## A Key-schedule Weakness in SAFER K-64 (1995)

Venue: Advances in Cryptology, Proceedings Crypto'95, LNCS 963

Citations: 19 - 8 self

### BibTeX

@INPROCEEDINGS{Knudsen95akey-schedule,

author = {Lars R. Knudsen and To About},

title = {A Key-schedule Weakness in SAFER K-64},

booktitle = {Advances in Cryptology, Proceedings Crypto'95, LNCS 963},

year = {1995},

pages = {274--286},

publisher = {Springer-Verlag}

}

### Abstract

In this paper we analyse SAFER K-64 and show a weakness in the key schedule. It has the effect that for almost every key K, there exists at least one different key K , such that for many plaintexts the outputs after 6 rounds of encryption are equal. The output transformation causes the ciphertexts to differ in one of the 8 bytes. Also, the same types of keys encrypt even more pairs of plaintexts different in one byte to ciphertexts different only in the same byte. This enables us to do a related-key chosen plaintext attack on SAFER K-64, which finds 8 bits of the key requiring from $2^{44}$ to about $2^{47}$ chosen plaintexts. While our observations may have no greater impact on the security of SAFER K-64 when used for encryption in practice, it greatly reduces the security of the algorithm when used in hashing modes, which is illustrated. We give collisions for the well-known secure hash modes using a block cipher. Also we give a suggestion of how to improve the key schedule, such th...

### Citations

160 | New Types of Cryptanalytic Attacks Using Related Keys
- Biham
- 1994
Citation Context: ...of collisions from Theorem 4 are given in the section about collisions of hash functions. We can use Theorem 4 to establish a related-key attack on SAFER. 3.1 A Related-key Chosen Plaintext Attack In [3, 4, 1] new attacks based on related keys were introduced. In this section we apply the principles of these attacks and introduce a chosen plaintext attack on SAFER. Assume we have access to two oracles, one...

125 | On the Design and Security of Block Ciphers
- Lai
- 1992
Citation Context: ...lying block cipher has no weaknesses, free-start preimage attacks and free-start collision attacks have time complexities $2^m$ and $2^{m/2}$ encryptions, respectively, of the underlying m-bit block cipher [5, 8]. In a free-start attack the attacker is free to choose the initial values. Using SAFER as the underlying block cipher it is possible to find both free-start and fixed-start collisions with a complexi...

111 | Analysis and Design of Cryptographic Hash Functions
- Preneel
- 1993
Citation Context: .... There are essentially 12 secure single block length hash functions, which by a linear transformation of the inputs to one round of the hash function can be transformed into only 2 different schemes [8, 9]: $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1}$ (4), $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1} \oplus M_i$ (5). The first scheme is known as the Davies-Meyer scheme. These schemes are believed to be secure, in t...

47 | SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm
- Massey
- 1994
Citation Context: ...ive collisions for the well-known secure hash modes using a block cipher. Also we give a suggestion of how to improve the key schedule, such that our attacks are no longer possible. 1 Introduction In [6] a new encryption algorithm, SAFER K-64, hereafter denoted SAFER, was proposed. Both the block and the key size is 64. The algorithm is an iterated cipher, such that encryption is done by iteratively ...

44 | A generalization of linear cryptanalysis and the applicability of Matsui's piling-up lemma
- Harpes, Kramer, et al.
- 1995
Citation Context: ...d to produce the ciphertext. For SAFER the suggested number of rounds is 6. Strong evidence has been given that SAFER is secure against differential cryptanalysis [7] and against linear cryptanalysis [2]. In [11] it was shown that by replacing the S-boxes in SAFER by random permutations, about 6% of the resulting ciphers can be broken faster than by exhaustive search. In this paper we analyse SAFER a...

34 | On the Need for Multipermutations: Cryptanalysis of MD4
- Vaudenay
- 1995
Citation Context: ...duce the ciphertext. For SAFER the suggested number of rounds is 6. Strong evidence has been given that SAFER is secure against differential cryptanalysis [7] and against linear cryptanalysis [2]. In [11] it was shown that by replacing the S-boxes in SAFER by random permutations, about 6% of the resulting ciphers can be broken faster than by exhaustive search. In this paper we analyse SAFER and show a...

32 | Cryptanalysis of LOKI91
- Knudsen
- 1992
Citation Context: ...of collisions from Theorem 4 are given in the section about collisions of hash functions. We can use Theorem 4 to establish a related-key attack on SAFER. 3.1 A Related-key Chosen Plaintext Attack In [3, 4, 1] new attacks based on related keys were introduced. In this section we apply the principles of these attacks and introduce a chosen plaintext attack on SAFER. Assume we have access to two oracles, one...

27 | Block ciphers - Analysis, Design and Applications
- Knudsen
- 1994
Citation Context: ...of collisions from Theorem 4 are given in the section about collisions of hash functions. We can use Theorem 4 to establish a related-key attack on SAFER. 3.1 A Related-key Chosen Plaintext Attack In [3, 4, 1] new attacks based on related keys were introduced. In this section we apply the principles of these attacks and introduce a chosen plaintext attack on SAFER. Assume we have access to two oracles, one...

11 | How easy is collision search? Application to DES
- Quisquater, Delescaille
- 1990
Citation Context: ...ncryptions. Two keys encrypting a plaintext into the same ciphertext is called a "key-collision" in the literature and in [10] a brute-force key-collision attack on the DES was given, which can be applied to any block cipher. Given a plaintext P the method finds two keys for which the two encryptions of P are equal and requi... [Author footnote: Postdoctoral researcher sponsored by the Danish Technical Research Council.]

4 | SAFER K-64: One year later
- 1995
Citation Context: ...ly an output transformation is applied to produce the ciphertext. For SAFER the suggested number of rounds is 6. Strong evidence has been given that SAFER is secure against differential cryptanalysis [7] and against linear cryptanalysis [2]. In [11] it was shown that by replacing the S-boxes in SAFER by random permutations, about 6% of the resulting ciphers can be broken faster than by exhaustive sea...

4 | Hash Functions Based on Block Ciphers: A Synthetic Approach
- 1993
Citation Context: .... There are essentially 12 secure single block length hash functions, which by a linear transformation of the inputs to one round of the hash function can be transformed into only 2 different schemes [8, 9]: $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1}$ (4), $H_i = E_{M_i}(H_{i-1}) \oplus H_{i-1} \oplus M_i$ (5). The first scheme is known as the Davies-Meyer scheme. These schemes are believed to be secure, in t...