AN ANALYSIS OF SAFER Sean Murphy Information SecurityGroupRoyal Holloway University of London Egham Surrey TW EX UK July Abstract Weinvestigate some of the algebraic prop erties of the SAFER blo ck cipher when the message space is considered as a Zmo dule In particular we consider the invariant Zsubmo dules of the PHT layer and showhowtheseinvariant Zsubmo dules give p otential crypto graphic weaknesses Key Words Blo ck cipher SAFER Cryptanalysis Invariant Zsubmo dules The author acknowledges the supp ort of the Nueld Foundation Intro duction SAFER K is a blo ck cipher that was intro duced by Massey at the Cambridge SecurityWorkshop on Fast Software Encryption It op erates on bit blo cks under the control of a bit key It is a byteoriented cipher in that all the basic encryption op erations are on bytes or pairs of bytes At the Leuven Workshop on Cryptographic Algorithms Massey presented a pap er whichsurveyed the rst years research on SAFER K and dened SAFER K which is SAFER with a bit key In this pap er weinvestigate certain algebraic prop erties of the SAFER blo ck cipher and showhow these prop erties are a p otential source of cryptographic weaknesses Following the original submission of this pap er and a related key attack byKnudsen in mid revised blo ck ciphers SAFER SK and SAFER SK were prop osed These dier from the original SAFER K blo ck ciphers only by using the new key schedule prop osed byKnudsen There is also an analysis of SAFER based on truncated dierentials and an analysis that considers a revised SAFER encryption algorithm with a dierent nonlinear layer Each round of SAFER contains only one op eration that mixes message bytes the PHT layer which exists to provide diusion This PHT layer is a Zmo dule homomorphism on the message space Our analysis concentrates on the Zsubmo dules of the message space that are preserved by the PHT lay er that is the invariant Zsubmo dules These invariant Zsubmo dules and their cosets are not diused by the PHT layer and so provide a metho d for the cryptanalyst to cop e with the diusion in SAFER in a variety of attacks whatever the key schedule This is the main result of this pap er However the original key schedule of SAFER K did not mix key bytes This allowed us to nd a pro jection onto a particular byte invariant Zsubmo dule that do es not dep end on a quarter of the key under standard cryptographic assumptions We b egin this pap er by giving a description of SAFER and the original key schedule of SAFER K In Section wegive a description of the invariant Zsubmo dules of the PHT layer and in Section we showhow these invariant Zsubmo dules can b e used to construct a Markovchain on cosets In Section we showhow the original key schedule of SAFER K gave rise to the prop erty describ ed ab ove and in Section we give some other ways in whichtheinvariant Zsubmo dules of the PHT could b e used for cryptanalysis We nish with some conclusions Description of SAFER SAFER is a blo ck cipher that op erates on bit blo cks considered as bytes It consists of a round transformation iterated r times followed bya nal output transformation Recommended values of r are for SAFER K and for SAFER K The keyscheduling describ ed b elow gives r byte subkeys K K Subkeys K and K are used in r i i round i and the subkey K is used in the output transformation A r th diagram of the round function is given in Figure The i round function is built from four basic op erations MixedXORAddition Layer Bytes of the round input are XORed with bytes ofsubkey K Bytes ofthe i round input are added bytewise mo dulo with bytes of subkey K i x x Nonlinear Layer For a byte x is dened to b e mo dulo where x is regarded as a number x with the convention that As is prime and is a primitive element mo dulo this is an invertible function of a byte and log is dened to b e its inverse The transformation is applied to bytes of the out put of the Mixed XORAddition layer and the log transformation to bytes MixedAdditionXOR Layer Bytes of the output of the non linear layer are added bytewise mo dulo with bytes of subkey K Bytes of the output of the nonlinear layer are i XORed with bytes of subkey K i Pseudo HadamardTransform PHT Layer The transforms PHT in Figure map the byte pair a a tothebyte pair a a a a K XOR ADD ADD XOR XOR ADD ADD XOR i LOG LOG LOG LOG Ki ADD XOR XOR ADD ADD XOR XOR ADD PHT PHT PHT PHT P H P P H P H P P H P H P P H P H P P H P Hj R Pq PHT PHT PHT PHT P H P P H P H P P H P H P P H P H P P H P R Hj Pq PHT