The CAST-256 Encryption Algorithm
RFC 2612
| Document | Type |
RFC - Informational
(June 1999; No errata)
Was draft-adams-cast-256 (individual)
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | Legacy | ||
| Formats | plain text pdf html bibtex | ||
| Stream | Legacy state | (None) | |
| Consensus Boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | RFC 2612 (Informational) | |
| Telechat date | |||
| Responsible AD | (None) | ||
| Send notices to | (None) | ||
Network Working Group C. Adams
Request for Comments: 2612 J. Gilchrist
Category: Informational Entrust Technologies
June 1999
The CAST-256 Encryption Algorithm
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
There is always a desire in the Internet community for unencumbered
encryption algorithms with a range of key sizes that can provide
security for a variety of cryptographic applications and protocols.
This document describes an existing algorithm that can be used to
satisfy this requirement. Included are a description of the cipher
and the key scheduling algorithm, the s-boxes, and a set of test
vectors (Appendix A).
Table of Contents
Abstract........................................................1
1. Introduction.................................................2
2. CAST-256 Algorithm Specification.............................2
3. Cipher Naming................................................8
4. Cipher Usage.................................................8
5. Security Considerations......................................8
6. References...................................................9
7. Authors' Addresses...........................................9
Appendix A. Test Vectors.......................................10
Full Copyright Statement.......................................19
Adams & Gilchrist Informational [Page 1]
RFC 2612 The CAST-256 Encryption Algorithm June 1999
1. Introduction
This document describes the CAST-256 encryption algorithm, a DES-like
Substitution-Permutation Network (SPN) cryptosystem built upon the
CAST-128 encryption algorithm [1] which appears to have good
resistance to differential cryptanalysis, linear cryptanalysis, and
related-key cryptanalysis. This cipher also possesses a number of
other desirable cryptographic properties, including avalanche, Strict
Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no
complementation property, and an absence of weak and semi-weak keys.
It thus appears to be a good candidate for general-purpose use
throughout the Internet community wherever a cryptographically-
strong, freely-available encryption algorithm is required.
CAST-256 has a block size of 128 bits and a variable key size (128,
160, 192, 224, or 256 bits).
2. CAST-256 Algorithm Specification
2.1 CAST-128 Notation
The following notation from CAST-128 [1] is relevant to CAST-256.
CAST-128 uses a pair of subkeys per round: a 5-bit quantity Kri
is used as a "rotation" key for round i and a 32-bit quantity Kmi
is used as a "masking" key for round i.
Three different round functions are used in CAST-128. The rounds
are as follows (where D is the data input to the operation, Ia -
Id are the most significant byte through least significant byte of
I, respectively, Si is the ith s-box (see Section 2.1.1 for s-box
contents), and O is the output of the operation). Note that "+"
and "-" are addition and subtraction modulo 2**32, "^" is bitwise
eXclusive-OR, and "<<<" is the circular left-shift operation.
Type 1: I = ((Kmi + D) <<< Kri)
O = ((S1[Ia] ^ S2[Ib]) - S3[Ic]) + S4[Id]
Type 2: I = ((Kmi ^ D) <<< Kri)
O = ((S1[Ia] - S2[Ib]) + S3[Ic]) ^ S4[Id]
Type 3: I = ((Kmi - D) <<< Kri)
O = ((S1[Ia] + S2[Ib]) ^ S3[Ic]) - S4[Id]
Let f1, f2, f3 be keyed round function operations of Types 1, 2,
and 3 (respectively) above.
Adams & Gilchrist Informational [Page 2]
RFC 2612 The CAST-256 Encryption Algorithm June 1999
CAST-128 uses four round function substitution boxes (s-boxes),
S1 - S4. These are defined as follows (entries -- written in
hexadecimal notation -- are to be read left-to-right, top-to-
bottom).
2.1.1 S-Boxes
S-Box S1
30fb40d4 9fa0ff0b 6beccd2f 3f258c7a 1e213f2f 9c004dd3 6003e540 cf9fc949
bfd4af27 88bbbdb5 e2034090 98d09675 6e63a0e0 15c361d2 c2e7661d 22d4ff8e
28683b6f c07fd059 ff2379c8 775f50e2 43c340d3 df2f8656 887ca41a a2d2bd2d
a1c9e0d6 346c4819 61b76d87 22540f2f 2abe32e1 aa54166b 22568e3a a2d341d0
66db40c8 a784392f 004dff2f 2db9d2de 97943fac 4a97c1d8 527644b7 b5f437a7
b82cbaef d751d159 6ff7f0ed 5a097a1f 827b68d0 90ecf52e 22b0c054 bc8e5935
4b6d2f7f 50bb64a2 d2664910 bee5812d b7332290 e93b159f b48ee411 4bff345d
fd45c240 ad31973f c4f6d02e 55fc8165 d5b1caad a1ac2dae a2d4b76d c19b0c50
Show full document text