Khufu and Khafre

Khafre
General
Designers	Ralph Merkle
First published	1989
Related to	Khufu
Cipher detail
Key sizes	512 bits
Block sizes	64 bits
Structure	Feistel network
Rounds	16 or more
Best public cryptanalysis
	Biham and Shamir's differential attack is faster than brute force even for 24 rounds

Khufu
General
Designers	Ralph Merkle
First published	1989
Related to	Khafre
Cipher detail
Key sizes	512 bits
Block sizes	64 bits
Structure	Feistel network
Rounds	16
Best public cryptanalysis
	Gilbert and Chauvaud's differential attack

Last updated January 27, 2024

In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu.

Under a voluntary scheme, Xerox submitted Khufu and Khafre to the US National Security Agency (NSA) prior to publication. NSA requested that Xerox not publish the algorithms, citing concerns about national security. Xerox, a large contractor to the US government, complied. However, a reviewer of the paper passed a copy to John Gilmore, who made it available via the sci.crypt newsgroup.^[1]^[2] It would appear this was against Merkle's wishes.^[3] The scheme was subsequently published at the 1990 CRYPTO conference (Merkle, 1990).

Khufu and Khafre were patented by Xerox; the patent was issued on March 26, 1991.^[4]

Khufu

Khufu is a 64-bit block cipher which, unusually, uses keys of size 512 bits; block ciphers typically have much smaller keys, rarely exceeding 256 bits. Most of the key material is used to construct the cipher's S-boxes. Because the key-setup time is quite time consuming, Khufu is not well suited to situations in which many small messages are handled. It is better suited to bulk encryption of large amounts of data.

Khufu is a Feistel cipher with 16 rounds by default (other multiples of eight between 8 and 64 are allowed). Each set of eight rounds is termed an octet; a different S-box is used in each octet. In a round, the least significant byte of half of the block is passed into the 8×32-bit S-box. The S-box output is then combined (using XOR) with the other 32-bit half. The left half is rotated to bring a new byte into position, and the halves are swapped. At the start and end of the algorithm, extra key material is XORed with the block (key whitening). Other than this, all the key is contained in the S-boxes.

There is a differential attack on 16 rounds of Khufu which can recover the secret key. It requires 2⁴³ chosen plaintexts and has a 2⁴³ time complexity (Gilbert and Chauvaud, 1994). 2³² plaintexts and complexity are required merely to distinguish the cipher from random. A boomerang attack (Wagner, 1999) can be used in an adaptive chosen plaintext / chosen ciphertext scenario with 2¹⁸ queries and a similar time complexity. Khufu is also susceptible to an impossible differential attack, which can break up to 18 rounds of the cipher (Biham et al., 1999).

Schneier and Kelsey (1996) categorise Khafre and Khufu as "even incomplete heterogeneous target-heavy Unbalanced Feistel Networks".

Khafre

Khafre is similar to Khufu, but uses a standard set of S-boxes, and does not compute them from the key. (Rather, they are generated from the RAND tables, used as a source of "nothing up my sleeve numbers".) An advantage is that Khafre can encrypt a small amount of data very rapidly — it has good key agility. However, Khafre probably requires a greater number of rounds to achieve a similar level of security as Khufu, making it slower at bulk encryption. Khafre uses a key whose size is a multiple of 64 bits. Because the S-boxes are not key-dependent, Khafre XORs subkeys every eight rounds.

Differential cryptanalysis is effective against Khafre: 16 rounds can be broken using either 1500 chosen plaintexts or 2³⁸ known plaintexts. Similarly, 24 rounds can be attacked using 2⁵³ chosen plaintexts or 2⁵⁹ known plaintexts.

Related Research Articles

The Data Encryption Standard is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for modern applications, it has been highly influential in the advancement of cryptography.

Differential cryptanalysis is a general form of cryptanalysis applicable primarily to block ciphers, but also to stream ciphers and cryptographic hash functions. In the broadest sense, it is the study of how differences in information input can affect the resultant difference at the output. In the case of a block cipher, it refers to a set of techniques for tracing differences through the network of transformation, discovering where the cipher exhibits non-random behavior, and exploiting such properties to recover the secret key.

