In this paper we analyze the block cipher SAFER K. First, we show a weaknes
s in the key schedule, that has the effect that for almost every key there
exists on the average three and a half other keys such that the encryptions
of plaintexts different in one of eight bytes yield ciphertexts also diffe
rent in only one byte. Moreover, the differences in the keys, plaintexts, a
nd ciphertexts are in the same byte. This enables us to do a related-key ch
osen plaintext attack on SAFER K, which finds the secret key. Also, the sec
urity of SAFER K, when used in standard hashing modes, is greatly reduced,
which is illustrated. Second, we propose a new key schedule for SAFER K avo
iding these problems. Third, we do differential cryptanalysis of SAFER K. W
e consider truncated differentials and apply them in an attack on five-roun
d SAFER K, which finds the secret key much faster than by an exhaustive sea
rch.