General | |
---|---|
Designers | Ralph Merkle |
First published | 1989 |
Related to | Khufu |
Cipher detail | |
Key sizes | 512 bits |
Block sizes | 64 bits |
Structure | Feistel network |
Rounds | 16 or more |
Best public cryptanalysis | |
Biham and Shamir's differential attack is faster than brute force even for 24 rounds |
Khafre is similar to Khufu, but uses a standard set of S-boxes, and does not compute them from the key. (Rather, they are generated from the RAND tables, used as a source of "nothing up my sleeve numbers".) An advantage is that Khafre can encrypt a small amount of data very rapidly — it has good key agility. However, Khafre probably requires a greater number of rounds to achieve a similar level of security as Khufu, making it slower at bulk encryption. Khafre uses a key whose size is a multiple of 64 bits. Because the S-boxes are not key-dependent, Khafre XORs subkeys every eight rounds.
Differential cryptanalysis is effective against Khafre: 16 rounds can be broken using either 1500 chosen plaintexts or 238 known plaintexts. Similarly, 24 rounds can be attacked using 253 chosen plaintexts or 259 known plaintexts.
Read more about this topic: Khufu And Khafre