Начиная с начала 2000 года осуществляется внедрение GHIS в здравоохранении, в рамках принятого проекта о реформирование информ


Mathematical Problems of Computer Science 42, 97-106, 2014. 

 
 

Design and Cryptanalysis of a New Encryption Algorithm 
SAFER-256  

 
Gurgen H. Khachatrian, Melsik K. Kyureghyan and Knarik M. Kyuregyan 

 
American University of Armenia 

Institute for Informatics and Automation Problems of  NAS RA 
e-mail: gurgenkh@aua.am, melsik@ipia.sci.am, knarikyuregyan@gmail.com 

 
 

Abstract 
 

In this paper a new encryption algorithm of SAFER family named SAFER-256 
is introduced. SAFER-256 is a 256 bit size block cipher with a 256 bit size user-
selected key. Security of the new algorithm against differential analysis attack is 
also presented. 

Keywords: Cipher, Round, Shuffling, Encryption, Decryption, Differential 
cryptanalysis, Effective weight. 

 
 
1. Introduction 

SAFER+ is one of the block ciphers of SAFER family proposed by Prof. James Massey together 
with Prof. Gurgen  Khachatrian and Dr. Melsik  Kureghyan. It is a 128 bit block size encryption 
algorithm with three different user-selected-key lengths, namely 128, 192 and 256. SAFER+ was 
submitted as a candidate for the Advanced Encryption Standard (AES) [2] and was subsequently 
adopted for use in the challenge/response entity authentication scheme in the Bluetooth protocol 
for wireless communications [5]. In this paper we propose a new 256 bit size block cipher named 
SAFER-256 with a 256 bit size user-selected-key. The structure of this algorithm is built based 
on the modified algorithm of SAFER+. The reason of presenting a new cipher is twofold. Firstly 
almost all existing and well known ciphers are 128 bit block ciphers and although they have 
options for the key size of 256 bits they do not really provide 256 bit security because of 
collision attacks on 128 bit block size which is not the case when the block size is 256. Secondly  
as we will show later in the paper the proceesing speed for the new cipher will be the same 
compared with analogous modifyied SAFER+ algorithm. 
The paper is organized as follows: In section 2 an algorithm specification for  SAFER-256 is 

given, section 3 represents results of differential anylsis for SAFER-256, section 4 is 
implementation aspects of SAFER-256 and the conclusion of the paper is in section 5.  
 
 
2. SAFER-256 Algorithm Specification   

 
SAFER-256 is a 256 bit block cipher. In Fig. 1 the encryption structure of the SAFER-256 

algorithm is introduced. The 32-byte plaintext block passes through 𝑟𝑟 = 6 rounds of encryption 
 

97 
 

mailto:gurgenkh@aua.am,%20melsik@ipia.sci.am,%20knarikyuregyan@gmail.com


Design and Cryptanalysis of a New Encryption Algorithm SAFER-256  
 

98 

for 256 bit key. In each round of encryption two subkeys are used. These round subkeys 
(𝐾𝐾1, 𝐾𝐾2, … , 𝐾𝐾2𝑟𝑟+1) are determined from the user-selected key 𝐾𝐾 according to the key schedule of 
SAFER+ [2]. The last subkey 𝐾𝐾2𝑟𝑟+1 is “added” to the block produced by the 𝑟𝑟 rounds of 
encryption in the manner that the bytes 1, 2, 3, 4, 9, 10, 11, 12, 17,18, 19, 20, 25, 26, 27, 28 are 
added together bit-by-bit modulo two (the bitwise “exclusive-or” operation) while the bytes 
5, 6, 7, 8, 13, 14, 15, 16, 21, 22, 23, 24, 29, 30, 31, 32 are added together modulo 256 (“byte 
addition”). This “addition” of round subkey 𝐾𝐾2𝑟𝑟+1 constitutes the output transformation for 
encryption and produces the ciphertext block of 32-bytes. 

