NAME
     safer - encryption and decryption using SAFER

SYNOPSIS
     safer
          [ -e | -d ] [ -ecb | -cbc | -cfb | -ofb ]
          ( -k keyString | -kx keyHexString )
          [ -r nofRounds ] [ -s ] [ -v ]
          [ inputFile [ outputFile ] ]

     safer
          [ -h | -hc ] [ -tan | -abr ]
          [ -k keyString | -kx keyHexString ]
          [ -r nofRounds ] [ -s ] [ -v ]
          [ inputFile [ [ outputFile ] hashvalFile ]

DESCRIPTION
     Safer reads inputFile and writes the encrypted or  decrypted
     data  to outputFile or writes the hash value to hashvalFile.
     If a file name is not given in command line, safer uses  the
     standard  input  or output.  If the input file name is given
     as '-', safer reads from the standard input.
 
     SAFER [1] (Secure And Fast Encryption Routine)  is  a  block
     cipher  developed  by Prof. J.L. Massey at the Swiss Federal
     Institute of Technology.  There exist four versions of  this
     algorithm,  namely:  SAFER  K-64 [1], SAFER K-128 [2], SAFER
     SK-64 [3] and SAFER SK-128 [3].  The  numerals  64  and  128
     stand  for  the  length of the user-selected key, 'K' stands
     for the original  key  schedule  and  'SK'  stands  for  the
     strengthened key schedule (in which some of the "weaknesses"
     of the original key schedule have been removed).

OPTIONS
     -e   Encryption (default).

     -d   Decryption.

     -k   The key is  specified with keyString.  If the length of
          keyString  is  less  than  10  characters, keyString is
          interpreted as a 64-bit key,  otherwise  as  a  128-bit
          key.

     -kx  The key is  specified with keyHexString.  If the length
          of  keyHexString  is  less  than 17 hex digits, keyHex-
          String is interpreted as a 64-bit key, otherwise  as  a
          128-bit  key.  For the modes -cbc, -cfb and -ofb, it is
          possible to specify an initial value denoted  by  y[0].
          In  this  case  the  key  and  the  initial  value  are
          separated by a colon, e.g. '1234:9A'.

     -r   nofRounds gives the number of rounds  in the encryption
          (resp.  decryption)  process.   Default  values  are  6
          rounds for SAFER K-64, 8 rounds for SAFER SK-64 and  10
          rounds for SAFER K-128 and SAFER SK-128.

     -s   The strengthened key schedule contained in SAFER  SK-64
          or  SAFER  SK-128  is used, instead of the original key
          schedule contained in SAFER K-64 or SAFER K-128.

     -h   Compute a 128-bit hash  value from the input data.  The
          hash  value is written to hashvalFile (or standard out-
          put).

     -hc  Compute a 128-bit hash  value from the input data.  The
          input  is copied to outputFile (or standard output) and
          the hash value is written to hashvalFile  (or  standard
          error).

     -v   Verbose mode.  The selected parameters are  written  to
          standard error.

     Notation:
          z            = 64-bit or 128-bit key
          x[i]         = i-th 64-bit plaintext block (i = 1..L+1)
          y[i]         = i-th  64-bit  ciphertext  block   (i   =
                         1..L+1)
          x[1]..x[L]   = actual plaintext (last block  is  filled
                         with zeros)
          x[L+1]       = length of actual plaintext in bits
          x[1]..x[L+1] = plaintext
          y[1]..y[L+1] = ciphertext
          <a, b>       = 128-bit block  composed  of  two  64-bit
                         blocks
          E(z, .)      = encryption function under the key z
          D(z, .)      = decryption function, x = D(z, E(z, x))
          ^            = bit-by-bit exclisive-OR
          ~            = bit-by-bit complement

     Encryption / Decryption Modes:

     -ecb electronic code book mode
          y[i] = E(z, x[i])
          x[i] = D(z, y[i])

