Khufu is a 64-bit block cipher which, unusually, uses keys of size 512 bits; block ciphers typically have much smaller keys, rarely exceeding 256 bits. Most of the key material is used to construct the cipher's S-boxes. Because the key-setup time is quite time consuming, Khufu is not well suited to situations in which many small messages are handled. It is better suited to bulk encryption of large amounts of data. Khufu is a Feistel cipher with 16 rounds by default. Each set of eight rounds is termed an octet; a different S-box is used in each octet. In a round, the least significant byte of half of the block is passed into the 8×32-bit S-box. The S-box output is then combined with the other 32-bit half. The left half is rotated to bring a new byte into position, and the halves are swapped. At the start and end of the algorithm, extra key material is XORed with the block. Other than this, all the key is contained in the S-boxes. There is a differential attack on 16 rounds of Khufu which can recover the secret key. It requires 243chosen plaintexts and has a 243time complexity. 232 plaintexts and complexity are required merely to distinguish the cipher from random. A boomerang attack can be used in an adaptive chosen plaintext / chosen ciphertext scenario with 218 queries and a similar time complexity. Khufu is also susceptible to an impossible differential attack, which can break up to 18 rounds of the cipher. Schneier and Kelsey categorise Khafre and Khufu as "even incomplete heterogeneous target-heavy Unbalanced Feistel Networks".
Khafre
Khafre is similar to Khufu, but uses a standard set of S-boxes, and does not compute them from the key. An advantage is that Khafre can encrypt a small amount of data very rapidly — it has good key agility. However, Khafre probably requires a greater number of rounds to achieve a similar level of security as Khufu, making it slower at bulk encryption. Khafre uses a key whose size is a multiple of 64 bits. Because the S-boxes are not key-dependent, Khafre XORs subkeys every eight rounds. Differential cryptanalysis is effective against Khafre: 16 rounds can be broken using either 1500 chosen plaintexts or 238 known plaintexts. Similarly, 24 rounds can be attacked using 253 chosen plaintexts or 259 known plaintexts.