The input for decryption is the ciphertext block of 32-bytes. The decryption begins with the 
input transformation that undoes the output transformation in the encryption process. At first the 
round subkey 𝐾𝐾2𝑟𝑟+1 is ”subtracted” from the ciphertext block in the manner that the round 
subkey bytes 1, 2, 3, 4, 9, 10, 11, 12, 17,18, 19, 20, 25, 26, 27, 28  are added together bit-by-bit 
modulo two to the corresponding ciphertext bytes  while the round subkey bytes 5, 6, 7, 8, 13, 14,
15, 16, 21, 22, 23, 24, 29, 30, 31, 32 are subtracted modulo 256 from the corresponding 
ciphertext bytes. The result of this “subtraction” is the same 32-byte block as was produced from 
the 𝑟𝑟 rounds of encryption before the output transformation was applied. This block then passes 
through the 𝑟𝑟 rounds of decryption, the round 𝑖𝑖 of which undoes the round 𝑟𝑟 − 𝑖𝑖 + 1 of 
encryption, where  𝑖𝑖 = 1,2, … , 𝑟𝑟. After the round 𝑟𝑟 we obtain a plaintext block. Note that the 
round keys for decryption are the same as those for encryption but are used in reverse order. 
 
 
2.1 SAFER-256 Encryption Round 

The SAFER-256 round schema is given in Fig. 2. The first operation within the round   𝑖𝑖,
1 ≤ 𝑖𝑖 ≤ 𝑟𝑟, is the “addition” of the round subkey  𝐾𝐾2𝑖𝑖−1  to the 16-byte round input in the manner 
that the bytes 1, 2, 3, 4, 9, 10, 11, 12, 17,18, 19, 20, 25, 26, 27, 28 are added together bit-by-bit 
modulo two while the bytes 5, 6, 7, 8, 13, 14, 15, 16, 21, 22, 23, 24, 29, 30, 31, 32  are added 
together modulo 256. The  32-byte result of this “addition” is then processed by a nonlinear 
layer in the manner that the value 𝑥𝑥 of byte 𝑗𝑗 is converted to 45𝑥𝑥𝑚𝑚𝑚𝑚𝑚𝑚 257 for bytes 𝑗𝑗 =
1, 2, 3, 4, 9, 10, 11, 12, 17,18, 19, 20, 25, 26, 27, 28  (with the convention that when 𝑥𝑥 = 128, 
then 45128𝑚𝑚𝑚𝑚𝑚𝑚 257 = 256 is represented by 0), while the value  𝑥𝑥 of byte 𝑗𝑗 is converted to 
log45 𝑥𝑥 for bytes 𝑗𝑗 = 5, 6, 7, 8, 13, 14, 15, 16, 21, 22, 23, 24, 29, 30, 31, 32 (with the convention 
that when 𝑥𝑥 = 0, then the output log45 0 is represented by 128). The round key 𝐾𝐾2𝑖𝑖 is then 
“added” to the output of the nonlinear layer in the manner that the bytes 5, 6, 7, 8, 13, 14, 15, 16,
21, 22, 23, 24, 29, 30, 31, 32 are added together bit-by-bit modulo two, while the bytes 1, 2, 3, 4,
9, 10, 11,12, 17,18, 19, 20, 25, 26, 27, 28  are added together modulo 256. The 16-byte result of 
this “addition” 
 
𝑥𝑥 = [𝑥𝑥1, 𝑥𝑥2, 𝑥𝑥3, 𝑥𝑥4, 𝑥𝑥5, 𝑥𝑥6, 𝑥𝑥7, 𝑥𝑥8, 𝑥𝑥9, 𝑥𝑥10, 𝑥𝑥11, 𝑥𝑥12, 𝑥𝑥13, 𝑥𝑥14, 𝑥𝑥15, 𝑥𝑥16, 𝑥𝑥17, 𝑥𝑥18, 𝑥𝑥19, 𝑥𝑥20, 𝑥𝑥21, 𝑥𝑥22,

𝑥𝑥23, 𝑥𝑥24, 𝑥𝑥25, 𝑥𝑥26, 𝑥𝑥27, 𝑥𝑥28, 𝑥𝑥29, 𝑥𝑥30, 𝑥𝑥31, 𝑥𝑥32]
 

 
is then postmultiplied by the matrix 𝑀𝑀 modulo 256 to give the 32-byte round output 
 
𝑦𝑦 = [𝑦𝑦1, 𝑦𝑦2, 𝑦𝑦3, 𝑦𝑦4, 𝑦𝑦5, 𝑦𝑦6, 𝑦𝑦7, 𝑦𝑦8, 𝑦𝑦9, 𝑦𝑦10, 𝑦𝑦11, 𝑦𝑦12, 𝑦𝑦13, 𝑦𝑦14, 𝑦𝑦15, 𝑦𝑦16, 𝑦𝑦17, 𝑦𝑦18, 𝑦𝑦19, 𝑦𝑦20, 𝑦𝑦21, 𝑦𝑦22,