     -cbc cipher block chaining mode (default)
          y[i] = E(z, x[i] ^ y[i-1])
          x[i] = D(z, y[i]) ^ y[i-1]

     -cfb ciphertext feedback mode
          y[i] = x[i] ^ E(z, y[i-1])
          x[i] = y[i] ^ E(z, y[i-1])

     -ofb output feedback mode
          h[i] = E(z, h[i-1])
          y[i] = x[i] ^ h[i]
          x[i] = y[i] ^ h[i]

     Hash Functions:
          If no key is given, safer uses the all zero key.
          <h[0], g[0]> = z
          hash value = <h[L+1], g[L+1]>

     -tan tandem Davies-Meyer scheme (default)
          w[i] = E(<g[i-1], x[i]>, h[i-1])
          h[i] = h[i-1] ^ w[i]
          g[i] = g[i-1] ^ E(<x[i], w[i]>, g[i-1])

     -abr abreast Davies-Meyer scheme
          h[i] = h[i-1] ^ E(<g[i-1], x[i]>, h[i-1])
          g[i] = g[i-1] ^ E(<x[i], h[i-1]>, ~g[i-1])

     Key Formats:
          keyHexString  =  z:y[0]  =  {  '0'..'9'  |  'a'..'f'  |
          'A'..'F' | ':' }
          keyString = z = { ' '..'~' }

EXAMPLES
     To encrypt and decrypt a file in ciphertext feedback mode:

          safer -e -cfb -kx 123456:cDd7 data data.cr
          safer -d -cfb -kx 123456:cDd7 data.cr data.ori
          data and data.ori are identical

     To compute the hash value:

          safer -h data

     To compute the hash value and encrypt the data in one step:

          safer -hck "k e y" data | safer -kx 12E3 - data.cr

PATENT
     "Although our design of SAFER K-64 was sponsored  by  Cylink
     Corporation  (Sunnyvale,  CA,  USA),  Cylink  has explicitly
     relinquished any proprietary rights to this algorithm.  This
     largesse  on the part of Cylink was motivated by the reason-
     ing that the company would gain more from new business  than
     it  would  lose from competition should many new users adopt
     this publicly available cipher.  SAFER  K-64  has  not  been
     patented  and, to the best of our knowledge, is free for use
     by anyone without fees of any kind and with no violation  of
     any rights of ownership, intellectual or otherwise." [2]

REFERENCES
     [1]  Massey,  J.L.,  "SAFER  K-64:  A  Byte-Oriented   Block
          Ciphering Algorithm", pp. 1-17 in Fast Software Encryp-
          tion (Ed. R. Anderson), Proceedings  of  the  Cambridge
          Security  Workshop,  Cambridge,  U.K., Dec. 9-11, 1993,
          Lecture Notes in Computer Science No. 809.   Heidelberg
          and New York: Springer, 1994.

     [2]  Massey, J.L., "SAFER K-64: One Year Later", preliminary
          manuscript  of  a  paper  presented at the K. U. Leuven
          Workshop on Cryptographic Algorithms, Dec. 14-16, 1994.
          To  be published in the Proceedings of this workshop by
          Springer.

     [3]  Massey,  J.L.,  "Announcement  of  a  Strengthened  Key
          Schedule  for  the  Cipher  SAFER", Sept. 9, 1995, (see
          file 'SAFER_SK.TXT' on distribution).

AUTHOR
     Richard De Moliner (demoliner@isi.ee.ethz.ch)
     Signal and Information Processing Laboratory
     Swiss Federal Institute of Technology
     CH-8092 Zurich, Switzerland

BUGS
     This program is at most as strong as SAFER  itself.  So,  we
     urge  the user to use this program only after he has assured
     himself that SAFER is strong enough  AND  he  has  read  the
     source  code  of  this  program and its libraries AND he has
     compiled the program himself with a troyan-free compiler. WE
     DO  NOT  GUARANTEE  THAT THIS PROGRAM IS A SECURE ENCRYPTION
     PROGRAM.
