PERFORMANCE EVALUATION OF SAFER K-64 AND S-BOXES OF SAFER FAMILY
Ekrem Aras and Melek D. Yücel
Electrical Engineering Department of Middle East Technical University, 06531 Ankara, Türkiye.
e-mail: [email protected], phone: 312 210 23 47, fax: 312 210 12 61
Abstract − If the characteristics of s-boxes of SAFER family of ciphers are examined for the criteria of strict avalanche, bit independence, and XOR table distribution, experiments show that the “exponentiating” s-box has a weakness for the input difference of 128 (=10000000₂) and the “logarithm-taking” s-box has a weakness for the input difference of 253 (=11111101₂). However, since these experiments are performed by isolating the s-boxes from the general structure, they do not necessarily indicate a weakness of the overall algorithm. We propose a quick and rough test method, called the avalanche weight distribution criterion, to evaluate the overall performance of block ciphers. We then apply this novel criterion and the conventional strict avalanche criterion to SAFER K-64; and show that the algorithm passes both tests successfully despite the specific weaknesses of its isolated s-boxes.
I. INTRODUCTION
Secure And Fast Encryption Routine with a Key of length 64 bits [1] (SAFER K-64) is a
symmetric (one-key) block cipher, which was designed by James L. Massey. SAFER K-64 is
the first designed cipher of the SAFER family of ciphers, which differ only in their key
schedules and in the number of rounds used.
The encryption and decryption blocks of SAFER family of ciphers contain two nonlinear
operations, called the “exponentiating box” and “logarithm-taking box”, which may have
significant effects on the strength of the entire system. If the “exponentiating” and “logarithm-
taking” boxes of SAFER family of ciphers are examined with respect to the criteria of
completeness, avalanche, strict avalanche (SAC) and bit independence (BIC), by considering
them isolated from the general structure of the cipher [2,3,4], experiments show that the
“exponentiating” s-box has a weakness for the input difference of 128 (=10000000₂) and the
“logarithm-taking” s-box has a weakness for the input difference of 253 (corresponding to
11111101₂). However, since these experiments are performed by isolating the boxes from the
general structure, these results do not indicate an overall weakness of the SAFER algorithms.
We propose a quick and rough test method, called the Avalanche Weight Distribution (AWD)
criterion, to evaluate the overall performance of block ciphers [4,5,6]. We then apply this
novel criterion and the conventional strict avalanche criterion to SAFER K-64; and show that
the cryptographic algorithm passes both tests successfully.
In Sec.II, we introduce Avalanche Weight Distribution (AWD) criterion after briefly
discussing the conventional criteria of completeness, avalanche, strict avalanche, bit
independence and X-OR distribution. SAFER K-64 is described and corresponding s-box
results are summarized in Sec.III. The overall round by round performance of SAFER K-64 is
presented in terms of AWD curves in Sec.IV, and with reference to the conventional strict
avalanche criterion in Sec.V. Conclusions are discussed in Sec.VI.
II. CRYPTOGRAPHIC TEST CRITERIA
Ideally, a block cipher should be hard to break, easy to implement, and fast to encrypt. In
1949, Shannon gave the fundamental theory of symmetric (secret-key) cryptosystems [7],
where he presented the principles of diffusion and confusion. Since then, these principles have
become the essential properties that block ciphers must have and methods of achieving good
diffusion and confusion have lain at the heart of block cipher design. Actually both principles
are defined in quite similar forms and try to achieve the same goal: hiding the statistical
To design a cipher according to the principle of diffusion means that one designs it to ensure
that “the statistical structure of plaintext which leads to its redundancy is dissipated into long term statistics” [7]. Lai [8] states the principle of diffusion as follows: “for virtually every key, the encryption function should be such that there is no statistical dependence between simple structures in the plaintext and simple structures in the ciphertext and that there is no simple relation between different encryption functions”. In other words, every bit of the ciphertext
should depend on every bit of the plaintext and every bit of the key, i.e., the effect of changing
one bit in the plaintext or in the key should be sensed on all ciphertext bits. This ensures that
the statistics of the plaintext are dissipated within the ciphertext so that an attacker cannot
predict the plaintext that corresponds to a particular ciphertext, even after observing a number
of similar plaintexts and their corresponding ciphertexts.
To design a cipher according to the principle of confusion means that one designs it so as “to make the relation between the simple statistics of ciphertext and the simple description of key a very complex and involved one” [7]. The principle of confusion is also stated [8] as follows:
the dependence of the key on the plaintext and ciphertext should be so complex that
We first describe the conventional test criteria which can be applied either to the overall
transformation describing a block cipher or to the isolated s-boxes of substitution permutation
networks. We then define our novel criterion of Avalanche Weight Distribution (AWD) which
measures the overall performance roughly but quickly.
II.1. Conventional Test Methods
1) Completeness:
The idea of completeness was introduced by Kam and Davida [9]. If a cryptographic
transformation is complete, then each ciphertext bit must depend on all of the plaintext bits.
Thus, if it were possible to find the simplest Boolean expression for each ciphertext bit in
terms of the plaintext bits, each of those expressions would have to contain all of the plaintext
2) Avalanche Criterion:
The idea of avalanche was introduced by Feistel [10]. For a given transformation to exhibit
the avalanche effect, an average of one half of the output bits should change whenever a single
input bit is complemented. In order to determine whether a given function f : n
the n dimensional binary vector space into itself) satisfies this requirement, 2^n plaintext pairs,
P and Pi, such that P and Pi differ only in bit i (Pi = P ⊕ ei, and ei is the n-bit unit vector with
a one in position i) are used to calculate the 2^n exclusive-or sums, Cd = f (P) ⊕ f (Pi). These
output difference vectors Cd are referred to as avalanche vectors, whose elements are called
avalanche variables. If one half of the avalanche variables are equal to 1 for each i in 1≤ i ≤ n,
then the function f has good avalanche effect.
3) Strict Avalanche Criterion:
The concepts of the completeness and the avalanche effect were combined by Webster and
Tavares [11] to define the Strict Avalanche Criterion (SAC). If a cryptographic function is to
satisfy the strict avalanche criterion, then each output bit should change with a probability of
one half whenever a single input bit is complemented. Consider two input vectors which
differ only in bit i, with the corresponding avalanche vector Cd . f meets the strict avalanche
criterion, if the probability that each bit in the avalanche vector Cd is equal to 1 is one half
over the set of all possible input vectors P and Pi, for all values of i. Therefore, completeness
and avalanche effect are necessary conditions if the strict avalanche criterion is to be met.
In addition, f is said to satisfy Maximum Order Strict Avalanche Criterion (MOSAC) if for all j such that 1≤ j ≤ n, flipping any combination of one or more input bits changes output bit j
Distance to SAC and distance to MOSAC are the measures of the closeness of the cipher
function f , to SAC and MOSAC respectively. We define normalized distance to SAC for the
jth avalanche variable as follows:
{ D j P e all( P, P )
where ei is the n-bit unit vector with a 1 in position i, Pd is the input difference, Cd [j] is the jth avalanche variable of the avalanche vector C d. If SAC is satisfied perfectly, then DSAC [
is 0 for all output bits; and in the worst case normalized distance
Similarly we define normalized distance to MOSAC for the jth avalanche variable as:
Pd = ä }= 1 all (P , P⊕ ä)
where δ is the n-bit binary representation of any integer in [1, 2^n − 1], and the avalanche vector Cd = f (P) ⊕ f (P ⊕ δ ). If MOSAC is satisfied, then D
In the worst case, the normalized distance
4) Bit Independence Criterion:
The idea of Bit Independence Criterion (BIC) was introduced by Webster and Tavares [11].
For a given set of avalanche vectors generated by complementing a single plaintext bit, all
avalanche variables should be pairwise independent. Alternatively, consider two n-bit input
vectors which differ only in bit i, with the corresponding avalanche vector Cd. If f meets the
bit independence criterion, the bits j and k in Cd change independently for all i, j, k (1≤ j, k ≤ n
with j ≠ k). In order to measure the degree of independence between a pair of avalanche
variables, their correlation coefficient ρ (Cd [j],Cd [k]) is calculated. The cryptographic
function f is said to satisfy Maximum Order Bit Independence Criterion (MOBIC) if the same
output bit independence holds whenever any combination of one or more input bits are
The correlation matrix BBIC and the maximum correlation matrix
using the correlation coefficient ρ (Cd [j],Cd [k]) : P = e = ρ C
Similarly, for the criteria of MOBIC, the correlation coefficient is calculated for every pair of
avalanche variables, and correlation and maximum correlation matrices of size nxn are defined
= ä = ρ C
) ( d[j] , d [k]
) = max { BMOBIC( ,
where δ is the n-bit binary representation of any integer in the interval [1, 2^n − 1], and Cd [j] is
the jth avalanche variable of the avalanche vector Cd = f (P) ⊕ f (P ⊕ δ).
5) X-OR Table Distribution
Differential cryptanalysis [13], which is a powerful cryptanalytic attack, requires knowledge
tables of substitution boxes (s-boxes). For an nxn s-box, the X-OR table
has a size of 2^n x 2^n with its rows and columns indexed by 0, 1, 2, …, 2^n − 1. Position [i, j] in
the X-OR table contains the number of input vectors:
{P ∈ {0,1}^n : f (P) ⊕ f (P ⊕ ηi) = ηj}   (9)
such that 0 ≤ i, j ≤ 2^n − 1, and ηi and ηj are n-bit binary representations of indices i and j. P is the
input vector, f (.) corresponds to the cryptographic function of the s-box, and the pair (i, j) is
called an input/output X-OR pair. Differential cryptanalysis exploits such X-OR pairs with
large X-OR table entries. A cipher can be secured against differential cryptanalysis by
selecting s-boxes with low X-OR table entries, ideally 0 or 2 (the only exception is the entry
(0, 0) which has the value of 2^n). The sum of the X-OR table entries on each row is equal to 2^n,
which is the total number of input vector pairs (P, P ⊕ ηi).
II.2. Avalanche Weight Distribution Criterion
We define the “Avalanche Weight Distribution (AWD) curve” as the “histogram of the Hamming weight of the ciphertext difference vector” [4,5,6]. We then propose AWD as a
simple criterion for fast and rough analysis of the diffusion and confusion properties
If the Avalanche Weight Distribution (AWD) criterion measures the diffusion properties of
block ciphers [4] then we state the criterion as follows: Even for quite similar plaintext pairs
(P1, P2), histograms of the Hamming weight of the avalanche vectors should be completely
random. Hence, AWD curves corresponding to all possible pairs of similar inputs should be
binomially distributed around n/2 for a well diffused block cipher of blocklength n.
If the AWD criterion reveals the confusion properties of block ciphers [4] then we state the
criterion as follows: For all pairs of similar secret keys (K1, K2), histograms of the Hamming
weight of the differences of corresponding ciphertext pairs (C1, C2) should be binomially
distributed around n/2 for a well confused block cipher of blocklength n.
III. TEST RESULTS FOR SAFER S-BOXES
Secure And Fast Encryption Routine with a Key of length 64 bits [1] (SAFER K-64)
is a symmetric (one-key) block cipher, which was designed by J. L. Massey. SAFER K-64 is a
byte-oriented block-enciphering algorithm. The block length is 8 bytes (64 bits) for plaintext
and ciphertext; the user-selected key is also 8 bytes (64 bits) in length. SAFER K-64 is the
first designed cipher of the SAFER family of ciphers consisting of SAFER K-64, SAFER K-
128, SAFER SK-64, SAFER SK-128, and SAFER SK-40. The block size of all the ciphers in
the SAFER family is 64 bits, while the key length is 40 or 64 or 128 bits as indicated in the
name of the cipher. The other ciphers in the SAFER family differ from SAFER K-64 only in
their key schedules and in the number of rounds used. The encryption round structure of
SAFER K-64 is shown in Figure 1. The operations labeled “45(.)” and “log45” in Figure 1 are
the “only nonlinear layers” of the cipher and they apply two different “highly nonlinear”
transformations to their inputs. These two operations are called the “exponentiating box” and
“logarithm-taking box”, which can be considered as the s-boxes of SAFER family of ciphers.
They are used both in the encryption and decryption, but in different locations of the round
structures, since the encryption and decryption are slightly different. The s-boxes of SAFER
family of ciphers use the two operations defined by:
• the operation labeled “45(.)” in Figure 1, which maps the byte input j to the byte output
45^j modulo 257 (except that this output is taken to be 0 if the modular result is 256,
• the operation labeled “log45” in Figure 1, which maps the byte input j to the byte output
log45(j) (except that this output is taken to be 128 if the input is j = 0).
Figure 1: Encryption Round Structure of SAFER K-64
The encryption algorithm consists of r rounds of identical transformations that are applied in
sequence to the plaintext, followed by an output transformation, to produce the final
ciphertext. r = 6 is recommended but larger values of r can be used if desired for even greater
security. Each round is controlled by two 8-byte subkeys and the output transformation is
We apply the conventional criteria discussed in Sec.II to SAFER s-boxes and summarize the
III.1. Exponentiating S-Box
1) SAC and MOSAC:
The {DSAC[j] | Pd = ei} curves, given by (1), are depicted in Figure 2.
In the figure there are eight curves corresponding to input differences, e1, …, e8. If those
curves are merged into a single one by (2), the maximum of normalized distance to SAC for
[ j , is found almost the same as the curve
{DSAC[j] | Pd = e1 (= 128)}.
Figure 2: {DSAC[j] | Pd = ei} versus j Curves for the Exponentiating S-box (axes: Normalized Distance to SAC versus Bit Position j of the Avalanche Vector)
The normalized distance to MOSAC values for all possible 255 input differences are calculated
by (3). Instead of drawing all these curves in the same figure, only the D max
by (4), is depicted in Figure 3. Actually, this curve is also nearly the same as the curve
in Figure 2. The only difference is at the 6th avalanche variable and occurs
for the input difference of 137 (=10001001₂).
Figure 3: D max versus j Curve for the Exponentiating S-box (axes: Normalized Distance to MOSAC versus Bit Position j of the Avalanche Vector)
At all other avalanche variables, the maxima occur for the input difference of 128
(=10000000₂). It is observed that normalized distance to MOSAC for all avalanche variables
other than the 6th are considerably high and SAC completely fails at the 7th and 8th avalanche
D(MO)SAC is equal to 1.
2) BIC and MOBIC:
matrices are calculated by (6) and (8) respectively as follows;
As seen from the matrices, the correlation coefficient between the 7th and any other avalanche
variable, and between the 8th and any other avalanche variable is ∞ (actually “undefined”
since the variance of the avalanche variable is 0 for the 7th and 8th bit positions of the
avalanche vector). A search over all correlation matrices defined by (7) shows that these
undefined rows correspond to an input difference of 128. Other values in the
are also quite close to 1, which means that the avalanche variables are highly correlated.
3) X-OR Table Distribution:
The X-OR table is a matrix of size 256x256, whose entries are calculated by (9). If it is
divided into 8 pieces, so that each piece is 32x256, the maximum entry for each piece is as
1st piece: max. entry = 12 for (i, j) = (21, 184)
The maximum entry is 128 for the whole X-OR table and occurs for the position [128, 253],
which means that when Pd = 128₁₀, the avalanche vector Cd = 253₁₀ occurs for 50% of the
overall input pairs since the highest possible value is 2^8 = 256. The X-OR table distribution test
also verifies the previous tests in that the maximum table entry occurs for the input difference
III.2. Logarithm-Taking S-Box
1) SAC and MOSAC:
The {DSAC[j] | Pd = ei} curves, given by (1), are depicted in Figure 4.
In the figure there are eight curves each obtained for one of the eight 8-bit unit vector input
differences, e1, …, e8. It is seen from Figure 4 that normalized distances to SAC for all
avalanche variables are below 0.25, which is quite good. Those curves are merged into a
curve by (2), which takes the maximum of normalized distance to SAC values
for each avalanche variable. However, Dmax
curve is not depicted since (1) gives more
valuable information than (2) will give.
Figure 4: {DSAC[j] | Pd = ei} versus j Curves for the Logarithm-Taking S-box (horizontal axis: Bit Position j of the Avalanche Vector)
The normalized distance to MOSAC values for all possible 255 input differences are calculated
by (3). Because of the difficulty in drawing all these curves, only D max
(4) is depicted in Figure 5. In this figure, the maxima, which are about 0.5, all occur for the
input difference of 253 (=11111101₂) at all avalanche variables; hence, we obtain the same
Figure 5: D max versus j Curve for the Logarithm-Taking S-box (horizontal axis: Bit Position j of the Avalanche Vector)
2) BIC and MOBIC:
matrices are calculated by (6) and (8) respectively as follows;
3) X-OR Table Distribution:
The X-OR table is a matrix of 256 x 256, whose entries are calculated by (9). If it is
divided into 8 pieces, so that each piece is 32 x 256, the maximum entry for each piece is as
The maximum entry is 128 for the whole X-OR table and occurs for the position [253, 128],
which means that when Pd = 253₁₀, the avalanche vector Cd = 128₁₀ occurs for 50% of the
overall input pairs since the highest possible value is 2^8 = 256. The X-OR table distribution test
also verifies the SAC test in that the maximum table entry occurs for the input difference of
253, where SAC test has its maxima.
III.3. Comparison of Exponentiating and Logarithm-Taking Boxes
The exponentiating s-box has a weakness for the input difference of 128 (=10000000₂). In
order to compare the exponentiating s-box and the logarithm-taking s-box better in terms of
curves, given by Figure 3 and Figure 5 are sketched together in Figure 6.
Figure 6: Curves for the Exponentiating and Logarithm-Taking S-boxes (horizontal axis: Bit Position j of the Avalanche Vector)
As seen from the solid curve in Figure 6, none of the avalanche variables obey the
SAC; moreover, it is observed by comparing Figure 6 with Figure 2 that:
for all j, except j = 6. For the input difference of 128,
many of the avalanche variables have large distances to SAC, and D
one for j = 7 and j = 8; since the outputs of the exponentiating box always have the same bit
values in their 7th, and the complement bit values in their 8th bit positions.
For the same reason, the last two rows of
are also quite close to 1, which means that the avalanche variables are highly
correlated, and many of them are the same as the elements of B
given by (5). The X-OR table distribution test also verifies SAC and BIC tests in that the
maximum table entry occurs for the input difference of 128.
The logarithm-taking s-box has a weakness for the input difference of 253 (=11111101₂). The
dashed curve in Figure 6 corresponds to Dmax
[j P
for all j. However, normalized distance to MOSAC for all j is about 0.5, which is better than
the case of exponentiating s-box. Many elements of
entry of the X-OR table also occurs for the input difference of 253, where the SAC test has its
So, the logarithm-taking s-box seems to have a weakness for the input difference of 253
and the exponentiating s-box has a weakness for the input difference of 128.
Finally, we should mention that since the results presented in this section are obtained by
isolating the substitution boxes from the general structure, they don’t indicate an overall
weakness of the SAFER algorithm. The overall performance of a specific algorithm from
SAFER family is investigated by two different criteria in the following two sections.
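Added example (not from the paper): the two s-boxes built from the definitions in Sec. III, with their X-OR tables computed as defined in Sec. II.1 and the number of times each output bit changes for a given input difference. Function names are illustrative, and bit position 1 is taken as the most significant bit, matching 128 = 10000000₂.

```python
def build_sboxes():
    """Return (exp_box, log_box) as 256-entry lists."""
    # 45^j mod 257, with the result 256 stored as the byte 0 (this happens at j = 128).
    exp_box = [pow(45, j, 257) % 256 for j in range(256)]
    # log45 is the inverse map; exp_box[128] == 0 gives log_box[0] == 128.
    log_box = [0] * 256
    for j, v in enumerate(exp_box):
        log_box[v] = j
    return exp_box, log_box


def xor_table(sbox):
    """table[i][j] = number of inputs P with sbox[P] ^ sbox[P ^ i] == j."""
    table = [[0] * 256 for _ in range(256)]
    for i in range(256):
        row = table[i]
        for p in range(256):
            row[sbox[p] ^ sbox[p ^ i]] += 1
    return table


def largest_entries(table):
    """Largest entry over non-zero input differences, and every position holding it."""
    best = max(max(table[i]) for i in range(1, 256))
    where = [(i, j) for i in range(1, 256) for j in range(256) if table[i][j] == best]
    return best, where


def bit_change_counts(sbox, delta):
    """counts[b - 1] = number of the 256 inputs for which output bit b changes
    when the input difference is delta (bit 1 = most significant bit)."""
    counts = [0] * 8
    for p in range(256):
        d = sbox[p] ^ sbox[p ^ delta]
        for b in range(8):
            counts[b] += (d >> (7 - b)) & 1
    return counts


if __name__ == "__main__":
    exp_box, log_box = build_sboxes()
    for name, box, delta in (("exponentiating", exp_box, 128),
                             ("logarithm-taking", log_box, 253)):
        best, where = largest_entries(xor_table(box))
        print(name, "max X-OR table entry:", best, "at [i, j] =", where)
        print("  bit change counts for input difference", delta, ":",
              bit_change_counts(box, delta))
```

Because the logarithm-taking box is the inverse of the exponentiating box, its X-OR table is the transpose of the other, which is why the two maxima sit at mirrored positions.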
IV. AWD CURVES OF SAFER K-64
We use the following test procedure [4] to examine the overall round by round diffusion
properties of SAFER K-64 by the criterion of avalanche weight distribution (AWD):
• A plaintext P is chosen at random and the plaintext Pi is calculated so that the difference
between P and Pi is ei, i.e., Pi = P ⊕ ei and P and Pi differ only in bit i, where ei is a 64-bit
unit vector with a 1 in position i, and i∈ {1, 2, …, 64},
• P and Pi are submitted to r-rounds of SAFER K-64 for encryption under a random key,
• From the resultant ciphertexts C and Ci, the Hamming weight of the avalanche vector: wt(Cd) = wt(C ⊕ Ci) = j is calculated, where j ∈ {0, 1, 2, …, 64},
• The value of the jth element of an avalanche weight distribution array of size 65 is
AWD_array [j] = AWD_array [j] + 1,
• The steps above are repeated 10000 times and the values in the avalanche weight
distribution array are sketched versus its index.
With the help of the test procedure explained above, 64 figures, each corresponding to a
different input difference Pd = ei where i = 1, …, 64, are obtained for 1-round encryption of
SAFER K-64. Some of these curves seem to obey the binomial distribution around a mean
value of 32 and this is what we expect due to the AWD criterion. However, some curves seem
to be far from being binomially distributed. These histograms are unacceptable since after a
single round of encryption the avalanche vectors may have very small Hamming weights such
as 1, 2, 4, 5 and 6. Hence, we concentrate on the worst diffusion curves of the first round and
increase the encryption round number to 2. The resultant curves after 2 rounds of encryption
are depicted in figures 7, 8 and 9 together with the former curves obtained after a single round
Figure 7: AWD Curves of SAFER K-64 for e57 (curves: SAFER K-64 with 1-round encryption and with 2-round encryption; axis: Number of occurrences of wt(Cd))
Figure 8: AWD Curves of SAFER K-64 for e41 (curves: SAFER K-64 with 1-round encryption and with 2-round encryption; axis: Number of occurrences of wt(Cd))
Figure 9: AWD Curves of SAFER K-64 for e49 (curves: SAFER K-64 with 1-round of encryption and with 2-round of encryption; axis: Number of occurrences of wt(Cd))
It is observed from figures 7, 8, and 9 that when the number of encryption rounds is increased
to 2, the desired diffusion is achieved even for the worst AWD curves of the first round.
Moreover, for more than 2 rounds of encryption we did not observe any distortion in the
binomial shape of the AWD curves.
Hence, we conclude that the SAFER K-64 achieves the desired diffusion after at most the
V. AVALANCHE CURVES OF SAFER K-64
We now use the following test procedure to examine the overall round by round
diffusion properties of SAFER K-64, by the conventional criterion of strict avalanche;
• A plaintext P is chosen at random and the plaintext Pi is calculated so that the difference
between P and Pi is ei, i.e., Pi = P ⊕ ei and P and Pi differ only in bit i, where ei is a 64-bit
unit vector with a 1 in position i, and i∈ {1, 2, …, 64},
• P and Pi are submitted to r-rounds of SAFER K-64 for encryption under a random key,
• From the resultant ciphertexts C and Ci, the avalanche vector Cd = (C ⊕ Ci) is calculated,
• The 64 bit avalanche vector is summed up to an avalanche sum array, i.e.,
avalanche_sum_array = avalanche_sum_array + Cd,
• The steps above are repeated 10000 times and the values in the avalanche sum array are
With the help of the test procedure explained above, 64 avalanche curves each corresponding
to an input difference ei where i ∈ {1, 2, …, 64} are obtained for r-round encryption of SAFER
K-64. In figures 10 and 11 we give the worst case examples each showing 3 curves
corresponding to 1-round, 2-round and 6-round encryptions of SAFER K-64.
Figure 10: Avalanche Curves of SAFER K-64 for e2 (curves: SAFER K-64 with 1-round, 2-round and 8-round encryption; axes: Number of changes of avalanche variables versus Avalanche variable)
Figure 11: Avalanche Curves of SAFER K-64 for e32 (curves: SAFER K-64 with 1-round, 2-round and 8-round encryption; axes: Number of changes of avalanche variable versus Avalanche variable)
It is expected due to the strict avalanche criterion that an average of one half of the output bits
should change whenever a single input bit is complemented, i.e., avalanche_sum_array [i] ≈
5000 for all i since the number of trials is 10000.
However, it is observed from figures 10 and 11 that the number of changes is much different
from 5000 for most of the avalanche variables and the strict avalanche criterion completely
fails at some avalanche variables for 1-round encryption of SAFER K-64. It is also observed
that when the number of encryption rounds is increased to 2, the desired diffusion is achieved even
for the worst avalanche variables. Moreover, for 6-rounds of encryption the resultant
avalanche curves are very similar to the curves obtained for 2-rounds of encryption.
Hence, we conclude that the SAFER K-64 achieves the desired diffusion after at most the
second of its six rounds and note that this result is also verified by the tests applied for the
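Added example (not the authors' code): the test procedures of Sec. IV and Sec. V run together on a compact SAFER K-64 implementation, filling both the AWD array and the avalanche sum array from the same trials. The round function and key schedule are written from the published SAFER K-64 description [1], which this page does not reproduce; the fixed seed, the function names and the choice of bit 1 as the most significant bit of byte 1 are assumptions of the example.

```python
import random

# S-boxes as defined in Sec. III: 45^j mod 257 (256 stored as 0) and its inverse.
EXP = [pow(45, j, 257) % 256 for j in range(256)]
LOG = [0] * 256
for _j, _v in enumerate(EXP):
    LOG[_v] = _j

XOR_FIRST = (0, 3, 4, 7)  # bytes 1, 4, 5, 8: XOR subkey, exponentiate, add subkey
PHT_LAYERS = (            # three layers of 2-point pseudo-Hadamard transforms
    ((0, 1), (2, 3), (4, 5), (6, 7)),
    ((0, 2), (4, 6), (1, 3), (5, 7)),
    ((0, 4), (1, 5), (2, 6), (3, 7)),
)


def key_schedule(key, rounds):
    """Subkeys K1..K(2r+1): K1 is the key; each later subkey rotates every
    key byte left by 3 more bits and adds a fixed bias byte."""
    k = list(key)
    subkeys = [k]
    for i in range(2, 2 * rounds + 2):
        k = [((b << 3) | (b >> 5)) & 0xFF for b in k]
        bias = [EXP[EXP[(9 * i + j + 1) % 256]] for j in range(8)]
        subkeys.append([(k[j] + bias[j]) & 0xFF for j in range(8)])
    return subkeys


def encrypt(block, subkeys):
    """r rounds plus the output transformation, r = (len(subkeys) - 1) // 2."""
    rounds = (len(subkeys) - 1) // 2
    x = list(block)
    for r in range(rounds):
        k1, k2 = subkeys[2 * r], subkeys[2 * r + 1]
        for j in range(8):
            if j in XOR_FIRST:
                x[j] = (EXP[x[j] ^ k1[j]] + k2[j]) & 0xFF
            else:
                x[j] = LOG[(x[j] + k1[j]) & 0xFF] ^ k2[j]
        for layer in PHT_LAYERS:
            for p, q in layer:            # (p, q) -> (2p + q, p + q) mod 256
                x[q] = (x[q] + x[p]) & 0xFF
                x[p] = (x[p] + x[q]) & 0xFF
        x = [x[0], x[4], x[1], x[5], x[2], x[6], x[3], x[7]]
    last = subkeys[2 * rounds]
    return bytes((x[j] ^ last[j]) if j in XOR_FIRST else (x[j] + last[j]) & 0xFF
                 for j in range(8))


def flip_bit(block, i):
    """Return P XOR e_i for i in 1..64 (bit 1 = MSB of byte 1, an assumption)."""
    out = bytearray(block)
    out[(i - 1) // 8] ^= 0x80 >> ((i - 1) % 8)
    return bytes(out)


def avalanche_stats(i, rounds, trials=10000, seed=1):
    """Return (AWD_array, avalanche_sum_array) for input difference e_i."""
    rng = random.Random(seed)  # fixed seed so a run can be repeated
    awd, sums = [0] * 65, [0] * 64
    for _ in range(trials):
        p = bytes(rng.randrange(256) for _ in range(8))
        ks = key_schedule(bytes(rng.randrange(256) for _ in range(8)), rounds)
        c, ci = encrypt(p, ks), encrypt(flip_bit(p, i), ks)
        cd = int.from_bytes(c, "big") ^ int.from_bytes(ci, "big")
        awd[bin(cd).count("1")] += 1          # Sec. IV: histogram of wt(Cd)
        for j in range(64):                   # Sec. V: per-bit change counts
            sums[j] += (cd >> (63 - j)) & 1
    return awd, sums


if __name__ == "__main__":
    for r in (1, 2, 6):
        awd, sums = avalanche_stats(57, r, trials=2000)
        mean = sum(w * n for w, n in enumerate(awd)) / 2000
        print(f"rounds={r}: mean wt(Cd)={mean:.2f}, "
              f"bit-change counts min/max={min(sums)}/{max(sums)}")
```

With i = 57 and one round, the last bit of every ciphertext byte changes in every trial, so the avalanche sum array reaches the trial count at those eight positions and no avalanche vector has weight below 8.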
VI. CONCLUSIONS
Characteristics of s-boxes of SAFER family of ciphers in terms of SAC, MOSAC, BIC,
MOBIC and X-OR distributions, and overall diffusion properties of SAFER K-64 in terms of
AWD and SAC are examined. Experiments show that although the logarithm-taking s-box
seems to be more resistive to the attacks than the exponentiating s-box, yet it has a weakness
for the input difference of 253 (=11111101₂) and the exponentiating s-box has a weakness for
the input difference of 128 (=10000000₂).
However, as far as two different criteria such as the quick and rough test method of AWD, and
a more sensitive measure of strict avalanche curves indicate, the overall performance of
SAFER K-64 does not suffer from the weaknesses of its s-boxes and achieves the desired
diffusion after at most the second step of its six rounds. It is still challenging to direct further
work on this subject towards cryptanalysis of SAFER K-64 by making use of the sensitive
inputs of its exponentiating and logarithm-taking boxes.
REFERENCES
1. J. L. Massey, “SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm”, Fast Software Encryption – Proceedings of Cambridge Security Workshop, Cambridge, U.K.,
LNCS 809, pp.1-17, Springer Verlag, 1994.
2. E. Aras and M. D. Yücel, “Examination of Substitution Boxes of SAFER”, Proc. ELECO’99 Int. Conf. on Electrical & Electronics Engineering, Bursa, Türkiye, pp.418-
3. E. Aras and M. D. Yücel, “Some Cryptographic Properties of Exponentiating and
Logarithm-Taking Boxes”, Proc.20’th Biennial Symp. on Communications,
Univ., Kingston, Ontario, Canada, pp.69-73, May 2000.
4. E. Aras, “Analysis of Security Criteria for Block Ciphers”, M.Sc.Thesis, Electrical &
Electronics Eng. Dept. of Middle East Technical University, Ankara, Türkiye, September
5. R. C. Acar, “Cryptographic Test Methods for Block Ciphers”, M.Sc.Thesis, Electrical &
Electronics Eng. Dept. of Middle East Technical University, Ankara, Türkiye, December
6. M. D. Yücel and R. C. Acar, “Comparison of the Block Ciphers DES and IDEA”, Proc. ELECO’99 Int. Conf. on Electrical & Electronics Engineering, Bursa, Türkiye, pp.281-
7. C. E. Shannon, “Communication Theory of Secrecy Systems”, Bell Systems Technical Journal, Vol.28, pp.656-715, 1949.
8. X. Lai, “On the Design and Security of Block Ciphers”, ETH Series in Information Processing, Vol.1, Hartung-Gorre Verlag Konstanz, 1992.
9. J. B. Kam and G. I. Davida, “Structured Design of Substitution-Permutation Encryption
Networks”, IEEE Transactions on Computers, Vol. C-28, No. 10, pp. 747-753, October
10. H. Feistel, “Cryptography and Computer
Scientific American, Vol. 228, No. 5,
11. A. F. Webster and S. E. Tavares, “On the Design of S-
Proc. of CRYPTO’85, Springer Verlag, New York, pp. 523-534, 1986.
12. S. Mister and C. M. Adams, “Practical S-Box Design”, SAC’96 – Third Annual Workshop on Selected Areas in Cryptography, Queen’s Univ., Kingston, Ontario, Canada, pp. 61-76,
13. E. Biham and A. Shamir, “Differential Cryptanalysis of DES-like Cryptosystems”, Journal of Cryptology, Vol.4, No.1, pp.3-72, 1991.