Khufu and Khafre
| General | |
|---|---|
| Designers | Ralph Merkle |
| First published | 1989 |
| Related to | Khafre |
| Cipher detail | |
| Key sizes | 512 bits |
| Block sizes | 64 bits |
| Structure | Feistel network |
| Rounds | 16 |
| Best public cryptanalysis | |
| Gilbert and Chauvaud's differential attack | |
| General | |
|---|---|
| Designers | Ralph Merkle |
| First published | 1989 |
| Related to | Khufu |
| Cipher detail | |
| Key sizes | 512 bits |
| Block sizes | 64 bits |
| Structure | Feistel network |
| Rounds | 16 or more |
| Best public cryptanalysis | |
|
Biham and Shamir's differential attack is faster than brute force even for 24 rounds |
|
In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu.
Under a voluntary scheme, Xerox submitted Khufu and Khafre to the US National Security Agency (NSA) prior to publication. NSA requested that Xerox not publish the algorithms, citing concerns about national security. Xerox, a large contractor to the US government, complied. However, a reviewer of the paper passed a copy to John Gilmore, who made it available via the sci.crypt newsgroup. It would appear this was against Merkle's wishes. The scheme was subsequently published at the 1990 CRYPTO conference (Merkle, 1990).
Khufu and Khafre were patented by Xerox; issued on March 26, 1991.
Khufu is a 64-bit block cipher which, unusually, uses keys of size 512 bits; block ciphers typically have much smaller keys, rarely exceeding 256 bits. Most of the key material is used to construct the cipher's S-boxes. Because the key-setup time is quite time consuming, Khufu is not well suited to situations in which many small messages are handled. It is better suited to bulk encryption of large amounts of data.
Khufu is a Feistel cipher with 16 rounds by default (other multiples of eight between 8 and 64 are allowed). Each set of eight rounds is termed an octet; a different S-box is used in each octet. In a round, the least significant byte of half of the block is passed into the 8×32-bit S-box. The S-box output is then combined (using XOR) with the other 32-bit half. The left half is rotated to bring a new byte into position, and the halves are swapped. At the start and end of the algorithm, extra key material is XORed with the block (key whitening). Other than this, all the key is contained in the S-boxes.
...
Wikipedia