The CAST-128 Encryption Algorithm
RFC 2144

Document Type RFC - Informational (May 1997; No errata)
Was draft-rfced-info-adams (individual)
Last updated 2013-03-02
Stream Legacy
Network Working Group                                         C. Adams
Request for Comments: 2144                        Entrust Technologies
Category: Informational                                       May 1997

                   The CAST-128 Encryption Algorithm

Status of this Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Abstract

   There is a need in the Internet community for an unencumbered
   encryption algorithm with a range of key sizes that can provide
   security for a variety of cryptographic applications and protocols.

   This document describes an existing algorithm that can be used to
   satisfy this requirement.  Included are a description of the cipher
   and the key scheduling algorithm (Section 2), the s-boxes (Appendix
   A), and a set of test vectors (Appendix B).

TABLE OF CONTENTS

   STATUS OF THIS MEMO.............................................1
   ABSTRACT........................................................1
   1. INTRODUCTION.................................................1
   2. DESCRIPTION OF ALGORITHM.....................................2
   3. INTELLECTUAL PROPERTY CONSIDERATIONS.........................8
   4. SECURITY CONSIDERATIONS......................................8
   5. REFERENCES...................................................8
   6. AUTHOR'S ADDRESS.............................................8
   APPENDICES
   A. S-BOXES......................................................9
   B. TEST VECTORS................................................15

1. Introduction

   This document describes the CAST-128 encryption algorithm, a DES-like
   Substitution-Permutation Network (SPN) cryptosystem which appears to
   have good resistance to differential cryptanalysis, linear
   cryptanalysis, and related-key cryptanalysis.  This cipher also
   possesses a number of other desirable cryptographic properties,
   including avalanche, Strict Avalanche Criterion (SAC), Bit
   Independence Criterion (BIC), no complementation property, and an
   absence of weak and semi-weak keys.  It thus appears to be a good

Adams                        Informational                      [Page 1]
RFC 2144             CAST-128 Encryption Algorithms             May 1997

   candidate for general-purpose use throughout the Internet community
   wherever a cryptographically-strong, freely-available encryption
   algorithm is required.

   Adams [Adams] discusses the CAST design procedure in some detail;
   analyses can also be obtained on-line (see, for example, [Web1] or
   [Web2]).

2. Description of Algorithm

   CAST-128 belongs to the class of encryption algorithms known as
   Feistel ciphers; overall operation is thus similar to the Data
   Encryption Standard (DES).  The full encryption algorithm is given in
   the following four steps.

   INPUT:  plaintext m1...m64; key K = k1...k128.
   OUTPUT: ciphertext c1...c64.

   1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from K
      (see Sections 2.1 and 2.4).
   2. (L0,R0) <-- (m1...m64).  (Split the plaintext into left and
      right 32-bit halves L0 = m1...m32 and R0 = m33...m64.)
   3. (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
      Li = Ri-1;
      Ri = Li-1 ^ f(Ri-1,Kmi,Kri), where f is defined in Section 2.2
       (f is of Type 1, Type 2, or Type 3, depending on i).
   4. c1...c64 <-- (R16,L16).  (Exchange final blocks L16, R16 and
      concatenate to form the ciphertext.)

   Decryption is identical to the encryption algorithm given above,
   except that the rounds (and therefore the subkey pairs) are used in
   reverse order to compute (L0,R0) from (R16,L16).

   See Appendix B for test vectors which can be used to verify
   correctness of an implementation of this algorithm.

2.1. Pairs of Round Keys

   CAST-128 uses a pair of subkeys per round:  a 32-bit quantity Km is
   used as a "masking" key and a 5-bit quantity Kr is used as a
   "rotation" key.
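
   Added example (not part of RFC 2144): the C sketch below walks steps
   2-4 of Section 2 and the reverse-order decryption on one 64-bit
   block.  The round function f_standin and the subkeys produced by
   demo_subkeys are constructed stand-ins, because the real f needs the
   s-boxes of Appendix A and the real subkeys come from the key schedule
   of Section 2.4; the output is therefore not CAST-128 ciphertext and
   will not match the test vectors of Appendix B.

```c
#include <stdint.h>
#include <stdio.h>
#define ROUNDS 16

/* Section 2.1 subkey pair: 32-bit masking key Km, 5-bit rotation key Kr. */
typedef struct { uint32_t km; uint8_t kr; } subkey_t;

/* Circular left shift ("<<<"); n is reduced to 5 bits so n == 0 is safe. */
static uint32_t rotl32(uint32_t x, unsigned n) {
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}

/* STAND-IN round function, NOT CAST-128's f: it masks with Km and rotates
 * by Kr but has no s-boxes. A Feistel network inverts for any f. */
static uint32_t f_standin(uint32_t d, subkey_t k) {
    uint32_t i = rotl32(k.km + d, k.kr);
    return i ^ (i >> 7) ^ 0x9E3779B9u;
}

/* Steps 2-4 of Section 2 on one 64-bit block. reverse=0 walks subkey
 * pairs 1..16 (encrypt); reverse=1 walks them 16..1 (decrypt). */
static uint64_t feistel(uint64_t block, const subkey_t sk[ROUNDS], int reverse) {
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;  /* (L0,R0) */
    for (int i = 0; i < ROUNDS; i++) {
        subkey_t k = sk[reverse ? ROUNDS - 1 - i : i];
        uint32_t next_r = l ^ f_standin(r, k);  /* Ri = Li-1 ^ f(Ri-1,..) */
        l = r;                                  /* Li = Ri-1 */
        r = next_r;
    }
    return ((uint64_t)r << 32) | l;             /* output is (R16,L16) */
}

/* Constructed subkeys for the demo only; real ones come from Section 2.4. */
static void demo_subkeys(subkey_t sk[ROUNDS]) {
    for (int i = 0; i < ROUNDS; i++) {
        sk[i].km = 0x01234567u * (uint32_t)(i + 1);
        sk[i].kr = (uint8_t)((5 * i + 3) & 31);
    }
}

int main(void) {
    subkey_t sk[ROUNDS];
    demo_subkeys(sk);
    uint64_t pt = 0x0123456789ABCDEFull;        /* constructed sample block */
    uint64_t ct = feistel(pt, sk, 0);
    printf("ct=%016llx roundtrip_ok=%d\n", (unsigned long long)ct,
           feistel(ct, sk, 1) == pt);
    return 0;
}
```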

2.2. Non-Identical Rounds

   Three different round functions are used in CAST-128.  The rounds are
   as follows (where "D" is the data input to the f function and "Ia" -
   "Id" are the most significant byte through least significant byte of
   I, respectively).  Note that "+" and "-" are addition and subtraction
   modulo 2**32, "^" is bitwise XOR, and "<<<" is the circular left-
   shift operation.

       Type 1:  I = ((Kmi + D) <<< Kri)