion is to make the relation b etween simple statistics

of ciphertext and simple statistics of the key a very complex and involved

one As there are simple statistics of the output that is its pro jection on

R that do not dep end on a quarter of the key bytes it arguable that SAFER

do es not satisfy the principle of confusion Therefore if there are any col

lections of functions of m whichhave nonnegligibl e correlations with any

S

collections of functions of c thenwehave a reduced key searc h

S

For practical reasons wemay need to concentrate on the least signicant

n bits of eachbyte that is the mo dule V The ab ove reasoning also applies

n

to this mo dule so just by considering the least signicant n bits wemay

still get a reduced key search We note that when we consider as mo dule

homomorphism of V for small nithaseven more structure For example

n

as a mo dule homomorphism of V every submo dule of P is invariantand

R has a submo dule of rank in whichevery submo dule is invariant

There are many similar attacks on SAFER using the invariant Z

submo dule S with dierent timespace complexity tradeos Wedonot

investigate all these attacks to nd the b est one The key schedule has al

ready b een revised in the light of this pap er and The attack b elowis

given solely as an illustration of the typ e of attackitmay b e p ossible to

mount on SAFER using the invariant Zsubmo dule S

We can attempt to exploit the lack of dep endence on certain key bytes

by calculating empirical transition probabilities on cosets of S for plain

textciphertext data Given enough data we can see whichkeydep endent

sets of transition probabiliti es b est agree with the empirical probabilities and