PHT PHT PHT Figure Encryption Round Structure of SAFER where addition is mo dulo The eect of the three layers of PHT transforms on the output v of the Mixed AdditionXOR layer is to map it to vM where addition is mo dulo and B C B C B C B C B C B C B C M B C B C B C B C B C B C A The output of the PHT layer is the output of the round function The nal output transformation after r rounds is an application of the th Mixed XORAddition Layer with the output of the r round and the subkey K r Decryption using SAFER is carried out by reversing these op erations and we do not describ e it in detail Key Scheduling The key scheduling for SAFER is again byteoriented For SAFER K with j th th byte key K letK denote the j byte of K Thej byte of subkey K i j K j is dened by i j j j i r RO L K B K i i i j are pre where RO L denotes a left rotation of the byte by n p ositions B n i j so dened key biases and addition is mo dulo Note that B K K For SAFER K the byte key K is split into twobyte halves th K K soK K K The j byte of a subkey is dened by a b a b j j j i r RO L K B K i i i a j j j i r RO L K B K i i i b j where the key biases B are the same as for SAFER K Encryption under i key K K K for SAFER K is identical to encryption under key K for SAFER K th For SAFER K all of the subkey bytes used in the j byte p osition th dep end solely on the j byte of the keyFor SAFER K all of the even th th K subkey bytes used in the j byte p osition dep end solely on the j byte i of the left half of the key and all of the o dd K subkey bytes used in the i th th j byte p osition dep end solely on the j byte of the right half of the key Thus for SAFER K a byte of the byte key gives subkey bytes that are all used either in an XOR op eration or an addition op eration but never b oth We term these twotyp es of key bytes XOR and addition key bytes The new key schedules for SAFER SK and SAFER SK do mix e do not describ e them here key bytes W Algebraic Structure of the PHT Layer Our comments on and our analysis of SAFER relate primarily to the algebraic prop erties of the PHT layer An intro duction to the algebra required is given the ring in The PHT layer is a collection of transformations based on Z of integers mo dulo Consider the byte message space V Z of SAFER We can think of V as a mo dule in three equivalentways We can regard V rstly as a free Z mo dule of rank or secondly as a torsion Zmo dule that is annihilated byZ or nally as the quotient Zmo dule Z Z Ineach case the PHT layer is an invertible mo dule homomorphism V V where has matrix M with resp ect to the standard basis Our analysis of SAFER is based on the invariant submo dules of V Recall that a Zsubmo dule U is an invariant Zsubmo dule of V if U U However in this case is invertible so if U is an invariant submo dule then U U The invariant Zsubmo dules can b e thought of as those Zsubmo dules that are preserved bythePHTlayer For example the simplest invariant n submo dules are V V the submo dule obtained by considering the n least signicant n bits of eachbyte We therefore b egin our analysis of SAFER with a thorough investigation of invariant submo dules Consider the dimensional rational vector space V Q and the free Q Zmo dule V Z Now can b e regarded as the linear transformation Z on V and as the Zmo dule homomorphism on V given by the matrix M Q Z Considered as a set emb edded in V as a linear transformation on V xes Q Q the subset V Thecharacteristic p olynomial of on V f xDet xI Z Q is given by f X X X X X X X X X which factorises over the integers as f X X X X X X X X X V therefore has the following three minimal invariant subspaces P of di Q Q mension Q of dimension and R of dimension These invariant Q Q V subspaces are dened by Q P kerI Q h e e d e e d i Q kerI Q h e d d d d e i R kerI Q h e e e e e e e e i th where e denotes the i standard basis vector and d e e e and i d e e e Ifwelet B denote the basis for V given ab oveinterms Q Q of P Q and R then Q Q Q e e d e e d e d d B Q d d e e e e e e e e e and the change of basis transformation from the standard basis to B is given Q by the matrix A with determinant where C B C B C B C B C B C B C B A C B C B C B C B C B C B A V has a direct sum decomp osition as Q V P Q R where here denotes direct sum Q Q Q Q The V subspaces P Q and R are in fact pairwise orthogonal with resp ect Q Q Q Q to the standard inner pro duct on Q The matrix of with resp ect to the basis B of V is a blo ck diagonal M dened by Q Q M P B C M where M A Q M R