If the characteristics of s-boxes of the SAFER family of ciphers are examined for the criteria of strict avalanche, bit independence, and XOR table distribution, experiments show that the \exponentiating" s-box has a weakness for an input dierence of 128 (=10000000 2) and the \logarithm-taking" s-box has a weakness for an input dierence of 253 (=111111012). However, since these experiments are performed by isolating the s-boxes from the general structure, they do not necessarily indicate a weakness in the overall algorithm. We propose a quick and rough test method, called the avalanche weight distribution criterion, to evaluate the overall performance of block ciphers. We then apply this novel criterion and the conventional strict avalanche criterion to SAFER K-64, and show that the algorithm passes both tests successfully despite the specic weaknesses of its isolated s-boxes.
[1]
Claude E. Shannon,et al.
Communication theory of secrecy systems
,
1949,
Bell Syst. Tech. J..
[2]
Eli Biham,et al.
Differential cryptanalysis of DES-like cryptosystems
,
1990,
Journal of Cryptology.
[3]
Stafford E. Tavares,et al.
On the Design of S-Boxes
,
1985,
CRYPTO.
[4]
John B. Kam,et al.
Structured Design of Substitution-Permutation Encryption Networks
,
1979,
IEEE Transactions on Computers.
[5]
Xuejia Lai,et al.
On the design and security of block ciphers
,
1992
.
[6]
James L. Massey,et al.
SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm
,
1993,
FSE.
[7]
Serge Mister,et al.
Practical S-Box Design
,
1996
.
[8]
H. Feistel.
Cryptography and Computer Privacy
,
1973
.