The CAST-256 Encryption Algorithm
RFC 2612
| Field | Value |
|---|---|
| Document type | RFC - Informational (June 1999; No errata) |
| | Was draft-adams-cast-256 (individual) |
| Authors | Carlisle Adams, Jeff Gilchrist |
| Last updated | 2013-03-02 |
| Stream | Legacy |
| Formats | plain text, html, pdf, htmlized, bibtex |
| Legacy state | (None) |
| Consensus Boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | RFC 2612 (Informational) |
| Telechat date | |
| Responsible AD | (None) |
| Send notices to | (None) |
Network Working Group                                          C. Adams
Request for Comments: 2612                                 J. Gilchrist
Category: Informational                            Entrust Technologies
                                                              June 1999

The CAST-256 Encryption Algorithm

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

There is always a desire in the Internet community for unencumbered encryption algorithms with a range of key sizes that can provide security for a variety of cryptographic applications and protocols. This document describes an existing algorithm that can be used to satisfy this requirement. Included are a description of the cipher and the key scheduling algorithm, the s-boxes, and a set of test vectors (Appendix A).

Table of Contents

   Abstract
   1. Introduction
   2. CAST-256 Algorithm Specification
   3. Cipher Naming
   4. Cipher Usage
   5. Security Considerations
   6. References
   7. Authors' Addresses
   Appendix A. Test Vectors
   Full Copyright Statement

1. Introduction

This document describes the CAST-256 encryption algorithm, a DES-like Substitution-Permutation Network (SPN) cryptosystem built upon the CAST-128 encryption algorithm [1] which appears to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis.
This cipher also possesses a number of other desirable cryptographic properties, including avalanche, Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no complementation property, and an absence of weak and semi-weak keys. It thus appears to be a good candidate for general-purpose use throughout the Internet community wherever a cryptographically-strong, freely-available encryption algorithm is required.

CAST-256 has a block size of 128 bits and a variable key size (128, 160, 192, 224, or 256 bits).

2. CAST-256 Algorithm Specification

2.1 CAST-128 Notation

The following notation from CAST-128 [1] is relevant to CAST-256.

CAST-128 uses a pair of subkeys per round: a 5-bit quantity Kri is used as a "rotation" key for round i and a 32-bit quantity Kmi is used as a "masking" key for round i.

Three different round functions are used in CAST-128. The rounds are as follows (where D is the data input to the operation, Ia - Id are the most significant byte through least significant byte of I, respectively, Si is the ith s-box (see Section 2.1.1 for s-box contents), and O is the output of the operation). Note that "+" and "-" are addition and subtraction modulo 2**32, "^" is bitwise eXclusive-OR, and "<<<" is the circular left-shift operation.

   Type 1:  I = ((Kmi + D) <<< Kri)
            O = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]

   Type 2:  I = ((Kmi ^ D) <<< Kri)
            O = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]

   Type 3:  I = ((Kmi - D) <<< Kri)
            O = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]

Let f1, f2, f3 be keyed round function operations of Types 1, 2, and 3 (respectively) above.

CAST-128 uses four round function substitution boxes (s-boxes), S1 - S4. These are defined as follows (entries -- written in hexadecimal notation -- are to be read left-to-right, top-to-bottom).
2.1.1 S-Boxes

S-Box S1

   30fb40d4 9fa0ff0b 6beccd2f 3f258c7a 1e213f2f 9c004dd3 6003e540 cf9fc949
   bfd4af27 88bbbdb5 e2034090 98d09675 6e63a0e0 15c361d2 c2e7661d 22d4ff8e
   28683b6f c07fd059 ff2379c8 775f50e2 43c340d3 df2f8656 887ca41a a2d2bd2d
   a1c9e0d6 346c4819 61b76d87 22540f2f 2abe32e1 aa54166b 22568e3a a2d341d0
   66db40c8 a784392f 004dff2f 2db9d2de 97943fac 4a97c1d8 527644b7 b5f437a7
   b82cbaef d751d159 6ff7f0ed 5a097a1f 827b68d0 90ecf52e 22b0c054 bc8e5935
   4b6d2f7f 50bb64a2 d2664910 bee5812d b7332290 e93b159f b48ee411 4bff345d
   fd45c240 ad31973f c4f6d02e 55fc8165 d5b1caad a1ac2dae a2d4b76d c19b0c50
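
The three round functions of Section 2.1, as an added example in C that is not part of the RFC text. It uses constructed stand-in tables in place of the real s-boxes, so it shows the operation order, the modulo 2**32 arithmetic and the rotation rather than real CAST output; the names demo_fill_sboxes and rotl32 and the table layout are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in tables, NOT the RFC's s-boxes: S1[i] = i,
 * S2[i] = i << 8, S3[i] = i << 16, S4[i] = i << 24, so outputs can be checked
 * by hand. Real code loads the four 256-entry tables of Section 2.1.1. */
static uint32_t S[4][256];

void demo_fill_sboxes(void)
{
    for (int j = 0; j < 4; j++)
        for (uint32_t i = 0; i < 256; i++)
            S[j][i] = i << (8 * j);
}

/* "<<<". Kri is a 5-bit quantity, so 0 is a legal rotation; masking both
 * counts avoids the undefined x >> 32 of the naive form when n == 0. */
static uint32_t rotl32(uint32_t x, unsigned n)
{
    return (x << (n & 31)) | (x >> ((32 - n) & 31));
}

/* Si[Ix] lookups: Ia..Id are the most to least significant bytes of I. */
#define S1(I) S[0][(I) >> 24]
#define S2(I) S[1][((I) >> 16) & 0xff]
#define S3(I) S[2][((I) >> 8) & 0xff]
#define S4(I) S[3][(I) & 0xff]
/* uint32_t arithmetic wraps, giving "+" and "-" modulo 2**32. */
uint32_t f1(uint32_t D, uint32_t Km, unsigned Kr) /* Type 1 */
{
    uint32_t I = rotl32(Km + D, Kr);
    return ((S1(I) ^ S2(I)) - S3(I)) + S4(I);
}
uint32_t f2(uint32_t D, uint32_t Km, unsigned Kr) /* Type 2 */
{
    uint32_t I = rotl32(Km ^ D, Kr);
    return ((S1(I) - S2(I)) + S3(I)) ^ S4(I);
}
uint32_t f3(uint32_t D, uint32_t Km, unsigned Kr) /* Type 3 */
{
    uint32_t I = rotl32(Km - D, Kr);
    return ((S1(I) + S2(I)) ^ S3(I)) - S4(I);
}
int main(void)
{
    demo_fill_sboxes();
    printf("%08x %08x %08x\n", (unsigned)f1(0x01020304, 0, 0),
           (unsigned)f2(0x01020304, 0, 0), (unsigned)f3(0x01020304, 0, 0));
}
```
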