𝑦𝑦23, 𝑦𝑦24, 𝑦𝑦25, 𝑦𝑦26, 𝑦𝑦27, 𝑦𝑦28, 𝑦𝑦29, 𝑦𝑦30, 𝑦𝑦31, 𝑦𝑦32],
 

 
in the manner  
 

𝑦𝑦 = 𝑥𝑥𝑀𝑀, 



G. Khachatrian, M. Kyureghyan and  K. Kyuregyan 99 

where 𝑀𝑀 is the 32×32 matrix in Fig. 3. 
 
𝑦𝑦2 = 8𝑥𝑥1 +  2𝑥𝑥2 + 2𝑥𝑥3 + 4𝑥𝑥4 + 2𝑥𝑥5 + 2𝑥𝑥6 + 4𝑥𝑥7 + 2𝑥𝑥8 + 2𝑥𝑥9 + 4𝑥𝑥10 + 4𝑥𝑥11 + 𝑥𝑥12 + 𝑥𝑥13

+ 8𝑥𝑥14 + 16𝑥𝑥15 + 𝑥𝑥16+𝑥𝑥17 + 𝑥𝑥18 + 𝑥𝑥19 + 𝑥𝑥20 + 4𝑥𝑥21 + 2𝑥𝑥22+4𝑥𝑥23 + 2𝑥𝑥24
+ 𝑥𝑥25 + 𝑥𝑥26 + 𝑥𝑥27 + 𝑥𝑥28 + 2𝑥𝑥29 + 𝑥𝑥30 + 2𝑥𝑥31 + 𝑥𝑥32, 

 
(where the arithmetic is modulo 256) as follows from the second column of the matrix 𝑀𝑀.  
Multiplication by matrix M provides the liner layer  of the round that is four times “shuffling” 
+”2-PHT" operations. Shuffling is the coordinate permutation [25, 28, 29, 32, 17, 20, 21, 24, 13, 
16,  9, 12, 5, 8, 1, 4, 3, 2, 7, 6, 11, 10, 15, 14, 27, 26, 31, 30, 19, 18, 23, 22] and 2-PHT is 
Pseudo-Hadamrd matrix  �2 1

1 1
�, that has as an input 2 bytes (𝑎𝑎1, 𝑎𝑎2) and as an output (2𝑎𝑎1 +

𝑎𝑎2, 𝑎𝑎1 + 𝑎𝑎2)  2-bytes over the ring of integers modulo 256 (all operations are modulo 256).  
 
 
2.2 SAFER-256 Decryption Round 

In the decryption round of SAFER-256 simply invert in reverse order the operations from 
the encryption round. Thus, the first operation in the decryption round is to postmultiply the 32-
byte round input   
 
𝑦𝑦 = [𝑦𝑦1, 𝑦𝑦2, 𝑦𝑦3, 𝑦𝑦4, 𝑦𝑦5, 𝑦𝑦6, 𝑦𝑦7, 𝑦𝑦8, 𝑦𝑦9, 𝑦𝑦10, 𝑦𝑦11, 𝑦𝑦12, 𝑦𝑦13, 𝑦𝑦14, 𝑦𝑦15, 𝑦𝑦16, 𝑦𝑦17, 𝑦𝑦18, 𝑦𝑦19, 𝑦𝑦20, 𝑦𝑦21, 𝑦𝑦22,

𝑦𝑦23, 𝑦𝑦24, 𝑦𝑦25, 𝑦𝑦26, 𝑦𝑦27, 𝑦𝑦28, 𝑦𝑦29, 𝑦𝑦30, 𝑦𝑦31, 𝑦𝑦32]
 

 
by the matrix 𝑀𝑀−1, which is modulo 256 inverse of 𝑀𝑀, to give the 32-byte result 
 
