In cryptography, Khufu and Khafre are two block ciphers designed by Ralph Merkle in 1989 while working at Xerox's Palo Alto Research Center. Along with Snefru, a cryptographic hash function, the ciphers were named after the Egyptian Pharaohs Khufu, Khafre and Sneferu. Under a voluntary scheme, Xerox submitted Khufu and Khafre to the National Security Agency (NSA) prior to publication. NSA requested that Xerox not publish the algorithms, citing concerns about national security. Xerox, a large government contractor, complied. However, a reviewer of the paper passed a copy to John Gilmore, who made it available via the sci.crypt newsgroup [1] (http://groups.google.com/groups?selm=7981%40hoptoad.uucp); [2] (http://groups.google.com/groups?selm=497%40lexicon.com). It would appear this was against Merkle's wishes [3] (http://groups.google.com/groups?selm=1638%40arisia.Xerox.COM). The scheme was subsequently published at the 1990 CRYPTO conference (Merkle, 1990). Khufu and Khafre are patented by Xerox; US patent #5,003,597, issued on 26th March, 1991.
Khufu
Khufu is a 64bit block cipher which, unusually, uses keys of size 512 bits; block ciphers typically have much smaller keys, rarely exceeding 128 bits. Most of the key material is used to construct the cipher's Sboxes. Because the keysetup time is quite time consuming, Khufu is not well suited to situations in which many small messages are handled. It is better suited to bulk encryption of large amounts of data. Khufu is a Feistel cipher with 16 rounds by default (other multiples of eight between 8 and 64 are allowed). Each set of eight rounds is termed an octet; a different Sbox is used in each octet. In a round, the least significant byte of half of the block is passed into the 8×32bit Sbox. The Sbox output is then combined (using XOR) with the other 32bit half. The left half is rotated to bring a new byte into position, and the halves are swapped. At the start and end of the algorithm, extra key material is XORed with the block (key whitening). Other than this, all the key is contained in the Sboxes. There is a differential attack on 16 rounds of Khufu which can recover the secret key. It requires 2^{43} chosen plaintexts and has a 2^{43} time complexity (Gilbert and Chauvaud, 1994). 2^{32} plaintexts and complexity are required to merely distinguish the cipher from random. A boomerang attack (Wagner, 1999) can be used in an adaptive chosen plaintext / chosen ciphertext scenario with 2^{18} queries and a similar time complexity. Khufu is also susceptible to an impossible differential attack, which can break up to 18 rounds of the cipher (Biham et al., 1999). Schneier and Kelsey (1996) categorise Khafre and Khufu as "even incomplete heterogenous targetheavy Unbalanced Feistel Networks".
Khafre Khafre is similar to Khufu, but uses a standard set of Sboxes, and does not compute them from the key. An advantage is that Khafre can encrypt a small amount of data very rapidly — it has good key agility. However, Khafre probably requires a greater number of rounds to achieve a similar level of security as Khufu, making it slower at bulk encryption. Khafre uses a key whose size is a multiple of 64 bits. Because the Sboxes are not keydependent, Khafre XORs subkeys every eight rounds. Differential cryptanalysis is effective against Khafre: 16 rounds can be broken either using 1500 chosen plaintexts or 2^{38} known plaintexts. Similarly, 24 rounds can be attacked using 2^{53} chosen plaintexts or 2^{59} known plaintexts.
References  Eli Biham, Alex Biruykov, Adi Shamir "Miss in the middle attacks on IDEA, Khufu and Khafre," Fast Software Encryption '99, LNCS.
 Eli Biham, Adi Shamir: Differential Cryptanalysis of Snefru, Khafre, REDOCII, LOKI and Lucifer. CRYPTO 1991: 156171
 Henri Gilbert, Pascal Chauvaud: A Chosen Plaintext Attack of the 16round Khufu Cryptosystem. CRYPTO 1994: 359368
 R C Merkle, "Fast Software Encryption Functions", in Advances in Cryptology  Crypto'90, Lecture Notes in Computer Science, No 537, A J Menezes, S A Vanstone (eds), SpringerVerlag 1991, pp 476501
 B. Schneier and J. Kelsey, Unbalanced Feistel Networks and Block Cipher Design Fast Software Encryption, Third International Workshop Proceedings (February 1996), SpringerVerlag, 1996, pp. 121144.
 David Wagner: The Boomerang Attack. Fast Software Encryption 1999: 156170
