Under a voluntary scheme, Xerox submitted Khufu and Khafre to the National Security Agency (NSA) prior to publication. NSA requested that Xerox not publish the algorithms, citing concerns about national security. Xerox, a large government contractor, complied. However, a reviewer of the paper passed a copy to John Gilmore, who made it available via the sci.crypt newsgroup ; It would appear this was against Merkle's wishes The scheme was subsequently published at the 1990 CRYPTO conference (Merkle, 1990).
Khufu is a Feistel cipher with 16 rounds by default (other multiples of eight between 8 and 64 are allowed). Each set of eight rounds is termed an octet; a different S-box is used in each octet. In a round, the least significant byte of half of the block is passed into the 8×32-bit S-box. The S-box output is then combined (using XOR) with the other 32-bit half. The left half is rotated to bring a new byte into position, and the halves are swapped. At the start and end of the algorithm, extra key material is XORed with the block (key whitening). Other than this, all the key is contained in the S-boxes.
There is a differential attack on 16 rounds of Khufu which can recover the secret key. It requires 243 chosen plaintexts and has a 243 time complexity (Gilbert and Chauvaud, 1994). 232 plaintexts and complexity are required to merely distinguish the cipher from random. A boomerang attack (Wagner, 1999) can be used in an adaptive chosen plaintext / chosen ciphertext scenario with 218 queries and a similar time complexity. Khufu is also susceptible to an impossible differential attack, which can break up to 18 rounds of the cipher (Biham et al., 1999).
Schneier and Kelsey (1996) categorise Khafre and Khufu as "even incomplete heterogeneous target-heavy Unbalanced Feistel Networks".
Differential cryptanalysis is effective against Khafre: 16 rounds can be broken using either 1500 chosen plaintexts or 238 known plaintexts. Similarly, 24 rounds can be attacked using 253 chosen plaintexts or 259 known plaintexts.