A Generalization of Linear Cryptanalysis Applied to SAFER
It is shown that the cipher SAFER, after only three of the suggested six rounds, is secure against the procedure for finding effective homomorphic I/O sums used in a generalization of linear cryptanalysis.

SAFER is a 64-bit block cipher, introduced by J. L. Massey in 1993 [Mas94]. For this cipher, we will use the convention that bytes, i.e., 8-bit tuples, are numbered from 1 to 8 and their bits from 7 (most significant bit) to 0 (least significant bit). Thus, if X is any eight-byte variable, we will write $X = X_1 X_2 X_3 \ldots X_8$ and, for instance, $X_1 = X_{1,7} X_{1,6} \ldots X_{1,0}$, and sometimes write a tuple in hexadecimal notation by using a typewriter font (e.g., 10000000 = 80). SAFER is an r-round iterated cipher whose round function is defined in Fig. 1. Let X denote the input and Y the output of this round function. The round function consists of a cascade of

1. a byte-wise mixed XOR/Byte-Addition (XOR/ADD) of the 8 input bytes and 8 key bytes, viz., the first part K of the round key (its output is U = XOR/ADD(X, K));
2. a non-linear layer, where each byte is subjected to either the non-linear func
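The following is an added illustration, not code from the paper or from Massey's SAFER implementation. It encodes the byte/bit numbering convention just stated, the XOR/ADD key-mixing layer U = XOR/ADD(X, K), and the two byte permutations of the non-linear layer. The abstract above is cut off before it names those two functions and does not say which bytes are XORed and which are added; the example takes both from the SAFER K-64 specification (Massey, FSE 1993): bytes 1, 4, 5, 8 are XORed with the key and then pass through exp(x) = 45^x mod 257 (with 256 mapped to 0), bytes 2, 3, 6, 7 are added mod 256 and then pass through the inverse table log. The input block and key bytes below are constructed sample values.

```python
"""SAFER K-64 conventions and first two layers of the round function.

Added example (not from the paper). Byte/bit numbering follows the
abstract: bytes 1..8, bits 7 (MSB) .. 0 (LSB). The XOR/ADD pattern and
the exp/log S-boxes follow the SAFER K-64 specification, not this page.
"""

# Which bytes are XORed with the key byte and which are added mod 256
# in the first key-mixing layer (SAFER K-64 spec; assumed, not on the page).
BYTES_XOR = (1, 4, 5, 8)
BYTES_ADD = (2, 3, 6, 7)

# Non-linear layer S-boxes (SAFER K-64 spec). 45 is a primitive root mod 257,
# so x -> 45^x mod 257 is a bijection onto 1..256; mapping 256 -> 0 yields a
# permutation of the byte values 0..255.
EXP = [pow(45, x, 257) % 256 for x in range(256)]
LOG = [0] * 256
for x, y in enumerate(EXP):
    LOG[y] = x


def bit(block, i, j):
    """Return X_{i,j}: bit j (7 = MSB .. 0 = LSB) of byte i (1 .. 8)."""
    if not (1 <= i <= 8 and 0 <= j <= 7):
        raise ValueError("byte index must be 1..8, bit index 0..7")
    return (block[i - 1] >> j) & 1


def to_hex(block):
    """Render an 8-byte tuple in the abstract's hexadecimal notation."""
    return "".join(f"{b:02X}" for b in block)


def xor_add_layer(X, K):
    """U = XOR/ADD(X, K): byte-wise mixed XOR / addition mod 256."""
    if len(X) != 8 or len(K) != 8:
        raise ValueError("SAFER operates on 8-byte blocks and 8-byte subkeys")
    U = []
    for i in range(1, 9):
        x, k = X[i - 1], K[i - 1]
        U.append(x ^ k if i in BYTES_XOR else (x + k) & 0xFF)
    return U


def inv_xor_add_layer(U, K):
    """Inverse of xor_add_layer, used to confirm the layer is a bijection."""
    X = []
    for i in range(1, 9):
        u, k = U[i - 1], K[i - 1]
        X.append(u ^ k if i in BYTES_XOR else (u - k) & 0xFF)
    return X


def nonlinear_layer(U):
    """Apply exp to bytes 1,4,5,8 and log to bytes 2,3,6,7 (SAFER K-64)."""
    return [EXP[u] if i in BYTES_XOR else LOG[u] for i, u in enumerate(U, 1)]


def is_permutation(table):
    """Sanity check a practitioner wants on any S-box: bijective on 0..255."""
    return len(table) == 256 and sorted(table) == list(range(256))


# Constructed sample values (not from the paper).
SAMPLE_X = [0x80, 0x01, 0xFF, 0x10, 0x00, 0x7F, 0x02, 0xAA]
SAMPLE_K = [0x0F, 0x01, 0x01, 0xF0, 0xFF, 0x81, 0xFE, 0x55]

if __name__ == "__main__":
    print("X      =", to_hex(SAMPLE_X))
    print("X_{1,7} =", bit(SAMPLE_X, 1, 7), " X_{8,0} =", bit(SAMPLE_X, 8, 0))
    U = xor_add_layer(SAMPLE_X, SAMPLE_K)
    print("U      =", to_hex(U))
    print("round-trips:", inv_xor_add_layer(U, SAMPLE_K) == SAMPLE_X)
    print("exp/log are permutations:", is_permutation(EXP), is_permutation(LOG))
    print("after non-linear layer:", to_hex(nonlinear_layer(U)))
```

Note that the addition-mod-256 bytes wrap silently (0xFF + 0x01 gives 0x00), which is exactly the non-linearity over GF(2) that the XOR/ADD mixing is meant to introduce; the permutation check guards against an implementation error in the S-box tables, since a non-bijective table would make the round non-invertible.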
[1] Mitsuru Matsui et al. Linear Cryptanalysis Method for DES Cipher, 1994, EUROCRYPT.
[2] James L. Massey et al. SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm, 1993, FSE.
[3] Carlo Harpes et al. A Generalization of Linear Cryptanalysis and the Applicability of Matsui's Piling-Up Lemma, 1995, EUROCRYPT.