The CAST-256 Encryption Algorithm
RFC 2612

Document Type RFC - Informational (June 1999; No errata)
Was draft-adams-cast-256 (individual)
Last updated 2013-03-02
Network Working Group                                        C. Adams
Request for Comments: 2612                               J. Gilchrist
Category: Informational                          Entrust Technologies
                                                            June 1999

                   The CAST-256 Encryption Algorithm

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   There is always a desire in the Internet community for unencumbered
   encryption algorithms with a range of key sizes that can provide
   security for a variety of cryptographic applications and protocols.

   This document describes an existing algorithm that can be used to
   satisfy this requirement.  Included are a description of the cipher
   and the key scheduling algorithm, the s-boxes, and a set of test
   vectors (Appendix A).

Table of Contents

   Abstract........................................................1
   1. Introduction.................................................2
   2. CAST-256 Algorithm Specification.............................2
   3. Cipher Naming................................................8
   4. Cipher Usage.................................................8
   5. Security Considerations......................................8
   6. References...................................................9
   7. Authors' Addresses...........................................9
   Appendix A. Test Vectors.......................................10
   Full Copyright Statement.......................................19

Adams & Gilchrist            Informational                      [Page 1]
RFC 2612           The CAST-256 Encryption Algorithm           June 1999

1. Introduction

   This document describes the CAST-256 encryption algorithm, a DES-like
   Substitution-Permutation Network (SPN) cryptosystem built upon the
   CAST-128 encryption algorithm [1] which appears to have good
   resistance to differential cryptanalysis, linear cryptanalysis, and
   related-key cryptanalysis.  This cipher also possesses a number of
   other desirable cryptographic properties, including avalanche, Strict
   Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no
   complementation property, and an absence of weak and semi-weak keys.
   It thus appears to be a good candidate for general-purpose use
   throughout the Internet community wherever a cryptographically-
   strong, freely-available encryption algorithm is required.

   CAST-256 has a block size of 128 bits and a variable key size (128,
   160, 192, 224, or 256 bits).

2. CAST-256 Algorithm Specification

2.1 CAST-128 Notation

   The following notation from CAST-128 [1] is relevant to CAST-256.

      CAST-128 uses a pair of subkeys per round:  a 5-bit quantity Kri
      is used as a "rotation" key for round i and a 32-bit quantity Kmi
      is used as a "masking" key for round i.

      Three different round functions are used in CAST-128.  The rounds
      are as follows (where D is the data input to the operation, Ia -
      Id are the most significant byte through least significant byte of
      I, respectively, Si is the ith s-box (see Section 2.1.1 for s-box
      contents), and O is the output of the operation).  Note that "+"
      and "-" are addition and subtraction modulo 2**32, "^" is bitwise
      eXclusive-OR, and "<<<" is the circular left-shift operation.

           Type 1:  I = ((Kmi + D) <<< Kri)
                    O = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]

           Type 2:  I = ((Kmi ^ D) <<< Kri)
                    O = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]

           Type 3:  I = ((Kmi - D) <<< Kri)
                    O = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]

       Let f1, f2, f3 be keyed round function operations of Types 1, 2,
       and 3 (respectively) above.
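
   The three round function types above, written out in C as an added
   example (not code from the RFC or its authors).  The names rotl32,
   cast_f1/f2/f3 and demo_sboxes are hypothetical, and the tables are
   constructed placeholders, not the CAST s-boxes.

```c
#include <stdint.h>
#include <stdio.h>

/* S1..S4 held as s[0]..s[3], 256 32-bit entries each. */
typedef struct { uint32_t s[4][256]; } cast_sboxes;

/* CONSTRUCTED placeholder tables (assumption), NOT the RFC 2612 s-boxes:
 * S(j+1)[i] = (j+1)*0x10000000 + i. Easy to check by hand, no crypto value. */
const cast_sboxes *demo_sboxes(void) {
    static cast_sboxes t;
    static int ready;
    if (!ready) {
        for (int j = 0; j < 4; j++)
            for (int i = 0; i < 256; i++)
                t.s[j][i] = (uint32_t)(j + 1) * 0x10000000u + (uint32_t)i;
        ready = 1;
    }
    return &t;
}
/* "<<<". Kri is a 5-bit value, so 0 is a legal count; both counts are masked
 * so the code never shifts a 32-bit value by 32, which is undefined in C. */
uint32_t rotl32(uint32_t x, unsigned r) {
    r &= 31u;
    return (x << r) | (x >> ((32u - r) & 31u));
}
/* Ia..Id: most significant through least significant byte of I. */
#define IA(I) ((I) >> 24)
#define IB(I) (((I) >> 16) & 0xffu)
#define IC(I) (((I) >> 8) & 0xffu)
#define ID(I) ((I) & 0xffu)

/* Type 1: uint32_t arithmetic wraps, giving "+" and "-" modulo 2**32. */
uint32_t cast_f1(const cast_sboxes *b, uint32_t D, uint32_t Km, unsigned Kr) {
    uint32_t I = rotl32(Km + D, Kr);
    return ((b->s[0][IA(I)] ^ b->s[1][IB(I)]) - b->s[2][IC(I)]) + b->s[3][ID(I)];
}
/* Type 2 */
uint32_t cast_f2(const cast_sboxes *b, uint32_t D, uint32_t Km, unsigned Kr) {
    uint32_t I = rotl32(Km ^ D, Kr);
    return ((b->s[0][IA(I)] - b->s[1][IB(I)]) + b->s[2][IC(I)]) ^ b->s[3][ID(I)];
}
/* Type 3 */
uint32_t cast_f3(const cast_sboxes *b, uint32_t D, uint32_t Km, unsigned Kr) {
    uint32_t I = rotl32(Km - D, Kr);
    return ((b->s[0][IA(I)] + b->s[1][IB(I)]) ^ b->s[2][IC(I)]) - b->s[3][ID(I)];
}
int main(void) {
    const cast_sboxes *b = demo_sboxes();
    printf("f1=%08x f2=%08x f3=%08x\n", (unsigned)cast_f1(b, 0x01020304u, 0, 8),
           (unsigned)cast_f2(b, 0x01020304u, 0xffffffffu, 0), (unsigned)cast_f3(b, 1, 0, 4));
    return 0;
}
```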

       CAST-128 uses four round function substitution boxes (s-boxes),
       S1 - S4.  These are defined as follows (entries -- written in
       hexadecimal notation -- are to be read left-to-right, top-to-
       bottom).

2.1.1 S-Boxes

 S-Box S1