Analysis of Involutional Ciphers: Khazad and Anubis

  • Alex Biryukov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2887)


In this paper we study structural properties of SPN ciphers in which both the S-boxes and the affine layers are involutions. We apply our observations to the recently designed Rijndael-like ciphers Khazad and Anubis, and show several interesting properties of these ciphers. We also show that 5-round Khazad has 264 weak keys under a ”slide-with-a-twist” attack distinguisher. This is the first cryptanalytic result which is better than exhaustive search for 5-round Khazad. Analysis presented in this paper is generic and applies to a large class of ciphers built from involutional components.


  1. 1.
    Barreto, P., Rijmen, V.: The Khazad Legacy-Level Block Cipher, Submission to the NESSIE ProjectGoogle Scholar
  2. 2.
    Barreto, P., Rijmen, V.: The Anubis Block Cipher, Submission to the NESSIE ProjectGoogle Scholar
  3. 3.
    Biryukov, A., Wagner, D.: Advanced Slide Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Daemen, J., Rijmen, V.: The Design of Rijndael. Springer, Heidelberg (2001)Google Scholar
  5. 5.
    Gilbert, H., Minier, M.: A collision attack on seven rounds of Rijndael. In: Proceedings of the third AES Conference, pp. 230–241. NIST (2000)Google Scholar
  6. 6.
    NESSIE, New European Schemes for Signatures, Integrity, and Encryption, IST- 1999-12324,
  7. 7.
    Rejewski, M.: Mathematical Solution of the Enigma Cipher. Cryptologia 6(1), 1–18 (1982)CrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Alex Biryukov
    • 1
  1. 1.Dept. ESAT/COSICKatholieke Universiteit LeuvenLeuvenBelgium

Personalised recommendations