Constructing Symmetric Ciphers Using the CAST Design Procedure
 Carlisle M. Adams
Abstract
This paper describes the CAST design procedure for constructing a family of DES-like Substitution-Permutation Network (SPN) cryptosystems which appear to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis, along with a number of other desirable cryptographic properties. Details of the design choices in the procedure are given, including those regarding the component substitution boxes (s-boxes), the overall framework, the key schedule, and the round function. An example CAST cipher, an output of this design procedure, is presented as an aid to understanding the concepts and to encourage detailed analysis by the cryptologic community.
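The two attacks named in the abstract are, at the s-box level, measured with two tables: the difference distribution table (DDT) gives the best probability that an input XOR difference maps to an output difference, and the linear approximation table (LAT) gives the largest bias of any linear relation between input and output bits. The following is an added example, not code from the paper or from the CAST cipher: it computes both tables and reports the best differential and the best linear approximation for a candidate box. The demo inputs are the published 4-bit s-box of the PRESENT cipher (chosen only as a well-studied box; CAST's own 8x32 s-boxes are not reproduced here) and the identity mapping, which is affine and shows the worst case. The functions take separate input and output widths, so they also apply to boxes with more output bits than input bits.

```python
"""Measuring an s-box's resistance to differential and linear cryptanalysis.

Added example (not code from the paper): builds the difference distribution
table (DDT) and linear approximation table (LAT) of a substitution box and
reports the best single-box differential and linear approximation an
attacker could exploit. Works for any n-bit-in, m-bit-out box.
"""
from typing import Dict, List, Sequence, Tuple

# Demo inputs (constructed for this example). PRESENT_SBOX is the published
# 4-bit s-box of the PRESENT cipher, used here only as a well-studied box;
# IDENTITY_SBOX is affine and shows what "no resistance at all" looks like.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
IDENTITY_SBOX = list(range(16))


def ddt(sbox: Sequence[int], n_in: int, n_out: int) -> List[List[int]]:
    """ddt[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) == dy."""
    table = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for dx in range(1 << n_in):
        for x in range(1 << n_in):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v: int) -> int:
    """XOR of all bits of v (1 if an odd number of bits are set)."""
    return bin(v).count("1") & 1


def lat(sbox: Sequence[int], n_in: int, n_out: int) -> List[List[int]]:
    """lat[a][b] = #{x : a.x == b.S(x)} - 2^(n_in-1), where '.' is the
    bitwise inner product mod 2. Zero means the mask pair is unbiased."""
    half = 1 << (n_in - 1)
    table = [[0] * (1 << n_out) for _ in range(1 << n_in)]
    for a in range(1 << n_in):
        for b in range(1 << n_out):
            agree = sum(1 for x in range(1 << n_in)
                        if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = agree - half
    return table


def best_differential(sbox: Sequence[int], n_in: int, n_out: int) -> Tuple[float, int, int]:
    """Highest-probability non-trivial differential: (probability, dx, dy).
    dx == 0 is excluded: it always gives dy == 0 with probability 1."""
    t = ddt(sbox, n_in, n_out)
    count, dx, dy = max((t[dx][dy], dx, dy)
                        for dx in range(1, 1 << n_in)
                        for dy in range(1 << n_out))
    return count / (1 << n_in), dx, dy


def best_linear_approximation(sbox: Sequence[int], n_in: int, n_out: int) -> Tuple[float, int, int]:
    """Largest |bias| over output masks b != 0: (|bias|, a, b).
    a == 0 is kept on purpose: a non-bijective box can have an output mask
    that is biased on its own, with no input bits involved."""
    t = lat(sbox, n_in, n_out)
    mag, a, b = max((abs(t[a][b]), a, b)
                    for a in range(1 << n_in)
                    for b in range(1, 1 << n_out))
    return mag / (1 << n_in), a, b


def assess(sbox: Sequence[int], n_in: int, n_out: int) -> Dict[str, object]:
    """Summary a designer would look at before accepting a candidate box."""
    p, dx, dy = best_differential(sbox, n_in, n_out)
    eps, a, b = best_linear_approximation(sbox, n_in, n_out)
    return {
        "bijective": n_in == n_out and sorted(sbox) == list(range(1 << n_in)),
        "max_diff_prob": p, "best_differential": (dx, dy),
        "max_lin_bias": eps, "best_linear_masks": (a, b),
    }


if __name__ == "__main__":
    for name, box in (("PRESENT", PRESENT_SBOX), ("identity", IDENTITY_SBOX)):
        print(name, assess(box, 4, 4))
```

For a 4-bit bijective box the best achievable values are a differential probability of 1/4 and a linear bias of 1/4; the identity box scores probability 1 and bias 1/2, which is why affine (or nearly affine) boxes are rejected outright. For a full cipher these single-box figures are then multiplied along the best characteristic through the rounds, so a lower per-box maximum directly raises the number of rounds an attacker must pay for.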
 Journal

Designs, Codes and Cryptography
Volume 12, Issue 3, pp 283–316
 Cover Date
 1997-11-01
 DOI
 10.1023/A:1008229029587
 Print ISSN
 0925-1022
 Online ISSN
 1573-7586
 Publisher
 Kluwer Academic Publishers
 Keywords

 design of encryption algorithms
 block ciphers
 substitution boxes
 key scheduling
 differential cryptanalysis
 linear cryptanalysis
 Authors

 Carlisle M. Adams (1)
 Author Affiliations

 1. Entrust Technologies, 750 Heron Road, Suite E08, Ottawa, Canada, K1V 1A7