𝑥𝑥 = [𝑥𝑥1, 𝑥𝑥2, 𝑥𝑥3, 𝑥𝑥4, 𝑥𝑥5, 𝑥𝑥6, 𝑥𝑥7, 𝑥𝑥8, 𝑥𝑥9, 𝑥𝑥10, 𝑥𝑥11, 𝑥𝑥12, 𝑥𝑥13, 𝑥𝑥14, 𝑥𝑥15, 𝑥𝑥16, 𝑥𝑥17, 𝑥𝑥18, 𝑥𝑥19, 𝑥𝑥20, 𝑥𝑥21, 𝑥𝑥22,

𝑥𝑥23, 𝑥𝑥24, 𝑥𝑥25, 𝑥𝑥26, 𝑥𝑥27, 𝑥𝑥28, 𝑥𝑥29, 𝑥𝑥30, 𝑥𝑥31, 𝑥𝑥32]
 

 
in the manner 
 

𝑥𝑥 = 𝑦𝑦𝑀𝑀−1, 
 

where matrix 𝑀𝑀−1 is the 32×32 matrix in Fig. 4. 
For instance, these operations give 
 
𝑥𝑥10 = −2𝑦𝑦1 + 2𝑦𝑦2 − 𝑦𝑦3 + 𝑦𝑦4 − 4𝑦𝑦5 + 4𝑦𝑦6−4𝑦𝑦7 + 8𝑦𝑦8 − 16𝑦𝑦9 + 32𝑦𝑦10 − 𝑦𝑦11 + 𝑦𝑦12

− 𝑦𝑦13+𝑦𝑦14−2𝑦𝑦15 + 2𝑦𝑦16 − 4𝑦𝑦17 + 8𝑦𝑦18 − 2𝑦𝑦19 + 4𝑦𝑦20 − 𝑦𝑦21 + 2𝑦𝑦22−8𝑦𝑦23
+ 8𝑦𝑦24 − 2𝑦𝑦25 + 4𝑦𝑦26 − 𝑦𝑦27 + 2𝑦𝑦28 − 4𝑦𝑦29 + 8𝑦𝑦30 − 2𝑦𝑦31 + 2𝑦𝑦32. 

 
The round subkey 𝐾𝐾2𝑟𝑟−2𝑖𝑖+2 is then “subtracted” from 𝑥𝑥 in the manner that the round subkey 
bytes 1, 2, 3, 4, 9, 10, 11, 12, 17,18, 19, 20, 25, 26, 27, 28  are subtracted modulo 256 from the 
corresponding bytes of 𝑥𝑥 while the round subkey bytes 5, 6, 7, 8, 13, 14, 15, 16, 21, 22, 23, 24,
29, 30, 31, 32 are added bit-by-bit modulo 2 to the corresponding bytes of 𝑥𝑥. Then the 16-byte 
result of this “subtraction” is then processed nonlinearly in the manner that the value 𝑥𝑥 of byte 𝑗𝑗 
is converted to log45 𝑥𝑥 for bytes 𝑗𝑗 = 1, 2, 3, 4, 9, 10, 11, 12, 17,18, 19, 20, 25, 26, 27, 28  (again 
with the convention that when 𝑥𝑥 = 0, then the output log45 0 is represented by 128), while the 
value 𝑥𝑥 of byte 𝑗𝑗 is converted to 45𝑥𝑥𝑚𝑚𝑚𝑚𝑚𝑚 257 for bytes 𝑗𝑗 = 5, 6, 7, 8, 13, 14, 15, 16, 21, 22,
23, 24, 29, 30, 31, 32 (again with the convention that when 𝑥𝑥 = 128, then 45128𝑚𝑚𝑚𝑚𝑚𝑚 257 =



Design and Cryptanalysis of a New Encryption Algorithm SAFER-256  
 

100 

256 is represented by 0). The round key 𝐾𝐾2𝑟𝑟−2𝑖𝑖+1 is then “subtracted” from the 16-byte result in 
the manner that the round subkey bytes 1, 2, 3, 4, 9, 10, 11, 12, 17,18, 19, 20, 25, 26, 27, 28  are 
added bit-by-bit modulo 2 to the corresponding input bytes while the round subkey bytes 
5, 6, 7, 8, 13, 14, 15, 16, 21, 22, 23, 24, 29, 30, 31, 32 are subtracted modulo 256 from the 
corresponding input bytes to obtain the 32-byte round output. 
 