Articles related to cryptography include:

In cryptography, Lucifer was the name given to several of the earliest civilian block ciphers, developed by Horst Feistel and his colleagues at IBM. Lucifer was a direct precursor to the Data Encryption Standard. One version, alternatively named DTD-1, saw commercial use in the 1970s for electronic banking.

Snefru is a cryptographic hash function invented by Ralph Merkle in 1990 while working at Xerox PARC. The function supports 128-bit and 256-bit output. It was named after the Egyptian Pharaoh Sneferu, continuing the tradition of the Khufu and Khafre block ciphers.

<span class="mw-page-title-main">GOST (block cipher)</span> Soviet/Russian national standard block cipher

The GOST block cipher (Magma), defined in the standard GOST 28147-89, is a Soviet and Russian government standard symmetric key block cipher with a block size of 64 bits. The original standard, published in 1989, did not give the cipher any name, but the most recent revision of the standard, GOST R 34.12-2015, specifies that it may be referred to as Magma. The GOST hash function is based on this cipher. The new standard also specifies a new 128-bit block cipher called Kuznyechik.

<span class="mw-page-title-main">FEAL</span> Block cipher

In cryptography, FEAL is a block cipher proposed as an alternative to the Data Encryption Standard (DES), and designed to be much faster in software. The Feistel based algorithm was first published in 1987 by Akihiro Shimizu and Shoji Miyaguchi from NTT. The cipher is susceptible to various forms of cryptanalysis, and has acted as a catalyst in the discovery of differential and linear cryptanalysis.

In cryptography, LOKI89 and LOKI91 are symmetric-key block ciphers designed as possible replacements for the Data Encryption Standard (DES). The ciphers were developed based on a body of work analysing DES, and are very similar to DES in structure. The LOKI algorithms were named for Loki, the god of mischief in Norse mythology.

<span class="mw-page-title-main">MacGuffin (cipher)</span> Block cipher

In cryptography, MacGuffin is a block cipher created in 1994 by Bruce Schneier and Matt Blaze at a Fast Software Encryption workshop. It was intended as a catalyst for analysis of a new cipher structure, known as Generalized Unbalanced Feistel Networks (GUFNs). The cryptanalysis proceeded very quickly, so quickly that the cipher was broken at the same workshop by Vincent Rijmen and Bart Preneel.

In cryptography, REDOC II and REDOC III are block ciphers designed by Michael Wood (cryptographer) for Cryptech Inc and are optimised for use in software. Both REDOC ciphers are patented.

The slide attack is a form of cryptanalysis designed to deal with the prevailing idea that even weak ciphers can become very strong by increasing the number of rounds, which can ward off a differential attack. The slide attack works in such a way as to make the number of rounds in a cipher irrelevant. Rather than looking at the data-randomizing aspects of the block cipher, the slide attack works by analyzing the key schedule and exploiting weaknesses in it to break the cipher. The most common one is the keys repeating in a cyclic manner.

In cryptography, the boomerang attack is a method for the cryptanalysis of block ciphers based on differential cryptanalysis. The attack was published in 1999 by David Wagner, who used it to break the COCONUT98 cipher.

Introduced by Martin Hellman and Susan K. Langford in 1994, the differential-linear attack is a mix of both linear cryptanalysis and differential cryptanalysis.

In cryptography, impossible differential cryptanalysis is a form of differential cryptanalysis for block ciphers. While ordinary differential cryptanalysis tracks differences that propagate through the cipher with greater than expected probability, impossible differential cryptanalysis exploits differences that are impossible at some intermediate state of the cipher algorithm.

In cryptography, integral cryptanalysis is a cryptanalytic attack that is particularly applicable to block ciphers based on substitution–permutation networks. It was originally designed by Lars Knudsen as a dedicated attack against Square, so it is commonly known as the Square attack. It was also extended to a few other ciphers related to Square: CRYPTON, Rijndael, and SHARK. Stefan Lucks generalized the attack to what he called a saturation attack and used it to attack Twofish, which is not at all similar to Square, having a radically different Feistel network structure. Forms of integral cryptanalysis have since been applied to a variety of ciphers, including Hierocrypt, IDEA, Camellia, Skipjack, MISTY1, MISTY2, SAFER++, KHAZAD, and FOX.

In cryptography, KN-Cipher is a block cipher created by Kaisa Nyberg and Lars Knudsen in 1995. One of the first ciphers designed to be provably secure against ordinary differential cryptanalysis, KN-Cipher was later broken using higher order differential cryptanalysis.

