NAME
     safer - encryption and decryption using SAFER

SYNOPSIS
     safer
          [ -e | -d ] [ -ecb | -cbc | -cfb | -ofb ]
          ( -k keyString | -kx keyHexString )
          [ -r nofRounds ] [ -v ]
          [ inputFile [ outputFile ] ]

     safer
          [ -h | -hc ] [ -tan | -abr ]
          [ -k keyString | -kx keyHexString ]
          [ -r nofRounds ] [ -v ]
          [ inputFile [ [ outputFile ] hashvalFile ]

DESCRIPTION
     Safer reads inputFile and writes the encrypted or  decrypted
     data  to outputFile or writes the hash value to hashvalFile.
     If a file name is not given in command line, safer uses  the
     standard  input  or output.  If the input file name is given
     as '-', safer reads from the standard input.

     SAFER K-64 [1] and SAFER K-128 [2] (Secure And Fast  Encryp-
     tion  Routine with a user-selected Key of length 64 bits and
     128 bits, respectively) are block ciphers developed by Prof.
     J.L.  Massey  at  the Swiss Federal Institute of Technology.
     The ciphers differ only in the length of  the  user-selected
     key.  For  encryption  or decryption the length of the user-
     selected key (keyString or  keyHexString)  determines  which
     cipher is used. For hashing SAFER K-128 is always used.

OPTIONS
     -e   Encryption (default).

     -d   Decryption.

     -k   The key is  specified with keyString.  If the length of
          keyString  is  less  than  10  characters, keyString is
          interpreted as a 64-bit key,  otherwise  as  a  128-bit
          key.

     -kx  The key is  specified with keyHexString.  If the length
          of  keyHexString  is  less  than 17 hex digits, keyHex-
          String is interpreted as a 64-bit key, otherwise  as  a
          128-bit  key.  For the modes -cbc, -cfb and -ofb, it is
          possible to specify an initial value denoted  by  y[0].
          In  this  case  the  key  and  the  initial  value  are
          separated by a colon, e.g. '1234:9A'.

     -r   nofRounds  defines the number of iterations for encryp-
          tion  or  decryption  (the larger nofRounds the greater
          the security). Default values are 6  rounds  for  SAFER
          K-64 and 10 rounds for SAFER K-128.

     -h   Compute a 128-bit hash  value from the input data.  The
          hash  value is written to hashvalFile (or standard out-
          put).

     -hc  Compute a 128-bit hash  value from the input data.  The
          input  is copied to outputFile (or standard output) and
          the hash value is written to hashvalFile  (or  standard
          error).

     -v   Verbose mode.  The selected parameters are  written  to
          standard error.

     Notation:
          z            = 64-bit or 128-bit key
          x[i]         = i-th 64-bit plaintext block (i = 1..L+1)
          y[i]         = i-th  64-bit  ciphertext  block   (i   =
                         1..L+1)
          x[1]..x[L]   = actual plaintext (last block  is  filled
                         with zeros)
          x[L+1]       = length of actual plaintext in bits
          x[1]..x[L+1] = plaintext
          y[1]..y[L+1] = ciphertext
          <a, b>       = 128-bit block  composed  of  two  64-bit
                         blocks
          E(z, .)      = encryption function under the key z
          D(z, .)      = decryption function, x = D(z, E(z, x))
          ^            = bit-by-bit exclisive-OR
          ~            = bit-by-bit complement

     Encryption / Decryption Modes:

     -ecb electronic code book mode
          y[i] = E(z, x[i])
          x[i] = D(z, y[i])

     -cbc cipher block chaining mode (default)
          y[i] = E(z, x[i] ^ y[i-1])
          x[i] = D(z, y[i]) ^ y[i-1]

     -cfb ciphertext feedback mode
          y[i] = x[i] ^ E(z, y[i-1])
          x[i] = y[i] ^ E(z, y[i-1])

     -ofb output feedback mode
          h[i] = E(z, h[i-1])
          y[i] = x[i] ^ h[i]
          x[i] = y[i] ^ h[i]

     Hash Functions:
          If no key is given, safer uses the all zero key.
          <h[0], g[0]> = z
          hash value = <h[L+1], g[L+1]>

     -tan tandem Davies-Meyer scheme (default)
          w[i] = E(<g[i-1], x[i]>, h[i-1])
          h[i] = h[i-1] ^ w[i]
          g[i] = g[i-1] ^ E(<x[i], w[i]>, g[i-1])

     -abr abreast Davies-Meyer scheme
          h[i] = h[i-1] ^ E(<g[i-1], x[i]>, h[i-1])
          g[i] = g[i-1] ^ E(<x[i], h[i-1]>, ~g[i-1])

     Key Formats:
          keyHexString  =  z:y[0]  =  {  '0'..'9'  |  'a'..'f'  |
          'A'..'F' | ':' }
          keyString = z = { ' '..'~' }

EXAMPLES
     To encrypt and decrypt a file in ciphertext feedback mode:

          safer -e -cfb -kx 123456:cDd7 data data.cr
          safer -d -cfb -kx 123456:cDd7 data.cr data.ori
          data and data.ori are identical

     To compute the hash value:

          safer -h data

     To compute the hash value and encrypt the data in one step:

          safer -hck "k e y" data | safer -kx 12E3 - data.cr

PATENT
     "Although our design of SAFER K-64 was sponsored  by  Cylink
     Corporation  (Sunnyvale,  CA,  USA),  Cylink  has explicitly
     relinquished any proprietary rights to this algorithm.  This
     largesse  on the part of Cylink was motivated by the reason-
     ing that the company would gain more from new business  than
     it  would  lose from competition should many new users adopt
     this publicly available cipher.  SAFER  K-64  has  not  been
     patented  and, to the best of our knowledge, is free for use
     by anyone without fees of any kind and with no violation  of
     any rights of ownership, intellectual or otherwise." [2]

REFERENCES
     [1]  Massey,  J.L.,  "SAFER  K-64:  A  Byte-Oriented   Block
          Ciphering Algorithm", pp. 1-17 in Fast Software Encryp-
          tion (Ed. R. Anderson), Proceedings  of  the  Cambridge
          Security  Workshop,  Cambridge,  U.K., Dec. 9-11, 1993,
          Lecture Notes in Computer Science No. 809.   Heidelberg
          and New York: Springer, 1994.

     [2]  Massey, J.L., "SAFER K-64: One Year Later", preliminary
          manuscript  of  a  paper  presented at the K. U. Leuven
          Workshop on Cryptographic Algorithms, Dec. 14-16, 1994.
          To  be published in the Proceedings of this workshop by
          Springer.

AUTHOR
     Richard De Moliner (demoliner@isi.ee.ethz.ch)
     Signal and Information Processing Laboratory
     Swiss Federal Institute of Technology
     CH-8092 Zurich, Switzerland

BUGS
     This program is at most as strong as SAFER  itself.  So,  we
     urge  the user to use this program only after he has assured
     himself that SAFER is strong enough  AND  he  has  read  the
     source  code  of  this  program and its libraries AND he has
     compiled the program himself with a troyan-free compiler. WE
     DO  NOT  GUARANTEE  THAT THIS PROGRAM IS A SECURE ENCRYPTION
     PROGRAM.