 
3. Differential Cryptanalysis 
 

The attack by differential cryptanalysis on an 𝑟𝑟-round cipher relies on being able to find a 
(𝑟𝑟 − 1) round differential whose probability is substantially less than the average probability of 
such a differential, which is 1

2256−1
≈ 2−256 for a 32-byte block length. We have analyzed all  the 

possible “highly probable” 5-round differential chains by [1] and have found that their 
probabilities are substantially less than  2−256. These results imply that SAFER-256 is secure 
against differential cryptanalysis only after 𝑟𝑟 = 6 rounds in the sense that the attack by 
differential cryptanalysis is as difficult as the exhaustive key search for the 256 bit key. 

The purpose of the linear transform layer is to provide SAFER-256 with diffusion, i.e., to 
ensure that small changes in round inputs cause large changes in round outputs. If 𝑣𝑣 denotes a 
vector of 32 bytes, we will write 𝑊𝑊(𝑣𝑣) for the (Hamming) weight of 𝑣𝑣, i.e., for the number of its 
nonzero bytes. Because the linear transform layer performs a linear operation over the ring of 
integers modulo 256 and because “differences” can be taken conveniently as byte differences 
modulo 256 at the output of the nonlinear layer in Fig. 2, the diffusion in SAFER256 is well 
measured by how well the linear transform layer converts low weight inputs into high weight 
outputs  𝑣𝑣𝑀𝑀.  

It’s easy to see that cryptographic properties of SAFER-256 depends on the chosen 
permutation of coordinates and its interaction with matrices 𝑀𝑀 in Fig. 3.  
 𝑉𝑉1[5,11,19,32](𝑎𝑎, −𝑎𝑎, 4𝑎𝑎, −8𝑎𝑎) (4(1) →)will denote the 1-parametr set of all weight 4 
byte vectors 𝑣𝑣 that are nonzero only in bytes 5, 11, 19, 32 where their values are 𝑎𝑎, −𝑎𝑎, 4𝑎𝑎, −8𝑎𝑎, 
respectively, and where the parameter 𝑎𝑎 satisfies 𝑎𝑎 ∈ {0,32, −32,64, −64,128} as is required for 
𝑣𝑣 to have weight 4. 𝑉𝑉0[7,8,9](128,64,45) (3(0) →) will denote the 0-parameter set containing a 
single vector of weight 3 with values 128, 64, 45 in bytes 7, 8, 9, respectively. 

We define the effective weight of a difference chain to be the sum of the weights of the 
vectors in the chain minus the sum of the number of parameters in the chain.  

The reason for introducing the effective weight of a chain is the following. There are not 
more than 28 choices for each parameter and, hence, the probability of difference chain with t 
parameters is at most 28𝑡𝑡 times that of a characteristic with vectors of the same weight. 
Moreover, 2−8 is essentially the average probability of a transition for a specified nonzero byte 
difference to another specified nonzero byte difference so that when the vectors in the 
characteristic have total weight 𝑤𝑤, then the characteristic has probability roughly 2−8𝑤𝑤. Hence, 
the probability of the difference chain can be roughly estimated as 28𝑡𝑡 ∙ 2−8𝑤𝑤 = 2−8(𝑤𝑤−𝑡𝑡), where 
𝑤𝑤 − 𝑡𝑡 is the effective weight. In the first round for which the transitions have probability 2−5, all 
the byte transition probabilities will be less than  2−7. Thus, for any difference chain 𝐶𝐶 with five 
or more rounds we can be confident that the probability 𝑃𝑃(𝐶𝐶) of 𝐶𝐶 satisfies  

 
2−7𝑊𝑊𝑒𝑒𝑒𝑒𝑒𝑒(𝐶𝐶), 

 
where 𝑊𝑊𝑒𝑒𝑒𝑒𝑒𝑒(𝐶𝐶) is the effective weight of 𝐶𝐶 [3]. 
 



G. Khachatrian, M. Kyureghyan and  K. Kyuregyan 101 

The following minimal effective weight differential chains were found: 
 
A differential chain with the effective weight 43 having the weight/parameters chain 
5(0) → 2(1) → 24(1) → 6(0) → 6(1), 
4(0) → 3(1) → 20(1) → 10(0) → 6(1). 
 
A differential chain with the effective weight 44 having the weight/parameters chain 
2(0) → 5(1) → 24(1) → 7(0) → 6(1), 
2(0) → 4(1) → 24(1) → 7(0) → 7(1), 
3(0) → 3(1) → 25(1) → 6(0) → 7(1). 
 
