                                                               20 November 1995

From: massey@isi.ee.ethz.ch (Prof. James L. Massey)
Subject: SAFER and the NSA


To all who have communicated to me their interest in SAFER:

        I have been informed by a member of the Special Projects Team of
the Ministry of Home Affairs, Singapore, that on p. 341 of the 2nd Edition
of his book, Applied Cryptography, Bruce Schneier has written:  "SAFER was
designed for Cylink, and Cylink is tainted by the NSA [80]. I recommend
years of intense cryptanalysis before using SAFER in any form."  I do not
yet have a copy of that book, but I feel compelled to let you know
immediately the facts in this matter.

        SAFER was indeed designed at the request of CYLINK, as I stated
clearly at the beginning of both papers that I have published on this
cipher [J. L. Massey, "SAFER K-64: A Byte-Oriented Block-Ciphering
Algorithm," in Fast Software Encryption (Ed. R. Anderson), Lecture Notes in
Computer Science No. 809.  New York: Springer, 1994, pp. 1-17 and J. L.
Massey, "SAFER K-64: One Year Later," in Fast Software Encryption (Ed. B.
Preneel), Lecture Notes in Computer Science No. 1008.  New York: Springer,
1995, pp. 212-241.]   The reason for CYLINK's sponsoring this development
is also stated in these papers.

        The only "design criteria" given to me by CYLINK were that the
cipher should be byte oriented to facilitate its implementation on smart
cards and that it should be fast.  Within those guidelines, the design of
SAFER is due entirely to me alone.  I personally developed this cipher
using my PC at my home and I made the cipher as strong as I could make it. 
While designing SAFER, I neither consulted, nor was contacted by, anyone
from the U. S. National Security Agency (NSA).  The only assistance I had
was feedback from a group commissioned by CYLINK to perform the
differential cryptanalysis of my designs, which assistance I clearly stated
in Section 7 of the former paper ["SAFER K-64: A Byte-Oriented
Block-Ciphering Algorithm"] and further acknowledged in Section 8 of the
latter paper ["SAFER K-64: One Year Later"].  More generally, while
designing SAFER, I neither consulted, nor was contacted by, anyone else
from any company or any agency.  

        I called the the original SAFER algorithm "SAFER K-64" to emphasize
that it had a user-selected key of 64 bits.  Later I incorporated the
design of a 128 bit key schedule that was proposed to me by the Special
Projects Team of the Ministry of Home Affairs, Singapore to obtain "SAFER
K-128" that was announced in Section 2 of the latter paper ["SAFER K-64:
One Year Later"].  The intent of the Special Projects Team of the Ministry
of Home Affairs, Singapore, was to strengthen the cipher, an intention that
I was glad to accomodate.

        In my e-mail announcement of 5 Sept. 1995 (revised slightly on 15
Sept. 1995 because of a programming glitch), I reported on two weaknesses
in SAFER that had been found by Lars Knudsen and by Sean Murphy.  I had
already mentioned Knudsen's attack on hashing with SAFER in Section 7 of
the latter paper ["SAFER K-64: One Year Later"].  Both of these weaknesses
stemmed from the fact that, in the key schedules for both SAFER K-64 and
SAFER K-128, a user-selected key byte affects only the byte in the
corresponding position in all round keys.  Knudsen proposed an innovative
new key schedule that not only avoids this byte stationarity but has other
nice properties as well.  In my e-mail announcement of 5 Sept. 1995
(revised on 15 Sept. 1995), I adopted Knudsen's key schedule in a new
version of SAFER that I called "SAFER SK-64" (where SK stands for
Strengthened Key).  I also modified the key schedule for SAFER K-128
correspondingly and announced "SAFER SK-128."  In an e-mail message dated
22 October 1995, I announced "SAFER SK-40", a version of SAFER with a 40
bit user-selected key.  I developed this key schedule primarily as a result
of my visit to Cylink one month earlier during which some people there had
expressed their interest in such a key length because of various export
regulations.  I made SAFER SK-40 as secure as I possibly could for this
restricted key size and I know of no attack on it that is faster than
exhaustive key search.

        The above is a true and complete account of the development of
SAFER.  I am prepared at any time to take an oath as to its veracity. 
Unfortunately, this is probably not enough to undo the damage to the
reputation of SAFER caused by Bruce Schneier's insinuation that SAFER may
be "tainted" in some way by some connection to the NSA.  Bruce Schneier did
not inform me that he was making such a statement in his new edition
(although I contributed all the information that I then had about SAFER to
him at his request when he was preparing this new edition), which would
have given me at least the opportunity to deny the insinuation.  In my
opinion, the publication of such an insinuation is irresponsible as there
is no way that the affected parties can PROVE that the insinuation is
false.  The responsible way to criticize a proposed cipher is to
demonstrate its weaknesses, not to suggest with no evidence that some
devious person may have built difficult-to-find weaknesses into it.  To the
best of my knowledge, SAFER SK-64, SAFER SK-128 and SAFER SK-40 are very
strong ciphers for their key lengths, and the older SAFER K-64 and SAFER
K-128 are also strong, if not quite so good as the newer versions.

                                        Sincerely, James L. Massey