In cryptography, Ladder-DES is a block cipher designed in 1994 by Terry Ritter. It is a 4-round Feistel cipher with a block size of 128 bits, using DES as the round function. It has no actual key schedule, so the total key size is 4×56=224 bits.

In cryptography, COCONUT98 is a block cipher designed by Serge Vaudenay in 1998. It was one of the first concrete applications of Vaudenay's decorrelation theory, designed to be provably secure against differential cryptanalysis, linear cryptanalysis, and even certain types of undiscovered cryptanalytic attacks.

In cryptography, the Davies attack is a dedicated statistical cryptanalysis method for attacking the Data Encryption Standard (DES). The attack was originally created in 1987 by Donald Davies. In 1994, Eli Biham and Alex Biryukov made significant improvements to the technique. It is a known-plaintext attack based on the non-uniform distribution of the outputs of pairs of adjacent S-boxes. It works by collecting many known plaintext/ciphertext pairs and calculating the empirical distribution of certain characteristics. Bits of the key can be deduced given sufficiently many known plaintexts, leaving the remaining bits to be found through brute force. There are tradeoffs between the number of required plaintexts, the number of key bits found, and the probability of success; the attack can find 24 bits of the key with 2⁵² known plaintexts and 53% success rate.

The following outline is provided as an overview of and topical guide to cryptography:

References

General

R.C. Merkle (August 1990). Fast Software Encryption Functions (PDF/PostScript). Advances in Cryptology— CRYPTO '90. Santa Barbara, California: Springer-Verlag. pp. 476–501. Retrieved August 23, 2007.
Eli Biham, Adi Shamir (August 1991). Differential Cryptanalysis of Snefru, Khafre, REDOC-II, LOKI and Lucifer (PDF/PostScript). Advances in Cryptology—CRYPTO '91. Santa Barbara, California: Springer-Verlag. pp. 156–171. Retrieved August 23, 2007.
Henri Gilbert, Pascal Chauvaud (August 1994). A Chosen Plaintext Attack of the 16-round Khufu Cryptosystem. Advances in Cryptology—CRYPTO '94. Santa Barbara, California: Springer-Verlag. pp. 359–368.
Bruce Schneier, John Kelsey (February 1996). Unbalanced Feistel Networks and Block Cipher Design (PDF/PostScript). 3rd International Workshop on Fast Software Encryption (FSE '96). Cambridge: Springer-Verlag. pp. 121–144. Retrieved August 23, 2007.
Eli Biham, Alex Biryukov, Adi Shamir (March 1999). Miss in the Middle Attacks on IDEA, Khufu and Khafre. 6th International Workshop on Fast Software Encryption (FSE '99). Rome: Springer-Verlag. pp. 124–138. Archived from the original (gzipped PostScript) on May 15, 2011. Retrieved February 14, 2007.{{cite conference}}: CS1 maint: multiple names: authors list (link)
David Wagner (March 1999). The Boomerang Attack (PDF/PostScript). 6th International Workshop on Fast Software Encryption (FSE '99). Rome: Springer-Verlag. pp. 156–170. Retrieved February 5, 2007.

Citations

↑ John Gilmore (July 13, 1989). "Merkle's "A Software Encryption Function" now published and available". Newsgroup: sci.crypt. Usenet: 7981@hoptoad.uucp.
↑ Frank Cunningham (August 14, 1989). "the recent uproar". Newsgroup: sci.crypt. Usenet: 497@lexicon.com.
↑ http://groups.google.com/groups?selm=1638%40arisia.Xerox.COM
↑ U.S. patent 5,003,597

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] John Gilmore (July 13, 1989). "Merkle's "A Software Encryption Function" now published and available". Newsgroup: sci.crypt. Usenet: 7981@hoptoad.uucp.

[2] Frank Cunningham (August 14, 1989). "the recent uproar". Newsgroup: sci.crypt. Usenet: 497@lexicon.com.

[3] ttp://groups.google.com/groups?selm=1638%40arisia.Xerox.COM

[4] U.S. patent 5,003,597

[1]

[2]

[3]

[4]

Khufu and Khafre

Contents

Khufu

Khafre

Related Research Articles

References