Analysis of Involutional Ciphers: Khazad and Anubis

  • Alex Biryukov
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2887)


In this paper we study structural properties of SPN ciphers in which both the S-boxes and the affine layers are involutions. We apply our observations to the recently designed Rijndael-like ciphers Khazad and Anubis, and show several interesting properties of these ciphers. We also show that 5-round Khazad has 264 weak keys under a ”slide-with-a-twist” attack distinguisher. This is the first cryptanalytic result which is better than exhaustive search for 5-round Khazad. Analysis presented in this paper is generic and applies to a large class of ciphers built from involutional components.


  1. 1.
    Barreto, P., Rijmen, V.: The Khazad Legacy-Level Block Cipher, Submission to the NESSIE ProjectGoogle Scholar
  2. 2.
    Barreto, P., Rijmen, V.: The Anubis Block Cipher, Submission to the NESSIE ProjectGoogle Scholar
  3. 3.
    Biryukov, A., Wagner, D.: Advanced Slide Attacks. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 589–606. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Daemen, J., Rijmen, V.: The Design of Rijndael. Springer, Heidelberg (2001)Google Scholar
  5. 5.
    Gilbert, H., Minier, M.: A collision attack on seven rounds of Rijndael. In: Proceedings of the third AES Conference, pp. 230–241. NIST (2000)Google Scholar
  6. 6.
    NESSIE, New European Schemes for Signatures, Integrity, and Encryption, IST- 1999-12324,
  7. 7.
    Rejewski, M.: Mathematical Solution of the Enigma Cipher. Cryptologia 6(1), 1–18 (1982)CrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Alex Biryukov
    • 1
  1. 1.Dept. ESAT/COSICKatholieke Universiteit LeuvenLeuvenBelgium

Personalised recommendations