A differential chain with the effective weight 45 having the weight/parameters chain 
6(0) → 3(1) → 22(1) → 7(0) → 7(1). 
 
A differential chain with the effective weight 46 having the weight/parameters chain 
6(0) → 2(1) → 24(1) → 7(0) → 7(1). 
 
 
4. Implementation aspects 

Differential analysis has shown that new encryption algorithm SAFER-256 based on the 
structure of SAFER+ is secure after only 7 rounds. Due to structural modifications  we have 
made possible to reduce the required rounds down to 6 and still be secure against differential 
cryptanalysis attack. 

We have implemented 128 bit block cipher and 256 bit cipher in case of 256 bit user selected 
key and have obtained that 128 bit block cipher implementation time is approximately the same 
compared with  256 bit block cipher implementation time. However SAFER-256 is much more 
secure compared with 128-bit cipher against other types of attacks for example against collision 
attack as was mentioned in the introduction.  
 
 
5. Conclusion 

In this paper a new algorithm called SAFER-256 is introduced. It was shown that the 
presented cipher is secure against differential cryptanalysis attack after only six rounds and as a 
result has approximately the same processing speed compared with analogous cipher with 128 
bit block length. Thus the new cipher provides the same security level against differential 
cryptanlysis attack, while having much higher level of security against other possible types of 
attack due to larger block length . 
 
 



Design and Cryptanalysis of a New Encryption Algorithm SAFER-256  
 

102 

 



G. Khachatrian, M. Kyureghyan and  K. Kyuregyan 103 

 



Design and Cryptanalysis of a New Encryption Algorithm SAFER-256  
 

104 

 



G. Khachatrian, M. Kyureghyan and  K. Kyuregyan 105 

 



Design and Cryptanalysis of a New Encryption Algorithm SAFER-256  
 

106 

Acknowledgement 
 
This work was supported by the State Committee Science MES RA, in the frame of the research 
project SCS 13-1B352. 
 
References 
 

[1] E. Biham and A. Shamir, “Differential cryptanalysis of DES-like cryptosystem”, 
Advances in Cryptology-CRYPTO’90, Lecture Notes in Computer Science,  Heidelberg 
and New York: Springer, no. 537, pp. 212-241,  1990. 

[2] J. L. Massey, G.H. Khachatryan and K. M. Kyuregian, “Nomination of SAFER+ as 
candidate  algorithm for the  advanced  encryption  standard (AES)”, NIST AES Proposl, 
1998.  

[3] J. L. Massey,  “SAFER K-64: One Year Later”, Fast Software Encryption II, Lecture 
Notes in Computer Science, New York, Springer, no. 1008,  pp. 212-241, 1995. 

[4] J. L. Massey, G.H. Khachatryan and K. M. Kyuregian,“Nomination of SAFER++ as 
candidate algorithm for the new european schemes for signatures, integrity and 
encryption (NESSIE)”, Submission document from Cylink Corporation, 2000.  

[5] BLUETOOTH SPECIFICATION Version 1.0B, 29 Nov. 1999, [Online]. Available: 

http://www.bluetooth.com/link/pec/bluetooth_b.pdf   

 
Submitted  28.07.2014,  accepted 27.11.2014. 

 
SAFER-256 նոր ծածկագրման ալգորիթմի կառուցվածքը և 

ծածկագրավերլուծությունը 
 

Գ. Խաչատրյան, Մ. Կյուրեղյան և Ք. Կյուրեղյան 
 

Ամփոփում 
 

Այս հոդվածում ներկայացված է SAFER ընտանիքին պատկանող նոր ծածկագրա-
կան համակարգ SAFER-256: Այն 256 բիթ երկարությամբ բլոկային համակարգ է 256 
բիթ բանալիով և անվտանգ է դիֆերենցիալ անալիզի նկատմամբ 6 ռաունդից հետո: 
 
 

Дизайн и криптоанализ нового алгоритма шифрования 
SAFER-256 

 
Г. Хачатрян, М. Кюрегян и К. Кюрегян 

Аннотация 

В данной статье представлена новая криптографическая система SAFER-256 из 
семьи SAFER. Это 256 битовая блоковая система с 256 битным ключом, которая 
устойчива по отнoшению к дифференциальному анализу после 6 раундов.