thus nd key information

In order to calculate these transition matrices we need to calculate tran

sition matrices for one round Wenow explain how the comp onents of the

round function aect the transition matrix We rst note that we can write

R as the direct sum of two Zsubmo dules of rank one involving linear com

binations of bytes and the other linear combinations of bytes

Thus wehave

R h e e e e ihe e e e i

In the mixed XORaddition nonlinear and mixed additionXOR phases

SAFER acts indep endently on these two Zsubmo dules of RWe call the set

of cosets on either of these two submo dules halfcosets

Adding a subkey byte corresp onds to p ermuting the cosets of S in V ac

cording to the subkey byte XORing a subkey byte corresp onds to adding

one of a small set of other bytes according to a known distribution that de

p ends on the subkey byte Combining these two op erations into the mixed

X ORaddition or the mixed additionXOR phase we see that either of these

phases gives a transition matrix on the cosets that dep ends on the sub

key The log transforms give transition matrices on eachofthe

halfcosets Wegive some examples b elow Thus the combined eect of

the mixed XORaddition nonlinear and mixed additionXOR layers is to

givekeydep endent transition matrices on the halfcosets These transition

matrices are eectively keydep endentweighted averages of the p ermuted

transition matrix on the halfcosets for the nonlinear layer To obtain the

keydep endent transition matrix for all of the cosets we combine the key

dep endent transition matrices for b oth of the comp onent halfcosets using

an elementbyelement pro duct

The eect of the PHT layer is to p ermute the cosets as S is an invariant

subspace This p ermutation is given by M where

R

B C

B C

M B C

R

A

was given earlier as the blo ck corresp onding to R of the matrix M as a blo ck

matrix Thus we can nd the keydep endent transition matrix for one round

by p ermuting the columns of the keydep endent matrix for the combined

mixed XORaddition nonlinear and mixed additionXOR layers The key

dep endent transition matrix for a numb er of rounds is just the pro duct of

the individual keydep endent oneround transition matrices

Let P m c denote the probability of transition from message class

K S S

m to ciphertext class c under key class K where K K denotes the

S S

relevant or key bytes SAFER K or K P m c is just the

K S S

relevantentry of the transition matrix corresp onding to K Supposewehave

anumb er of messageciphertext pairs and let N m c b e the number of

S S

times message class m and c o ccur For a known plaintext attackwecan

S S

nd the value of K that maximises the loglikeliho o d function

X

m c N m c log P

S S S S K

m c

S S

This is a maximisation over at most or elements For round SAFER

an approximate probability argument using random functions shows that for

a given key class K ab out e of class pairs m c do not o ccur

S S

m c for of class pairs m c Thus for round that is P

S S S S K

SAFER wehave a trivial attackinwhichwe can identify the true key class

with a handful of messageciphertext pairs

The ab ove analysis for SAFER with a realistic numb er of rounds requires

the calculation of vast numb ers of transition matrices In order to

make the calculations more tractable we can consider the least signicant n

bits of every byte that is the mo dule V The general theory given ab ove

n

applies to this mo dule and its relevant submo dules Lo oking at the least

signicant bit gives no information as the transition probabilities through the

nonlinear layer are uniform Vaudenay considered this situation in the

case when the and log functions are replaced by functions that give

nonuniform transition probabilities Thus we consider the least signicant

bits of eachbyte In this case XORing byorisequivalent to adding

or resp ectively and XORing byorisequivalent to adding with

probability one half or with probability one half The transition matrix

for a set of halfcosets of S is J T where J is the matrix

with every entry and T is given in App endix The matrix T is calculated

by considering all values of the three bytes involved in the halfcoset as

are J and J b elow

Whilst these transition probabilities are not uniform they are not non

uniform enough to launch an attack on SAFER with a realistic number of

rounds

When we consider the least signicant bits of eachbyte we obtain the

transition matrix on the halfcosets of J T whereJ is the

matrix with every entry The rst rowofT is given in App endix It

can b e seen that a typical entry of T has absolute size ab out soa typical

entry of the transition matrix diers from the uniform value of by ab out

The least signicant bits in eachbyte give the transition matrix

on the halfcosets of J T where J is the matrix with

every entry The rst rowof T is given in App endix A typical entry

of T has size ab out soatypical entry of the transition matrix diers

from the uniform value of byabout Wehave shown parts of these

two matrices in the App endix to show that even when considering the least

few signicant bits of every byte the transition probabilities of the half

cosets are highly nonuniform Even after allowing for the averaging eect

of XORing key bytes the keydep endent transition matrices for the half

cosets across the mixed XORaddition nonlinear and mixed additionXOR

layers are still highly nonuniform By taking the elementwise pro duct of

transition matrices we obtain keydep endent transition matrices across the

cosets The PHT layer p ermutes the columns of this matrix so we can obtain

oneround keydep endent round transition matrices on the cosets which are

highly nonuniform By taking an appropriate pro duct of such matrices we

can calculate keydep endent transition matrices from the message cosets to

the ciphertext cosets

Given sucient computational p ower we can precompute all suchkey

dep endent transition matrices For a set of messageciphertext pairs we

could use these matrices to calculate the likeliho o ds as given ab ove In prac

tice the keys may naturally o ccur in classes that give approximately equal

transition matrices whichwould reduce the key search In any case the key

search for the attack describ ed ab oveisatworst or bits SAFER K

or K

Other Potential Algebraic Weaknesses

The invariant Zsubmo dules of Section essentially give the cryptanalyst a

metho d for controlling the diusion of SAFER in the PHT layer There are

several ways in whichthismay b e p otentially b e exploited We briey list

some of them

In the Zsubmo dule V or V there are many linear combinations of

bytes that are xed by By analysing howthekey and nonlinear

layers aect these linear combinations either individually or jointlyit

may b e p ossible to nd information ab out the key

has many small cycles In particular on V has order and

on V xes every Zsubmo dule of rank We can analyse the

Zsubmo dules generated bysuch small cycles Those Zsubmo dules

generated by cycles that involve elements of low mo dule weightmay

provide key information

Constructing ane Zmo dule approximations to the log and

XOR functions and relating these to the invariant Zsubmo dules may

givekey information

Further investigation of invariant Zsubmo dules of V In particular it

may b e p ossible to relax the requirement of strict invariance and analyse

probabilistical l y invariant Zsubmo dules for example the central six

bytes he e e e e e i There are manysuch Zsubmo dules which

could givekey information

Dierential analysis based on the invariant Zsubmo dules

In SAFER K wesawabovethatthekey bytes divide into two

typ es the addition key bytes and the XOR key bytes The eect of

adding twokey bytes sequentially is the same as adding one k ey byte

equal to their sum It is therefore p ossible that b ecause of the underly

ing Zmo dule structure the transition probabiliti es would dep end only

on the value of the overall addition of certain addition key bytes This

would give a greatly reduced key search

Conclusions

In this pap er wehavegiven an analysis of the SAFER algorithm based on

the algebraic prop erties of the PHT layer and in particular the invariant Z

submo dules In particular for a given keywehave found a pro jection

of the byte messageciphertext space onto a byte Zsubmo dule so that

the probabilityofany message pro jection giving any ciphertext pro jection is

indep endent of one quarter of the key bytes This gives the real p ossibili ty

of reducing a key searchtoorbytes SAFER K or K Wehave

given an example of one wayinwhichthismay b e exploitable given sucient

computational resources

The key scheduling for SAFER K and SAFER K has b een changed

to give SAFER SK and SK since the original submission of this pap er

and This amongst other things ensures that this pro jection dep ends

on all the key bytes However the main contribution of this pap er is the use

of the invariant Zsubmo dules of the PHT layer to allow the cryptanalyst to

control diusion and the algebraic analysis of these invariant Zsubmo dules

Even with the new key schedule there remains the p ossibili ty of using the

invariant Zsubmo dules of the PHT layer to analyse SAFER

wledgements Ackno

I wish to thank Fred Pip er and Simon Blackburn for some interesting dis

cussions and the referees for their helpful comments

References

TA Berson and LA Knudsen Truncated Dierentials of SAFER In

Fast Software Encryption Third International Workshop Cambridge

pages SpringerVerlag LNCS

E Biham and A Shamir Dierential Cryptanalysis of the Date En

cryption Standard SpringerVerlag

D Cox J Little and D OShea Ideals Varieties and Algorithms

SpringerVerlag

G Grimmett and D Stirzacker Probability and Random Processes

Clarendon

B Hartley and TO Hawkes Rings Modules and Linear AlgebraChap

man and Hall

LA Knudsen A KeySchedule Weakness in SAFER K In Advances

in CryptologyCRYPTO pages SpringerVerlag LNCS

JL Massey SAFER K A ByteOriented Blo ckCiphering Algo

rithm In Fast Software Encryption Proceedings of Cambridge Security

Workshop pages SpringerVerlag LNCS

JL Massey SAFER K One Year Later In Fast SoftwareEn

cryption Second International Workshop Leuven pages

SpringerVerlag LNCS

M Matsui Linear Cryptanalysis Metho d for DES Cipher In Ad

vances in Cryptology EUROCRYPT pages Springer

Verlag LNCS

CE Shannon Communication Theory of Secrecy Systems Bel l System

Technical Journal

S Vaudenay On the need for multip ermutations Cryptanalysis of MD

and SAFER In Fast Software Encryption Second International Work

shop Leuven pages SpringerVerlag LNCS

App endix Matrix T

st

App endix RowofMatrixT

st

App endix RowofMatrixT

Web Analytics